Good morning.  I'm expecting any device that I assign one of my 13 user-assignable IP addresses to to broadcast that IP.  Currently, we have a Comcast coaxial modem that is connected to a switch for distribution of the IPs.  If I put any of those IPs into any of my Meraki equipment, they immediately broadcast that IP.  The issue here is that I have a Meraki behind a Meraki.  Perhaps the Comcast router (with the fiber) needs to be reconfigured?  As it is now, my /28 IPs are useless, as I can't remotely access them, nor ping them.   Old Comcast modem (coaxial w/13 IPs) <> switch <> MX250 (core stack) and MX64 (VPN) - Works perfectly, with all assigned IPs responding externally and each unique IP is broadcast.   New Comcast router (fiber w/13 IPs) <> MX68 <> switch <> MX250 and MX64 - Fails. Each MX250/MX64 both broadcast the same IP, with is the IP from the /29 assigned to the MX68.  The /28 IPs do not respond to pings or web access.   Thanks,   Jeremy  ... View more

Thanks for the suggestion.  I tried it, but I didn't see a change, as it is still broadcasting the /29 IP (instead of the /28) and the public IP is not responding to ping/web calls.  Do I need to be in Passthrough mode, perhaps?  Actually, 1:1 NAT is not available in that mode.   Thanks,   Jeremy  ... View more

You are correct about the setup.    Comcast Juniper <-> /29 WAN -MX68-/28 LAN   If it is that freaking "No NAT" issue again, that is going to suck.  Ran into that previously with a VeloCloud-Meraki SD-WAN setup.  I do have the MX68 LAN connected to a switch that then connects to my MX250 stack and my MX64 VPN router.  Currently running 14.53 across the board for all my MX units. ... View more

Thanks for the reply, ww.   So, are you saying to take the MS250 (switch) out of the equation?  As such, for example, I'd create the VLAN 22 with a subnet of 10.22.22.0/24 and MX IP of 10.22.22.1 on the corp MX250 and configure a LAN port on the corp MX250 as Trunk/Native VLAN 22/Allowed VLANs All (or limited to Server and Voice) and create the VLAN 22 on the state MX84 with a subnet of 10.22.22.0/24 and MX IP of 10.22.22.2 and a LAN port on the state MX84 as Trunk/Native VLAN 22/Allowed VLANs All.  I'd then add a static route (or routes) on the state MX84 that states that the next hop of the corp network(s) is 10.22.22.1, while adding a static route (or routes) on the MX250 stating that the next hop of the state network(s) is 10.22.22.2?    Would I perhaps do /30 instead of /24 for the 22 VLANs, avoiding duplicate IPs that way?   Thanks,   Jeremy     ... View more

GldenJoe,   Thanks for the reply.  I'm not sure if I'm following on what makes this a bad practice.  The point would be to limit the incoming traffic on WAN2 to 2 private networks, if not select IPs.  Sure, if one of the internal corp devices got compromised, they'd have full access to the state devices, but they'd already have access to the corp devices and all VPN devices, so I'm pretty screwed at that point anyhow.  I'm just looking to avoid having to have the state office need to go over the Internet for a connection to our corp office, as it is simply across a hall.  Obviously, incoming traffic is blocked for a reason.  I'm not arguing.  I'm just trying to understand what makes it a bad practice.   As for your workaround, can you help me get a better picture of it?  Are you suggesting that I should have an MX behind an MX?  Currently, corp has an MX250 connected to an MS250.  The MS250 port that is connected to the WAN2 on the state MX is configured with the server VLAN as native and only the server and voice VLANs are allowed.  At this point, the desire is to have the state users be able to access the corp servers and the corp servers see the state printers, while the state phones see the voice controllers and the voice controllers see the state phones.  With your suggestion, are you saying for me to create a "state" VLAN, assign it to the MS250 port and have it connect to something other than the state MX WAN2 port?  I'm trying to draw it out, but I'm not seeing how it works.   Again, I'm not arguing, and appreciate the reply.  I'm just not quite understanding it.  Fortunately, the state office is not currently live, so I can test any design, as long as it doesn't negatively impact the existing corp network.    Thank you,   Jeremy ... View more

Does Meraki realize how dumb it sounds to offer USB for failover connectivity but not actually use it for a best practice???  It is crazy to me that it it seems acceptable to Meraki to need an additional router that can actually use a USB card to perform an Ethernet hand-off to the Meraki.  I didn't have to do that with SonicWALL or CradlePoint.  Don't offer a USB port, if you can't depend on using it.  Of course, I'd never have gone with the product, if they didn't support USB modems.  Especially with the significant price jump from the Z1 to the Z3, it is asinine that I can't depend on using the product, as advertised.  We have 300+ sites using USB cellular modems, due to cost and versatility.  I'm really regretting my commitment to Meraki, as they have underwhelmed in multiple areas now.  I keep waiting for their developers to "figure it out", but I can't hold my breath that long.  They have way too many things that are controlled on the back end or can't be done in general.  Lots of nice features, for sure, but definitely many poor decisions have been made, too.   ... View more

The impact to my MX250 environment may be minimal, as I use a separate MX64 to manage all VPNs and I use 1:1 NAT and no port forwarding, so a different IP (upon failover) isn't horrible.  For me, its more of a matter that all 13 of my static IPs on each circuit are being utilized.  So, I have to look to see what I can do to recoup one.  I'd prefer to do the virtual IP approach, but recouping 2 is not going to happen.  So, I'll go with the MX uplink option for now, and then likely change to the virtual uplink option when we change our primary ISP later this year.    Thanks for the good information, guys. ... View more

Good video.   That said, I'm still a bit unclear about the public IP needs.  In the documentation, it states that the "Use MX uplink IPs" option does not require additional public IPs for the Internet-facing MXes, but a few sentences further it state, "regardless of which option is selected, both MX devices will need their own uplink IP addresses for Dashboard connectivity".  So, this seems to suggest that I need 2 IP addresses per circuit with this option and 3 public IPs with the "Virtual uplink IPs" option.  Am I understanding that correctly?   Thanks,   Jeremy ... View more

They do and they are all enabled. ... View more

Yes.  I have all my Meraki endpoints (MX65) creating a VPN back to an MX64 hub at my DC.  Not ideal, as it masks the traffic across the VeloCloud network, but it is working.   Jeremy ... View more

I tested it, and it worked, but it would be an administrative nightmare, as I have several VLANs and moving the management to the VCE would really suck (even with Orchestrator).  Creating a VPN with the MX has generally worked fine and then you have full control of the endpoint networks through the Meraki.  My understanding is that a beta version of the MX firmware addresses the "No NAT" issue, but I haven't seen it, yet.  I'll be doing more testing in Q2 2019. ... View more

Now that I have the primary MX250 and Primary MS250 working correctly in my environment, I'll be moving forward with redundancy in later Feb.  While I understand that you can't build an LACP channel across the two switches, I would be able to duplicate it with a couple more SFP+ modules.  My concern with a stack is IP conflicts and possible looping.  I've already experienced issues with my MS120 switches having looping issues.  I've been testing loop guard configs, but haven't implemented anything, as I didn't want to risk any loss of connectivity to my remote sites.  That said, there have been a couple firmware releases since then, too. ... View more

Was an issue with ISP.  I'm assuming caching.  Upon router power-cycle, everything began responding.     ... View more

Internet appears to be working fine.  NATing appears to be an issue, though.  It is odd, though.  My Exchange email appears to be flowing correctly, but Nothing else relying on NAT is connecting.  Researching that now. ... View more

Heh.  Just got your message.  You got me looking at the right place.  Going to do more testing now. ... View more

Found an issue...  Had 0.0.0.0 point to 192.168.1.1.  Changed it to 192.168.1.2. ... View more

MS250 is 192.168.1.1, MX250 is 192.168.1.2 ... View more