Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join now- About iores
About iores
iores
Getting noticed
Member since Nov 16, 2023
11 hours ago
Community Record
53
Posts
2
Kudos
0
Solutions
Badges
10 hours ago
Is there any maximum number of such firewall rules, and do they affect performance of MXs?
... View more
2 weeks ago
Well, in such Meraki setup where one big central "ACL" is used for VPN traffic, I have no other option but tu analyze each ACL entry.
... View more
2 weeks ago
2 Kudos
Yes, it really is horrible job. I will end up with one final ACL containing several thousand entries. I appreciate the suggestion about using description.
... View more
2 weeks ago
I was aiming more at how to create one big central ACL from hundreds of single ACLs, without the need to analyze every ACL entry. For example, if one ACL entry at location X, uses summarized prefix (10.0.0.0/8) to denote source IPs at that specific location, if I just copy this as site-to-site VPN firewall rule I could influence traffic from all locations, not just X, and I don't want to do that.
... View more
2 weeks ago
Hi, I need to translate hundreds of individual ACLs to one "big ACL" comprised of site-to-site VPN firewall rules. Since the site-to-site VPN firewall rules are applied to the whole organization, it is not just copy-and-paste. What are you experiences or suggestions to effectively perform this?
... View more
Aug 27 2025
10:04 AM
Could you please explain the third point? How would that be possible?
... View more
Aug 27 2025
9:52 AM
I forgot to mention - this is L2 aggregation LAN switch, not dedicated WAN switch. Technically, I know this should work but given Meraki design requirements, I wonder if this would still be OK? I have no other options but I want to investigate all possible risks.
... View more
Aug 27 2025
9:46 AM
Hi, I have two MXs in HA. They are connected to downstream Meraki switch. I have only one physical ISP connection. 1. Is it recommended to use downstream Meraki switch to interconnect MXs and ISP via dedicated VLAN? 2. Generally speaking, for warm spare and Virtual IP to work, do WAN ports need to be directly connected to ISP, or it can be done via switch in between? I have seen Meraki documentation where WAN ports are connected directly to ISP.
... View more
Aug 4 2025
9:33 AM
Does it apply only "from the internet" or to any source IP that arrives on WAN interface for that particular local subnet?
... View more
Aug 4 2025
8:07 AM
I understand what you are saying but, unfortunatelly, configuring DHCP server on each spoke is not an option.
... View more
Aug 4 2025
8:05 AM
Hi, I was reading this: https://documentation.meraki.com/MX/Networks_and_Routing/NAT_Exceptions-No_NAT_on_MX_Security_Appliances . What does this mean: "... inbound traffic is not allowed through the WAN interface of VLANs with the No-NAT Exceptions override".? Does this apply only when No-NAT is used? In addition, does this and how affect AutoVPN communication? Are AutoVPN spokes able to communicate mutually?
... View more
Aug 4 2025
3:43 AM
Hi, What path will spoke use to get to DHCP if (1) full tunnel or (2) split tunnel is used? DHCP is at HQ, behind L3 core switch which is connected to the hub. My guess is that with full tunnel, all traffic will go via AutoVPN tunnel to the hub. As with split tunnel, if the DHCP needs to be reached through AutoVPN then static route pointing to DHCP should be redistributed in AutoVPN at the hub. Otherwise, it will be routed normally - decapsulated. Does this sound correct?
... View more
Labels:
- Labels:
-
Auto VPN
Jul 18 2025
4:12 AM
@Ryan_Miles How Option 2 works? If MX doesn't speak STP, this would mean (logically) that the stack is connected to itself with two links. Wouldn't STP on the stack in such case block these links?
... View more
Jul 5 2025
12:46 PM
@MartinLL I am just exploring different approaches and their implications given the Meraki best practice. Could you share techincal challenges you had with this?
... View more
Jul 5 2025
3:11 AM
Your default route is out of WAN port connecting to PE router, and you exchange all othere networks with LAN side via BGP on LAN port? What is the scale of your setup?
... View more
Jul 5 2025
3:06 AM
What do you mean by full tunnel? The concentrator has only one interface for Terminating VPN and LAN traffic. What are design implications of such traffic mixing? What are design implications if you use hub routed mode and connect both interfaces (WAN and LAN) to the same LAN next-hop, not to PE router?
... View more
Jul 5 2025
2:54 AM
What do you mean by "back out its WAN interface"? But NAT mode will have default route out of its WAN interface since this interface that is also used to connect to Meraki cloud? What is the main difference between one arm concentrator and NAT mode if hub is used with no NAT (as per my understanding, this option is now available)?
... View more
Jul 3 2025
2:50 PM
Hi, As far as I have read, Meraki one-armed concentrator and routed mode are getting more and more similar (feature wise). Are there any specific uses cases when only one mode should be used in the light that nowadays are very similar? Are there any important features that differ between them? I know that one-armed uses only WAN interface, but beside that, what are additional unique features between them that should be considered when choosing the correct deployment mode?
... View more
Labels:
- Labels:
-
Auto VPN
Jun 25 2025
12:34 PM
Yes, thanks for the information. I have read all this ibut somehow I hoped that it could be done over LAN port because two active WAN ports will be connected to private circuits cloud with no connection to the internet, as it appears now, so I am looking for alternative solution.
... View more
Jun 25 2025
9:25 AM
Hi, I was wondering if anyone tried to use LAN port for connectivity with the dashboard or it has to be one of the WAN ports?
... View more
Labels:
- Labels:
-
Other
Jun 22 2025
11:51 AM
@JeroenVercoulen But OSPF on the LAN side is enabled only if MX is in routed mode, right? Can AutoVPN subnets be advertised over LAN port if MX is in concentrator mode?
... View more
Jun 21 2025
8:32 AM
How did you managed to have connection to MPLS and internet via only WAN1 port? Was the WAN1 port in the same subnet as firewall LAN side and MPLS side?
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 414 |
© 2025 Cisco Systems, Inc.
