i mean to say, if i configure warmspare using physical Lan port of MX95 and it gets internet via Fortigate. Would it be workable solution ... View more

For reference for the documentation team, this page does list the licensing correctly. https://documentation.meraki.com/Platform_Management/Product_Information/Licensing/Subscription_-_MX_Licensing   ... View more

To even further my point: If you look at the license naming you will see these two devices marketed as small: So according to the subscription t-shirt sizing these are the small tiers and we already have the XL tier. So to complete the set we will need new medium and large tiers 😉 ... View more

This is another case why Meraki needs to make the disable client sampling on specific ports configurable instead of the only excluse uplinks at it does now. In many designs you have 2 internet providers on opposite ends of the campus where you can't just use dumb switches between the ISP router and the MX WAN ports due to no fiber supports.  So then you need to be able to pass that traffic on the same switches but on a dedicated WAN VLAN. For these ports we should be able to disable the client sampling feature. ... View more

Yes there are some posts on this community where Philip explains how you can use SAML attribute claims to add a SAML attribute named "vpnpolicy" which then contains the string that matches the name of a Meraki group policy. You will however need to have Meraki support enable the Client VPN SAML group policy feature. Please refer here: https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SAML-Group-Policy-assignment/m-p/137691 ... View more

Avec les Cisco Meraki MX, le contrôle du Source NAT reste assez limité : par défaut, tout le trafic sortant est traduit avec l’IP publique principale de l’interface WAN, et il n’existe pas d’option native pour appliquer un NAT sortant différent par VLAN ou par client vers plusieurs IP publiques du même subnet. Les IP publiques supplémentaires sont surtout prévues pour des usages comme le 1:1 NAT ou le port forwarding entrant, pas pour segmenter le NAT sortant. Les joueurs peuvent accéder à Ile De Casino depuis un ordinateur, une https://jeux-casino-iledecasino.com/  tablette ou un smartphone. Pour contourner cette limite, certaines architectures placent un routeur ou un équipement NAT en amont afin de gérer la traduction par sous-réseau ou par flux. Par ailleurs, côté SD-WAN, le MX ne prend en charge que deux liens Internet (WAN1 et WAN2) ; il n’est donc pas possible d’utiliser un troisième lien WAN distinct (WAN3) pour définir des préférences de routage ou de flux. ... View more

That's about the map I have in my head 😉  Only part I didn't have is the left most column since I wasn't working in IT then. ... View more

This is because they still need to figure out how they will license the C9200, C9400,C9500, C9600 series that don't have a cloud management license past 2029. ... View more

The standalone switch must be connected to your stack instead and never directly connected to MX devices due to the spanning-tree issue. You always should connect your MX devices to 2 devices if possible but not more. So you build your network topology with your switches, they are the center of your network while your MX'es are at the edge.  So you have 2 stacked switches as distribution switch (and access if you have a small network) that connect with two cables to every other switch stack (or individual switch if not stacked). Below an example where the MX'es are connected to the switches acting as distribution layer switches. ... View more

If you are an MSP, consider using SAML to log in to the Meraki portal.  Once fully deployed, you'll see a list of clients to access when you log in. https://documentation.meraki.com/Platform_Management/Dashboard_Administration/Operate_and_Maintain/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard   Another easy solution is to use an Enterprise-style password manager that can store MFA and share credentials.  BitWarden is an example. ... View more

I also don't like multiple locations sharing the same STP topology.  That is just asking for trouble. If the circuit is provided through the router of the ISP and that router will only be connected with an individual link towards your switching then yes I would definitely disable STP on that port, but on that port alone.  Alternatively you could also ask the provider if they could put a BPDU filter on their interface leading to your own switches. ... View more

I understand that this is a current limitation of the dashboard, not something documented, and it also seems to be a real system limitation, not just a user interface bug. ... View more

I think workflows is a visual representation of API handling that comes with it's own environment to run the code on.  So this is very handy since you don't need to set up your own "server" to run your code on.  And since it can talk to just about anything it is a nice centralized place to do stuff. I have only dabbled in it a bit on a need to have basis. For example: during our years of operation we have multiple orgs in our msp portal that are pointing network flows to our cloud based syslog for troubleshooting purposes.  Since not every engineer documented it and has forgotten of a few we now need to loop through all our orgs to find which networks have syslog server configured to our server.  So I'm working on that 😉 ... View more

The Cisco networking sub can contain W7 AP's, C9350 switches and 8K routers. You can freely combine these with MR, MS, MT etc.. licenses in the same subscription. You only need to make sure the amount of the devices are correct. ... View more

Not sure about that.  But since the settings aren't that hard you could use the API to copy the identical settings from network to network. ... View more

Hi StevenPPAA,   Can you tell how did you access to the LSP on a 9200CX ? I try 198.18.0.1 directly connected to the switch but it seems not working....   Many thanks ... View more

We discovered that when using two hubs in a hub‑and‑spoke AutoVPN topology across different locations, the backend routing must be identical; otherwise, certain destinations will be unreachable. Some of my remote sites have unstable internet connections, and at times the tunnel to my primary hub would go down and fail to recover. The secondary tunnel did not have a full routing view of the environment like the primary hub. According to Meraki Support, AutoVPN will only attempt to recover a tunnel once both tunnels are down. Just an FYI :). ... View more

Seeing this as well, been logged out every morning. ... View more

It is the normal copper, 1G connection.  Here is a screenshot of one of the ports behaving this way. ... View more

vMX is now available in beta for KVM and ESXi with the latest firmware 26.1.2.   KVM Deployment Guide: https://documentation.meraki.com/SASE_and_SD-WAN/MX/Install_and_Get_Started/Installation_Guides/vMX_Setup_Guide_for_KVM   ESXi Deployment Guide: https://documentation.meraki.com/SASE_and_SD-WAN/MX/Install_and_Get_Started/Installation_Guides/vMX_Setup_Guide_for_ESXI   Images:  https://software.cisco.com/download/beta/1970167152 ... View more

I was in a "panic" because the neighbour advertised the default route. But you are right, the networks needs to be specific. But it still installed the default route when I had a 10.100.0.0/16 filter 😕 - With all the benefits of it being a higher priority for all spokes in autovpn ...  thats where the panic came from 🙂 So something is definitely going on there. ... View more

When the spare comes online: it downloads the same configuration as the primary (as required for Warm Spare) it establishes VRRP heartbeats with the primary it synchronizes required HA state (DHCP leases, monitoring, etc.) it transitions into the Spare/Passive role while the primary remains Primary/Active Only now is the Warm Spare pair fully operational. Remember that both MXes must be the same version.   The documentation provides all the additional details. ... View more

La première chose à vérifier est le routage des deux côtés, en particulier côté Huawei, afin de s'assurer que les sous-réseaux derrière le MX105 sont bien annoncés dans AutoVPN et ne chevauchent aucun réseau du MX95. Il faut également vérifier que la liaison montante en mode routé du MX105 est autorisée à acheminer le trafic VPN dans les deux sens et qu'aucun pare-feu ni aucune politique de sécurité du centre de données Huawei ne bloque le trafic ESP ou UDP après l'établissement du tunnel. J'ai aussi constaté des problèmes où la NAT ou un routage asymétrique en amont interrompt le trafic de retour, même si AutoVPN affiche un état vert. Aujourd’hui, le casino en ligne casinos sans verification https://gtamodding.fr/casino-en-ligne/sans-kyc/ est devenu une alternative pratique aux établissements physiques. Un simple ping de bout en bout permet généralement d'identifier l'origine du problème. ... View more

I have only used them in C9300s (where they work fine), I have some MS130s I could try the 1Gb ones with, but I think you already have the 10Gb ones working in MS225s, so that wouldn't prove anything.  Either way as mentioned above they aren't supported in MS switches for some reason... ... View more