@Coupe2112 wrote: I'm going through the same thing now, in particular with Facebook (what a PIA) and had to whitelist the following to finally get it to work fully (for now)...   facebook.com doubleclick.net fbcdn.net l.facebook.com external-ams3-1.xx.fbcdn.net static.xx.fbcnd.net scontent-ams3-1.xx.fbcdn.net Did the fbcdn.net not capture the bottom three? or maybe *.fbcdn.net ... View more

I've used both. If you want maximum support and visibility go with the Meraki SFPs.  As @PhilipDAth pointed out, they are not too much different in price from other leading vendor SFPs.   ... View more

For each of the two networks, do they have unique LAN/DMZ addresses?  Are you using any of the Site to Site VPN features of the MX?  If a computer from one of the LANs wants to talk to a computer on the LAN of the other network what path does it take?  Does it go out one MX and back in the other or is there a local path? ... View more

This may be an opportunity to consolidate those connections to the MX as redundant load balance links (WAN1 and WAN2).  But with that aside.  Do you have to select the network drop-down box on the left to go to each MX or do they show up like this in the dashboard?   ... View more

What type of authentication is the SSID setup for?  I assume 802.1x?  Have you tried changing it to WPA2-PSK to test? ... View more

More questions sorry: 1.  Do you have two active internet links total?  Or are two internet links connected to each ASA separate? 2.  Are the MX84's both in the same dashboard network or different networks?  If they are in the same network only one will be active.  If they are in separate networks they can both be active at the same time.  ... View more

@Mikanator wrote: one can already schedule different dates for the upgrades to occur.  By "stage" are you referencing a set order/matrix to auto apply when new versions are released? I believe the staged upgrades only work on switches.  ... View more

Congrats winners.  You'll now be stylish.  ... View more

Sounds good, let me know how you make out.  ... View more

Are you NATing them to a public IP or do they have a true public IP assigned to their WAN interface?  But having one of them on a separate network connection should eliminate the issue altogether. ... View more

We don't use that feature very heavily but my understanding is that it uses a Java VNC client.     https://documentation.meraki.com/SM/Other_Topics/Systems_Manager_Remote_Desktop ... View more

We had issues doing this as well since the MX's need to be distinct public IP to allow the VPN tunnel to establish.  Otherwise, they are trying to establish a tunnel over the same circuit.  If you have another connection you can use for one of the MX setups it would make it easier.  Otherwise they need to have different public IPs assigned.   ... View more

Interesting, my understanding is that the device keeps trying to connect to its upstream WAN regardless of how long it takes for that upstream device to come up.  An example of trying to reproduce this would be to power on the switch and to wait 15 minutes to plugin an upstream network interface to it.  I do this all the time in my office when I'm staging switches and it comes up pretty quickly once I connect the upstream link.  Could you try bouncing the port/uplink from the ASR920 to the MS320?   ... View more

Agreed, the only way to have two MX's in the same network is if one is a spare.  Otherwise, they'd need to be in separate networks.  If the ASA is operating where the MX isn't then there is likely an interface, route or other configuration that wasn't migrated fully? ... View more

Are you staging these by connecting them both to the same upstream switch/internet or will this be their permanent configuration?  What is your ultimate goal?  Any reason to just not have had one MX if they are both at the same site with whatever needed firewall restrictions? ... View more

Isn't UltraVNC or VNC primarily for LAN connections to your clients?  Where things like Teamviewer etc is for remote management?     For LAN connections we use Dameware so we don't have to have a preconfigured agent on the workstation.  ... View more

If you just want to limit per client or per SSID bandwidth you can do that on the SSID without a policy.  Policies would be for more customized things like different content filters etc...  Or possibly bandwidth restrictions for a specific client.  ... View more

This article has the instruction on configuring the DMZ.  https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Security_Appliance   Routing for things is destination based so you'd have some control over that.  ... View more

@kevinl wrote: @Adam, curious about the exact mechanism that you use for the per-VLAN traffic shaping. Is that done by Group Policies, and Bandwidth -> Custom Bandwidth Limit?  Then you use the Addressing & VLANs page on the MX to tie each VLAN to the relevant Group Policy?  (I was thinking this might be a good answer to clients who complain that unlike classic Cisco Cats, the MS series switches do not have built-in bandwidth limiters so they can't shape bandwidth to what the tenant has paid for) Thanks, Kevin Hey Kevin,    Here is the exact steps we use to setup a new tenant. 1.  Security Appliance>Addressing & VLANs and we setup a /24 VLAN.  For simplicity I try to make the third octet match the VLAN number.  Example 10.17.2.0/24 for VLAN 2.  MX IP 10.17.2.1 2.  Security Appliance>DHCP, I turn on DHCP and I usually set .1-.50 as reserved so they could assign any static IPs they need.   3. Security Appliance>Firewall, I setup rules to block their subnet from talking to any other tenants.  You can supernet this depending on how your subnets are configured 4.  Security Appliance>Traffic Shaping, I setup a traffic shaping rule to limit their subnet to the bandwidth they subscribed to.  You can do this by setting custom expression "localnet:10.17.2.0/24" without the quotes and then specify the bandwidth   We now have Meraki APs in the building so next I go to  Wireless>SSIDs and I configure an SSID and do bridge mode and tag it with their VLAN.    Lastly I setup a physical port on the switch as access VLAN x.  This is the port going to their tenant suite(s).  From there they can connect a switch and hookup whatever ports needed and they'll get DHCP from the MX.   ... View more

What type of devices are you managing?  Chrome OS devices? And are these devices local (LAN) or remote? ... View more

Sadly this type of stuff has to be audited.  Sometimes you can sort by name and see if there is a duplicate or similar name indicating that a device may have been replaced.  Otherwise, you may have to reconcile against outgoing employees to see if devices have been retired or removed.  It's one of those things that is easier to keep up on than it is to go back and figure out each one.  We deal with this same issue for our managed AV.   ... View more

Agreed, depending on the data you'd basically have to do your own API call and make a "feed" for the desired recipient and you could limit and lock that down accordingly.  ... View more

I like the twinax cables for simplicity.  They also tend to cost less than getting the SFP's and fiber.  And to generally answer your question.  SFP will work in an SFP+ port but an SFP+ device will not work in an SFP port.   ... View more

@mmmmmmark wrote: And this is another wish. It would be nice if the end user got some kind of splash screen if they tried going to a website hosted in a country that's blocked. Instead they think there's a problem with "the internet". Agreed right now they get no message and, worst yet, it doesn't even get logged in the event log for us to identify.  ... View more

We had a similar deployment/issue.  Unfortunately, the chromecast devices don't have the ability to set a passcode or other security measure.  They are pretty much insecure open devices.  So the only option is to isolate via vlan or to just name them and trust that people will cast to the correct device(s).    In some of our conference rooms we use this solution for a more secure option.  It's a lot more expensive but may be of interest depending on your application  https://www.barco.com/en/product/clickshare-cs-100 ... View more