Thanks for your quick response. Understood, provided I need anyconnect VPN, I must deploy vMX with no Av Zone.   Still a couple of doubts related to vMX redundancy in Azure:   In case you must deploy vMX in two different AZ Regions, then I think you can't solve the HA using Azure Functions.   I think best approach is deploying two standalone vMX hubs, each inside one of the peered Regions. Ok, you have to pay for two meraki licenses. However, you do not have to worry about complex HA scenarios or adding the route server (still do not know how vMX can run BGP against it as I read it required BGPoIPSec)   vMX in Region 1 would publish vnets in Region1 and vMX in region2 would inject vnets in Region 2.  Inside Azure, UDRs for subnets in Region 1 would route the on-prem prefixes towards vMX in Region 1. UDRs for subnets in Region 2, towards vMX in Region 2. All of this is a simplification, because in real world there is a FW applicance between server vnets and the vMX. So UDRs would point to the FW and FW to the vMX. It should work.    In this scenario I am aware subnet UDR for the vMX would require specific routes towards the customer server vnets towards the FW appliance. So AutoVPN decapsulated traffic will be sent to the FW from the vMX. However, I have to study how the vMX will send outgoing traffic to the FW.   When you deploy a vMX, Azure provides you with a basic ENI so you automatically get Azure internet access and vMX registers with Meraki cloud. So once registered, I will need to modify it to make control and also AutoVPN and Annyconnect traffic to be sent to the FW (as we do for on-prem Hubs). Azure assigns you a dynamic IP in your vnet and sets Azure vnet-reserved DGw .1 as vMX DGw. I suppose changing vMX subnet UDR to route 0.0.0.0 towards the FW IP would work: Traffic towards vnets would pass the FW, traffic towards internet would also be sent to the FW. And I guess Azure would still apply source nat to internet traffic sourced by the vMX vnet IP. Is my assumption right?       ... View more

Actually I had the exact same question.  I am trying to give access to security teams to a site network, but only for the firewalls/MX appliances.  From what I gathered here, it seems I would have to create two networks for each site - one with all the wireless, switching, IoT, etc. devices, and one with the firewall appliances.  I know it works, because I accidentally did this with switches and APs in different networks with similar names.  However this seems like alot of extra legwork.  Is this something Meraki is looking into in the future?  Is my understanding of the current capability correct? ... View more

Thanks xaviervalette   I have already passed the exam 🙂 ... View more

Yep, it's a challenge with quick filling up diskspace. I've got a colleague that's working with a script to select between flow logs vs flow_start and flow_end logs.  Apparently my colleague noticed that the flow_start and flow_end logs which also show NAT information always write to the log even if that specific rule is not set to disable logging. And then in that script you can merge different sources going to the same IP/port with hitcounters.  This is useful to start adding more specific firewall rules.  Oh well, busy busy 😉 ... View more

Yes!!! you are right is better for me /24 ... View more

You need some datacenter interconnect that supports your VXLAN needs.  However you can use Meraki MX devices to connect your branch offices to both datacenters if those are configured in concentrator mode.  You can then load balance branches coming in DC-1 and others to DC-2 if you use BGP between your MX'es and the routers in both Datacenters who will be handling the VX-LAN and routing outside of the datacenter. So in effect there is no Meraki device that does the VXLAN technology or other layer 2 DC interconnect technology but the Meraki devices are used to connect all your branches towards those services.   You should checkout the BGP documentation: https://documentation.meraki.com/MX/Networks_and_Routing/BGP ... View more

@Pavithran If you upgraded to MX16 then the 15.44.3 would disappear, it only remains as you have some MXs on MX15. ... View more

@johnplance  try It:   *googleadservices.com* googleadservices.com www.google.com:443/HTTPS accounts.google.com:443/HTTPS googledrive.com:443/HTTPS drive.google.com:443/HTTPS *.drive.google.com:443/HTTPS docs.google.com:443/HTTPS *.docs.google.com:443/HTTPS *.c.docs.google.com:443/HTTPS sheets.google.com:443/HTTPS slides.google.com:443/HTTPS talk.google.com:5222/XMPP (needed only for Backup and Sync) takeout.google.com:443/HTTPS gg.google.com:443/HTTPS script.google.com:443/HTTPS ssl.google-analytics.com:443/HTTPS video.google.com:443/HTTPS s.ytimg.com:443/HTTPS apis.google.com:443/HTTPS *.clients[N].google.com:443/HTTPS *.googleapis.com:443/HTTPS *.googleusercontent.com:443/HTTPS *.gstatic.com:443/HTTPS *.gvt1.com:443/HTTPS lh[N].google.com:443/HTTPS [N].client-channel.google.com:443/HTTPS clients[N].google.com:443/HTTPS inputtools.google.com:443/HTTPS sites.google.com:443/HTTPS sites.google.com:80/HTTP sites.google.com:443/HTTPS *.sites.google.com:443/HTTPS *.googlegroups.com:443/HTTPS ipv4.google.com:443/HTTPS ipv4.google.com:80/HTTP ... View more

We can uplink statics tracking on SD-WAN traffic shaping.   > Add the WAN IP address of remote peers just to make sure that there is no ISP connectivity issue. > Appliance status -> Uplink section will help us to see if there is any packet loss and latency.   We usually see these disconnections because of ISP circuits. ... View more

It's under Monitor Appliance Status     ... View more

Communication between two Non-Meraki VPN Peers cannot be achieved through Meraki VPN. Because you cant send the Non-Meraki VPN Peer A subnet to Non-Meraki VPN Peer B subnet from Meraki devices as a  local subnet.    You have to configure a direct VPN tunnel between two Non-Meraki VPN Peers to establish their communication. ... View more

Its a limitation of using IKEv1.  IKEv1 allows only one SA at a tunnel, secondary SA will not be formed until the primary is deleted. Use IKEv2 to fix the issue. It allows multiple SA at a tunnel and the traffic flows seamlessly.   Another Temporary workaround is it use higher prefix on the Meraki.  Instead of allowing various 10.20 segment , configure one static route with 10.20.0.0/16 and enable it on VPN.   ... View more

IKEv1 supports communication between only two CIDR in a tunnel. Example : 10.1.10.0/24 can communicate to 10.2.10.0/24 but if other subnets wants to establish a tunnel with same peer subnet then the traffic gets dropped as IKEv1 doesn't support multiple CIDR communication. ... View more

  > What is the cost of the running VMx in Azure? Is it cost effective.    It is when you have lots of sites.  Not so much when you only have a couple.,   > How is the internet security handled if we are using the internet link from Microsoft.    It runs as a VPN concentrator only.  It does not provide firewall, content filtering, IPS or other security functions.   > What is the best approach for HA in Azure.   I haven't seen any options for doing HA in Azure with a VMX. ... View more

Guys,   Any fix for this.   Regards, Pavithran C ... View more