A per SSID limit is the maximum bandwidth for a given SSID, per access point. The calculation you mentioned above works in theory, but it assumes that your guests will be equally distributed across all available Access Points, which in the real world is very unlikely.   Additionally, 500kbps bandwidth for a given user is realistically worse than having no wifi at all. For most websites and web applications these days it will be too show to be usable. ... View more

Your MX is receiving an IPv6 address on the WAN because the ISP is distributing one via DHCP6. There is no way to disable the MX from receiving this address.   If you believe it's causing an issue, contact your ISP and ask that they disable IPv6 on the link. Or you could try contacting Meraki support and see if they can disable it on the MX from the backend (not sure if this is possible or not)       ... View more

Congratulations! Well deserved by all. ... View more

That's really interesting. I'd never thought about how air pressure alone would impact the ability for cooling.  It hasn't come up as an issue so far (and I don't plan on installing Meraki gear on mount Kosciusko) but good to know nonetheless. ... View more

Despite being an advocate of Meraki gear, an MX75 is pretty expensive for a home network.   If your only requirement is a Cisco device that does L3 routing with 1Gbps throughput and you're comfortable with Cisco CLI, you could always pick up a second hand Cisco router or L3 switch cheaply. Old Cisco ISR's probably go pretty cheaply. Or something like an RV340 would probably do the job. ... View more

Agreed - altitude would be a more appropriate factor for MR's. I can't imagine altitude itself would have nearly as much of an impact on general equipment functionality than the related changes in temperature and humidity. ... View more

What do you mean by limited connectivity? What is the symptom youry seeing?   It shouldn't really matter but one significant difference between phones and laptops is that phones will but default use a randomised MAC address (that doesn't match any vendors address space) rather than their true hardware MAC address. ... View more

You'll most likely find that people tend to design their networks differenly based on requirements. There's really no hard and fast rule for a lot of what you're asking.   That said, a few comments to help get you started: - Read up and understand where different firewall rules apply. For example MX L3 firewall rules don't apply to traffic transiting a site-to-site VPN. You would need site-to-site VPN firewall rules for this traffic. - Apply firewall rules as close to the source as possible - When planning the rules remember, someone has to maintain them. Complex rulesets quickly become overwhelming if they're not very well documented. Sometimes it's easier to be a little more open for the sake of simpler rules and thus fewer mistakes in creating and maintaining them. - Meraki has many places to put firewall rules (MR, MS, MX, group policy etc.) I suggest try bring consistent for wherever you place the rules. There's nothing worse than trying to troubleshoot a problem through a tonne of rules across multiple locations. - An "Allow all traffic going to internet" rule is basically "a deny traffic not going to the internet" rule - deny 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 ... View more

Multiple. Firewall rules, RADIUS config to name a few. As I said, there's a few things to check that should help narrow it down. ... View more

A few things to check would be:  - That there's no ports blocked between AP and RADIUS server  - That the AP's IP Address is configured in the RADIUS server as an allowed client it will accept requests from   A few other things you can try are running a RADIUS test from the dashboard (https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise#Testing_RADIUS_from_Dashboard) and checking the logs on the RADIUS server  ... View more

I should clarify that here I'm talking about 2FA via authenticator apps such as Google Authenticator or Duo. Multi Factor Authentication can actually be achieved in other ways such as certificates and/or AD device/user security groups (via a radius server) ... View more

MFA for wifi auth is doable via WPA2 Enterprise and a radius server that supports MFA integration.   That said my experience is that MFA is rarely used for this as it can is it creates a poor user experience. MFA will be required every time a user reauths. For some laptops, this can include being woken up from lock or sleep (when it goes into low power mode). Also anyone who is on the fringe of the wifi range and encounters disconnects may keep getting requests for reauth. ... View more

Ekhau is more or less the industry standard. But as @alemabrahao mentioned, it is expensive and does generally require some training on how best to use it ... View more

That's a good question. Probably best to ask your Cisco rep. ... View more

You can place Meraki AP's into survey mode https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Conducting_Site_Surveys_with_MR_Access_Points ... View more

Licenses typically show invalidated if they've been claimed and then unclaimed in the dashboard. Check the org change log to verify if that's the case. Otherwise it's probably best to contact Meraki support to confirm the reason they have been invalidated ... View more

You can find the info in either the switch's event log, or by sending to an external syslog ... View more

You're spot on. In fact, the below doc desribes exactly what you've said and shows an example of what the "firewall info" page should have (source being dashboard IP's, destination being public IP of RADIUS server) RADIUS Proxy for WPA2-Enterprise SSIDs - Cisco Meraki ... View more

Correct. All access points (MR's) use the same license SKU's.   Switches (MS) and Security Gateways (MX) have license SKU's that differ depending on the model. ... View more