For more HA design approaches, please see @KarstenI's excellent article. ... View more

Hello - we have seen this issue across multiple locations.  We have a combination of MX68s (approx. 100) and an MX450 across multiple circuits, providers, etc.  We had the same L7 country code block list for all locations but not all experience the issue making it harder to troubleshoot.  In general, I understand other countries might be involved in Internet traffic but we have not updated these rules in years and the issue seems to have surfaced over the past few months.  The fix was to delete the L7 rules from the affected firewalls and I have slowly been adding back countries to the block list.  Also, it would be nice to be able to report what rule is blocking traffic but apparently (according to Meraki support) we are not able to get granular detail.    The MX68s are generally at MX 18.107.7 and the MX450 is at MX 18.107.9.   I should also mention that one of the sites inbiz.in.gov did fully load after about 4 minutes.  Once we removed the L7 rule it loaded in about 1-2 seconds.  The HAR file did not indicate any sites external to the US that I  could find. ... View more

Maybe Meraki will surprise me with working port profiles next Christmas. Sanata can you hear me....🎅 ... View more

SLO would be expected to be initiated by the IDP, instantly revoking access via the Meraki. It's up to the implementation to correctly support it, which Meraki seems disinterested (as evidenced by this very long, very old, and very ignored forum thread) ... View more

We do not enable rogue AP containment. ... View more

Hi Oscar, It could be a cosmetic bug. I suggest to call in with that case and have the Support Engineer tshoot live with you. I have seen some cases like this, where it is a cosmetic error.   Cheers, Ivan ... View more

OK this aged like milk 😉 ... View more

I built a stack of four MS355s today. I mounted and cabled them based on the order of their serial numbers. This turned out (not surprisingly) to be the same order as the MAC addresses. After I built the stack, the Switch Stack Overview page showed them in the reverse order. I opened up a ticket and was advised that there's no way to change this, but that renaming the switches (from the MAC address) should be done anyways. Later, after renaming the switches, they did end up showing up in the correct order in the Overview page. So, I wonder if they are sorted the wrong way only when they do not have a name set. The IP address order is currently the same as serial/MAC/physical order, and it was almost certainly the same when I created the stack; so I don't think that the IP address plays a role. In any case, it would improve the deployment experience if this could be fixed or at least answered by a KB. I also noticed that blinking the switches didn't work for one of the four switches. This was only tested when they were in a stack. ... View more

Hey, Are you still facing this issue or is it resolved now? ... View more

There have been cases where the RX power is a tad too high on the receiving end and you get constant errors.  However the link did stay up without any CRC errors. Usually it is not a problem but something to think about. The MA-CBL-TA-1M is usually a better option if you want to connect a server or another switch in close proximity.  And it is much cheaper too. 😉 ... View more

These switches support EAP and MAB (radius without EAP session). So you need to integrate your radius server with the switches. ... View more

AutoVPN works as follows. Each autovpn peer will try to reach two Meraki VPN registries. It announches it's own WAN IP and port it is using inside fields in packets going upstream So when a NAT exists between the MX and the registry the packet L3 and L4 header will be altered by having the public IP and port.  So the VPN registry knows what the private WAN IP and port is AND the public side.  This data gets forwarded to all the peers so they can attempt to form their VPN tunnels directly by using hole punching through the NAT. This can of course fail if there is an upstream router/firewall only allowing specific ports outbound.  In that case you have to manually select an UDP port and fill in your public IP.  That way all peers will attempt connection through that IP and port. ... View more

yes, I am still pointing to same DNS Server as before. ... View more

@GIdenJoe wrote: Ok great.  I will have to perform an OTA then to verify. The compare feature in Wi-Fi Explorer Pro is great for showing the differences between two SSIDs. ... View more

No CRC errors, negotiated to 1G-Full, and I get greater than 100M downlink, just .07 uplink when connected to a 2.5G port.  If I move the exact same cable to an identically configured 1G only port on the MS130 then I get full speed both directions. ... View more

It appears so... ... View more

So where did I configure the setting of the 1 hour limit per day? is it in the Meraki dashboard splash page frequency or in the radius server or captive portal itself?   ... View more

The most likely usage is some kind of internal traffic redirection. I really would like to know. ... View more

10 Gig SFP+ ports are backwards compatible with 1 Gig SFP's.  25 Gig SFP28 ports are backwards compatible with 10 Gig SFP+ and 1 Gig SFP modules. 100 Gig QSFP28 ports are backwards compatible with 40 Gig QSFP+ ports. 🙂 ... View more

Sorry to reopen this thread, but I want to see if I understand how UDLD and STP guard should be set up on my topology. Here's the high level image from the dashboard. Very simple hub-spoke. Single uplinks from IDFs (either a stack of two or just a single switch) run back to MS425. Do I enforce UDLD and loop guard both ends, or just the uplink port for the IDF?   ... View more

Keep CG off until you get EAP-TLS going using a root CA and the server certificate on the NPS server. If PKI is not setup, you will have to ensure its functioning first issuing both client and server certs. We ended up spinning up a new hidden SSID and a new NPS server for the EAP-TLS configuration. SSID is being pushed via GPO too all Win 11 workstations via WMI filter. Works well after re-enabling credential guard. My statement earlier about running both policies on the same server was not accurate. Order of precedence with EAP 1st was not working correctly for us with NTLM on the same NPS server, we had to roll back a day after testing in production. Mixed results with Win10 workstations using the cert, some were trying to use NTLM and not connecting successfully. Both Win10 test machines connected when testing prior to rolling to production from different remote sites over S2S tunnel. ... View more

@JohnFro as said by others, it really depends on what features you use.  We use some of the same CBS350 switches for HD video distribution as they are controlled by the vendor we use.  If you only use them as isolated access switches and have the version with 4x 1Gb ports, then an MS120-48 is nearest, but if you use more features, you could need all the way up to an MS250-48. ... View more

It seems like you have a few options: 1. Hire a wireless consultant 2. Install at least one AP in every room (mounted horizontally) 3. Accept that performance will not meet expectations of IT or users ... View more