Connecting WAN-Switches

This is Part 3 of the "Connecting Meraki MX to …" series.

How to connect the Meraki MX to MS switches (Part 1)
Connecting the Meraki MX to the Internet (Part 2)

In Options 6 and 8 of Part 2, I use a link between the two WAN switches:

One question is whether this link is really needed. And as always, the answer is "it depends".

For me, there are typically two reasons to use the setup with the cross-link:

Limited ports on the Firewall

To be able to manage both switches, they need to be reachable from the active firewall. With the cross-link, we have the direct link from the active firewall to switch one, and reach switch two via the cross-link between switch one and switch two.

Without the cross-link, each firewall needs a link to each of the two switches:

On devices with a small number of interfaces, like the MX64 or the MX67, we are then "wasting" two interfaces per firewall instead of using only one.

Additional devices on the WAN switches

Because of the limitations of extranet L2L-VPNs on the MX, I often pair a Cisco Secure Firewall with the MX. Depending on the setup, I sometimes prefer to have both (or more) ISPs on a single interface using subinterfaces instead of having one interface per ISP.

With this setup, the firewall connected to WAN-switch one needs to be able to reach the ISP router connected to WAN-switch two. This is also done through the cross-link:

Would I say that the setup with a cross-link is better than a setup without? No, it’s only different and both can be the right solution based on the environment.

Always stay connected!
