Oct 21 2021
4:01 PM
2 Kudos
There's no simple way to delete clients from the dashboard. However, they will transition out of the dashboard if they haven't been seen in 30 days. You can also give them a 'blocked' policy in the meantime to ensure that they can't access anything if they reappear. However, there was a mention that something like it might be possible leveraging GDPR privacy features: Solved: Remove/Clear Client - The Meraki Community. Not sure of manually adding a client with the same name but different MAC (I can't see why it wouldn't work) but you can definitely re-name discovered clients to have the same name.
Oct 21 2021
2:32 PM
Sorry, when writing up the reply, I forgot that this would be specific to Meraki (*facepalm*). Yes, the information I provided was for an ASA.
Oct 20 2021
2:12 PM
1 Kudo
Probably not of much help here as my Anyconnect knowledge is very limited but it's definitely possible. My previous company had something similar. Looking at the XML schema, I don't see anywhere to insert a message via XML directly. However, the description indicates it should be editable in the message catalog. + <!--
+ This control enables an administrator to have a one time message
+ displayed prior to a users first connection attempt. As an example,
+ the message could be used to remind a user to insert their smart
+ card into it's reader.
+
+ The message to be used with this control is localizable and can be
+ found in the AnyConnect message catalog.
+ (default: "This is a pre-connect reminder message.")
+ -->
+ <ShowPreConnectMessage>false</ShowPreConnectMessage> Source: [PATCH] Provide profile.xml for AnyConnect (infradead.org) Looks like the message string is under localization settings Solved: SSL VPN (AnyConnect) and Customize Preconnect Message - Cisco Community
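Review bot: The comment added above <ShowPreConnectMessage> has two apostrophe slips: "a users first connection attempt" should read "a user's first connection attempt", and "into it's reader" should read "into its reader". The comment also says the text lives in the AnyConnect message catalog without naming the catalog entry, so consider stating that the quoted default string is the one to look for there.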
Oct 18 2021
4:47 PM
Not quite. You need to ensure that your internal DNS can forward requests that it doesn't have the answer for. These should be forwarded to another DNS that does have the answer. Typically you would set up to forward to an external, top level DNS, such as 8.8.8.8 (Google's DNS) or 1.1.1.1 (Cloudflare DNS
Oct 18 2021
4:35 PM
You'll need one of those set up in order to resolve domains external to your environment, including the Meraki dynamic domain name for your MX.
Oct 15 2021
8:13 PM
When you say doesn't resolve correctly, is it resolving to any IP address at all? Is your client PC using a well known internet DNS or an internal DNS?
Oct 13 2021
4:37 PM
2 Kudos
As the client has already been given an IP address, it will typically hold onto it until expiration. It would be up to the client to request a new IP from the DHCP server. Most operating systems will support this in one way or another but you'll need to log onto the client directly. Worst case scenario, rebooting the client should also force it to pull a new IP.
Oct 7 2021
8:21 PM
5 Kudos
Thanks @MeredithW Congrats to the top contributors... Killing it as always. A great community indeed.
Oct 6 2021
6:19 PM
4 Kudos
Meraki recommends using the hostname precisely for the reason you mentioned. In the event of a WAN failover, the hostname should update to the new WAN IP. In regards to getting it working, using a hostname vs an IP address shouldn't make a difference as long as the hostname resolves correctly. Are you using the Meraki dynamic hostname or do you have another hostname defined? Does the hostname resolve to the correct IP on the client PC?
Oct 4 2021
3:14 PM
You're correct, the MS220-8P is an 8 port GigE switch. It received an EOL notice in 2018 - https://meraki.cisco.com/lib/pdf/eol/meraki_eol_ms220-8.pdf I believe last date of support is 2025. As support is tied to licensing, and licenses are required for the devices to operate, you will need to purchase a license for the switch in order to continue using it.
Sep 26 2021
8:41 PM
1 Kudo
Thanks mate. I figured that was the case but wanted to confirm I wouldn't be stuck in the water if I did buy a USB modem. You'll be glad to know that there will definitely be MS and MRs scattered around the site. 😉 No MT's and MV's yet but never out of the question.
Sep 26 2021
6:24 PM
I'll soon be fitting out a site with a new MX75 and am investigating options for a 4G backup. I'm aware that Meraki had a compatibility matrix here for supported modems but it seems like the list has been removed. 3G/4G Cellular Failover with USB Modems - Cisco Meraki Is this a push for people to purchase their MG product instead? Additionally, does the MX enforce that only listed USB modems will work, or is it just a list of tested and verified compatibility?
Sep 21 2021
4:40 PM
1 Kudo
The only reason I can think of DHCP being recommended is for ease of initial configuration (zero touch deployment etc). If you want to stick with DHCP IP's for the AP's, you've got a few options:
- Create DHCP reservations for the AP's to ensure their IP remains consistent
- Rather than adding individual addresses as NPS clients, add the entire Meraki AP management subnet
Of course, as you mentioned the other option is to use static IP's instead.
Sep 16 2021
10:05 PM
As @Karl mentioned, you will need Meraki support to assist in enabling the No-NAT feature. You can then change this per uplink or per VLAN. https://community.meraki.com/t5/Security-SD-WAN/MX-in-Routed-Mode-with-No-Nat/m-p/44061/highlight/true#M11161
Sep 16 2021
3:16 PM
The "Host-based email" rule shows "Ports 25+" because it includes multiple ports:
- POP3 (Ports 110,995)
- IMAP (Ports 143,993)
- SMTP (Ports 25,465)
There may be more that I've missed but the main point is that there are multiple ports it is classifying. The "Windows file sharing" rule has a similar name and multiple port classification. However, for this rule, it lists the ports under the name.
Right! Sorry, I guess I'm the one who was confused! I haven't used SSID tunneling myself so I'm not sure whether the MR's L3 firewall rules are applied. My hunch is that they are still applicable but I'll let someone more knowledgeable comment with the correct answer 🙂
I think there's a little bit of confusion regarding the site-to-site VPN. The VPN tunnel itself begins and terminates at the MX device, not the AP's. Network traffic originating from the AP's will need to be routed (via Meraki or non-Meraki devices) to the MX, at which point it will be encapsulated and passed to the MX at the other site. This is the same for both VPN concentrator and routed modes. Therefore, the AP doesn't discriminate between network traffic that will end up on a VPN tunnel and traffic that won't. It simply enforces the per-SSID firewall rules configured. Also, a quick note in regards to: "Guess i am trying to get my head around how the VPN traffic will be subject to the stateful firewall when the MR Access Points has no visibility inside this tunnel." - Firewall rules on the AP are stateless
If I understand correctly, you're asking whether the AP firewall rules are applicable to site-to-site VPN traffic? The firewall rules present under the wireless configuration are specific to a given SSID. These rules are applied when traffic hits the AP prior to being sent over a site-to-site VPN. MR Firewall Rules - Cisco Meraki So all network traffic on that SSID will have the rules applied to them, regardless of whether it will end up traversing the site-to-site VPN or going directly to the Internet. The AP doesn't need to be in bridged mode for the rules to be applied. For example, the NAT mode configuration suggests adding additional L3 firewall rules NAT Mode with Meraki DHCP - Cisco Meraki As a point of difference, firewall rules configured under "Security and SD-WAN" are enforced on the MX device and is where you need to look at traffic destined for Internet vs Site-to-site VPN.
Sep 13 2021
6:26 PM
6 Kudos
Yes correct. I've done that here with two switchports. They are set as access ports tagging VLAN 500. As you can see, no L3 interface for that VLAN exists on the switch (or anywhere else in the network in this circumstance)
Sep 13 2021
4:24 PM
6 Kudos
Right, ok that makes sense. If the traffic is not being routed, an L3 VLAN interface shouldn't really be needed (unless you have some other requirement for it). You also don't need to explicitly define the VLAN anywhere like you would in traditional switches. https://community.meraki.com/t5/Switching/How-can-I-create-VLANs-on-MS-220-switch/m-p/11117/highlight/true#M818 You would really only need to ensure:
- iSCSI traffic is tagged (either on the Meraki switchport or elsewhere)
- The applicable Meraki switchports have the VLAN allowed on the trunk
You would probably also want to restrict the iSCSI VLANs from traversing to unnecessary switches.
Sep 13 2021
3:19 PM
I'm not sure I understand what you're trying to achieve. Is there a reason you need to create L3 interfaces on the downstream stack as well as the upstream switch? On Meraki switches, VLAN's are already present and tagged traffic can be passed by default. They do not need to be created on the switch as you would on a traditional Cisco switch via CLI. If you already have a VLAN 104 interface on the upstream switch, you don't need to create one on the downstream stack. You would configure that upstream IP as the gateway for the VLAN. If you have L3 interfaces for some VLANs (Eg, 1,3,5) on the downstream switch and L3 interfaces for other VLANs (2,4,6) on the upstream switch, then it makes sense to create a transit VLAN between the two switches. MS Layer 3 Switching and Routing - Cisco Meraki
Sep 9 2021
7:14 PM
2 Kudos
Unfortunately no, the device needs to be unclaimed by the original owner. Without being able to claim it into a Meraki account, there is no way to use the device. The below link outlines Meraki's standpoint on the topic Cisco Meraki Devices purchased Second Hand - Cisco Meraki
Sep 8 2021
3:36 PM
No-NAT is possible but I believe it still requires Meraki Support to enable. You also need to be running a semi recent firmware version - 15.x and above