{"id":5059,"date":"2022-03-13T13:13:00","date_gmt":"2022-03-13T12:13:00","guid":{"rendered":"https:\/\/cyber-fi.net\/?p=5059"},"modified":"2022-03-24T22:15:24","modified_gmt":"2022-03-24T21:15:24","slug":"how-to-connect-the-meraki-mx-to-ms-switches","status":"publish","type":"post","link":"https:\/\/cyber-fi.net\/index.php\/2022\/03\/13\/how-to-connect-the-meraki-mx-to-ms-switches\/","title":{"rendered":"How to connect the Meraki MX to MS switches"},"content":{"rendered":"\n<p>Connecting the Meraki MX to an internal switched network? Sounds easy, and if the network is built without any redundancy, it is very easy indeed:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"352\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx1-1024x352.jpg\" alt=\"\" class=\"wp-image-5060\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx1-1024x352.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx1-300x103.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx1-768x264.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx1.jpg 1316w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>It gets more problematic once redundancy is added. 
If you come from the Cisco ASA, you have tools like<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>routed interfaces<\/li><li>port-channels<\/li><\/ul>\n\n\n\n<p>But on the MX we have<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>no port-channels<\/li><li>switched interfaces only (no routed ports)<\/li><li>no spanning-tree<\/li><\/ul>\n\n\n\n<p>In addition to that, we have Meraki switches that &#8220;only&#8221; support RSTP and no per-VLAN RSTP: one RSTP instance covers all VLANs, so a port is either blocked or forwarding for all VLANs at once.<\/p>\n\n\n\n<p>In the redundant setup, we have basically two options to connect the redundant MX firewalls to the redundant MS switches:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"352\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx2-1024x352.jpg\" alt=\"\" class=\"wp-image-5063\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx2-1024x352.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx2-300x103.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx2-768x264.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx2.jpg 1316w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Option 1:<\/h2>\n\n\n\n<p>Based on <a rel=\"noreferrer noopener\" href=\"https:\/\/documentation.meraki.com\/MX\/Deployment_Guides\/MX_Warm_Spare_-_High_Availability_Pair#Recommended_Topologies\" target=\"_blank\"><strong><mark style=\"background-color:#00d084\" class=\"has-inline-color\">Meraki documentation and best practice<\/mark><\/strong><\/a>, both MX are connected to both switches. For this discussion it is not relevant whether the switches are standalone or stacked:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"352\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx3-1024x352.jpg\" alt=\"\" class=\"wp-image-5064\" 
srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx3-1024x352.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx3-300x103.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx3-768x264.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx3.jpg 1316w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>But from a Spanning-Tree view, the topology looks like this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"352\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx4-1024x352.jpg\" alt=\"\" class=\"wp-image-5065\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx4-1024x352.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx4-300x103.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx4-768x264.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx4.jpg 1316w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The MX does not participate in Spanning-Tree; it just passes the BPDUs it receives on one LAN port through to its other LAN ports, so from the switches&#8217; point of view each MX is simply a second link between them. We therefore need the switches to block one interface of each of these connections, and for that the RSTP BPDUs must be able to flow freely through the MX. Coming from an ASA background, you are probably used to having subinterfaces on the ASA without configuring the main interface with a nameif, security-level and IP address. 
Let&#8217;s assume we configure something similar on the MX:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"558\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx4-2-1024x558.png\" alt=\"\" class=\"wp-image-5066\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx4-2-1024x558.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx4-2-300x163.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx4-2-768x418.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx4-2-1536x837.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx4-2.png 1722w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>We only want to use the two tagged networks CORE-TRANSFER and DMZ, but RSTP BPDUs are sent untagged. By dropping untagged traffic on the MX we also drop the BPDUs, Spanning-Tree never sees the loop through the MX and cannot block the redundant ports on the switches, and the resulting bridging loop is likely to impact the whole network severely.<\/p>\n\n\n\n<p>If configured correctly, the ports that connect the two MX look like this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"352\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx5-1024x352.jpg\" alt=\"\" class=\"wp-image-5068\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx5-1024x352.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx5-300x103.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx5-768x264.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx5.jpg 1316w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The upper switch has two STP designated ports, both forwarding; the one with the white arrow is the connection to the active\/primary MX. 
The second switch has two ports in the STP blocking state.<\/p>\n\n\n\n<p>The switch ports connecting the MX have RSTP enabled but no STP guard. This is deliberate: the BPDUs of the other switch arrive on these ports through the MX, so BPDU guard would err-disable them and root guard would block them whenever the other switch is the root bridge:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"165\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms1-1-1024x165.png\" alt=\"\" class=\"wp-image-5085\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms1-1-1024x165.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms1-1-300x48.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms1-1-768x124.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms1-1.png 1302w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>What is the corresponding MX configuration? There are multiple ways to implement it, each with its own pros and cons. The easy way is the following (ignoring the best practice not to use VLAN 1):<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"659\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx6-1024x659.png\" alt=\"\" class=\"wp-image-5069\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx6-1024x659.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx6-300x193.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx6-768x494.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx6-1536x988.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx6.png 1738w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>VLAN 1 is the native VLAN on the MX and carries the management traffic of the connected Meraki MS switches. The default port and management VLAN configuration on the MS switches already matches this MX config, so no adjustment is needed. 
But special caution is needed to make sure no user port ends up in VLAN 1 in this setup: every switch port that is left at its default access VLAN 1 lands in the firewall&#8217;s native VLAN. Extra firewall rules for VLAN 1 should allow the Dashboard communication of the switches and nothing else, so that a host placed in VLAN 1 by mistake gains no further access.<\/p>\n\n\n\n<p>Alternatively we can use a different VLAN as the native VLAN:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"698\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx5-3-1024x698.png\" alt=\"\" class=\"wp-image-5086\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx5-3-1024x698.png 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx5-3-300x205.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx5-3-768x524.png 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx5-3-1536x1048.png 1536w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx5-3.png 1692w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Now we need to make sure that the switches use this VLAN as their management VLAN and also have this VLAN as the native VLAN on the uplinks towards the MX. 
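<\/p>\n\n\n\n<p>The following script is an added example and not code from the original post or from Cisco Meraki. It checks the dependencies of Option 1 over the data the Dashboard API returns: every MX LAN port towards the switches keeps a native VLAN instead of <code>dropUntaggedTraffic<\/code> (the failure mode from the first MX screenshot above), all MX ports agree on that native VLAN, the MS management VLAN equals it, the MS ports facing the MX are trunks with that native VLAN, RSTP enabled and no STP guard, those ports allow the tagged VLANs the MX carries, and no access port sits in the management VLAN. The field names follow the Dashboard API v1 responses for appliance ports, switch ports and switch settings; the port data and the switch serials are constructed, and which switch ports are cabled to an MX is passed in, because the API does not know that.<\/p>\n\n\n\n
```python
# Added example, not code from the original post or from Cisco Meraki. It checks
# the settings Option 1 depends on (native VLAN on every MX LAN port instead of
# dropUntaggedTraffic, MS management VLAN equal to that native VLAN, RSTP on and
# no STP guard on the MS ports facing the MX, no access port left in the
# management VLAN). Field names follow the Meraki Dashboard API v1 responses for
# appliance ports, switch ports and switch settings; all values are constructed.


def expand_vlans(spec):
    # Allowed-VLAN string such as '1,10,20-22' -> {1, 10, 20, 21, 22}; 'all' -> None
    if spec == 'all':
        return None
    vlans = set()
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_topology(mx_ports, switch_settings, switch_ports, mx_facing):
    # mx_ports:        GET /networks/{id}/appliance/ports
    # switch_settings: GET /networks/{id}/switch/settings ('vlan' = management VLAN)
    # switch_ports:    {serial: GET /devices/{serial}/switch/ports}
    # mx_facing:       {serial: set of portIds cabled to an MX}
    # Returns a list of findings; an empty list means the topology is consistent.
    findings = []
    natives = set()
    mx_tagged = set()
    for p in mx_ports:
        if not p['enabled']:
            continue
        if p['type'] != 'trunk':
            findings.append('MX port {}: must be a trunk'.format(p['number']))
            continue
        if p['dropUntaggedTraffic']:
            # RSTP BPDUs are untagged: dropping untagged frames drops them too and
            # the switches never see the loop through the MX.
            findings.append('MX port {}: drops untagged traffic and with it the RSTP BPDUs'.format(p['number']))
            continue
        natives.add(p['vlan'])
        allowed = expand_vlans(p['allowedVlans'])
        if allowed is not None:
            mx_tagged |= allowed - {p['vlan']}
    if len(natives) != 1:
        findings.append('MX ports do not agree on one native VLAN: {}'.format(sorted(natives)))
        return findings
    native = natives.pop()
    mgmt = switch_settings['vlan']
    if mgmt != native:
        findings.append('MS management VLAN {} differs from MX native VLAN {}'.format(mgmt, native))
    for serial, ports in switch_ports.items():
        for p in ports:
            if not p['enabled']:
                continue
            label = '{} port {}'.format(serial, p['portId'])
            if p['portId'] in mx_facing.get(serial, set()):
                if p['type'] != 'trunk' or p['vlan'] != native:
                    findings.append(label + ': must be a trunk with native VLAN {}'.format(native))
                if not p['rstpEnabled']:
                    findings.append(label + ': RSTP disabled, the path through the MX cannot be blocked')
                if p['stpGuard'] != 'disabled':
                    # The BPDUs of the other switch arrive here through the MX: BPDU
                    # guard would err-disable the port, root guard may block it.
                    findings.append(label + ': STP guard {} set on an MX-facing port'.format(p['stpGuard']))
                allowed = expand_vlans(p['allowedVlans'])
                if allowed is not None and not mx_tagged <= allowed:
                    findings.append(label + ': does not allow VLANs {}'.format(sorted(mx_tagged - allowed)))
            elif p['type'] == 'access' and p['vlan'] == mgmt:
                findings.append(label + ': access port in the management/native VLAN {}'.format(mgmt))
    return findings


# Constructed sample: MX LAN ports 3 and 4 (one to each switch) and two MS with
# placeholder serials, carrying four deliberate mistakes: port 4 drops untagged
# traffic, SW02 has BPDU guard on its MX-facing port and does not allow VLAN 20,
# and SW01 has a user port left in VLAN 1.
MX_PORTS = [
    {'number': 3, 'enabled': True, 'type': 'trunk', 'vlan': 1, 'allowedVlans': '1,10,20', 'dropUntaggedTraffic': False},
    {'number': 4, 'enabled': True, 'type': 'trunk', 'vlan': 1, 'allowedVlans': '1,10,20', 'dropUntaggedTraffic': True},
]
SWITCH_SETTINGS = {'vlan': 1}
SWITCH_PORTS = {
    'Q2XX-SW01': [
        {'portId': '49', 'enabled': True, 'type': 'trunk', 'vlan': 1, 'allowedVlans': 'all', 'rstpEnabled': True, 'stpGuard': 'disabled'},
        {'portId': '1', 'enabled': True, 'type': 'access', 'vlan': 10, 'allowedVlans': '10', 'rstpEnabled': True, 'stpGuard': 'bpdu guard'},
        {'portId': '2', 'enabled': True, 'type': 'access', 'vlan': 1, 'allowedVlans': '1', 'rstpEnabled': True, 'stpGuard': 'bpdu guard'},
    ],
    'Q2XX-SW02': [
        {'portId': '49', 'enabled': True, 'type': 'trunk', 'vlan': 1, 'allowedVlans': '1,10', 'rstpEnabled': True, 'stpGuard': 'bpdu guard'},
    ],
}
MX_FACING = {'Q2XX-SW01': {'49'}, 'Q2XX-SW02': {'49'}}

if __name__ == '__main__':
    for finding in audit_topology(MX_PORTS, SWITCH_SETTINGS, SWITCH_PORTS, MX_FACING):
        print(finding)
```
\n\n\n\n<p>Against a live network the same function runs over the responses of <code>GET \/networks\/{networkId}\/appliance\/ports<\/code>, <code>GET \/networks\/{networkId}\/switch\/settings<\/code> and <code>GET \/devices\/{serial}\/switch\/ports<\/code>; an empty result is what you want to see before you plug in the second uplink of each MX.<\/p>\n\n\n\n<p>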
For this setup, the management VLAN was not configured individually on the &#8220;LAN IP&#8221; page of each switch; it was set on the &#8220;Switch settings&#8221; page for all switches of the network.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"566\" height=\"190\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms2-1.png\" alt=\"\" class=\"wp-image-5088\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms2-1.png 566w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms2-1-300x101.png 300w\" sizes=\"auto, (max-width: 566px) 100vw, 566px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"904\" height=\"242\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms2-2.png\" alt=\"\" class=\"wp-image-5089\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms2-2.png 904w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms2-2-300x80.png 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/ms2-2-768x206.png 768w\" sizes=\"auto, (max-width: 904px) 100vw, 904px\" \/><\/figure>\n\n\n\n<p>The main benefit is that a port left at the default VLAN 1 no longer lands in the firewall&#8217;s native VLAN, so users are far less likely to end up there by mistake.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Option 2:<\/h2>\n\n\n\n<p>In Option 1 we rely on Spanning-Tree to block ports. Probably every network admin in the world has already faced problems with Spanning-Tree and\/or caused unplanned downtime by misconfiguring it. 
For this reason a different approach can be used that offers less redundancy but can be more stable:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"352\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx6-1024x352.jpg\" alt=\"\" class=\"wp-image-5070\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx6-1024x352.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx6-300x103.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx6-768x264.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx6.jpg 1316w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Each MX has only one connection to the switched network. Spanning-Tree is no longer needed to block ports; both switch ports connecting the MX firewalls are in the forwarding state. In this scenario we don&#8217;t need a native VLAN on the MX, and we can drop untagged traffic without causing any problem, because no BPDU has to pass through the MX any more.<\/p>\n\n\n\n<p>Although this setup can be more stable, there is at least one major drawback (in addition to the reduced redundancy):<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"352\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx7-1024x352.jpg\" alt=\"\" class=\"wp-image-5071\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx7-1024x352.jpg 1024w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx7-300x103.jpg 300w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx7-768x264.jpg 768w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx7.jpg 1316w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>When the link between the two switches fails, we run into a split-brain situation (anyone else who has already had a non-working stack connection after a reboot?). 
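<\/p>\n\n\n\n<p>The split-brain is visible on the wire. The MX pair exchanges VRRP heartbeats over the LAN, and in VRRP only the master sends advertisements, so two different senders advertising the same virtual router ID within a few advertisement intervals of each other means two masters. The following detector is an added example, not code from the original post or from Cisco Meraki. It parses the packets as standard VRRPv2 advertisements (RFC 3768, IP protocol 112, sent to 224.0.0.18), which is an assumption about the MX firmware, and the captures, addresses and the VRID it runs on are constructed.<\/p>\n\n\n\n
```python
# Added example, not code from the original post or from Cisco Meraki: find two
# simultaneous VRRP masters for one VRID in a LAN capture. Packets are treated as
# standard VRRPv2 advertisements (RFC 3768); that the MX heartbeats use exactly
# this format is an assumption, and all addresses and captures are constructed.
import ipaddress
import struct

VRRP_PROTO = 112
VRRP_GROUP = '224.0.0.18'


def build_advert(src_ip, vrid, priority, vips):
    # Constructed IPv4 packet carrying a VRRPv2 advertisement. IP and VRRP
    # checksums are left at 0 because the parser below does not verify them.
    vrrp = struct.pack('!BBBBBBH', 0x21, vrid, priority, len(vips), 0, 1, 0)
    vrrp += b''.join(ipaddress.IPv4Address(v).packed for v in vips)
    vrrp += bytes(8)  # authentication data (no authentication)
    ip_hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(vrrp), 0, 0, 255,
                         VRRP_PROTO, 0, ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(VRRP_GROUP).packed)
    return ip_hdr + vrrp


def parse_advert(pkt):
    # Returns (src_ip, vrid, priority, vips) for a VRRPv2 advertisement, else None.
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != VRRP_PROTO:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    body = pkt[ihl:]
    if len(body) < 8:
        return None
    vtype, vrid, prio, count, _auth, _adv_int, _csum = struct.unpack('!BBBBBBH', body[:8])
    if vtype != 0x21 or len(body) < 8 + 4 * count:  # version 2, type 1 = advertisement
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    vips = [str(ipaddress.IPv4Address(body[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return src, vrid, prio, vips


def find_split_brain(capture, window=3.0):
    # capture: iterable of (timestamp_seconds, ipv4_packet_bytes). For every VRID
    # remember when each sender last advertised as master; two different senders
    # within `window` seconds of each other means two masters at the same time.
    # Priority 0 is the master resigning (RFC 3768) and clears that sender, so a
    # clean failover from one MX to the other is not reported.
    last_claim = {}  # vrid -> {src: last timestamp}
    split = {}       # vrid -> sorted senders seen as simultaneous masters
    for ts, pkt in sorted(capture, key=lambda item: item[0]):
        parsed = parse_advert(pkt)
        if parsed is None:
            continue
        src, vrid, prio, _vips = parsed
        claims = last_claim.setdefault(vrid, {})
        if prio == 0:
            claims.pop(src, None)
            continue
        claims[src] = ts
        rivals = {s for s, t in claims.items() if s != src and ts - t <= window}
        if rivals:
            split[vrid] = sorted(set(split.get(vrid, [])) | rivals | {src})
    return split


# Constructed captures: .2 is the primary MX, .3 the spare, .1 the virtual IP.
ADVERT_A = build_advert('192.168.1.2', 1, 255, ['192.168.1.1'])
ADVERT_B = build_advert('192.168.1.3', 1, 254, ['192.168.1.1'])
RESIGN_A = build_advert('192.168.1.2', 1, 0, ['192.168.1.1'])
NOISE = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 28, 0, 0, 64, 1, 0,
                    ipaddress.IPv4Address('192.168.1.10').packed,
                    ipaddress.IPv4Address('192.168.1.1').packed) + bytes(8)  # ICMP, ignored
HEALTHY_CAPTURE = [(0.0, ADVERT_A), (1.0, ADVERT_A), (1.5, NOISE), (2.0, ADVERT_A)]
FAILOVER_CAPTURE = [(0.0, ADVERT_A), (1.0, ADVERT_A), (1.2, RESIGN_A), (1.3, ADVERT_B), (2.3, ADVERT_B)]
SPLIT_CAPTURE = [(0.0, ADVERT_A), (0.4, ADVERT_B), (1.0, ADVERT_A), (1.4, ADVERT_B)]

if __name__ == '__main__':
    for name, capture in (('healthy', HEALTHY_CAPTURE), ('failover', FAILOVER_CAPTURE), ('split-brain', SPLIT_CAPTURE)):
        print(name, find_split_brain(capture) or 'one master per VRID')
```
\n\n\n\n<p>Because the two halves of the network can no longer see each other&#8217;s heartbeats, a capture taken on only one switch shows a single master and looks healthy. To catch the condition, capture on both switches (a port mirror or a host port on each), strip the Ethernet headers and hand the packets of both captures in as <code>(timestamp, IPv4 packet)<\/code> pairs. The window of three seconds matches the default advertisement interval of one second; a legitimate failover shows the old master resigning with priority 0 or falling silent for longer than that and is therefore not reported.<\/p>\n\n\n\n<p>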
The VRRP heartbeats of the two MX no longer reach each other, and both firewalls become active:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"576\" height=\"218\" src=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx8.png\" alt=\"\" class=\"wp-image-5078\" srcset=\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx8.png 576w, https:\/\/cyber-fi.net\/wp-content\/uploads\/2022\/03\/mx8-300x114.png 300w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><\/figure>\n\n\n\n<p>For sure, this is a bad situation and you want to get out of it as fast as possible. But with Option 2 it can get even worse. Both firewalls want to use the virtual IP, but only one of them can actually hold it. The part of the network behind the previous &#8220;Current master&#8221; likely keeps uninterrupted internet connectivity, but the part behind the previous &#8220;passive, ready&#8221; will have limited connectivity.<\/p>\n\n\n\n<p>When facing the problem some time ago in a &#8220;real&#8221; network, one switch completely lost connectivity to the dashboard, which can make troubleshooting problematic if you are not onsite. While doing some more tests recently, the dashboard connectivity was delayed, but I was able to manage both switches, and a PCAP showed that the spare MX fell back to its interface IP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Recommendations?<\/h2>\n\n\n\n<p>I have no recommendation to generally use Option 1 or Option 2. Most of the time I prefer the officially suggested way, which is Option 1. Just be aware of how the network behaves and choose wisely!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Connecting the Meraki MX to an internal switched network? Sounds easy and if the network is built without any redundancy, it is very easy indeed: It can get a little bit problematic if redundancy is added. 
If you come from the Cisco ASA, you have tools like routed interfaces Port-Channel But on the MX we <\/p>\n<div class=\"read-more-text\"><a href=\"https:\/\/cyber-fi.net\/index.php\/2022\/03\/13\/how-to-connect-the-meraki-mx-to-ms-switches\/\" class=\"read-more\">continue reading<\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[1,705,14],"tags":[704,703,702],"class_list":["post-5059","post","type-post","status-publish","format-standard","hentry","category-general","category-meraki","category-networking","tag-high-availability","tag-meraki-ms","tag-meraki-mx"],"_links":{"self":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5059","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/comments?post=5059"}],"version-history":[{"count":17,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5059\/revisions"}],"predecessor-version":[{"id":5097,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/5059\/revisions\/5097"}],"wp:attachment":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media?parent=5059"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/categories?post=5059"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/ta
gs?post=5059"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}