You will only be in your grace period if your overall Dashboard is over-subscribed.   Bear in mind that in Co-termination, there's no concept of having a license tied to an indivudal device;   Dashboard simply counts the licences claimed for a particular model and compares it to the number of devices of that specifc model that are assigned to a Network in that Organization.   Provided the claimed license count is less than or equal to the device count, you are compliant and Dashboard will be happy.   Those counts are shown in a table on the License info page. Are you sure your Dashboard is in Co-termination? ... View more

The firewall / UTM capabilities of an MX aren't based upon NGFW - containerised or otherwise - they are natively part of the MX.   Some of the associated security tools used by NGFW and MX are common to both though;   e.g. Snort for IDS/IPS and AMP... ... View more

You really need a Network for each site. Create the new Network by cloning the existing one - then edit the bits in the new Network to make it relevant / accurate to/for the other location. https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Cloning_Networks_and_Organizations_in_Dashboard ... View more

Is your Organization (Dashboard) using Co-termination?   (most Dashboards are) You can check under Organization > License info. If so the key thing is that everything is licensed together - so must be renewed together  - you'll see in that page a single expiry date for everything. To extend that date out significantly, you'll need one licensing order that provides coverage for all the meraki devices in that Org that you still want to be working, once that renewal has been applied. ... View more

IF you have multiple VLANs at your site - or tunnels that go somewhere other than SIG - the MX can provide protection related to those flows that never hit SIG.    You need tunnels to SIG (or some other central breakout) because of the apparent need to use a common source IP.   I would certainly be pushing your SaaS providers as to why they still insist on this though, TBH.   But - by funnelling everything through SIG, you also get a more common approach to security, all managed in one place and applied  'near you' (your Cisco DC, wherever you are).   Cloud security such as SIG also offers greater scalability than a small appliance - particularly useful for intensive processes, such as TLS decryption. You might also want to progress on from SIG to Cisco Secure Connect, which is effectively SIG in the Meraki Dashboard, but with added capability for centralised secure remote access also using that common policy - no need to choose any particular MX to point AnyConnect client at...  ... View more

It's really difficult to be able to help here without visibility of your Dashboard.   Basically I'd call Meraki Support on the phone and work through a case with them - firewall rules should apply to all users connected via a VLAN having that MX as their Default Gateway - assuming said traffic is routed, rather than bridged.   Contact details via ? > Get help & cases in the Dashboard - then click the MX tile and follow either Call support team or Call me now, bottom right ... View more

Is your Default route set to pass traffic to Umbrella via a tunnel? (worth clarifying what mean by Umbrella too - are we talking SIG or Secure Connect?) Bear in mind too that, depending on the MX firmware and what traffic is involved, deny might take a little while to kick in. ... View more

Certainly worth a try, given the circumstances you describe;   there are just more and constant variabilities using anything WiFi. ... View more

That's fine - just mark your own comment as the solution...  😂😉 ... View more

What switches are you using? - I don't believe it's across the board yet - off the top of my head C9300-M and probably MS390 don't support it. ... View more

From the Smart Ports documentation: SmartPorts - Automations is currently available in Early Access. To use this feature, please enable SmartPorts from the Organization > Configure > Early Access page on your Meraki dashboard. To use APIs for Early Access features, also enable Early API Access via the same Early Access page.   https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/SmartPorts ... View more

It's not quite what you described - just wondered if you'd seen / tried this:   https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Blocking_and_Allowing_Clients   This can also be done via MAC Authentication Bypass and an appropriate central RADIUS server (like Cisco ISE), in conjunction with 802.1x - this would be the recommended way for anyone looking at mulitple sites, I'd say ... View more

As CMR suggests, if it's your email, simply change the associated password and check out availability of any 2FA tools.   I would recommend SAML too - in fact;  user-specific accounts more generally.   How would a problematic change be attributable to one admin, if you needed to follow disiplinary (even criminal) processes, if there's no specific accountability? ... View more

Further to PhiIip's suggestion, maybe talk to your ISP about getting that kind of traffic blocked at their end, before it also consumes your WAN bandwidth?   Depends how transient it is, I guess ... View more

Yes - this will work, provided the coverage is adequate.   I ended up getting a cable pulled in, in the end. ... View more

There's no specific change from a default config, to retain footage during a loss of pure connectivity, but I would just check your Quality & retention settings - whether you have Motion-based retention enabled or a Recording schedule set up.   for motion-based, you should still get the last three days anyway - the camera only starts snipping out static footage once it's three days old.  Schedules record nothing outside the prescribed timeslots. Assuming all is OK there, I'd maybe see if you can replicate the issue and involve Meraki Support in troubleshooting. ... View more

It sounds like the ask is for prospective Guest WiFi users to be able to request Internet access using a method similar to https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest   but using Slack as the conduit, rather than email.   This isn't possible natively, right now (in fact, this is the first time I've heard this ask).   I guess it might be possible to do something via the API and some back-end tooling.   The best bet would probably be to talk to an Ecosystem partner - someone like SpashAccess around this. ... View more

Why set up the link between the link between the Catalyst and the MX as a trunk?   While you can do this, it doesn't add much, as you can't operate multiple SVIs over that link.   I'd just go for an access setup in your chosen VLAN, without any tagging.   Hard to say if the MX is appropriate as a purely internal firewall, without knowing exactly what you're wanting from it, though it is certainly true to say this is a fairly rare deployment scenario for an MX.   Remember that, by default, traffic between different VLANs is permitted by an MX - you'd need to configure specific deny rules.    You might also want to look into using no-NAT on the WAN interface:  https://documentation.meraki.com/MX/Networks_and_Routing/NAT_Exceptions-No_NAT_on_MX_Security_Appliances ... View more

I'd expect some content, for a rogue in one or more of these : "wiredMacs": [ "00:11:22:33:44:55" ], "wiredVlans": [ 0, 108 ], "wiredLastSeen": 1526087474 ... View more

I'd be very careful about using containment, particularly if that SSID is not reported as a rogue (i.e. connected to your wired network);   it's potentially a DoS attack on your part, on a public unlicensed area of spectrum.  If it's just someone else's nearby network, check how it may or may not be affecting your own setup through co-channel interference (the Wireless > RF Spectrum menu)    If it's not overlapping greatly with the channels set on your AP(s) - or is only seen faintly - I'd just leave it TBH.   If it is interfering significantly, maybe have a look at wider spectrum usage where you are and maybe manually set channels (and things like channel width) in your RF Profile - under Wireless > Radio Settings ... View more

MXxxW existis because not all MXs are / need to be / can be locked away in the bowels of a building.   The best use case I came across for these was for a customer who hired out large meeting rooms / small offices for relatively short periods and wanted to stand up a secure 'office in a box' at very short notice - simply by sticking the MX on the desk.    Getting coverage from there was not a problem, with the built-in antennas. For me this comes back to good practise for WiFi ; survey what's needed on a site-by-site basis. It's then about using the right tool (or right set of tools) for the right job. I should probably have caveated my own initial comment too;  'in most cases'  probably reflects the larger businesses I cover.   In SMB 'most cases' might well best suit an appliance with built-in Wi-Fi. ... View more