Thank you. I made this: Merakicode/RogueAirMarshallAllIn1CSV at main · jadexing/Merakicode Pretty happy with this.  ... View more

THis is the info I was looking for. Thank you much!  ... View more

Is your Organization (Dashboard) using Co-termination?   (most Dashboards are) You can check under Organization > License info. If so the key thing is that everything is licensed together - so must be renewed together  - you'll see in that page a single expiry date for everything. To extend that date out significantly, you'll need one licensing order that provides coverage for all the meraki devices in that Org that you still want to be working, once that renewal has been applied. ... View more

We are Paying for Umbrella SIG Advantage. https://documentation.meraki.com/MX/Site-to-site_VPN/MX_and_Umbrella_SIG_IPSec_Tunnel but it is not configured as mentioned because we need to keep static IP addresses. We were going to test this functionality, but never did get that far (AT&T will just stop replying to tickets and it's been 9 months of torture trying to get them to help get this all working). From what I read in that article, it seems like it indeed will change our Public IP which is something we can't do. (Technically it is partially configured, they created the tunnel but it is not established or up and running). That said, I do have Intelligent Proxy and SSL decryption enabled on all of our policies and all Secure Clients have Umbrella installed and enabled. As far as I understand, though, the firewall policies in Umbrella won't have any affect without the Tunnel up and running hence the all are registering 0 hits over the last 30 days).  I was kind of hoping that in the interim I could use the built-in Meraki firewall rules to at least get some cover for an upcoming audit, but it only seems to be applying to the SD-Wan users and users connecting via Secure Client, the rest of the users on the LAN aren't affected by these settings as far as I can tell (tested by trying to get to an external http service I have running on an unconventional port out on DigitalOcean; I can reach it fine on the LAN despite there being no "allow" rule for this port but when connected via Secure Client and or on the SD-Wan network, I cannot access the site indeed).  ... View more

Some Apple documents that might be of interest for some. https://support.apple.com/en-jo/guide/deployment/dep3b0448c58/1/web/1.0 <- See the AutoJoin section, for some "dbm" numbers.   https://support.apple.com/en-gb/guide/deployment/dep98f116c0f/web <- See the "Selection criteria for band, network and roam candidates" for some "trigger" values, how much better the new signal must be, and preference in wide channel, and "Wi-Fi generation" when roaming.     ... View more

That's fine - just mark your own comment as the solution...  😂😉 ... View more

Thanks for the feedback. I'll see about logging a ticket. ... View more

It's not quite what you described - just wondered if you'd seen / tried this:   https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Blocking_and_Allowing_Clients   This can also be done via MAC Authentication Bypass and an appropriate central RADIUS server (like Cisco ISE), in conjunction with 802.1x - this would be the recommended way for anyone looking at mulitple sites, I'd say ... View more

As CMR suggests, if it's your email, simply change the associated password and check out availability of any 2FA tools.   I would recommend SAML too - in fact;  user-specific accounts more generally.   How would a problematic change be attributable to one admin, if you needed to follow disiplinary (even criminal) processes, if there's no specific accountability? ... View more

Further to PhiIip's suggestion, maybe talk to your ISP about getting that kind of traffic blocked at their end, before it also consumes your WAN bandwidth?   Depends how transient it is, I guess ... View more

It sounds like the ask is for prospective Guest WiFi users to be able to request Internet access using a method similar to https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest   but using Slack as the conduit, rather than email.   This isn't possible natively, right now (in fact, this is the first time I've heard this ask).   I guess it might be possible to do something via the API and some back-end tooling.   The best bet would probably be to talk to an Ecosystem partner - someone like SpashAccess around this. ... View more

Why set up the link between the link between the Catalyst and the MX as a trunk?   While you can do this, it doesn't add much, as you can't operate multiple SVIs over that link.   I'd just go for an access setup in your chosen VLAN, without any tagging.   Hard to say if the MX is appropriate as a purely internal firewall, without knowing exactly what you're wanting from it, though it is certainly true to say this is a fairly rare deployment scenario for an MX.   Remember that, by default, traffic between different VLANs is permitted by an MX - you'd need to configure specific deny rules.    You might also want to look into using no-NAT on the WAN interface:  https://documentation.meraki.com/MX/Networks_and_Routing/NAT_Exceptions-No_NAT_on_MX_Security_Appliances ... View more

Client will always land on the same VLAN. I'll have to look into making it layer 2.   Thanks ... View more

I'd be very careful about using containment, particularly if that SSID is not reported as a rogue (i.e. connected to your wired network);   it's potentially a DoS attack on your part, on a public unlicensed area of spectrum.  If it's just someone else's nearby network, check how it may or may not be affecting your own setup through co-channel interference (the Wireless > RF Spectrum menu)    If it's not overlapping greatly with the channels set on your AP(s) - or is only seen faintly - I'd just leave it TBH.   If it is interfering significantly, maybe have a look at wider spectrum usage where you are and maybe manually set channels (and things like channel width) in your RF Profile - under Wireless > Radio Settings ... View more

MXxxW existis because not all MXs are / need to be / can be locked away in the bowels of a building.   The best use case I came across for these was for a customer who hired out large meeting rooms / small offices for relatively short periods and wanted to stand up a secure 'office in a box' at very short notice - simply by sticking the MX on the desk.    Getting coverage from there was not a problem, with the built-in antennas. For me this comes back to good practise for WiFi ; survey what's needed on a site-by-site basis. It's then about using the right tool (or right set of tools) for the right job. I should probably have caveated my own initial comment too;  'in most cases'  probably reflects the larger businesses I cover.   In SMB 'most cases' might well best suit an appliance with built-in Wi-Fi. ... View more

If you're being up-front with the purchaser, please remind them that they will need to license the switch, in order to use it. ... View more

Thanks both @ww and @GreenMan . That architecture change more or less worked. Maybe a different thread for this but I noticed with this method I can no longer then do Local Internet Breakout (eg, for some traffic I want to break out locally on the VLANs where source based default route -> Hub has been applied) any solution to this? ... View more

Are you sure you really want to do it based upon VLAN?   Any QoS plan should ideally take into account not just the relative importance of the traffic, but also how things like latency, jitter and packet poss affect the application.  It's often the case that the applications that really need QoS wouldn't necessarily  be characterised as the most important.   It's also commonly the case that there's a real mixture of time-sensitive applications and applications with different levels of business criticality running over the same VLAN. ... View more

The MT12 leak detector might work.   It presumably works by sensing the change in current through the sensor cable, so I'd think you could use it as an open/closed detector. ... View more

Thank you, Sir. it works on this plan. Now I want to have to enable IGMP into the specific VLAN on SSID.   Been followed this doc: https://documentation.meraki.com/General_Administration/Other_Topics/Multicast_support#IGMP_Support_on_the_Cisco_Meraki_Switch   But I want to know how to test the IGMP works. Since my AV vendor keeps saying to enable IGMP on AP. ... View more

One trick I've found, to at least discourage employee use of the Guest SSID:   make (true) Guests actually authenticate to access.   Then require them to re-auth regularly.  Because they'll probably only do it once or maybe twice for a brief visit, it's not too much of an inconvenience to them.   But for employees who are there very regularly, it will become a pain and they will most certainly use a different, more appropriate, more friction-free approach if you provide them with one.   Something like Trusted Access or maybe iPSK, for examples. ... View more

You will also need to configure the AP (and the upstream network) to be able to reach public DNS, to resolve the Meraki cloud IPs. ... View more