Found it 👍 https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Cloning_Networks_and_Organizations_in_Dashboard Cloning Network Settings with Configuration Sync Sometimes it is convenient or necessary to copy configurations from one network to another. If an Organization has multiple networks, it is possible to copy an existing MX or MR network configuration to another network. For MXs in particular, the traffic shaping and content/security filtering settings can be copied. Note: Configuration Sync cannot be performed with a combined network or a network bound to a template ... View more

Hi @Phil Where did you see the referenced quote "Note: Configuration Sync cannot be performed with a combined network." ? I've searched but can't find it, in fact the documentation site doesn't really have any reference to config sync, only working with Templates, and cloning existing networks. ... View more

Hi Philip Thanks for the reply. After discussion w our Meraki SE, it was explained the one-armed vMX has the public IP as the 'outside' and the internal Azure NIC as the 'inside' interfaces - and rules can be applied much like any other firewall i.e. looking at the perspective of inbound & outbound. As we are replacing an incumbent Juniper firewall, which has ingress & egress policies we are replicating those. The customer is security conscious of their Azure environment and wants to control ingress to it, and control access out form it (presumably being used as an attack plane into the rest of their SD-WAN environment.) My comment was really around the template missing the inbound section, whereas when you don't bind the network to  a template you can specify inbound and outbound rules.  Ian 😀 ... View more

Hi yes we have deployed in Azure.   2 things; i. Unable to browse to the public IP ii. There isn't the option to specify an external src IP in the 'Security Appliance services' section in firewall   Oddly enough if you bind the network to a template you can specify the IPs that can access the 'Web (local status & configuration)' page.   Have you tried this yourself ? ... View more

I have the same q. Any lurkers ? My reqt is pretty similar - have built 100+ sites (network envy of >400 😉) individually, but want to edit URL filtering directly, either in one go or probably by using a small number of templates applied in groups, to handle a staged implementation. Yes, we can use the API, but a GUI method is even more widely available. ... View more

Brave man - bleeding edge !  ;-] I guess you know too, I did a 'upgrade now' and it says scheduled for 6 or 7m time, if you go and reschedule and do another 'upgrade now' it claims to start it immediately saving the wait. ... View more

@cmr Thanks again. 👍 All went fine, customer reports no users reported any disruption to service. Not that I think they would have noticed anyway. ... View more

Hi All I have just come off the phone to Meraki TAC. The failover is not stateful. So TCP resets all round, but device available achieved by failover and fallback. Ian ... View more

Is an MX HA pair stateful ?? Same thing here, users asking for impact statement. According to the doc referenced elsewhere https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practices_for_Meraki_Firmware#Appliance_Network_with_Two_MXs_in_an_HA_Configuration "  the dashboard will automatically take steps to minimize downtime when upgrades are performed to ensure a zero-downtime MX upgrade "   Will a tcp state table be copied across or will tcp connections be reset ? My understanding ref @cmr 's comment, SIP phones - once call setup has taken place - will be keeping the call going between endpoints and unless the call flow, or one of the endpoints, is via the device being upgraded there is no impact. If the SIP server is via the device in q, I can see a hit, but I would have thought it would be very quick if 'zero downtime' is the reality. ... View more

Hi MerakiDave It would be great to get clarity on this. Am upgrading a pair of MX450s tonight and the customer is not going to want to hear there's a 50min delay, like @cmr . Also clarity on the timings. I know the scheduler drop-down only allows it on the hour, but other posts here suggest these get pushed back at 20m intervals, or is that coincidence and it's random, as it's a cloud based service and has to service lots of folk, and depends on load at any given time ? ... View more

hi Is this documented anywhere ? I had assumed that would be the process but cannot find it in Meraki documentation. ... View more

We share your pain ! In our instance we decided to get the carrier to strip VLAN tagging on the cct, rather than go with beta code. But if you like living dangerously there is a fix starting in 15.37 https://community.meraki.com/t5/Security-SD-WAN/New-15-37-firmware-fixes-MX250-450-WAN-VLAN-issue/m-p/99714   ** N.B. ** Security appliance firmware versions MX 15.37 changelog IMPORTANT NOTICE This is a beta version for the next major MX release. Due to this, we recommend taking additional caution before upgrading production appliances. Where applicable, MX 14 releases will provide a more stable upgrade alternative.   😱 😁💣 ... View more

Hi That links broken, does anyone have an up to date one ? Ian ... View more

I've had it confirmed by TAC that you have to enable a DHCP server on the vlan, not just able to get it to act as a DHCP/BOOTP relay. So we can; a) Act as an ip helper / dhcp-relay and NOT a BOOTP forwarder, or b) Act as a DHCP server (i.e. not a dhcp relay), and act as a BOOTP forwarder   Seems a bit contradictory; a) Forward DHCP multicasts as unicasts, and DO NOT Forward BOOTP multicasts as unicasts; or b) Forward BOOTP multicasts as unicasts, and DO NOT Forward DHCP multicasts as unicasts ... View more

Update, we are told (Meraki TAC) this relates to a VLAN tag on the WAN configuration. Apparently an old issue seen strips the VLAN tag from the port config. We are seeing this. When you first connect a unit to the WAN and it connects to the dashboard, then tries to download firmware, if you look at the Uplink config in the dashboard, the dashboard has stripped the VLAN tag from the link. We have been told to add this to the dashboard before the next reload/download happens and it should go fine. What appears to be happening is the VLAN tag gets stripped, the MX can no longer see the dashboard and it recovers itself by rolling back. ... View more

not the REST API but the Dashboard API https://nxxx.meraki.com/api/v0/organizations/organizationid/devices/ ... View more

Joel - can I DM you for the Meraki case # please ? We have what appears to be a similar issue, and when I asked Meraki tech support if it was related to this post they couldn't say as I didn't give the ticket no. for him to compare with. The behaviour we see is the dashboard tells us the units are on 14.42 but Meraki tech say this has failed and they are actually on 12.24, and the dashboard actually is reporting the 'desired' not the running version. The units go offline for 8-10mins roughly every 2.5hrs. My understanding is that they never achieve their initial image download from the dashboard so try continuously rather than using the default schedule (weekly?) ... View more

Hi PhilipDAth   I'm not sure I follow the suggestion above. The boot options only appear when the Meraki vlan is set to 'Run a DHCP' server. So you can't specify 'Relay DHCP to another server', and bootp options i.e. ip helper and bootp forwarding appear to be mutually exclusive in the dashboard DHCP, Vlan definition page. ... View more

@bford1  That's a real pain for you. Did you get much joy in the end. I too am on the same path. I realise that you cannot import combined networks, so I want to start with the MX's, then maybe bind a pre-defined template, depending if that works or not. Did you have your serial numbers pre-defined per location ? ... View more

Split tunnel. There is a NAT set up for the return traffic, but I don't see that would necessarily dictate the outbound traffic. i.e. there is a hide-mode NAT (port-forwarding) set up for this internal host when egressing the WAN2 uplink of the MX.   So going out that would hide the internal src IP behind the MX WAN 2, but would that make the traffic go that way itself, I don' think so.   Anyway thanks for your input and I have learnt something. I have got rid of the SD-WAN, VPN traffic, Uplink Selection Policy, and used a Uplink selection, Flow preference, Internet traffic rule instead.   Thanks for your interest. But no stats unfortunately, other than to look at the WAN usage in the Appliance status page :[ ... View more

Hi Yes i was - now you have explained the sections I am surprised it was behaving like it was. My VPN traffic , Uplink selection policy had WAN2 as the preferred uplink option (with mandatory failover) AND the traffic filters Windows Ofice365, and a custom expression tcp from an inside host to any host, external port number. So a very crude kind of policy routing, i.e. "if it comes from here" AND "the destination port is X", THEN use uplink WAN2. ... View more