This is what I want to do. Really no API for this? That would be quite disappointing. ... View more

Allowing only to be initiated from one side is purely done with the ACL. No need for NAT. And if there is IP overlap inside of the network, something is severely wrong.   ... View more

Why do you want to NAT here if it's going from private to private? ... View more

done! 🙂 ... View more

There is one thing that will not work: If you now have a LAG between the 3504 and the 2960, this must be removed and configured for individual interfaces as the LAG implementation on the WLC and the MS switches is not compatible. ... View more

The default port for OpenVPN is UDP/1194. If that is the port the OpenVPN server is using (it can be changed), you just have to allow this port. ... View more

I typically implement this with four blocks of lines in the Firewall rules: Block1: Allow DMZ-system to any needed destination on other VLANs Block2: Deny DMZ-Network to all RFC1918, this is the LAN and all other DMZs Block3: Allow needed traffic to "any" which is the internet in this case Block4: Deny DMZ-network to any   Yes, this is much easier with zones like on firepower. But it works good. And always remember that the Firewall-Rules do not control traffic to VPN-destinations. This is done in the Site-to-Site-VPN section. ... View more

Yes, it is typically a subscription. But not that expensive and with highly reduces support effort it will save money in the end. ... View more

No, this will not be possible with the native client (which uses IPsec btw and not SSL/TLS). And do yourself a favour and go for AnyConnect for a highly reduced amount of grey hair ... ... View more

If you want to assign differentiated permissions to VPN clients, your AnyConnect-users have to be authenticated with RADIUS (which in turn can use AD). The RADIUS server can return the name of a group-policy that restricts the users access. ... View more

The NICs don't report anything back and they don't participate in STP. The logs show a completely normal behaviour. When a port comes up it has to transition to designated to make sure the attached device will receive traffic. ... View more

This is typically the device.  ... View more

Port 4 got a link, Port 21 lost a link and got the link back. ... View more

As this is just an option in DHCP, I don't see any reason it shouldn't work. ... View more

Sadly, also the new models are restricted to only two active WAN ports. ... View more

Meraki really doesn't like to talk about roadmaps. Being able to use more than two WANs is quite often asked here in the community. But probably the core of the MX has to be changed significantly to make it work. Don't wait for it, likely it won't happen soon. But tell Meraki that you want to have this every time possible. ... View more

Woohoooooooo! Congratulation to the old and also to all the new All-Stars! 🙂 ... View more

This is what I expected when I saw this new firmware. But the documentation is not yet updated. This would be great although IMO this feature is quite useless with only the MS390 supporting it on the switch side.  ... View more

Thanks for the info. Just not sure why MS does this also when MSCHAPv2 is done through a TLS tunnel ... ... View more

Probably because everyone else just uses AnyConnect and is happy about a rock solid and powerful VPN. And no, the PLUS (or Advantage license as it's called nowadays) is not that expensive. ... View more

There is an extra Community for Meraki Go: https://community.meraki.com/t5/Meraki-Go-Community/ct-p/go This Community is about the Enterprise range of Meraki devices. ... View more

Under Wireless -> SSID Availability you can set your schedule for your SSID. ... View more

@PaulF wrote: It might be any idea to start forcing the check in of devices, both from a client perspective, and also from an MDM perspective I tried that from the dashboard, but it didn't change anything.   How can I force it on a Windows Client? They all have the Agent installed. ... View more

Also, thanks for testing the script. I'm glad that it's already highlighted some devices 🙂 I was very pleased that the script also directly took the API-Key from the environment instead from the parameter. Perhaps the CSV would be better with one client per line. It would directly give an info about the amount of affected devices. ... View more