Guys   Thanks and I am playing with PagerDuty and using WebHooks, but this is still with the 5 min limitation - I looked at Auvik but could not get it working, although it does look like it could work well.   I may have to persevere.....     ... View more

I got your back.   ... View more

I found that anything less than a 30 second delay was sketchy. It might toggle the PoE or it might not. I think it depends on timing and latency. The ping idea is clever and I'm disappointed in myself for not thinking of it myself.   I guess I'll need to make a get-client type call to grab the IP address, but that should be easy enough. This should speed up the script considerably. Thanks for the idea! ... View more

@cmr I'm at the low level design/ building instructions phase of the design. So it will be while before I get my hands on the hardware. ... View more

@PhilipDAthOhh Is it , this is on SOPHOS XG Firewall. ... View more

>Could you elaborate more on "we do all client management via Amazon AWS" ?   We operate a SOCKS proxy tunneled through SSH via a server located in Amazon AWS.  Any remote manage of clients is done via that.  It also logs every IP flow through it, and connectivity to it is authenticated using an SSH key. ... View more

Another top tip for locations:   You can set up locations based on network requirements, say for example you can have an Ethernet only network location by removing all other network interfaces by judicious use of the minus button.   Another good use of the locations is to check to see if networking issues can be troubleshot down to an interface. Say a client can't connect wirelessly: Make a test location, do the Apply and see if this resolves. If it does all you have to do, in the original location, is remove and re-add the errant interface (in this case the Wi-Fi, with - followed by an +) and don't forget the Apply.   ... View more

Thanks for the snazzy new shirt!     ... View more

They had to enable the feature.  They as in support. ... View more

Maybe I wasn’t too clear with my story, but my iPhone, MacBook and Apple TV were the only connected devices. All were connected on 802.11ac with a Tx rate of 867Mbps and MCS9.   When I tested the MR33, I’ve shut down the other AP’s to prevent interference. Permitted minimum bandwidth speeds is set to 54Mbps.   Your recommendation regarding the channel width doesn’t apply in my scenario as I am looking for maximum speed. ... View more

+2 for higher DH groups now.   I'd also kill for a higher client VPN setting. Support can bump you to AES-128/DH14, but it is still not great! ... View more

Are you in Windows? Try accessing it via IE and see if UAC is interfering. Once I'd told IE to allow it, I was then able to pull copies into Postman via Chrome. ... View more

I currently run this way.  I have a read only login to my main ISPs Meraki dashboard to gain some visibility, then I have my own Meraki dashboard to configure our own devices.  Works really well, and when you log into the Meraki website initially, it allows you to choose which dashboard you want to work with.  It's quite slick actually. ... View more

Thanks for the input ... View more

We use a Meraki MX as a Firewall appliance and have DMZ networks on it. Essentially create a separate VLAN for each DMZ and in the Firewall rules, deny all access from the DMZs to the Internal network and other DMZs. We then connected the MX to a core router that has another MX handling the SD-WAN VPN. This allows you to restrict DMZ access as @cmr said. ... View more

I would create separate DHCP pools for guest and dev with attendant vlans, tag the vlan on the SSID, and utilize wireless client isolation instead. It's more work up front, but leads to better client experience long term.   @Nash Agreed. 👍 ... View more

No need for a USB-to-console-dingus to get access to the unit locally . ... View more

Yes that was dry sarcasm. I’m one of em. Er, was? ... View more

Windows tries to use the client VPN credential to authenticate to remote resources by default.   Two solutions:   1. Setup RADIUS authentication using NPS so that you can log into the VPN using your Active Directory credential. This is my preferred solution wherever possible.   2. Edit your phonebook to force the VPN connection to use your AD credential. I usually do this with PowerShell, since I don't have any environments where a client needs to use not their Windows credential to authenticate to a server.   Step one: Open PowerShell ISE Step two: If you don't see a white pane, hit CTRL + R to open it Step three: Paste the following block into the white script pane, and run it:   $PbkPath = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.Pbk' (Get-Content -path $PbkPath -Raw) -Replace 'UseRasCredentials=1','UseRasCredentials=0' | Set-Content -pat $PbkPath   ... View more

It was a great week! Cracking up at just how paralyzed my face is... I swear I thought I was smiling in that photo. 🤣   Not pictured: The friendly doggo who wandered around the training lab for two of the three days, especially if you had snacks. Did she get snacks? No. Did she HOPE for snacks? ETERNALLY. ... View more

Mini cows!?!? Sign me up! ... View more

What does your network topology look like? Or more specifically, what's upstream from the switches? ... View more

"If the MX is configured as a Hub, it will build VPN tunnels to all other Hub MXs in the Auto VPN domain (in the same same dashboard organization). It will also build VPN tunnels to all Spoke MXs in the Auto VPN domain that have this MX configured as a hub. If all MXs in the Auto VPN domain are configured as Hub then the Auto VPN has a full mesh topology." That reads a lot better!   It's a 128-bit AES cipher. I added that it's an AES cipher to the "How Auto VPN Works" section under #3, it's in the image that you mentioned was grayed out, and it's in the "Auto VPN vs Non-Meraki Site-to-Site VPN" section.   I am personally always negotiating with our internal teams to find a balance of detail we can share, and I appreciate the feedback around why this information is helpful. I understand why missing those details is frustrating, and I'm always pushing for more. This is good, but I would suggest that it states AES128 plainly. We see this question every now and then here in the community, and it's still a requirement for audit purposes for many organizations to be able to state what level of encryption is being used on their IPesc tunnels. I totally get the way Meraki operates and how you control what information you share, but in my mind this sort of thing should be stated clearly, and plainly for all to see. It's not part of any secret sauce. Thanks @CameronMoody. Great work here!     ... View more

@CarolineS 👌 ... View more

Each solution has its own advantages and purpose.   Teamviewer and Google remote desktop are really designed for remote desktop and they're really good at that. Although I hate the issues I have with teamviewer and their "commercial use suspected". So I've recently switched to Google remote desktop, but it's not as good yet imo. I thought logmein had gone under, but apparently not.   VPN brings devices into remote networks and are therefore more flexible. Accessing file shares or other resources like databases works just like when you're local. So you can also use the regular software clients you always use. You also don't need a computer in the local network that you "take over". So concurrent connections are no issue. ... View more