Hey, the Meraki design is as follows. The MX250's inside your Datacenter need to be in concentrator mode to be able to use BGP. So if you're using NAT mode right now you will need to have a big change.  That also means if you want your servers inside that datacenter to breakout to the internet they will need a separate router/firewall.   Once your DC's have concentrator mode MX'es they will peer using iBGP to the branch locations but they will use eBGP to peer with the router or switch in the datacenter.  The design is like this so you can use AS-prepending for the secondary datacenter so traffic needs to go to the primary datacenter.   And you can even load balance some branch offices via DC-A and others via DC-B.   The whole setup is explained here: https://documentation.meraki.com/MX/Networks_and_Routing/Border_Gateway_Protocol_(BGP) ... View more

Brash is correct and to add to his post: On the Traffic shaping page use the internet preferences and use the localnet: with the IP subnet of your guest to select that traffic. ... View more

Then how is your core switching setup? Normally these days if you have two separate locations where all your access switches are connecting to then you would have a long distance stack in place (if you are running purely Meraki, then that would be MS425 series of switches).  All access switches have active active links to both core switches and the Palo Alto firewalls should be connected to an access layer stack at each location. Then if an entire location would fail the secondary Palo would take over sending gratuitous ARP to say it is now serving as gateway to the internet.  Since all your access switches are dual uplinked using multichassis port-channels (aggregations) you would not have any outage on the switching side.   If you however deviated from this design we would like to know.  Preferably with a quick visio drawing using hierarchical logical drawing, not subway map type links.   UDLD however is limited to a single link and is actually meant to be used on fiber links only because you usually have multiple physical fiber strands in most fiber links where one part goes upstream and the other downstream.  UDLD is meant to shut down your link (enforce mode) if it detects one of the directions is not working.  Since if it wouldn't do that you could have a unidirectional loop if STP messages no longer reach the other switch and opening an alternative path completing the loop.   So the fiber links running between your switches must have UDLD enforce on if you want to avoid this unidirectional loop. ... View more

I'm also hoping for C9200 series support so more affordable switches can be an option. I also have a wishlist for expanded features that can make use of the larger TCAM space and more advanced chips the Catalyst switches have 😉 ... View more

If you have not seen any UDLD messages saying you have unidirectional links you should have no problems in that regard.  Changing to enforce will only shut those links down if they are unidirectional.   Slow STP convergence in RSTP can only happen in a count to infinity problem and that can only happen in a ring topology which I hope you are not running. ... View more

EAP-TTLS is quite widely supported but you would need to test before going into production with that. I'm not sure about MFA however keep in mind that MFA is not something you want to enforce for wireless and wired network access since every time you roam you may have to approve your connection of you're not doing a fast roam.  That would be a usability nightmare 😉 For VPN MFA is certainly a must have but the config in ISE for VPN is not something I have tried yet. ... View more

Depending on the firmware version of your gear, you could be using UDP/7351 for cloud connectivity or TCP/443.towards the Meraki Cloud for manageability. However the MX'es themselves use a 3 step uplink connection monitor (ICMP, DNS and an HTTP request(not HTTPS)) and if these are succesful the MX is in an UP state locally. So I believe your ISP is only blocking TCP/443 traffic since that would be needed for the cloud connectivity part.   If you're doing a full tunnel for internet traffic then this would indeed not disrupt users.  However local breakout should experience issues then unless that traffic was primarily directed to the other WAN. ... View more

That's on my TODO list 😉 It would be very handy however if the DHCP binding table and DAI binding to port mapping would be something you could query from the switch (perhaps via a REST API call?) Because that won't be an easy thing to troubleshoot without that ability. ... View more

From what I read in your comment I have to assume the implementation is still buggy and needs some troubleshooting from Meraki. This is the same issue I had when I tried it on my home connection.  It worked for a while and suddenly it didn't take even on ports that were trusted. ... View more

If you're using user credentials it would not matter what device you are using as long as it supports EAP-TTLS/PAP on it's supplicant.   I'm not too familiar with windows stuff and AAD but if you can add machine credentials other than windows OS pc's in AAD then I don't see a reason this wouldn't work.   The flow from what I have read is as follows. Your supplicant provides the user or machine credentials depending on the configuration via the EAP session to AAD.  Then for the authorization part, ISE makes an ROPC call to AAD to get the group member ship of the user to use in the authorization rules. ... View more

I've had mixed results with that feature at home alas.  I'm running a Cisco EWC with C9120AX AP's on a Meraki MS210-24P and once on a night suddenly the switches started blocking all packets coming from the whitelisted MAC addresses of the AP's causing my EWC deployment to fail.  So I had to disable the feature again.  I have yet to do another run at this soon.   Normally you have two ways to allow non-DHCP clients. You can put the port on trusted or add a static entry for a specific MAC address. Especially ports containing Access Points are important to check because if you have SSID's that don't enforce DHCP and you actually need static IP clients you will need to or add them all to your allowlist or whitelisting those ports but then you can't enforce DAI on wireless clients. ... View more

If you have an AP for spare of another AP you can temporarily use as capture device use that one and put the AP in the same location where the test occurs and just wireless capture while you try connecting with that windows 8 machine.   You can then filter on only management frames without beacons to see what steps the laptop actually took. This is the filter: (wlan.fc.type== 0) && !(wlan.fc.subtype == 😎   Then you could see the windows 8 machine doing following steps: Probe request (general or for the specific SSID). Authentication (towards the AP) Authentication (from the AP) Association request Association response (should be OK with an association ID) After that there is a 4 way handshake but you'll have to disable the current filter to see that. Btw has the SSID been manually entered onto the device or are you relying on the method to select the SSID and then input the key? ... View more

Click open the AP model combobox and select the model MR33. ... View more

It could be another way of looking at it but you could have a group policy on that user (if WiFi on the AP) or via 802.1X (on switches) to put that user in another VLAN that is not passed to a site to site peer. ... View more

And do you see MR33 in the AP model filter? Would those 7 repeater AP's perhaps be the MR33's you're looking for? And can you also show 1 band instead of 2? Because your screenshot to another answer contains 85 + 1 + 7 AP's but in this radio settings page you only see 22 radios dual band that means 11 AP's. ... View more

You will need to provida A LOT more detail before any troubleshooting can occur.   Are you talking about an autoVPN remote peer or a non-Meraki VPN IPsec peer? In case of the latter are you reaching from this site or from a remote Auto VPN peer towards something over an IPsec peer (in that case won't work). In case of AutoVPN, is the tunnel UP between both sites?  If yes is there a site to site firewall entry? Is the device at the remote site correctly configured. ... View more

If your AP's are listed in the same network as where you are checking the radio settings for you have to make sure you are checking the correct band (2.4, 5,6 or all) and that there is no filter selected.  The boxes up top lets you filter AP models for example. ... View more

The vMX is Azure does not support NAT mode yet. Also the vMX is only intended to be used as a AutoVPN/SD-WAN hub.   To secure the traffic from your servers going to the internet you need to use the native Azure policy or use a full firewall solution like Cisco FTD or a 3rd party vendor. ... View more

It may be a good effort to test first. It makes sense it will bounce tunnels that are effectively changed.  However if you put the same data that is already there I would be hard pressed to believe it would bounce those unchanged tunnels.   However measuring = knowledge so you might want to have a test bed in a different org and check those. I don't have a lab with those devices to test this out. ... View more

I'm not proficient with cloud however I do know you need to add routes for your branch sites in Azure if you are not using BGP and vice versa you will need to announce the Azure vm nets on your Meraki vMX towards the branch offices. So in Azure you will need to add static routes pointing towards the IP of your vMX. And on the vMX on the site2site VPN page you need to add the local networks. ... View more

Aironet IE is something from Aironet AP's, not Meraki AP's.  I don't think they have added the feature. If you are doing a survey with a tool like Ekahau you can edit the measured AP names and just use the mac address to compare to the dashboard AP's. You do have to account for the last hex character counting up for each SSID.  So you best search for the last 4 digits and ignore the last one. ... View more

I'm curious about that bridge_anyconnect_client_vpn_firewall.  Since normally client VPN rules are in the regular firewall ruleset would that mean a group policy applied to a client vpn user or would this be a new area to place anyconnect VPN firewall rules? ... View more

It's time to whip out that hairdryer 😉 ... View more

X marks the spot 😉 ... View more