You can still assign vlans on the SSID's. You just can't assign the same tag as the native vlan on the switchport. In the event you want an SSID to tag clients into the same VLAN that is native on the port, just leave that SSID as setting no VLAN tag. ... View more

I don't nearly know the L2TP+IPSEC stack well enough to answer this but (assuming it's accurate), this is a very good write up why this issue occurs:   https://forum.mikrotik.com/viewtopic.php?t=132823 ... View more

Is the SSID the clients are connected to setup in Meraki NAT mode? NAT Mode with Meraki DHCP - Cisco Meraki Documentation ... View more

It sounds like the download is being blocked by AMP or IPS. This applies between VLAN's as well as internet traffic. It does not impact https traffic (port 443) as that communication is encrypted, and therefore the MX cannot inspect the traffic. Threat Protection - Cisco Meraki Documentation ... View more

It sounds likely that you have a firewall or proxy (or other security device) that is performing SSL inspection by inserting its own TLS certificate in the communication flow. You need to bypass this in order to have the application work correctly. ... View more

They don't sound like a particularly helpful MSP. If you have any type of Administrator account to the Meraki dashboard, you should be able to retrieve this information yourself. Assuming you don't you might be a bit stuck. Support will only be able to help you so far if you can't prove affiliation/ownership of the organization/network. ... View more

No, as a ready-only admin, the only 'changes' you can make are power cycling and performing cable tests on switch ports. ... View more

These days NGFW's are essentially fully fledged routers with inspection capabilities. They're typically very flexible with how many and which ports are configured as WAN ports and LAN ports. Some are also modular to add additional ports. They're also much more likely to be able to do policy-based routing for multiple WAN interfaces, along with failover preferences and full IPv6 support. ... View more

To answer some of your questions:   1. No, this is not possible with Meraki devices. The Meraki MX line support a maximum of 2 active uplinks with the ability to add a 3rd as a backup. You can't set failover precedence for specific ports.  2. The Content Filtering page on the dashboard allows you to check content categorization of a given URL. 3. Meraki supports ipv6 but only in dual stack. Starlink WAN connections are possible/supported.   To be honest, by the sound of your use case, you'd be better served with a NGFW (Next Gen Firewall), which is not a product Meraki has. You'd be looking at something like a Cisco Firepower/Fortigate/Sophos/Checkpoint/Palo Alto (to name a few options). ... View more

I'm not actually sure. I don't think I've ever seen a rule before that's all blank. I would have assumed the dashboard wouldn't let you save it. Typically a block all outbound traffic rule would have "Any" for all of the source and destination IP's and Ports. ... View more

As has been stated above, there's no issues if you're using VLANs in the 1-1000 range. That said, it's a good practice to specify the VLAN's that you actually use into an explicit allow list, matched on both sides of the trunk. ... View more

A bit of semantics:   Change: Added vMX-XL specifications; added note "Dual power supply models have an active/standby redundant power supply and do not provide combined power."   This note was added (correctly) to the "MX-Series" section of Portfolio Capabilities in the document. The section is just listed incorrectly here - vMX's are virtual and thus don't have power supplies. ... View more

It's definitely true that you can't download Secure Client from software central without a valid contract. At the very least, that should be in a note at the top of the document. ... View more

You can block specific IP's in the MX Layer 3 firewall rules under Security & SD-WAN -> Firewall. I'd also suggest blocking some of the security related categories under content filtering. ... View more

Fair point, I would assume so. I forgot that Device Uptime had been added for AP's as well (and is now finally showing in my dashboard!!) ... View more

Hope this answers your questions:   Remote access SSL VPN: Requires Any connect licensing separate from Advanced Security DLP: Not a feature of the Meraki MX. You would deploy in tandem with another security solution. Web Filtering: Layer 7 rules and content filtering is supported. More limited than a NGFW however WIDS: The MX does support IDS/IPS or traffic through it but no additional WIDS capabilities    If all of those are a must have, it might be worth looking into Cisco Umbrella integration and Cisco Any connect for a full SASE solution (Cisco Secure Connect) ... View more

A few questions to better understand:  - You mention you have Umbrella appliances. Are these the appliances that the clients are trying to use for DNS? Are you able to point an nslookup directly to your Win2022 DNS servers and validate whether that works?  - Are you trying fully qualified domain names or just friendly names? Does that make a difference? ... View more

There's the possibility that if the AP does actually reboot is quick enough, you may not see a drop in connectivity reported on the dashboard. If it's a relatively known or small number of AP's, I'd consider running constant pings against them and check if any of them drop/disconnect. ... View more

This is good advice.   As others have said, there's a few different methods you can use to track them down.  - BPDU Guard (if they're running STP)  - Looking for multiple MAC addresses on a single port.   The latter will be the more accurate way of tracing, however you need to know your environment well enough to understand in what scenario's you might be seeing that behavior. You might see this from certain laptop docks performing MAC address passthrough, servers running virtualization, switchports connecting to AP's etc.   If you have a lot of switches in your network, you might consider using the API to do the data gathering. You can output to CSV files and then do a lot of filtering in Excel. ... View more

Built in administrator accounts will still work as usual. SSO accounts will actually login using a slightly different portal URL (specified as part of the setup). ... View more

As @jimmyt234 said, if you don't want the VLAN to communicate to any sites across the AutoVPN, it's easiest to disable it for that vlan under Sd-WAN -> Site to Site VPN settings.   Otherwise if it's just specific sites, the site to site outbound firewall rules need to be used. ... View more