Don't take the term "virtual stacking" too literal. It is actually a marketing term for the feature that lists all your switchports from a dashboard network on one page, nothing more.   It does open the abilities to config ports over multiple switches in one go by using the correct filters.   The term virtual stacking should NOT be mistaken for flexible stacking which is the term you believe the MS125 should be able to do, but it does not support any kind of real stacking.   Flexible stacking is the term used to modify normal ports to stackports.   The only switch in the Meraki portfolio that supports flexible stacking is the MS425 aggregation switch. ... View more

Hmm are you sure both ends use the same SFP kind? Most SFP's are NOT multi speed, so usually a 10G SFP cannot transmit 1G.  Yes there are exceptions but the standard SFP's are not that 🙂   SFP's adhering to the same standard like 10G SR should linkup just fine independent of the brand used. Only some DAC cables of other vendors can give trouble on some devices (usually not Meraki).   So there is no link negotiation on these SFP's. Are you sure the MS225 is detecting the 10G-SR SFP correctly? Also are you sure you're not using a stackmember that is an MS210 instead of an MS225 to uplink? ... View more

The firewall has it's L3/L4 rules and it's L7 content filters.   Group policies can also contain these rules but can dynamically pushed to a network client. However group policies can also apply to a wireless client and then it's the AP firewall that counts.   These rules in group policies can override the firewall or in case of content filtering it can work additive to the existing policies. ... View more

Don't forget if you're routing between VLANs on the MX you're not only passing the MR but also the MX and you can be blocked at any of the two touchpoints.   So having the allow local lan, or specific subnet/IP on the MR is one thing, but if you're still blocking the traffic on the MX then yes you won't reach the printer. ... View more

When the users installed the CA certificate of your domain, did they actually install the cert or just copied it to their store? If it is correctly installed do they actually select the correct ca cert for server validation in the WiFi profile? ... View more

I tested it using MS authenticator and it seems to work fine with the OTP it generates every time. Now I can make a wish and have them support face-id 🙂 ... View more

Hey Philip, I'm from Belgium 🙂 But would you know by chance this would also work on Microsoft Authenticator? I already use that app because my company is heavy into Microsoft and all 2 factor auth's run via that app. ... View more

Nice!  We did have to work with a European reseller though. ... View more

Welcome Mike the vocalist!  Don't drop the mike before you're done talking 😉 You'll indeed find some stuff being different than regular Cisco and it's important to know when to not follow the Cisco guidelines because there are some huge cultural differences between the two product stacks. ... View more

Heh, I have the same problem with the WiFi stand not being wide enough to support MR46 and above without mounting it diagonally on the bracket. 🙂 ... View more

This is why I extensively use the "virtual stacking" feature. In every org I always apply tags to ports with identical configuration (except name ofcourse) and always use the tag to filter the correct ports so I always have consistent configuration across the board. Ports to end users have the access tag and a descriptive tag for the VLAN used. Ports between switches always have the trunk and isl tag. Ports between switch and ap always have the trunk and ap tag, and so forth. Also make sure you make some good filters before tagging is applied to the new switches. Learning to use the stack:part of name port:1-12 always helps to quickly select correct ports. ... View more

He still fits between the rails! 😛 ... View more

That person that configured loop guard on endpoint ports does not understand STP. It only makes sense to use BPDU guard on access ports to endpoints.   Since I haven't seen any Meraki network using OOB cloud access I have never been able to implement loop guard because dashboard configuration does not allow it. ... View more

Maintaining fewer major releases is easier I guess 😉 ... View more

People use LC-LC or LC-SC patches all the time, no problems expected there. ... View more

If you use the Add-VpnConnectionRoute cmdlet it should really add those routes to the VpnConnection and thus always installing it in your pc's routing table when you dial the VPN. I have an example on my own pc here: Step 1: verification of the VpnConnection object itself: PS C:\Users\yyyyyy> Get-VpnConnection -Name "EXAMPLE" Name                  : EXAMPLE ServerAddress         : EXAMPLE-xxxxxxxx.dynamic-m.com AllUserConnection     : False Guid                  : {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} TunnelType            : L2tp AuthenticationMethod  : {Pap} EncryptionLevel       : Optional L2tpIPsecAuth         : Psk UseWinlogonCredential : False EapConfigXmlStream    : ConnectionStatus      : Disconnected RememberCredential    : True SplitTunneling        : True DnsSuffix             : IdleDisconnectSeconds : 0 Important here is that SplitTunneling is True. Step 2: Verify if the VpnConnectionRoute is present in your configuration: PS C:\Users\yyyyyy> (Get-VpnConnection -Name "EXAMPLE").Routes DestinationPrefix     : 10.100.5.0/24 InterfaceIndex        : InterfaceAlias        : EXAMPLE AddressFamily         : IPv4 NextHop               : 0.0.0.0 Publish               : 0 RouteMetric           : 1 PolicyStore           : As you can see I have only added one /24 network. Step 3: Dial the VPN Step 4: Verify the network adapter and your IP on the VPN: PS C:\Users\yyyyyy> ipconfig Windows IP Configuration PPP adapter EXAMPLE: Connection-specific DNS Suffix .  : IPv4 Address. . . . . . . . . . . : 10.100.15.6 Subnet Mask . . . . . . . . . . . : 255.255.255.255 Default Gateway . . . . . . . . . : Step 5: Verify windows routing table PS C:\Users\yyyyyy> route print =========================================================================== Interface List 107...........................EXAMPLE 32...xx xx xx xx xx xx ......Intel(R) Dual Band Wireless-AC 7265 1...........................Software Loopback Interface 1 =========================================================================== IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0         0.0.0.0           192.168.101.X   192.168.101.XX   35 10.100.5.0      255.255.255.0     On-link         10.100.15.6      26 10.100.5.255    255.255.255.255   On-link         10.100.15.6      281 10.100.15.6     255.255.255.255   On-link         10.100.15.6      281 81.165.XXX.XX   255.255.255.255   192.168.101.X   192.168.101.XX   36 192.168.101.0   255.255.255.0     On-link         192.168.101.XX   291 192.168.101.XX  255.255.255.255   On-link         192.168.101.XX   291 192.168.101.255 255.255.255.255   On-link         192.168.101.XX   291 =========================================================================== Persistent Routes: None Here you can clearly see the 10.100.5.0/24 network being available through the VPN adapter at 10.100.15.6. Also the 81.165.xxx.xx address references the Internet IP of the MX I'm connected to. ... View more

If you correctly added the VPN-ConnectionRoute then when you dial the VPN you could to route print in cmd and you should see the destination via your VPN adapter.   Also you can verify if your route has been added by issuing this in powershell; (Get-VPNconnection -name "nameofyourvpn").Routes If the route is shown in last command and in route print after dial, then you probably have not allowed the VPN subnet access to the internal net on your regular firewall rules. ... View more

Each member port of a bundle must send LACP information where the actor System ID is identical between both ports. If one member fails it will not be added to the bundle. In above pictures I have taken an lacp packet capture between a meraki core switch stack (where two different stack members are downlinked in the bundle) and the access switch which is a single switch where port 49 and 50 are uplinked and bundled in a port-channel. So on each side both ports send LACPDU's with the same ACTOR ID but a different ACTOR PORT ID for it's own system and the peer ACTOR of the other side. If you capture both switchports leading to the server you have 100% proof that the Windows host is not behaving if you cannot see any LACPDU's on the second port. I hope this helps. ... View more

OK, then you'll need to verify if the NIC team is sending LACP packets back to the switch. Please run a packetcapture on the Meraki switch on any port of the bundle. The capture filter you'll need is: ether host 01:80:c2:00:00:02 Normally you should see lacp packets from both the source MAC addresses ( switch and server ). If one side is not transmitting any then the problem lies there. ... View more

Your lacp timers are wrong. You should always use slow timers in lacp on Cisco products. ... View more

I'm trying to read your question correctly: Do you mean you now have 1 site that has a non-Meraki VPN to Azure and you want to add a second site that also talks to Azure but not to each other? If it is true, allow me to explain below: The hub and spoke settings indeed apply to AutoVPN only (that means Meraki to Meraki in the same org). You always need at least one hub in your network and I believe if you set the new site to spoke you'll need to select at least one hub.  So indeed they will connect via AutoVPN.  Or if you configure them both as hub then it will yield the same result. So you have two ways to block communications between the two sites: 1) You configure both sites in their own org.  Do know this will also split your licensing, so you'll need separate orders if you do a renewal or something. 2) You can keep them in a hub/spoke config but you'll need to add some rules to the site-to-site VPN outbound firewall ruleset.  Just put denies between both networks ( maybe use a supernet if the network design is solid ) and make sure you have an allow any below it so you can reach all the rest.  Or only allow the Azure subnets as destination.  These rules will apply to both networks. ... View more