Nice. Thanks for the reply! ... View more

Perfect 👌 Yeah we will only run Adaptive Policy capable devices on networks we want to enable it on. ... View more

If it's in a test tenant make sure that you set the email field to be the same as your UPN on your entra id user. This one slipped my eyes when I went through the documentation.  ... View more

Hi, When this post was created that was indeed the case. But now you can deploy it in routed mode and use L4-L7 features with the advanced security license as long as you run 19.1 ->   If you deploy in routed mode internet access should work since the vMX will do NAT. You can also use it as a firewall on a stick for VNETS in this setup. You just need to add a route table to the spoke subnets pinning all traffic to the vMX LAN interface in the HUB VNET.   Check out this FAQ for more info. I think it will give you most of the answers you seek 🙂 vMX NAT Mode Use Cases and FAQ - Cisco Meraki Documentation ... View more

I would use a FEX or a switch that is designated for single homed connections if possible.       If none of the above is possible i would do it this.   Create vlan on both Nexus switches.   Best practise is to keep non vpc vlans off the peer-link and use a dedicated interface/portchannel. But using the peer-link works as well. Do what fits your setup.   Then you should plan your stp topology. The MX forwards BPDUs un-modified so the nexus switches will see each other's BID. Use that to plan your forwarding and alternate ports.   If you get the stp topology wrong nothing bad will happen, but your data path will be through the MX instead of your peer link/dedicated l2 interface. Considering this it might me smart to split the MX vlan out of the default MST domain and create a dedicated one just to reduce the potential fallout.   Imagine how easy this would be if the MX just could do portchannel....   What ever you do, don't enable bpdu filter on those ports... made that mistake in my early career. Still remember the feeling in my gut when the terminal went unresponsive 😬 ... View more

I will! Thanks! ... View more

Ah. Yeah i know the issue... pushing back on a lot of bad policies my self... good intentions but bad execution.   It would be interesting to see if you pick up probes on the consentrator MX if you unset the tunnel health check IP. It should still send the probes bit with a destination address of 0.0.0.0.   I cant say that i have tried that feature out in. I avoid L2 tunneling where i can. ... View more

But you are running catalyst SD-WAN no? Why not reduce the complexity of your guest network solution and drop it in a separate guest VPN instead of dubbel tunneling?   Anyhow, seems like the tunnel is up. Have you tried to capture traffic in the MX vpn consentrators? You should be able to capture the de-capsulated packets there. ... View more

And now its merged with main. New provider version 1.1.7-beta is out 🙂 Thanks everyone! ... View more

Fyi there is a commit do the dev branch of the repo with a possible solution now. 🙂 ... View more

Done. Here is a link to the issue. Thanks for the replies 🙂 https://github.com/cisco-open/terraform-provider-meraki/issues/274 ... View more

Thanks for the tip, but unfortunately it did not solve the issue. rules wrapped in a tolist using locals: locals { firewall_rules = tolist([ { comment = "Deny-RFC1918." dest_cidr = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16" dest_port = "any" policy = "deny" protocol = "any" src_cidr = "any" src_port = "any" syslog_enabled = false }, { comment = "Allow-corp-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_corp src_port = "any" syslog_enabled = false }, { comment = "Allow-iot-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_iot src_port = "any" syslog_enabled = false }, { comment = "Allow-guest-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_guest src_port = "any" syslog_enabled = false } ]) } resource "meraki_networks_appliance_firewall_l3_firewall_rules" "sb3_fw_l3" { network_id = meraki_networks.sb3.id rules = local.firewall_rules }     Dashboard:     Copy of the state file block for firewall rules. { "mode": "managed", "type": "meraki_networks_appliance_firewall_l3_firewall_rules", "name": "sb3_fw_l3", "provider": "provider[\"registry.terraform.io/cisco-open/meraki\"]", "instances": [ { "schema_version": 0, "attributes": { "network_id": "xxxxxxxxxx", "rules": [ { "comment": "Allow-corp-outbound-to-internet.", "dest_cidr": "any", "dest_port": "any", "policy": "allow", "protocol": "any", "src_cidr": "10.100.2.0/24", "src_port": "any", "syslog_enabled": false }, { "comment": "Allow-guest-outbound-to-internet.", "dest_cidr": "any", "dest_port": "any", "policy": "allow", "protocol": "any", "src_cidr": "10.120.2.0/24", "src_port": "any", "syslog_enabled": false }, { "comment": "Allow-iot-outbound-to-internet.", "dest_cidr": "any", "dest_port": "any", "policy": "allow", "protocol": "any", "src_cidr": "10.110.2.0/24", "src_port": "any", "syslog_enabled": false }, { "comment": "Deny-RFC1918.", "dest_cidr": "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16", "dest_port": "any", "policy": "deny", "protocol": "any", "src_cidr": "any", "src_port": "any", "syslog_enabled": false } ], "rules_response": [ { "comment": "Allow-corp-outbound-to-internet.", "dest_cidr": "Any", "dest_port": "Any", "policy": "allow", "protocol": "any", "src_cidr": "10.100.2.0/24", "src_port": "Any", "syslog_enabled": false }, { "comment": "Allow-guest-outbound-to-internet.", "dest_cidr": "Any", "dest_port": "Any", "policy": "allow", "protocol": "any", "src_cidr": "10.120.2.0/24", "src_port": "Any", "syslog_enabled": false }, { "comment": "Allow-iot-outbound-to-internet.", "dest_cidr": "Any", "dest_port": "Any", "policy": "allow", "protocol": "any", "src_cidr": "10.110.2.0/24", "src_port": "Any", "syslog_enabled": false }, { "comment": "Default rule", "dest_cidr": "Any", "dest_port": "Any", "policy": "allow", "protocol": "Any", "src_cidr": "Any", "src_port": "Any", "syslog_enabled": false }, { "comment": "Deny-RFC1918.", "dest_cidr": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16", "dest_port": "Any", "policy": "deny", "protocol": "any", "src_cidr": "Any", "src_port": "Any", "syslog_enabled": false } ], "syslog_default_rule": null }, "sensitive_attributes": [], "identity_schema_version": 0, "dependencies": [ "meraki_networks.sb3" ] } ] }   The order in the statefile matches what i see in the dashboard. I just dont get why it reorders the array. ... View more

It is indeed an array. This is the terraform resource for L3 firewall rules. resource "meraki_networks_appliance_firewall_l3_firewall_rules" "sb3_fw_l3" { network_id = meraki_networks.sb3.id rules = [{ comment = "Deny-RFC1918." dest_cidr = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16" dest_port = "any" policy = "deny" protocol = "any" src_cidr = "any" src_port = "any" syslog_enabled = false }, { comment = "Allow-corp-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_corp src_port = "any" syslog_enabled = false }, { comment = "Allow-iot-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_iot src_port = "any" syslog_enabled = false }, { comment = "Allow-guest-outbound-to-internet." dest_cidr = "any" dest_port = "any" policy = "allow" protocol = "any" src_cidr = var.subnet_prefix_guest src_port = "any" syslog_enabled = false } ] }   This is how it ends up in the Dashboard.       I deleted all rules above and pasted the same array into postman. Postman body: { "rules": [ { "policy": "deny", "protocol": "any", "srcCidr": "any", "destCidr": "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16", "comment": "Deny-RFC1918.", "srcPort": "any", "destPort": "any", "syslogEnabled": false }, { "policy": "allow", "protocol": "any", "srcCidr": "10.100.2.0/24", "destCidr": "any", "comment": "Allow-corp-outbound-to-internet.", "srcPort": "any", "destPort": "any", "syslogEnabled": false }, { "policy": "allow", "protocol": "any", "srcCidr": "10.110.2.0/24", "destCidr": "any", "comment": "Allow-iot-outbound-to-internet.", "srcPort": "any", "destPort": "any", "syslogEnabled": false }, { "policy": "allow", "protocol": "any", "srcCidr": "10.120.2.0/24", "destCidr": "any", "comment": "Allow-guest-outbound-to-internet.", "srcPort": "any", "destPort": "any", "syslogEnabled": false } ] }   Postman response: 200 OK "rules": [ { "comment": "Deny-RFC1918.", "policy": "deny", "protocol": "any", "srcPort": "Any", "srcCidr": "Any", "destPort": "Any", "destCidr": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16", "syslogEnabled": false }, { "comment": "Allow-corp-outbound-to-internet.", "policy": "allow", "protocol": "any", "srcPort": "Any", "srcCidr": "10.100.2.0/24", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false }, { "comment": "Allow-iot-outbound-to-internet.", "policy": "allow", "protocol": "any", "srcPort": "Any", "srcCidr": "10.110.2.0/24", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false }, { "comment": "Allow-guest-outbound-to-internet.", "policy": "allow", "protocol": "any", "srcPort": "Any", "srcCidr": "10.120.2.0/24", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false }, { "comment": "Default rule", "policy": "allow", "protocol": "Any", "srcPort": "Any", "srcCidr": "Any", "destPort": "Any", "destCidr": "Any", "syslogEnabled": false } ] }   Dashboard:         Everything is identical in the array. The only difference is how i populate the fields in terraform. I'm just pointing to some variables defined in variables.tf   Here they are: variable "subnet_prefix_corp" { type = string default = "10.100.2.0/24" } variable "appliance_ip_corp" { type = string default = "10.100.2.1" } variable "subnet_prefix_iot" { type = string default = "10.110.2.0/24" } variable "appliance_ip_iot" { type = string default = "10.110.2.1" } variable "subnet_prefix_guest" { type = string default = "10.120.2.0/24" } variable "appliance_ip_guest" { type = string default = "10.120.2.1" } variable "subnet_prefix_mgmt" { type = string default = "10.130.2.0/24" } variable "appliance_ip_mgmt" { type = string default = "10.130.2.1" }   It looks like Terraform is somehow re-ordering the array. But i'm not sure how or why 😕  ... View more

I just did the Meet AI Assistant for Networking and Introducing the Cisco Campus Gateway!   The AI module was nice and i look forward to trying it out in some of my larger deployments.   Campus Gateway was nice, but i wish there was some hands on in the module. Maybe something for a more advanced campus gateway track 🙂 ... View more

I WANT IT   My desk is too clean.... ... View more

Route everything back to the hub.   You are not mixing traffic. Its just that traffic arrives on the one armed vpnc encapsulated and leaves un-encapsulated or vise versa.   Now why in the world would you do that? Would you do that with any regular border firewall? And this is if i look past the technical challenges with doing this. Or am i missunderstanding your question? ... View more

Yes for the hub. Spokes brake out to internet localy.   You run BGP is the SDWAN as well, then configure a LAN BGP peer to the downstream router to exchange datacenter and SD-WAN routes. Bgp peering also occurs between the hub and spoke over the SD-WAN tunnel.   Everything from 10 spokes to 100+. ... View more

Hm. Maybe its because LAN BGP is fairly fresh? The customers i have running on this setup works like a charm. There is also the additional benefit of not needing to have an external NAT device for the one-armed VPN-C. ... View more

Honestly at this moment i think it comes down to if you want to full tunnel or not.   I do some work i larger datacenter/provider networks and i deploy most hubs in routed mode with lan bgp.   This allows me to follow the datacenter building blocks by connecting WAN to the PE routers categorized as "outside/untrusted" and the LAN side directly in customer context/vrf and carry that traffic across the mpls core to all distributed services.   This is more of a policy win rather then technical. But many providers handle segmentation this way. ... View more

Wow! Amazing effort by an equally amazing community! Congratulations all! ... View more

MM_NO_STATE means that it cant establish phase 1 of the tunnel. It could be some issues with Dyndns and how the ASA and MX resloves the names. Did you try setting it up with the assigned IPs instead of dns name just to see if it comes up? ... View more