Sorry to resurrect an old thread, but I thought the use of the native vlan was not within best practice. Instead of using the native vlan, could one just tag the mgmt vlan on that same link that the transit vlan is on? ... View more

Thanks for the info, @Bruce and @DarrenOC I'm good to go! ... View more

I hear what you are saying, and it makes sense....except if I NAT between a 10 address and a 172 address, I'll end up double NAT-ing, which I would like to avoid. I'll advise further after I've spoken with the supplier, but imposing another router/NAT in the path may be the only wy forward if they are unwilling/unable to give addresses 😞 ... View more

@CptnCrnch nailed it.   Remember too - if you need to be more granular about who can access what, across a VPN tunnel - down to devices within the VLANs at either end - you can also configure VPN firewall rules:   https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#VPN_Firewall_Rules These are configured separately from general inter-VLAN/Internet firewall rules.   Look under Security & SD-WAN > Configure > Site-to-site VPN ... View more

Thanks! ... View more

@MilesMeraki is correct, there is no hit counter for this type of thing. ... View more