Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join now- About JpAlvesCroce22
About JpAlvesCroce22
Community Record
13
Posts
1
Kudos
1
Solution
Badges
Aug 6 2025
11:26 AM
Thanks for the prompt response. The problem with the proposed solution is that we only have a single LAN between our MX-250 and the C9407. The default gateway for the wireless network is the C9407, not the Meraki. What we're considering is running a Python script using the API to assign the group policy based on the client's IP address. Do you have any other alternatives?
... View more
Aug 6 2025
10:31 AM
Dear all, my organization is requesting the following configuration, and we are encountering some issues or limitations. Request: The business is requesting that we limit access to a specific Wi-Fi network, which is accessed using MR36, 33, etc. devices with Enterprise licensing. This network is only accessible to IoT or PINpad devices, which must access a specific domain list; all other traffic would have to be denied or discarded. Technical scenario: As previously mentioned, the Wi-Fi network is comprised of MR devices. We distribute it using Catalyst C9200 equipment. The default gateway for that network is a Catalyst 9407r, which connects to an MX-250 to access the Internet. Client tracking is done through IP addressing, since the MX-250 doesn't have direct addressing. The device that has the VLANs and addressing is the C9407r. Note: The MX-250 has an Advanced Security licensing level. What would be your recommendation for applying this type of request? We used the MX-250's Firewall rule set, but it didn't work very well, as it drops traffic and doesn't handle URLs very well. We've noticed that the Layer 7 firewall only has the option to deny and disallow a specific list of URLs, for example. Would it be possible to apply a whitelist only to a specific IP segment?
... View more
Oct 31 2024
5:28 AM
Hi @zerkerotz , it's a pretty simple question, but did you check that the user's device does not have a permissive policy applied (Whitelist)?
... View more
Oct 31 2024
5:24 AM
1 Kudo
Hello community, how are you? I just wanted to tell you that we found the problem that caused interruptions when renegotiating PPPoE connections. The problem was in the large number of IP objects assigned to the L3 Firewall of the Mx64 devices. After optimizing the rules, we returned to normal behavior. I proceed to end the thread
... View more
Oct 30 2024
12:23 PM
Hi, I'm having the same problem. Has anyone had an answer to this problem?
... View more
Oct 4 2024
5:30 AM
Malwina, thanks for the reply and the information. Regarding failover, we have “Graceful” (default selection) configured on all our Spokes. In addition, we have some SD-WAN policies, with which we route one of the Spoke segments to certain destinations through WAN2 (PPPoE) "Prefer WAN 2. Fail over if uplink down." We have this configuration that way, due to the performance of the WAN links. What suggestion could you give us? Use WAN failover and failback behavior "Immediate"? On the other hand, I continue to verify the behavior of the PPPoE negotiation and I see that the Mx-64 devices take between 2 and 5 minutes in some cases, generating many VPN tunnel connectivity change true/false entries. In addition, we have Mx-85 as Spoke in some locations and we see that the negotiation is a few seconds. What could be the reason for that?
... View more
Oct 3 2024
10:51 AM
Hello everyone, I am an administrator of an organization that has about 150 Spokes, in which we have a double WAN link. Wan1 PPPoE with dynamic IP assignment and a renewal every 12 hours.It is important to mention that the ISP of Wan1 provides DHCP-IPV6 In Wan2 we have an ISP which provides us with the service through static IP on Radio link equipment. The problem we are having is that when renegotiating the PPPoE (every 12 hours), the Spoke is affected generating interruptions of a few minutes, until it manages to negotiate correctly. Currently our Spokes are with Mx64 with Firmware MX 18.107.10 I would appreciate if anyone has had this same problem or knows what may be happening. Thanks and Greetings to all
... View more
Labels:
- Labels:
-
Auto VPN
Aug 22 2024
12:47 PM
Thanks for the reply @Ryan_Miles . Perfect, then we can say that to carry the default traffic (0.0.0.0./0) to another Firewall device that is on the same LAN as our Hub, it is necessary to have the propagated route 0.0.0.0/0 via the navigation Firewall. Would it be necessary to propagate it through the auto-vpn?
... View more
Aug 22 2024
11:57 AM
The hub is configured in router mode, effectively with a default route pointing to the LAN (Browsing Firewall)
... View more
Aug 22 2024
10:48 AM
Hello everyone, how are you? To put it in context, I'm taking over the management of a new organization and we don't have much communication with the previous administrators. I'm checking the routing and they have deployed something that catches my attention and I think it's misapplied. The scenario consists of a central site as a hub and 50 locations as spokes. Full tunnel is applied through Auto-VPN, but the central site also announces the default route 0.0.0.0/0 to the spokes of the organization. So in the routing table I have three entries 0.0.0.0/0 and two correspond to "Meraki VPN:Static Route" The question is... if I eliminate the route 0.0.0.0/0 that is announced from the central site and leave only the "IPv4 default route" Checkbox enabled, shouldn't it be affected since they do the same thing?
... View more
Labels:
- Labels:
-
Auto VPN
Aug 13 2024
5:27 AM
Hey @PhilipDAth Thanks for the reply. It is clear that I am not going to get a simple solution. From what I have been looking at, the SD-Wan Plus license is not a requirement, only for exclusions based on applications. Likewise, taking this path would imply making a design change to the Networking architecture and we have to evaluate that with more time. The other alternatives would have to be seen together with our cybersecurity team, since we are using Umbrella (Roaming-Client). Ultimately, I understand that there is no current capacity in the Mx devices that can solve this problem. Thanks!
... View more
Aug 12 2024
9:15 AM
It is possible to obtain the Cloudflare Worker segment, the problem is that these same Workers resolve many URLs, which we do not want to be consumed in a centralized way. It would have to be a solution like the internet breakout in reverse, since we do not have Full-tunnel in our Auto-VPNs Would it be possible to route through FQDN?
... View more
Aug 12 2024
7:33 AM
Hello everyone! I'd like to comment on a problem that we need to resolve in our organization. Currently, the internet is resolved locally in each of our Spokes. The requirement we have is that we need to resolve some URLs centrally through one of our central sites (HUB). The problem is that the site to be resolved does not have a fixed IP address, since we resolve it through Cloudflare Workers and the address rotates. Can you think of how I could resolve this point? Thanks!
... View more
Labels:
- Labels:
-
Auto VPN
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 1147 | Oct 31 2024 5:24 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 1 | 1147 |
© 2025 Cisco Systems, Inc.
