Remember also;  the MX is, by default, a firewall.  If traffic is deemed to be 'outside VPN'  (e.g. if a local VLAN is set to 'VPN off'') then it will be NAT'ed behind the IP address of the chosen WAN uplink, through which it egresses.   If that uplink is connected to the MPLS, you will need to bear this in mind, within the MPLS routing.   Moreover, if you wish some kind of server, on the LAN side of the MX, to be accessible, via an inbound request over the MPLS, you will have to set up port forwarding or an inbound NAT,  otherwise unsolicited inbound packets are, by default, dropped. https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#Forwarding_rules   Meraki has been working on a 'no-NAT' feature, but this is in beta, for the time being:   https://documentation.meraki.com/MX/Networks_and_Routing/NAT_Exceptions-No_NAT_on_MX_Security_Appliances     ... View more