Sorry to resurrect an old thread, but I thought the use of the native vlan was not within best practice. Instead of using the native vlan, could one just tag the mgmt vlan on that same link that the transit vlan is on? ... View more

Thanks for the info, @Bruce and @DarrenOC I'm good to go! ... View more

I hear what you are saying, and it makes sense....except if I NAT between a 10 address and a 172 address, I'll end up double NAT-ing, which I would like to avoid. I'll advise further after I've spoken with the supplier, but imposing another router/NAT in the path may be the only wy forward if they are unwilling/unable to give addresses 😞 ... View more

Now I'm gonna move the goalposts, sorry.....its been suggested that I could use the inbuilt MAC capabilities of the MX to do what I need, so create a firewall rule to block everything, apply that, then use a client rule to whitelist the clients by MAC address. That should work OK, but I believe setting the firewall deny-all rule will prevent the existing ports on dot1x from working. That being the case, I will have to whitelist all devices and can't use dot1x even for the devices upobn which it works.   Is the situation as I describe, or have I misunderstood something   Thanks   Jim ... View more

@CptnCrnch nailed it.   Remember too - if you need to be more granular about who can access what, across a VPN tunnel - down to devices within the VLANs at either end - you can also configure VPN firewall rules:   https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#VPN_Firewall_Rules These are configured separately from general inter-VLAN/Internet firewall rules.   Look under Security & SD-WAN > Configure > Site-to-site VPN ... View more

Thanks! ... View more

@MilesMeraki is correct, there is no hit counter for this type of thing. ... View more