The Meraki Community
About Gordon
Gordon
Getting noticed
Member since Jan 12, 2018
08-18-2020
Kudos from (user: count)
phelpsa06: 1
cmr (Kind of a big deal): 1
CptnCrnch (Kind of a big deal): 1
MarcosD: 1
PhilipDAth (Kind of a big deal): 3

Kudos given to (user: count)
ww (Kind of a big deal): 1
PhilipDAth (Kind of a big deal): 2
MerakiDave (Meraki Employee): 1
jdsilva: 1

Community Record
49 Posts
10 Kudos
0 Solutions

Badges
1st Birthday, 25 Posts, First 5 Posts, First 10 Kudos, Lift-Off
Latest Contributions by Gordon

Re: Verifying Firewall Rules
by phelpsa06 in Security / SD-WAN
02-19-2021 12:48 PM
This is by far my biggest drawback with Meraki; otherwise I use these where I can. I've learned to utilize the syslog functions (we use Rapid7). It would do so much for Meraki to be able to show a live monitor (like Palo, Firepower and others...). With over 45 Meraki sites, the log fills up quick! Not sure if it would ever be in the cards... But maybe, just maybe. lol -my 2 cents.

Re: Meraki - not impressed
by Kind of a big deal PhilipDAth in Off the Stack
07-28-2020 02:23 PM
1 Kudo

> - When a failover occurs a GARP is not sent for the 1:1 NATs, therefore in the case of a failover anything that uses our 1:1's stops working

I haven't run into this issue before. I'm guessing whatever upstream device you are using is requiring this.

> - The hit counters on the firewall rules don't work. I have verified this and also have confirmation from tech support.

Agreed.

> Client VPN. There isn't a way to apply different rules to users since you can't assign a static IP to a VPN client and the MAC address is not registered on the firewall so you can't apply a group policy to it.

Negative. I do this all the time. You get the user to VPN in once (I typically do it myself the first time to test everything is working and they are getting the correct access), and then apply the group policy to that connection. The group policy is applied against the user, not any MAC address in this case. Then you use group policy firewall rules to control what they can access.

> No way to positively verify that firewall rules are working as intended.

Agreed. I wish this was better.

> Failover order doesn't make sense. At least not to me.

I guess this is a matter of perception. The idea is that the warm spare does not kick in unless the primary unit has failed. That can either occur because the physical unit has failed, or it has lost all connectivity to the Internet. Typically you connect your primary circuit to both MX units, but this does require a routed /29. In your case, you should plug your two best circuits into your primary MX, and your backup circuit into the warm spare.

Agreed - they are difficult to use in a DC style environment. They have a particular vertical feature set, and they work great in that vertical. Once you start going outside of that things get tough or you have to make compromises.

Re: Warm Failover
by Gordon in Security / SD-WAN
07-28-2020 05:50 AM
So I ran a test on the weekend using the following:
Primary WAN1 - ISP1
Primary WAN2 - ISP2
Secondary WAN1 - ISP1
Secondary WAN2 - not used

This did work. There is an issue though. When I tried to force a failover from the Secondary to the Primary using the dashboard I got a message stating that I needed to configure the WAN2 port and it would not let me switch. I had to go in and unplug the cell device, force the failover and plug it back in.

Next I have to try:
Primary WAN1 - ISP1
Primary WAN2 - ISP1
Secondary WAN1 - ISP1
Secondary WAN2 - ISP2 - we want this as a last resort

Re: VPN and Security
by Gordon in Security / SD-WAN
07-28-2020 05:43 AM
That does not work properly. I tried that. What ends up happening, since the group policy cannot attach to a MAC address, is that the group policy over time gets randomly assigned to different systems. I have a policy for IT staff. There are only three of us. When I go in and look at the client list that policy is currently assigned to 10 different systems.

Re: Failover issues with WAN subnet
by Gordon in Security / SD-WAN
07-13-2020 06:02 AM
So I now know what the issue is. When a failover occurs Meraki does not do a GARP for the 1:1 NAT addresses. Therefore the upstream device does not get updated. This is from the Meraki documents. Their solution is to tell you to reboot the upstream device. So as far as I am concerned this is a major major flaw in the Meraki failover routine. It can take hours for the upstream device to refresh its ARP table, meaning any services you are offering through those NATs will be down for hours. Defeats the whole purpose of having a failover.

Re: MG21 and MX dynamic DNS
by jdsilva in Wireless WAN
06-19-2020 01:49 PM
4 Kudos
Hi @Gordon. The MX DDNS feature will use the public IP associated with the given WAN interface. If you have an MX WAN port behind a NAT the DDNS will resolve to the NAT, not to the actual IP of the MX. I've done what you're proposing many, many times. It works quite well in my experience.

Re: Group Policies and Firewall Rules
by WD in Security / SD-WAN
06-10-2020 07:08 PM
The default has to permit any remaining traffic to traverse after all the higher preceding policies have been applied; this permits blocking of restricted packets from policies at higher levels and the remainder to flow.

Re: Layer 7 - country rules
by Gordon in Security / SD-WAN
07-23-2019 05:20 AM
I don't want to block by country. The rule states "Deny - countries - Traffic not to/from - list of countries". So that to me means that traffic to a country not on the list is denied and traffic from a country not on the list is denied. This is much easier than having about 180 countries on a deny list, much easier to manage.

Re: Webinars
by Gordon in Off the Stack
05-15-2018 10:52 AM
1 Kudo
I emailed the person who emailed me but I don't think I tried that one. I will do so. Thanks

Re: MX Warm Spare Issue
by Gordon in Security / SD-WAN
05-04-2018 11:56 AM
1 Kudo
I think I may have a solution that will work for you. I was able to get full redundancy using this configuration across multiple switches.

Re: HA Configuration
by Gordon in Security / SD-WAN
04-26-2018 05:33 AM
jdizzle, yes. That is what we discussed and have to figure out. The engineer I am working with did have a working setup similar to what I am trying to do in his lab, except he was using Meraki switches instead of Catalyst, but that is minor. I have his notes on the setup so that should help.

Re: Disable firewall/NAT rule
by Uberseehandel in Security / SD-WAN
03-22-2018 05:21 AM
The MX beta firmware 15.3/15.4 allows NO-NAT configuration. I debated using it and opted to run with turning off NAT on the port on the device ahead of the MX, so there is not a double NATting issue. Optionally, I can turn the NATting back on to test what occurs...

Re: vMX 100 multiple subnets
by Gordon in Security / SD-WAN
03-22-2018 05:13 AM
OK. So the answer is no, there is not a way to have multiple subnets. I have looked at group policy and it is not going to work in our case for a number of reasons. Thanks for the replies

Re: MX84 and HA
by Kind of a big deal PhilipDAth in Security / SD-WAN
03-02-2018 08:58 AM
1 Kudo
That is correct Gordon.

Re: Website blocking
by jbhehoman in Security / SD-WAN
02-26-2018 12:59 PM
1 Kudo
One option that may work would be to use a Group Policy (network wide > configure > group policies) for the special users that should be able to access the site. Put website.com/login in the whitelisted URL section for that group policy, but also include website.com/login in the blocked URLs under the regular content filtering page. The whitelisted pattern in their group policy should take precedence over the blocked pattern.

Re: Site to Site VPN
by Kind of a big deal PhilipDAth in Security / SD-WAN
01-30-2018 12:07 PM
3 Kudos
Once you have the shipping email from Cisco you can add your devices to the dashboard. From this point on you can configure the devices. There is no need to wait for the devices to arrive.

Re: MX84 Ports
by jdsilva in Security / SD-WAN
01-12-2018 07:54 AM
2 Kudos
Hi Gordon, just as a point of clarification, the MX84 only has SFP ports, not SFP+. They are only 1Gbps capable and not 10Gbps. I'd hate for you to order the wrong SFP modules if you thought they were SFP+. Jason
My Top Kudoed Posts
Subject                        Board              Kudos  Views
Meraki - not impressed         Off the Stack      2      2854
Re: Verifying Firewall Rules   Security / SD-WAN  2      4367
Re: Meraki - not impressed     Off the Stack      1      2580
Verifying Firewall Rules       Security / SD-WAN  1      4850
Layer 7 - country rules        Security / SD-WAN  1      1555
© 2023 Meraki