You can try the factory reset procedure here to get the MX back to defaults, https://documentation.meraki.com/zGeneral_Administration/Support/Resetting_Cisco_Meraki_Devices_to_Factory_Defaults. But before you do that I'd call support and see what they can do to assist, they can likely see things happening on the backend that you can't. ... View more

@d2 Exactly that. In normal circumstances you have your primary internet link and your MPLS link on MX1. You run AutoVPN across them both (assuming there is internet access from the MPLS network somewhere - either directly or via the head-end) and you can use the SD-WAN capability. You have a backup internet link on MX2 so that in the event that MX1 fails you get internet access (local breakout) via MX2 and an AutoVPN tunnel is brought up to connect back to your head-end.   The other failure scenarios are (assuming primary internet is in WAN 1 on MX1): primary internet fails, all traffic goes via the MPLS link. MPLS link fails, all traffic goes via the primary internet. Both primary internet and MPLS link fails, VRRP will make MX2 active and all traffic will go via backup internet link. ... View more

Hi @d2 , here's some confirmation of your points, and some considerations.   You are correct, only Active MX forwards traffic, but the Standby MX does need to have connectivity to the Meraki cloud so that it can report in, receive firmware upgrades, etc. Sometimes its a struggle (or expensive) to get the MPLS carrier to provide that second port and additional IP addresses on their CPE device. Consider your failure scenarios as you're only likely protecting against the failure of the MX in this case. Can you make do without the MPLS circuit temporarily if an MX fails? You'll still have connectivity to data centre via the AutoVPN over the internet. Consider your option for the internet links. Do you need a internet link with a /29, what's the price? You may be able to get two separate internet links from two separate carriers instead. The circuits on the WAN side don't need to be in the same subnet, they don't have to have a vIP and they can be completely independent, VRRP doesn't run between the WAN ports. On the LAN side of the MX, yes, they do use VRRP, but both MX appliances share a single IP address (VRRP runs at Layer 2 in this instance), so you can keep your /30 between the MX and the switches. Changing the carrier routing to static is a definite. BGP on the MX is for within the SD-WAN (iBGP) and integrating to the SD-WAN head-end data centre (eBGP). Its not intended for integrating with a carrier running BGP. With regards the visibility, that depends how you set it up. By default the MX allows all outbound internet and all the return traffic, like a normal stateful firewall. But with the AutoVPN/SD-WAN you can force all traffic to your central site still if you'd like. Or, if you purchase the SD-WAN Plus license, then you can do application specific breakout at the branch site, and still tunnel the other traffic to the data centre. Or you can used direct internet access for all traffic at the branch, and only internal traffic across the SD-WAN. I'm sure others will have more comments and suggestions too.  ... View more

@Dennb10  What IOS-XE version is running on the Catalyst? Are all the other APs that are working all MR45s and are the other Catalysts running the same IOS-XE version? Are there any messages related to PoE in the Catalyst event log? I think you're probably better off troubleshooting this from the Catalyst side. I know there have been bugs in IOS-XE where the LLDP power negotiation doesn't work correctly with some devices. ... View more

Good job on solving the Checkpoint issue.   The reason you couldn’t use the /16 is because if you do then the subnets for both locations end up being 143.161.0.0, and you can’t have that if you want to send traffic between them. (Each octet in an IP address is 8 bits, so a /24 means the first three octets define the subnet, whereas a /16 means only the first two octets define the subnet).   If you’re using a /24 at each site, you have 254 available IP addresses per site, so if you’ve only got 20 devices (even 50) that’s more than enough. The VPN can work for all the devices on the network, but that depends on the routing being setup correctly, and the network segmented properly. ... View more

@UmutYasar Unfortunately the BGP integration is only available when running the MX in VPN concentrator mode. But it does work as you say - it runs iBGP across the AutoVPN, and then eBGP to another device (e.g. your MPLS router), exchanging routes in both directions.     ... View more

Get the Catalyst 9000 Visio stencils from the Cisco website. They’re the same as the Catalyst 9300-48 switches. If you need the 4x10Gbps module you can use the Catalyst 9000 4x1Gbps module. ... View more

The configuration looks about right, you should check to see if the VPN is being formed - Security & SD-WAN -> Monitor -> VPN Status. If there is no VPN forming then there is probably something beyond the MX 'blocking' it. And as @GreenMan says, it may also be worth putting a call in to support.  ... View more

As @UCcert stated, its technically not supported, although to connect two devices that are next to each other with MA-QSFP-40G-SR-BD modules, which would be the cheapest, still seems an expensive approach. You have two options:   Go with the Meraki supported option and purchase the required transceivers Use a third party option and hope it works (more often than not they do). In this case if you raise a support case and Meraki Support believe the transceiver is the issue they may ask you to swap to a supported transceiver before they assist further ... View more

When you setup your Site-to-Site AutoVPN (Security & SD-WAN -> Configure -> Site-to-Site VPN) you need to ensure that the local network for each location is set to 'VPN on' under VPN Participation. This effectively allows each MX to tell the other about its local networks. ... View more

Sounds like you are on the right track with head office. As you move the branch (spoke) sites over to the Meraki MX (Auto VPN) you'll most likely need to get your MPLS provider to update their routing. You'll need to make sure that the return route from the DC to the branch (spoke) is via the head office site, otherwise the traffic won't be able to get back to the head office MX and into the Auto VPN. You'll have to work with your MPLS provider on this one, hopefully its just updating the MPLS CE at the head office (and maybe the spoke), if they support dynamic routing you may be able to do it with the OSPF integration that @MerakiDave mentioned. ... View more

@UmutYasar  With the two MX appliances you connect both to two different switches in a stack, see the bottom diagram on this page, https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair - just make sure the switches are running spanning-tree (STP). With the routing I would put the MPLS CE connection into its own VLAN and have the gateway for this VLAN on the MX appliances, that way you can keep all the routing into and out of the site on the MX appliances (especially if you plan to move away from the MPLS eventually). The routing between the MX and MPLS CE will be static. As you say, the MX becomes the primary gateway for the site, and since it has a route to the MPLS CE, will route traffic there when required. Although the MPLS CE will remain physically connected to the LAN switch, logically it will be directly connected to the MX device. The only thing to be aware of here is the throughput to the MPLS CE, since its all running though the MX you need to make sure you are within the spec's of the MX device. Do you know what the throughput on the MPLS is, and what MX device do you have? ... View more