Usually its a matter of looking at the security events in the Security Centre in the Meraki Dashboard, and then whitelisting those IPS signatures.   Of course, you first have to satisfy yourself that the alerts are false and the PDFs don't actually contain a threat. ... View more

The switch port configuration is fine as NAT mode is being used.  In fact, being an access port is more desirable since it won't participate in spanning tree at all.   Start by looking over your logs.  What does the Meraki event log say?  What does the Catalyst log say?   Are there any other non-Meraki APs also connected to this network?  If so, you might be triggering their security causing clients to be disconnected. ... View more

I would download nmap and run a scan against its IP address.  Then you have measured the actual answer.  Otherwise you can only document things you know about - you can't document something you don't know exists. https://nmap.org/download.html  ... View more

I forgot to mention, I have used the MS425, MS350-24X and MS225 a lot.  They are 100% rock-solid reliable.   One other tip.  If you are going to be connecting Catalyst and Meraki switches at the same time to the same network, change your spanning tree protocol on the Catalyst to using MST ("spanning-tree mode mst" - just this one line change on each Catalyst). Otherwise, you can get subtle spanning tree issues. ... View more

Rather than expressing my bias towards them first , check out these threads by other people: https://community.meraki.com/t5/Switching/MS-390-when-is-it-ready-for-action/td-p/80612    And you mostly see mosts from unhappy people who bought them: https://community.meraki.com/t5/Switching/MS390-DO-NOT-BUY/m-p/95581  https://community.meraki.com/t5/Switching/MS390-LLDP-topology-issues/m-p/92618      Back to my bias again.  I'm also a Cisco Partner.  I would not put an MS390 into a client at this point in time.  Maybe in a couple of years, I'll re-look at it.  I think it will take this long to get on top of the bugs. I don't want the damage to our reputation by installing core infrastructure like switching that does not operate 100% reliably.   Based on some comments you have made (I have made a guess about the size of your network); I typically use MS425-16's for network cores or server access blocks.  They are an all 10Gbe SFP+ switch.   I'm also a big fan of the MS325-24X series for mid-size network cores.  Each one has 24 copper ports, 8 of which are MGig, and 4 x SFP+ ports.  You can stack them together and get a really good density of Gigibat, MGig/10Gbe copper and SFP+ ports.   For the access layer blocks, you could also look at the MS355 series (lots of MGig if that is important to you).   I mostly use MS225's (which have built-in 10Gbe SFP+ uplinks) which I 10Gbe connect back to the MS425's. ... View more

Going completely sideways; the MS390 has a bad reputation due to the high number of bugs and defects.   Consider using something else unless you enjoy grief after you've installed the kit. ... View more

Also not that MS L3 ACLs are stateless.  This can start making things tricky if you use them on multiple VLANs and want to do anything other than a layer 3 ACL. ... View more

As I understand it, PMKSA is a per AP cache.  It can only be used if the AP has seen the client recently and the cache of the key is still valid.   You would need to make the iphone roam to a different AP and then roam back again to see this (I would expect).     My initial thoughts are that you don't have a problem ... ... View more

You can use the sandbox. https://developer.cisco.com/sandbox.html  ... View more

Are you talking about people using a domestic VPN service for privacy to bypass content filtering? ... View more

I don't know the answer.   I think it should work.  They are just TwinAx cables after all.  They just happen to be 40Gbe TwinAx that's all. ... View more

To add to the brilliant response by @CN , Meraki devices only use their static config if they can communicate with the Meraki cloud using it.  Otherwise, they attempt to use DHCP.   So something about the static config does not allow the device to talk to the cloud. ... View more

Can you post some screenshots of what the dashboard looks like with these sensors? ... View more

If you are referring to the WPA2-PSK, I have not seen that behaviour.   If you are referring to the RADIUS secret, I have not seen that behaviour.     I have seen issues with web browsers auto-completing the "password".  You go into the dashboard, change some other setting, and without realising the browser has been really helpful and auto-filled in a "password" field for you (like the PSK field), overwriting what was there. ... View more

99.9% of the time this is related to client drivers.  If you have anything with an Intel WiFi chipset go directly to Intel and get the latest driver. Don't use a manufacturer-provided driver.  Many manufacturers are slow to incorporate the Intel bug fixes.  Sometimes years behind.   Are you using WPA2-PSK (which should be fast) or WPA2-Enterprise mode (which will depend on your RADIUS server and settings)? ... View more

One special note is that L3 firewall rules are stateful - group policy firewall rules are not.  This doesn't usually have an impact unless you have a pair of interfaces on them both with group policy applied and suddenly they can't talk to each other without grief. ... View more

Thinking about this further @Tom_FF ; I think I would approach the school about getting a larger Internet circuit (or a second one and load balance if that is more economic).   Otherwise, it's like an Art school limiting the quality of artistic creation.  Something about that just doesn't seem right. ... View more

First; I am gobsmacked that Safari doesn't support 4k content yet.   The solution proposed by @ww  is a good option.  The HTML player will downshift quality automatically if there is not enough bandwidth.   However, if you do nothing this will also happen if your Internet circuit experiences congestion.  If you are not experiencing congestion then you will be able to experience 4k - which I would have thought would have been a plus for your use case. ... View more

Which SAML provider are you using? ... View more

One thing you can do is allow a template to randomly assign subnets to the site VLANs, and then you can go in and just change them to what you want. At least this way you would keep all the other benefits of using templates.   Also note that you will need to open a case with support to disable AutoVPN strict IP address checking.  Otherwise, you won't be able to sub-allocate a /16 into smaller chunks to use in one site for different VLANs. ... View more

No that is not possible.   I can tell you I have transitioned off using this approach quite a bit.  I still use VLANs, but I tend to use per-device group policies enforced by the MX for security. Then you can have three different devices all on the same VLAN but all with different firewall rules.   https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applying_Group_Policies    If you are using group policies in a template this can be very powerful.  Let's say device type "x" gets compromised.  You can make one change in one place, and block just that device at every location from having network access. ... View more