I’ve seen clients with about 20 AutoVPN spokes pushing about 150Mbps of traffic through a MX84 configured as a concentrator. The worst the MX performance was hitting was around the 50 mark, so still headroom in it. ... View more

The biggest downside with the solution is that you can’t configure WAN2 on the secondary MX in a different manner to the primary, but usually that’s a small price to pay, and may not be an issue. For instance WAN2 on the primary may be a 100/40Mbps internet circuit, and on the secondary it may be a Cat6 LTE - which may give a similar performance. ... View more

Great idea @cmr, we can all make our own 😀 ... View more

What about a Meraki hoodie... there were some MX one’s around for a short while, but maybe we need an API one for the scripters. ... View more

Yep, connect one ANT-25 antenna to both the top ports, and another ANT-25 antenna to both the bottom ports. The difference with the MR84 (being a 4x4 access point) is that all the ports are dual band (so both 2.4GHz and 5GHz) and you want to have the antennas covering the same area so that all the smarts of 802.11ac Wave 2 work as expected. ... View more

The only way I could think of doing that is to get creative with a script and an API, and see what can be done there. Something along the lines of alerting via a Webhook on movement, then have a script to a trigger a number of snapshots on the camera, that you then post somewhere. It’s a basic outline, but should be achievable. ... View more

@NickHorton I believe what you are referring to is what Meraki have called ‘Motion Recap’, where it blends frame together to show the motion.   You should be able to disable this on the Motion Alerts page under the Camera Settings.   ... View more

Sure, no worries.   1) The 802.1x processes by themselves allow for a user to be authenticated and for a VLAN to be assigned to the port. With the original 802.1x once a user was authenticated and VLAN assigned there was no way to change the authorisation on the port until the user physically disconnected and reconnected. Modern systems required that if security conditions change the authorisation of the port can be changed, and hence in the last five years or so switches have supported CoA to enable this. You need a RADIUS server that supports CoA (e.g. Cisco ISE, Aruba ClearPass) if you’re going to use it, but for standard 802.1x almost any RADIUS server can be used. See here, https://documentation.meraki.com/MS/Access_Control/Change_of_Authorization_with_RADIUS_(CoA)_on_MS_Switches   2) There is a document (which I can’t find now) which outlines the compatibility of Cisco ISE with Meraki MS switches. From memory they don’t support URL redirect, and they definitely don’t support TrustSec/SGT (the MS390 is slightly different, but best not go there). EDIT: found the document https://community.cisco.com/t5/security-documents/how-to-integrate-meraki-networks-with-ise/ta-p/3618650   Hope this helps. ... View more

When RSTP is disabled on a port, the port takes no part in spanning-tree, so it always passes traffic. It won’t send BPDUs, and it won’t process incoming BPDUs (so essentially they get dropped). The recommendation is generally not to disable RSTP as if you do get a loop it will take down your network. ... View more

The MX only forms it’s AutoVPN tunnel on the WAN ports, so you won’t be able to get the SD-WAN working if you’re using a LAN port on the HQ MX. ... View more

If you don’t want to purchase a concentrator for the head-end then the only other option with the Meraki solution is to get a route to the internet from the MPLS network. This could be one that the MPLS service provider can provide and manage for you (it only needs to be small, and just needs a NAT for outbound traffic). The alternative is you can add yourself if the MPLS provider lets you inject a default route into MPLS network (obviously you then need to ensure the routing is correct and that it’s secure - similar to the concentrator model, but slightly different). ... View more

Hi @BeniMaurer welcome to the exciting world of Meraki. If you hit any bumps with your projects then don’t be afraid to post int the forums, it might just be something someone knows how to fix. ... View more

It depends how many switches you have and the variety between port configurations. If there is a small number of switches or the switchports are all configured pretty much the same, then it’s pretty straightforward to configure through the Dashboard - select multiple ports and configure all the ports in one hit. Obviously there may be Layer 3 interfaces and the like to configure too, but the bulk of the configuration is normally the ports.   If there is a bit more variety between the switch port configurations then I’d look to the API. You can write a script to extract the current configuration from a port and write it to the new switch. It may take a bit of effort, but will be way less mundane and hone your scripting skills. There’s probably something to do this (or very close to this) already on GitHub. ... View more

Welcome @GregLiu. There's plenty to learn about the Meraki APIs - there's a technical forum just for them. If you haven't already found it, it's also worth checking out the Meraki section of Cisco DevNet, that's got some great stuff to get you going with Meraki APIs, https://developer.cisco.com/meraki.  ... View more

Welcome Cody. I hope you're able to get an insight as to some of the things that can be done with the Meraki solution from the forums. And there's plenty of people ready to make suggestions if you find yourself stuck anywhere. ... View more

Welcome Bernard. Sounds like you have a lot of interests and experience there. So far as simplify, automate and secure go you’ve found the right product in Meraki - just add your favourite scripting language to the Meraki APIs and off you go. There’s a bunch of great people in here who can help point you the right way if you get stuck. ... View more

For straight 802.1x assignment of a VLAN when a user first connects to the network, CoA isn’t required. Enabling CoA configures the switch to listen for CoA messages from the RADIUS server. This allows some more advanced servers, e.g. Cisco ISE (there are other vendors too), to tell the switch to perform the authorisation of the switch port again, so allowing the VLAN to be changed after initial authentication has been performed. This is useful where the RADIUS server has separate threat feeds, or is performing ongoing posture monitoring and can detect, or be informed, of a change in the client state.   There is also a new feature that you may be interested in too called Group Policy ACL, https://m.youtube.com/watch?v=nekC3_z5SDk. It’s akin to dACLs on the Cisco Catalyst. I can’t find any information on the Meraki site about it, but it was included in the MS14.5 release notes - so you’d need to run the beta code train. ... View more

@Paul_H Are you sure on the "Cisco ISE is only NAC that can hand out SGTs"?   In a pure Cisco Catalyst environment this may be the case as you need Cisco ISE to no only act as the RADIUS authenticator, but also to authenticate the infrastructure and create the source SGT to destination SGT matrix that is then downloaded to the switches when requested.   In a pure Cisco Meraki environment I was under the impression that the infrastructure is authenticated by the Meraki cloud, and the source SGT to destination SGT matrix, i.e. the Adaptive Policy matrix, is also managed by the Meraki cloud. Using these alone you can statically assign a port to an Adaptive Policy Group. If you introduce 802.1x (for dynamic Adaptive Policy assignment) then my understanding is that all the RADIUS server needs to do is return the AV Pair to assign the SGT number. Now admittedly this is in the Cisco AV Pair format, but so long as the RADIUS server can return this pair in the required format then surely it can inform the switch which Adaptive Policy to use? Or have I missed something?   (Don't get me wrong, ISE is an awesome platform, but is it really needed for a simple Meraki network using dynamic Adaptive Policy?) ... View more

Just to add to this, the Advanced License is only relevant to the MS390. Adaptive Policy is available now, you have to be on Per Device Licensing and you need to be on the MS14 ‘beta’ firmware - it’s built on, and is interoperable with, Cisco SGT technology. ... View more

In addition to what @ww wrote, there is a key point when adding the MPLS circuit, as you intend to. By bringing the MPLS circuit into the Layer 3 core too, whether via a firewall or not (depending on your security requirements), you’ll provide a path to the internet from the MPLS network, which is required for the AutoVPN to work over the MPLS network. And the tunnels that form over the MPLS will also be able to reach the one arm concentrator. ... View more

I don’t know if there was a change. A lot of people seem to be reporting the same thing across all browser types (I’ve had problems on Chrome and Safari). Solutions generally include Reload (Ctrl+R), opening in Incognito/Private mode, or clearing the cache.   Hope this helps. ... View more