Still waiting for approval for our first CW9164 order ... But I would expect to see the same features. ... View more

Yes, these subnets need to be included into the VPN traffic. ... View more

Are the external subnets part of your Split-Tunneling definition? ... View more

As far as I understand it, we lose everything that is not "normally" available on the Dashboard. ... View more

With AnyConnect, the easiest way is to let the RADIUS server return a filter-id that matches a dashboard group-policy. ... View more

The first question that comes to mind here is "Why are you hiding your SSID"? 99% of the given reasons (like more security) doesn't work that way. ... View more

Damn, wrong link ... Yes, luckily at least one other paid attention ... 🙂 ... View more

I've done it as a PoC. You have to tell Support to enable SAML for AnyConnect and then just follow the guide: https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Configuring_SAML_SSO_with_Azure_AD We didn't implement it later because with RADIUS the ISE was able to easily return Group-Policies for differentiated user-access. ... View more

Can you post your Split-Tunneling list? Perhaps there is a mistake in the syntax (like wrong mask for the network) that could show this error. ... View more

Well deserved Raphael! Welcome to the most elitist and prestigious club in the world of IT communities! 😀 ... View more

Welcome to this very nice community. You'll surely have done the right decision and will have much fun! 🙂 ... View more

Damn, why didn't I find that post ... ... View more

The ISE will help that each user/device will get the right classification for the segmentation. The needed Device depends on the Security you want to have: For Basic L3 control, a L3 switch could do the job. For Advanced L3/L4 control I would go for a Firewall like the ASA running on a Firepower platform. For L7 control we need a NGFW/IPS. For some implementations I place the routing on the MX with Adv. Security License, but only when most of the traffic is going to the cloud anyway. If there is a very high amount of local User/Server-Traffic I typically use FTD on a Firepower platform as the throughput per $ is better compared to the Meraki MX (even with HA). And there are better ways to integrate it. ... View more

Without a license, you are also not allowed to use AnyConnect on any other platform ... ... View more

A couple of my customers do it also this way. But if I am in charge I typically follow the approach to keep my stacks small (two to four switches). I am a little coward and each stack is it's own failure domain. The likelihood of a stack-failure might not be large, but I had large stacks that completely failed. With smaller stacks the impact is reduced and with virtual stacking I do not see any drawback in the maintenance. The only drawback is that now we need more SFP+ ports in the core because we have more stacks. And there the MS425 is again my choice. ... View more

As @DarrenOC says, it all depends. And if you only have 4 Access-Stacks, I would also think about a 355s core/server-switch. But the moment I plan for more than four access-stacks, I would also directly go for a MS425 as the core/aggregation. ... View more

You don't specify what your AP needs to be capable off. So the general advice would be "any of the actual APs" Meaning Wifi6 or better. My device of choice was the MR44 for a quite long time. This changed for some customers to the MR57. Just because an highly expensive AP that you get delivered is better than a less expensive AP that you get delivered in 300 days. ... View more

Have you ask yourself if you really need a faster MX? I have a couple of customers with 1Gig internet and even running a MX84. For sure they can't reach Gigabit-speed, but also when they had the slower Internet before, they never got to the max. And being "restricted" to 600 M will be sufficient for nearly everyone with a network that is small enough for an MX68. ... View more