The only way I l know of is to change the client tracking setting (and then you can change it back again) - but you can't do this for all network setups. https://documentation.meraki.com/MX/Monitoring_and_Reporting/Client-Tracking_Options    The most common reason I've seen for "Device removed from network" is when a client is manually added to the dashboard (such as pre-provisioning a new client with group policy) and then it never connects.   It might also be the Dashboard has not seen the client in a while. ... View more

@cmr @KarstenI  - Turns-out that our last mile circuit provider had their end of the circuit at the demarc configured wrong. As soon as they fixed it, speeds became normal.     So, at this point, our first VPLS connection is up-and-running successfully.   I'm going to go home and get some sleep now.   Cheers!   Twitch   ... View more

@Bruce- It appears that your theory about excessive STP activity is correct:     **Update** I just spoke with support and they told me the overall STP topology looks stable, and that these events in the log are most likely not having much of an impact.   ... View more

The Meraki world is not different than normal Cisco world. Having that vlan100 on both MX and core switch and acting as management vlan for switches doesn't sound good for me. That's the only thing that I want to point.   We have similar setup in our location.  I have the management vlan on MX which is a native vlan on the MX port and acting as management for switches, then another vlan on the switch core for management of the access points. I need another vlan just because S2S VPN, but in your case another vlan for AP's is not needed.   ... View more

@Inderdeep- Yup. You helped to reinforce it though. 😉   ... View more

I'm not aware of this kind of device but when I have seen this happen in the past it is because the device has a "burned in" IP address, and even though it is configured with a different address, it still uses the burned-in one for some packets.  You could confirm this with a long-running packet capture.   I have most commonly seen this with security cameras where they use the magic burned-in IP address for initial configuration.  You fire up the configuration app, and it tries to talk to the magic IP address knowing that no matter what configuration the user has given it, it will work. ... View more

>Where do you typically put the management VLAN - on the layer 3 switch, or on the MX?   MX.  You can screw up the internal routing, VLANs, etc and as long as you have a connection to the Internet, you can fix it remotely. ... View more

Also I would do both a UDP and a TCP test.  AutoVPN uses UDP mostly.   If there is no traffic shaping, you would expect them to get the same result.  If the results are different ... ... View more

@PhilipDAth  That would be ideal, and I agree completely. Unfortunately, it's not a decision I get to make. I made the request, but I was asked to see if I could get the test working without needing to spend money on a separate internet circuit.   So, I separated the two networks in the Dashboard and I was able to get the MX and switches connected to the Internet using our existing circuit. Not ideal, but so far so good.   Twitch ... View more

I ended up running a building to building bridge from Ubiquity. ... View more

Well, damn. The situations you inherit sometimes...   Thanks, @cmr. New onmi antennas are being installed tomorrow. Hopefully it's not too late. ... View more

Full information of OSPF on MS switches https://documentation.meraki.com/MS/Layer_3_Switching/MS_OSPF_Overview ... View more

Thanks @BrandonS. I appreciate the info. That confirms what I suspected as far as how the MX would handle the trunk and the VLANs.   No worries on the VPLS stuff. Up until a few months ago I had never even heard of it. The learning curve has been rather interesting, but thanks to several fine folks out here on the forums I think I have a good understanding of how to get it to work correctly. I hope...  😬   Twitch         ... View more

for my $.02,  there are settings to prevent devices from roaming as long as there is a tiny bit of signal.  older cisco wireless phones for example can be set to a power saving mode that restricts it's radio from even looking at other APs to see if there is better signal until it nearly looses the one it has.  Could be your scanners were designed that way to extend battery life. ... View more

Thanks for the thoughts.  looking like the industrial hubs behind the AP is the primary problem.  at one of the locations, i can connect the power meters directly to the AP ethernet port and they work fine.  When the meters are behind the switch, they lose connectivity.  Part of the problem could be the meters don't initiate any communications.  The metering "system" polls the meters.  ... View more

@Greyston It almost sounds like you would be better to hardwire an outdoor WAP rather than using an outlet on a wall thus avoiding contacts getting dirty.    If you are having trouble with your Meraki Rep I would look for another in your area.    Where are you located, possibly there is another community member close to you that might be able to help.  ... View more

Excellent news @Twitch, glad you got it sorted.   I find these sort of bizarre situations are all what communities are about as someone somewhere might have had a relevant experience. ... View more

@Twitch yep, what you’ve said is correct, you should be able to use private IPs on the VPLS and then NAT them to public in your data centre. You just need to give some though as to how you are going to do that. Are you going to have VPN concentrators that terminate tunnels from the remote sites, and the hand-off to other firewalls (possibly MXs) that then do the NAT; or are you going to go without VPNs which means you’ll lose some visibility into the site as all traffic gets NATed at the remote MX. You could go with a no-NAT solution at the remote sites, but then that would mean a potentially higher overhead in managing your route table - and you’ll likely need support to enable a few things. ... View more

Congrats to the winners! ... View more

Well lookie there. I just learned something. Thanks for the documentation link. That page is very helpful. 👍 ... View more

@Twitch whilst it is true that VPLS is effectively layer 2, so you could have just switching, this would mean that your broadcast domain spanned all your sites and the switches would need to perform spanning tree negotiations etc, across all sites.    We have MX HA pairs at each site and their WAN ports can directly see each other.  As we have two WANs we can load balance across the two links.  If you had a switch at each site, you *could* use LACP to bond two ports (VPLS WANs) together but I think this would be a horrible mess if and when there was any congestion or packet loss etc.   In short, I wouldn't get rid of the MX at each site just yet. ... View more

Hey Darren - that's crazy, but par for the course. Folks just don't think about the environmental conditions when it comes to technical equipment. You can talk until you're blue in the face about it, but the negative impact never reaches the gray matter on the receiving end. By the time they finally realize the extent of the problem, it's too late.    Thanks for the suggestion. I think that's exactly what I'm looking for.    Cheers!     ... View more

@Twitch wrote: I am an old school command line guy, and sometimes things don't "click" in my brain with the GUI interface.  So am I ... Yes, adapting the Meraki "thinking" is sometimes difficult. I also have problems from time to time. 🙂 ... View more

Your interpretation is correct, the items in that allow list on the Threat Protection page are related to the AMP engine, so any sites you explicitly allow there get excluded from malware scanning.  But agreed, the items you listed certainly look like you would want them blocked, not allowed.  Look up whatever the URLs happen to be.  That's for the AMP piece, and the same concept for the IPS basically applies, but it's possible there was something legitimate being blocked which prompted them to put something in the allowed list.    Also, just a thought, see if you can go back in the change log, see if or what else was changed around the same time, and also see if you can correlate the changes with anything you might see in a Security Center report if it was within the last couple weeks.  You might be able to go back further if there were Security Center email reports configured, as long as you can retrieve those emails.   ... View more