Yep, great feedback, GreenMan.   The upstream/L3 switch that you mention will be the decision maker in this scenario.  In the future, they are considering a separate MPLS WAN (via Cisco ISR connected to distro Meraki425) that will also inject dynamic learned routes into the distribution. I like OSPF from the MXs for the dynamic nature of failover as I can get creative with some of the OSPF metrics for granular path selection.  Granted it my be overkill in this situation and I am aware of the longest prefix match for route selection,   VOIP and site-to-site file sharing (CIFS) is currently driving the need for full mesh.  This customer has no on premise servers anywhere (100% in the cloud) which I have never actually run across before.  There is no HUB.  We have sized their larger sites (~200 people) with MX100s and smaller sites (~50 people) with MX84s.  The design was for warm standby failover but we fully licensed both in case we needed to downshift to a dedicated VPN concentrator and dedicated NAT mode firewall to handle the load.    Thanks for the discussions.  As always, I welcome any feedback. ... View more

Thank you for your response GreenMan.  I have seen the Deployment Guide in the past, but thank you for bringing it to my attention again.   The customer (relatively small) has 6 remote sites, they will initially be using the MXs as both an Internet edge security appliance and AutoVPN termination device.  I am assuming that the dedicated VPN Concentrator (Passthrough mode) recommendation is for scalability reasons, which we will address as the customers grows to a larger number of locations.  But yes they will be doing full mesh AutoVPN for the foreseeable future.   I assume that there are no immediate "gotchas" with this?     The design calls for the MXes to connect to a pair of stacked Meraki 425 distribution switches that will be running OSPF to the access layer (MS250 stacks).    The need for dynamic advertisement of VPN learned subnets is great for dynamic failover to/from a future MPLS connection.  That will be handled by a Cisco ISR router also running OSPF to the Meraki 425 distribution. ... View more

Thank you PhilipDAth    The key to me is that it will form an OSPF neighbor relationship and advertise via the LAN interfaces (not the WAN) interfaces.   Is that indeed the case?  Also, I have read a couple of Meraki guides that indicate the VLANs must be "disabled" for this functionality to work.  Any insight here?     ... View more

Thanks Adam.  Maybe I should clarify my question.  I am not concerned with Inbound (internet into MX) translation here.  This is typically accomplished with 1:1 static NATs or some form of Port Forwarding (static PAT).  My question is will the MX perform outbound dynamic translation for any LAN facing subnet that is in the local route table; including static routes pointing to subnets reachable via next hop LAN interfaces?   In my situation I will have an MX configured in NAT mode.  The WAN interface is connected to an Internet circuit, the LAN interface is connccted to a L3 switch.  Local VLANs are disabled under “Addressing & VLANs ”. Static routes are configured for internal reachability. ... View more

Will the MX appliance advertise the VPN subnets via OSPF out of the LAN interfaces? ... View more