I would go 5Ghz only, and disable 2.4Ghz.  2.4Ghz causes so many problems.  It is common for 5Ghz devices to attach to 2.4Ghz and cause intermittent issues. ... View more

The GPS in a mobile device is power hungry.   Weather a user experiences any difference will depend on weather other apps they use also use location services.  If they did the user wont notice any difference.  If they didn't then they now have something extra turned on using power that they did not have on before.   Amongst my clients I haven't had anyone report any difference in their battery lifetime,     I guess this will depend a lot on the device.  Take Android for example, it will automatically remove CPU time from apps not used frequently, but differnt manufacturers use different triggers for this.  Often the triggers are related to how much battery the device currently has. ... View more

How are you simulating failure?  Pulling out the WAN cable?   If so that is abnormal.  This may be related to the carrier you are using or the USB stick.  Have you got a different kind of USB stick that you can try? ... View more

Also is the MR33 being powered by a 30W 802.3at switch, an 802.3at power injector or a power cube?   If you are only using 802.3af they can retard their performance.  If you go Wireless/Access Points it will report its power source. ... View more

To me this is showing clients authenticating/deauthenicating.  Are you using WPA2-Enterprise mode?  If so, is this AP correctly configured in the RADIUS server?  Is the RADIUS server showing any logs?   You should take a look at Wireless/Wireless Health and see what it reports.   It is possible you are being attacked and someone is sending de-auth frames.  Check out Wireless/Air Marshall.  You don't want to see any Rouge SSIDs, spoofs or malicious broadcasts. ... View more

Use bridge mode instead of NAT mode on the SSID.   Turn off 2.4Ghz if you can.   Failing that take a look at Wireless/RF-Spectrum to see how much spectrum is available.  If it is used a lot you may need to deploy additional access points to try and reduce the contention of your clients trying to get access to RF airtime.   I would also check out Wireless/Wireless Health, and see if there are any general issues showing up.   I guess you could also check Wireless/Air Marshall to see if you are being attacked.  You don't want to see any Rouge SSIDs or Spoofs or malicious broadcasts.   Also if you are not running at least 25.13 you should upgrade to that. ... View more

You could also make the period longer than a day.  This wont affect most users as they are not coming back.  Users staying for longer periods of time then wont need to keep getting re-sponsored. ... View more

Perhaps check out this switching example. https://documentation.meraki.com/MS/Layer_3_Switching/Layer_3_Switch_Example ... View more

ps. I tend to change the output to "Download" so I can load it into Wireshark. ... View more

If you start in Network-Wide/Clients, and then click on the client, packet capture shows up near the top.   You could also go Network-Wide/Packet Capture, and create a packet capture like the below: ... View more

The site to site non-Meraki VPN configuration is organisation wide.  By default every MX will try and build the VPN.  The tags are used to limit which MX's should attempt to build the VPN. https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#Peer_availability   When you say to include a VLAN in a VPN it is included in both AutoVPN and non-Meraki VPNs.  You can't specify a seperate list only for non-Meraki VPNs.   With these limitations it may not be possible to build the non-Meraki site to site VPN and have it work in this case because of the overlapping subnets.     On the ASA side it could be done, because the ASA supports doing subnet NAT based translation for VPNs - you could make this work - but this is an advanced configuration. ... View more

With switches all the packet forwarding is done by the silicon.  The CPU and memory are used by things like dynamic routing protocol updates, spanning tree calculations, and the like.   Unless you have at least 10,000 layer 3 routes in your network you probably don't have to worry about CPU or memory.   Throughput can be gauaged from the Network-Wide/Clients view.  If you are only using the Gigabit ports, then your maximum throughout would be 2 x 24 Gb/s, or 48Gb/s.  So if you don't see the graph getting close to this you don't have an issue. And even then, you could then consider using the 10Gbe ports for high traffic generators/sinks.   ... View more

You'll probably enjoy April the 29th. ... View more

Correct. ... View more

If they are worried about the RADIUS traffic being sniffed then they should use PEAP, EAP-TLS or EAP-TTLS to protect the authentication.  I would not be sending authentication details over clear text.   I don't see much point in adding another layer encryption over the top again. ... View more

No it is not free - but it is a fully fledged MFA. ... View more

The reason why there isn't much effort is Microsoft have only made a half-hearted effort at providing MFA outside of the core Office 365 family of products.   You might want to consider one of the more serious MFA providers like Duo. ... View more

You could put the MX in both subnets (disabled DHCP for the 192.168.100.0/24 subnet).  Then for the one client statically configure it with the gateway of the MX for the 192.168.100.0/24 subnet. ... View more

In that case your options are limited.  The 192.168.100.0/24 subnet will be able to talk to 192.168.1.0.24 via NAT, but 192.168.1.0/24 will not be able to initiate traffic into the 192.168.100.0/24 subnet. ... View more

I have a couple of thoughts.   Any chance there is more than one DHCP server on this network (by accident)? Any chance you have a layer 3 router (not the default gateway) attached to this network and it is doing proxy arp? Any chance Windows Internet Connection Sharing is enabled on some machines?  This causes Windows to run a DHCP server and returns the client machine itself as the gateway (and in ARP replies)?     ... View more

Specifically - what traffic are you referring to?   All traffic to and from the Meraki cloud is encrypted.   Are you referring to client traffic being bridged to the local LAN?  In which case, why can't the local LAN be trusted?   If you are wanting to securely tunnel traffic to a perimeter network then you could consider using an MX, and have the AP send the traffic over a VPN. https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide#SSID_Tunneling_to_an_MX_VPN_Concentrator ... View more

On your MX add a static route for 192.168.100.0/24 pointing to 192.168.1.200 - so you have that bit correct.   Is by chance this other gateway a firewall or performing NAT between its LAN and WAN IP?  You will need to stop that it make this working.     It may be simpler to take over the 192.168.100.0/24 on the MX, and get rid of the other router. ... View more