Thanks to both of you! The phones are on their own vlan and the app is a web app that so far seem to be working just fine with no modification, but I really like Philip's links. Perhaps I'll configure some of that for Teams. ... View more

@pjc26.x will continue to get security and functional fixes, just not new major features.  Hence the support up to 26.99 when we are only on 26.8.1 at the moment.  I think that if you configure a network that has a mix of devices with 27.x then the newer devices will get 27.x and the older ones will get the latest 26.x.  Obviously you cannot use new functional features that rely on 27.x.   We have been doing a bit of rationalising and have been replacing the 802.11ac Wave 1 APs at sites with only a few with Wave 2 APs from sites where most are Wave 1, thereby allowing us to use the new features in the now all Wave 2 sites if required. ... View more

Hi, thanks for the response. In your case was the NPS able to see the authentication attempts or did they not reach it?   I've noticed the same problem now at some other sites in this Meraki template group. All these sites routers have a similar setup so it doesn't really narrow it down between the Meraki config and the ISR config.   Meraki states that about 40% of attempts fail at association and 50% at authentication for all the problem sites.   Wired connections are still working and they are on the same VLAN as the WiFi so I don't see where the problem lies yet. ... View more

Best practices is to back up configuration before making changes. So, if you are re-configuring a switch you need to be able to pull a current config backup.   Change the cloud --> changed the switch = original config gone. ... View more

Yeah I noticed, but luckily there is another way. I went to to switch -> switchstacks and over there you can create the L3 interfaces.   Thank you all for your help, much appreciated! ... View more

Good to know. Btw this behavior is different from AP's.  There having no VLAN in the box is the norm since you usually leave the AP mgmt untagged on the switchport. ... View more

what the heck?  ... View more

We are working towards bringing adaptive policy to the MX and should support most of the current platforms out today from a hardware perspective. Official support has yet to be determined but we are hoping for a beta of SGT being carried over AutoVPN on MX sometime Q1 FY21.  ... View more

ISE is not required but does make assigning SGTs to an Access_accept incredibly easy. You can assign tags in a few ways. 1. Statically to a switchport or an SSID, dynamically via RADIUS av-pair, and in the near future, you will be able to create Network Object Groups and map them to SGTs as a fallback tagging mechanism. ... View more

I got it mixed up: It's when your route comes from another source than BGP and is preferred over the BGP route it only displays the preferred route source (like VPN peer). ... View more

Our Mac guru has found a workaround by adding a script that runs everytime the VPN is connected. ​ https://akrabat.com/routing-specific-traffic-to-the-vpn-on-os-x/ ... View more

Heh, that reminds me of the days as a cable technician. We had alot of customers where the cable entered the house in the basement and the different coax cables to the outlets throughout the house also arrived there, so we had to put the modems there.  And later we had these modem/routers with Wi-Fi. Of course since most of the Belgian houses are concrete between floors and have stone walls Wi-Fi was really poor and we couldn't do much to help them unless they were smart enough to have some UTP's through the house where we could attach an access point.  Later we also had these powerline homeplugs which went from 14Mbit PHY to 85 Mbit PHY second gen and later up to a few 100 Mbit.  But you were still limited to the quality of the electrical installation and possible interfering electrical devices (usually led lighting with poor power supplies causing drops in the homeplug communication.. then you would go there and see that problem and try to find old telephone cables you could replace with utp cabling by trying to pull the telephone cable out while having the utp attached... those were the days 😉 That ISP in more recent times used a protocol TR069 to communicate with those secondary AP's or powerline homeplugs with wifi in them to get the same SSID config as the modem/router. ... View more

I did create one manually with the same name but have deleted it to run the script.   Yes, I am running it from an administrative PowerShell?   ... View more

@isi  hi kindly check it can help you    http://go.teridion.com/rs/192-YYN-618/images/Meraki%20Deployment%20Guide.pdf ... View more

Yes to question one. If you run the newer beta you'll even get better logging where the SA's will be mapped to the correct traffic selectors. Question two well you can have multiple VLANs but it's not true IPsec so I don't think it actually works with phases and negotiations.  Everything is rather orchestrated with the cloud. ... View more

@PhilipDAth, an AireOS based Cisco WLC does not have the ability to do LACP, only static LAG is supported. So basically you cannot do this with a Meraki switch. You'll only be able to use the classic one port active for an interface and another backup. ... View more

I found the connected switchport to also be a good indicator of traffic. You'd of course need to only have the source connected to said switchport to reliably see the in and output. ... View more

You could , but you would either have to create a local host file for each PC or have a DNS server that you have access to the host file that you can set-up the A records on.   You would still have to use SMB for access to the remote site.     ... View more

Meraki devices are easy to work with but they're not the most flexible. Flexibility and features are inverse proportionate to ease of configuration and use. You can easily achieve the tasks it supports but it's really hard to wigle it into positions it's not made for.   The supported features sofar are: NAT your subnets to the interface IP address. NAT one external IP (from a pool) to one internal IP NAT external IP (from a pool) to a specific insde host and port. Static NAT over VPN if you need NAT over VPN and only if you ask support. You could make a wish. The NAT feature I myself wish for is rather due to the depletion of IPv4 address space and that is to be able to NAT to an IP pool that is not related to your WAN uplink.  So you could have private address space in uplink and a full /29 as a NAT subnet that is routed towards your uplink IP or vIP. ... View more

If the addressing of the ISP comes from the same pool then it's going to be a flat VLAN.   But I don't see any problem here. Just define an external VLAN on the switch and put both MX'es and the ISP router on their own ACCESS ports on that VLAN.  Or if it's tagged, then TRUNK but only allow the external VLAN. Then make sure your switch if it is also serving internal clients all trunks towards other switches DO NOT allow the external VLAN across them. ... View more

Allright, how about a recap of what is essential. So your two original MX'es need to be in the main Meraki Dashboard org so they can do autoVPN where one is a Hub and the other can be a spoke pointing to the Hub.  If you want local internet traffic breakout (do not enable default route checkbox on the spoke).   The other MX has to be in a completely separate Dashboard org because you'll otherwise include that MX in AutoVPN and you cannot have the same subnets behind two different NAT mode MX'es unless they are an HA pair. Example: Imagine the following addressing: IPsec remote LAN subnet: 10.0.1.0/24 Hub site internet subnet: 198.51.0.0/24, upstream router .1, MX AutoVPN hub .101, MX IPsec VPN .201 Hub site client LAN: 10.1.1.0/24 Hub site transit between AutoVPN Hub MX and IPsec VPN MX 10.1.255.0/30 where AutoVPN Hub is .1 and IPsec VPN is .2 AutoVPN spoke site client LAN: 10.2.1.0/24 The AutoVPN spoke is the easiest to configure: just have the local VLAN with subnet: 10.2.1.0/24 included in autoVPN and make sure you connect to the Hub site MX as a spoke. The AutoVPN hub has the two VLANs defined 10.1.1.0/24 and 10.1.255.0/24 and you need to add a static route towards 10.0.1.0/24 via 10.1.255.2.  The local VLAN 10.1.1.0/24 and the static route to 10.0.1.0/24 must be included as the local AutoVPN subnets. The IPsec VPN has a single local VLAN with subnet 10.1.255.0/24 with itself as .2 and needs static routes towards 10.1.1.0/24 and 10.2.1.0/24 via 10.1.255.1.  You will need to put that MX as a Hub and include the static routes as local VPN subnets and then create that org wide's IPsec config towards the remote site where the remote subnet is 10.0.1.0/24. Then you should be golden.  You'll have to make sure not to mix IP's between the orgs.  You could of course use the supernets 10.1.0.0/16 and 10.2.0.0/16 instead of the /24's as long as there are no overlaps because that is where you could get weird behavior. ... View more

Hi @GIdenJoe apparently they let that one slip a little in advance via the release notes. 😀  MR46E will use the same smart antennas as MR53E.  Thanks for the feedback on additional indoor smart antenna types, like more of a yagi perhaps for warehouse applications, I'll inject that feedback to the team.  Best to also get this request up through your Cisco Meraki reps so they can follow the feature request process and add your account to the list and help prioritize such requests.   ... View more

Yes, it seems that way, meaning we end up buying Dell Force10 switches for the datacenter and they aren't the easiest to work with... ... View more