MX WAN Interface accepting multiple VLANs

KyleR-D · ‎03-14-2025

Hi everyone, I know I can set a VLAN ID on the WAN uplink of my MX. However is it possible to allow multiple VLANs or create sub-interfaces under the WAN uplink?

mloraditch · ‎03-14-2025

No this is not possible. Depending on your use case, you could put a breakout switch in front of the MX and be able to create multiple access ports on the various VLANs that could then be used by devices, but the MX wan interfaces can not have sub-interfaces.

Can you explain more about what you are trying to do?

If you found this post helpful, please give it a thumbs up. If my answer solves your problem please click Accept as Solution so others can benefit from it.

KyleR-D · ‎03-14-2025

Understand, I need to pass down 3 VLANs from the ISP equipment for data, management, and VOIP to my MX. Would creating a trunk and using the trunk VLAN ID work or not?

aleabrahao · ‎03-14-2025

You can create a trunk on a switch and then select a switch port in access mode for each VLAN and logically one of these ports will be assigned to the WAN interface of the MX.

It should work without any problems.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

mloraditch · ‎03-14-2025

What @alessandrodematos said is right, but I'm not sure I am understanding what your ISP is providing. Kinda sounds like they are providing a managed firewall with a direct handoff for your LAN. I'd try to understand better there as I've often seen where what you want and what the ISPs sales team enters into the system are not translated properly.

If you found this post helpful, please give it a thumbs up. If my answer solves your problem please click Accept as Solution so others can benefit from it.

KyleR-D · ‎03-14-2025

I'll get back to you on this.

aleabrahao · ‎03-14-2025

If possible, please share it here in the discussion, so we can try to help you.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

inderdeepsingh1 · ‎03-14-2025

You can connect the wan to a switch trunk port for example vlan x ,y on port 1.

Then port 2 you can use a port with vlan x( internet to mx).

And port 3 you can use vlan y( data to your lan?)

Cisco Awarded Blogs 2020/2021 https://www.thenetworkdna.com/

aleabrahao · ‎03-14-2025

I think this won't work for MX, because the WAN port doesn't support trunk. Correct me if I'm wrong.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Karsten Iwen · ‎03-15-2025

With that approach, you build a physical bypass around your firewall. With the slightest mistake by the ISP your internal network is openly exposed to the internet. I would not do this.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.