Guess I will just play around with the rules and see how they impact each other. Thanks Sarvjit ... View more

Default Deny All rule is for Dual Stack and not just IPV6.  We haven't touched it so that must be the default. ... View more

Thank You. ... View more

Thank you ... View more

Thanks. I will try that, but ultimately Meraki needs to have a solution for Third Party VPN that allows L3 inbound rules to be created. ... View more

Thank you. ... View more

Thanks ... View more

I suspect it will be a hybrid of those 2 approaches above. I will do some testing in our lab. Thanks ... View more

I don't think source based route will work in this scenario (internet traffic still needs to go out the local ISP at HQ). Basically, we want all DC subnet traffic to use AUTOVPN  as secondary route to the DC if primary route fails (Metro-Ethernet).   Thanks Sarvjit ... View more

Thanks Brash. That makes sense. ... View more

If you have the default L3 rule "allow all"  and no L7 rules doing any kind of deny. Then you should be good. The problem has to be on the other end (SQL side). Typically for this you want 1433/1434 UDP/TCP open (default ports) for communication to SQL (however that's up to whoever setup SQL on the other end) but as stated you are not denying outbound traffic so you should be good on your end. I would check with the other side to see if they are blocking inbound connectivity to the SQL instance. ... View more

One additional note, make sure you don't have a Layer7 rule blocking access to this SQL resource, again that rule would apply to outbound traffic only. ... View more

It almost sounds like you want to access a SQL server (somewhere on the internet) from inside your network. If that is the case the default L3 rules I believe are allow all (unless you are denying outbound). If you do not have a L3 rule denying then you should be good to go accessing any services. You also do not need an inbound rule for this traffic as the FW is stateful and will allow that same traffic (initiated from internal network) inbound.   If the SQL server is on your internal network and you want to allow access to this server externally then you will need a Port Forwarding rule (1:1 NAT rule or 1:Many Nat rule if you want to use a Public IP other than the one you have assigned to your WAN interface, assuming you have multiple public IPs allocated to your company).   BTW: from a security perspective I would not allow inbound access to your SQL server directly, since I dont know what application you are using I can't make any recommendations on how to best to allow secure access.   ... View more

I received another response from Meraki support on this. Same thing as before. Anyone from Meraki look at issues in this forum?   Response from Meraki: they are aware of this on-going issue and have attached my case/ticket to the parent case.   As I stated I opened a case for this at least 6 months ago with the same type of response.   I can only say that I am disappointed that Cisco/Meraki does not take these type of issues seriously or they would have had a fix by now. ... View more

When you setup the configuration of the SPARE you are giving it the configuration it needs on the WAN side (just make sure the WAN is cabled up to the spare). Once you boot up the spare the configuration will be deployed to the spare. I believe the configuration is deployed to the spare via the Primary FW (assuming everything is cabled properly on both WAN an LAN side, its important that the LAN side be cabled up on both primary and spare and all VLAN's on the LAN side properly presented to both primary and spare from your switches) ... View more

During the spare configuration it asks you if you want to use the existing PRIMARY MX WAN IPs, or if you want to use a VIP configuration (each MX would have its own PUBLIC IP's + a VIP Public IP -- So you would need to have at least 3 Public IPs in that scenario assuming you only have one ISP).  Then boot up the Spare and it should work, in essence you are configuring the WAN links for the SPARE without booting up the spare first. ... View more

one additional item to note, once you add the spare you need to configure how the spare (while it is still powered off), you have to decide on using the mx uplink IPs (WAN) or virtual uplink IP (WAN side as well). Once that is done, power on the spare and should be good to go. ... View more

We have always cabled up the spare (while powered off) (identical to the Primary). Then added the spare via the dashboard to the network. Then powered on the spare, this has worked for us every time. We have never configured anything on the spare in the past, assuming everything is cabled up properly (WAN and LAN ports).   ... View more

Its not supported, however, we have aggregated ports from multiple switches/ports (physical switch stack) and it seems to work (in production enviornment), we have been using this configuration for almost a year without issue. The switchs (stacked) will use spanning tree to block one of the aggregated ports. We have tested by unplugging one of the aggregate ports from the switch side, traffic flows across the 2nd aggregated switch port almost instantaneously. I'm not suggested you try it but just replying with my experience.  ... View more