Hello all, I have a hub-to-spoke design that I need to implement for a client where which is somewhat straightforward, however I've never done this design before so would appreciate if anyone could validate. The client has a requirement to tunnel all publicly destined traffic through their existing internet perimeter firewalls which has IPsec VPN tunnels to a cloud on-ramp web security service. Therefore my logic is to configure hub as the following priority & settings: Primary MX hub will be implemented in Split Tunnel mode (greenfield DC CoLo environment) Secondary MX Hub will be implemented in Full Tunnel mode with "Default Route" option selected (existing HQ Office, also regarded as customers existing DC environment). Secondary MX hub will also need to be in routed mode. Would this configuration work, so spokes for e.g would transit 10.x.x.x/8 networks via primary hub? And any network traffic destined to public addresses would transit via secondary hub, since the default route option is selected and static routes downstream to core switches/firewall are explicitly configured on secondary hub? I've based this logic as per documented (from Site-to-Site VPN doco) behavior when Default Route option is selected    Also done up a quick high-level diagram for further detail of proposed setup.       ... View more

Hi All, apologies if this question has already been asked. I'm in need to add 150+ static routes in total into network(s) and just wondering if there's already a public python script available to bulk import static routes? ... View more

Hi All   So I have a important project for a critical site that's running primary all Juniper hardware. We're planning to replace the core Juniper SFP switches with 2 x MS425-16 port SFP switches. While leaving existing Juniper access switches as-is for the time being.   I have two questions:   1. Is there a way of manually assign aggregation group number? I need to do this to so the numbers match up the existing aggregation ethernet groups numbers on Juniper access switches for consistency purposes (i.e AGGR/9 matches to AE9.0)?   2. Has anyone experienced any issues configuring LACP links between Meraki switches and Juniper switches? ... View more

Hey all, We're about to test out a Meraki wireless solution for a client. Part of the solution's requirement is to match the existing legacy Cisco WLC design (sitting within DMZ) for Guest Wi-Fi traffic, integrating with ISE for central web authentication. Therefore, we're going to put a MX250 (in one-armed mode) within the clients DMZ as a concentrator in order to segregate guest SSID traffic from corporate traffic. Now what I'm unsure and I'm hoping for people more knowledgeable to confirm my understanding. Since the MX250 will be configured in one-armed mode as recommended in SSID tunneling doco.   My understanding is that we can design it in a way with the MX250 WAN1 port trunked to the DMZ switch/firewall with two configured VLANS on the trunk port. With say VLAN 243 as the management/Out-of-band VLAN for MX250 AND as the tunnel endpoint for MR access points? The other VLAN 305 will be for tagged guest SSID traffic egress from MX to external FW/Internet? By doing this we're separating mgmt/out-of-band traffic.           Therefore, in terms of configuration. WAN1 port on MX250 as per below tagged with VLAN 243?   Guest SSID would be configured with traffic tagged on VLAN 305 as per below?   The doco about SSID tunneling unfortunately isn't really comprehensive, so I appreciate if anyone could validate the above.   ... View more