Hey, thanks. I like the way you think. Your reward is so many words oh my goodness.
At the moment, it's just speculation on my part as to how to deal with potential future scenarios.
A bit of story time about my situation: My company (the "Canada" sites in my example, though the example was pretty heavily simplified) just got bought out. The company that bought us put us in charge of IT for all of the other companies they own in North America (in the example, this is represented by the two US sites, though again, it's simplified in the original question to get my point across).
The reality is more like 9 sites for my company, and 5 other companies with, presently, one site each, and an edict from on high that "brace yourselves, the C suite wants infinite money and more expansion is coming".
The situation is such that all 9 of "my" sites need VPN connectivity, and as of right now, the other companies are partially connected - two of them are connected with a site-to-site VPN, and three are isolated. That, of course, may change in the future.
So, before I start looking to switch them over to Meraki security appliances, I thought I'd post up to see what the options were or what a potential solution might look like.
The firewall rules would likely get me the end result I need, which is to be able to control exactly which sites can connect to which other sites, and when, but I see merit in "you don't need to worry about making sure the firewalls are correct if there's just no physical way for the sites to connect up".
An ideal solution in my brain would be the ability to set up multiple, "named autoVPN networks", so that I could add and remove members of them as I see fit - we could have the "Company A" network with the hub(s) and spokes for my company, and then the "Company B/C" network to connect those two, and then company D is isolated, but Company E with three sites comprises the "Company E" network; then later, when company F joins up and needs to collaborate with E, we can add them to that as a fourth site or spoke off of their HQ or what have you. As companies start collaborating or need to connect together, we can combine the networks into larger ones or rearrange that topology as needed.
This also helps de-complicate things in that I can have multiple sites that all use, say, 192.168.1.0/24, and as long as they're part of separate "named VPN networks" and no two sites on any single VPN network have overlapping subnets, I'm fine. So I don't need to care if, in the above example, Company A and B and F all use 192.168.1.0/24, since they're totally isolated from one another, and I don't need to re-do their subnet entirely unless I need to connect them together.
(Yes, just fixing all the IP ranges would be a better way to deal with that, but like any IT guy, I'm understaffed and overwhelmed and I like shortcuts.)
Likewise, redoing all the subnets and connecting everyone who might need to be connected to one big AutoVPN, then deciding who can connect to whom with firewall rules, is also an answer to the question, but that's a lot of firewall rules to add and manage and test and maintain, whereas "not connected" is just "not connected" and a simpler implementation.
Turning off the Hub meshing would also work, since you can connect from one spoke to another through the hub (as long as the Hub in question has enough firewall horsepower and connection speed to deal with that), and that's how we run our network now: one HQ as the hub, and everything else is a spoke.
This works - most of the resources that spokes need are here at the hub, and most of the traffic between them is just VoIP calls at the moment (and we're migrating to a cloud phone system, so even that's going away). The unknown there is what the situation might look like with our sibling companies, and it might be that there's a need to have a lot of traffic in every direction and we'd just need four sites in a mesh (or, validly, maybe pick one of those sites to host most of their equipment and data and give it bigger firewalls and better connections and make it a hub, though that's a fair bit of project work as opposed to ticking four check boxes for autoVPN to make four meshed hubs).
Hence my question about multiple Dashboards - just moving sites to different Dashboards and handling the AutoVPN independently for each set of sites that need to connect up is one way to do it - a "named VPN network" is just a "different Dashboard", and I can mesh and spoke each of those as I see fit. (Moving sites between Dashboards would be a pain, though.)
In short: Everything's chaos and there might be 5 different answers to the multitude of situations I might encounter, and I wanted to know what my options are. That all got really rambly, but I hope it helps!
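As an added example (not part of the post above, and not Meraki's own tooling), here is a small planning check for the "named VPN networks" idea the reply describes: sites may reuse address space as long as no two members of the same named network overlap, and it also reports which named networks could later be combined without renumbering anyone. The site names, network names and subnets are constructed for illustration.

```python
"""Planning check for 'named AutoVPN networks': reused address space is fine
as long as no two sites inside the same named network overlap, and a pair of
named networks can only be merged later if none of their sites collide.
Added example with constructed data; not Meraki code."""
import ipaddress
from itertools import combinations

# Constructed inventory: site -> (named VPN network, local subnets).
# Note the deliberate reuse of 192.168.1.0/24 across separate networks.
SITES = {
    "A-HQ":    ("CompanyA",  ["10.10.0.0/16", "192.168.1.0/24"]),
    "A-Plant": ("CompanyA",  ["10.20.0.0/16"]),
    "B-Main":  ("CompanyBC", ["192.168.1.0/24"]),
    "C-Main":  ("CompanyBC", ["192.168.2.0/24"]),
    "E-HQ":    ("CompanyE",  ["172.16.0.0/22"]),
    "E-West":  ("CompanyE",  ["172.16.4.0/22", "192.168.1.0/24"]),
    "E-East":  ("CompanyE",  ["172.16.5.0/24"]),   # collides with E-West
    "F-Only":  ("CompanyF",  ["172.16.0.0/24"]),
}

def _nets(site):
    return [ipaddress.ip_network(s) for s in SITES[site][1]]

def _members(vpn):
    return [s for s, (v, _) in SITES.items() if v == vpn]

def site_conflicts(site_a, site_b):
    """(subnet_a, subnet_b) pairs that overlap between two sites."""
    return [(str(x), str(y)) for x in _nets(site_a)
            for y in _nets(site_b) if x.overlaps(y)]

def check_vpn_network(vpn):
    """Overlaps that already break routing inside one named network."""
    return {(a, b): c for a, b in combinations(_members(vpn), 2)
            if (c := site_conflicts(a, b))}

def merge_blockers(vpn_x, vpn_y):
    """Overlaps that would appear if two named networks were combined."""
    return {(a, b): c for a in _members(vpn_x) for b in _members(vpn_y)
            if (c := site_conflicts(a, b))}

def mergeable_pairs():
    """Named networks that could be joined today with no renumbering."""
    vpns = sorted({v for v, _ in SITES.values()})
    return [(x, y) for x, y in combinations(vpns, 2)
            if not merge_blockers(x, y)]

if __name__ == "__main__":
    for vpn in sorted({v for v, _ in SITES.values()}):
        print(vpn, "internal overlaps:", check_vpn_network(vpn))
    print("mergeable without renumbering:", mergeable_pairs())
```

Running it shows that Company E already has an internal collision (E-West and E-East) that a "not connected" boundary cannot hide, while Company F could join either Company A's or Company B/C's network as-is.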