From a performance perspective, yes in theory it's better to prune, but in practice, just allow all and avoid the management overhead. ... View more

9300X. ... View more

Yeah as is you will need to cycle the ports once the sites comes back online... It's really not ideal. There is also a risk that you don't notice before the users as the AP will be online and connected to the management network even thou the port isn't authenticated... ... View more

I wonder if it has anything to do with the service DNSCRYPT not running on the MX. Meraki has a bug where the service stop running so DNS traffic tunneled to Umbrella stops working. A restart to of the MX solves the issue, but it might or might not come again. They don't know why it happens atm. ... View more

The only way do deal with silent devices is by either configure the device to use DHCP or to set the access VLAN to the VLAN the device should be in, and make sure that control direction is only out in the access-policy. This way the traffic should be able to reach the device, and the return traffic should trikker authentication. ... View more

Its not a solution. Where does it go from the L3 switch? It goes back to the MX. Where does it go from the MX? To the L3 switch. Until TTL reaches 0.   Meraki needs to add the ability to create static routes towards the WAN. As long as you can't do that, then there isn't a good solution. ... View more

Any ETA on this? Getting a bit tired of having to do maintainance windows for minor changes 😉 ... View more

I is 4 bytes lower on MX16. ... View more

Is there an ETA on this fix? ... View more

Great information! My only experience so far with secure connect is the dcloud lab, so it's nice with some feedback from the real world.   Number 1 should definitely be an exception by default.   Regarding number 2. What do you mean by it isn't supported? What is preventing you from using the Umbrella hubs as exit hub on the hub in the DC? And why can't traffic from spokes to the DC go directly and not via Umbrella?   The fact that you can't do local breakout based on domains and wildcard domains is a big problem. That being said, when you go down this path it is expected to put in quite some work on bypassing umbrella completely or doing selective decryption for different destinations/applications. That's the same for all vendors. ... View more

Meraki also uses a public IP in the NAS field when AP's and Switches probes the radius server to see if it is alive. Meraki also uses public IPs for BGP router ID's when enabling BGP and for the APs when they are in mesh.   It's really strange to see these public IPs show up at seemingly random places. ... View more

Hi Gary.  This documentation states you can set the umbrella “mx” as an exit hub. Is this not possible when doing secure connect? I thought it was essentially the same.  https://documentation.meraki.com/MX/Meraki_Umbrella_SDWAN_Connector/Deployment_Guide   why does the VMX need to be in routed mode? ... View more

I am asking about management and deployment of secure client, which is part of secure connect.This is the documentation from the Meraki page, but it leaves out some details. https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco__Secure_Connect_Now_Remote_Access   What I am curious about is whether secure client used for secure connect can (or shouldn't) be managed / deployed via Secure-X / XDR. Is there anything special about the installation file generated by Meraki and Umbrella or is it just the normal installer with a profile that can be used with any type deployment. When I read the documentation is sounds like I am able to deploy the secure client XML whatever way I want.   I find it hard to only talk about Meraki when talking about secure connect, when it seems to be a combination of Meraki, Umbrella and secure client. ... View more

I don't think that is related. The document describes SSO for the Meraki and Umbrella dashboard. ... View more

In the PVT today they mentioned a list of hidden features which support can enable. One of them was disabling peering between hubs. If you are receiving the same routes in both dcs it is recommended to enable this feature to avoid asymmetric routing.   ... View more

@Ryan_Pascoe Thanks, that makes a lot more sense.   That also means the MS390 is a beast with Meraki GP compared to a C9300 with dACL, but I guess thats the advantage of using an access-list that exists locally on the switch. ... View more

200 ACE across the switch?! Does that mean if I make a gp that allows dns, dhcp, blocks rfc1918 and allows anything else. That would be 5 aces. I would only be able to apply it on 40 ports?  ... View more

Do you need to clear the upstream cache even when doing failover to warmspare? That sounds ridiculous. ... View more

So how has it been running?   I wonder why this is still not public or early access via the dashboard. ... View more

The thing. It's is already running this way 🙂   Bare in mind that there is a dedicated VLAN for the WAN subnet between the ISP and the MXs WAN ports.    I'm just wondering if it could have performance impact or if client identifier is only used for monitoring purpose.  ... View more

Unfortunatly that's not a solution.     ... View more