Yes, its an EA. So i can use MX-100 licenses as vmx-L and Mx-68 as vmx-S ? ... View more

Take a look at the documentation too.     https://documentation.meraki.com/MX/Site-to-site_VPN/Primary_and_Secondary_IPsec_VPN_Tunnels ... View more

Your understanding is correct. If both MX WAN ports are on the same L2 from the ISP and the /29 is delivered on the wire, assigning VIP (.4) plus additional public IPs (.5, .6) works: VIP handles AutoVPN and Client VPN without interruption, while DNAT rules against .5/.6 float seamlessly during warm-spare failover.   Just add the additional IPs under Security & SD-WAN > Configure > Firewall, set up your DNAT rules, and point all VPN traffic at the VIP.   Refer to the Meraki Documentation: https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX   https://meraki.cisco.com/blog/2014/08/1many-nat-for-meraki-mx/     ... View more

Both MX devices need L2 connectivity to each other to pass their VRRP keepalives.  So the FTD uplinks must either be a bridge group or interfaces connected to intermediate switches to split between both MX units. ... View more

The MX does not support aggregated links or LACP. ... View more

How are you assigning the 1.1.1.0/29 pool? Is it something that you have picked yourself?   1.1.1.1 is a public-ly routed subnet, so I would very much avoid using that on the WAN interfaces of the MX. Considering also that when Meraki Devices go offline and loose their Uplink Connectivity, they tend to be arp'ing a 1.1.1.1 address.    If you do not have a public routed subnet assigned that you can use, try to stick to RFC1918 addresses.  ... View more

 ipad has been enrolled, ade status pushed, however still it shows the attached error. Moreover it is not getting supervise also. What could be the problem  ... View more

We have lan public ip pool that's routed on wan ip pool. Here mux having one of the ip assigned from wan ip pool. So can i use lan public ip pool to assign each meraki mx uplink ip and one vip ... View more

Hi Vishal,   Yes, that is correct. Meraki MS classic switches (excluding MS390) are unable to ping their own Layer 3 Interface. KB: https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_and_Routing#Pings_Destined_for_a_Layer_3_Interface ... View more

Correct.  It can only be configured via Powershell - which is what the web page creates for you. ... View more

Independent of your topology failovers will happen in two scenario's. 1) Both WAN's are down in the primary (in this case the primary MX will send a VRRP message that excludes the primary firewall as active forwarder). 2) The spare unit no longer gets any VRRP messages from the primary.  ( if the active firewall is still there then you will have an active active scenario with instability as effect ). ... View more

Access VLANs are fine, you just usually cannot trunk VLANs over an unmanaged switch. ... View more

You don't have to have Duo.  You can use any Idp that supports geographic restrictions.  Another example is AzureAD/EntraID with an appropriate licence for conditional access.   I'm just giving you what is required to do what you have asked.  You need to buy all the appropriate bits of the solution for it to work.  Buying only some of the bits ... well that just wont work. ... View more

Yes exactly that.   Reserved IP is taking those IP addresses out of the DHCP scope. ... View more

Yes, all the traffic will go through spare MX ... View more