Is the LED red while the switch is running okay? Or is it changing to red when it hangs? ... View more

@MerakiDave wrote: Looks like wishing for "more wishes" references http://i.imgur.com/fshlvOb.gif which seems to work so might be a malformed URL they need to fix.   It isn't ;). Something to do with XSS security measures.   Refused to load the image 'http://i.imgur.com/fshlvOb.gif' because it violates the following Content Security Policy directive: "img-src 'self' ... View more

For your information: I received the e-mail 2 days after the CMNA training took place. De nada! ... View more

Sorry for replying in English, I don't speak Portuguese.   When I completed my CMNA I received an e-mail with a link to an image that could be used in my e-mail signature: "Having completed the training, you can now use the CMNA logo in your email signature to indicate your status as a Certified Meraki Networking Associate. You can also download your PDF certificate on the CMNA page at merakipartners.com (Partner participants) and merakitools.com (Cisco participants) by selecting the "Download your CMNA Certificate here" link at the top of the page."   "CMNA logo" was a hyperlink to that image.   Afaik CMNA doesn't have a number associated to it like CCIE does (at least I don't see it anywhere). For my CMNO I do have a number. ... View more

@PhilipDAth wrote: I tend to use Content Filtering for doing the automated blocking.  You could use categories like: Bot Nets Malware Sites Confirmed SPAM Sources These are dynamically updating lists.   Better yet .... move to Office 365 and get rid of the problem all together. 🙂 @PhilipDAth does that apply to incoming connections over port forwarding/1-to-1 NAT too? I was wondering about that. ... View more

You should always be able to trial Meraki equipment for at least 30 days. Get in contact with a Meraki Rep so you can POC with the real thing.   Regarding your questions, you can create your own splash pages and indeed using PHP require any information you deem necessary before you allow clients to connect to the network. The client mac will be made available to your splash page. You can also save all that information in a database if you want (check local laws for privacy regulation though).   Info about the custom splash pages is here: https://create.meraki.io/guides/captive-portal-api/ Also check this github that's linked from that page, it's some sample php based splash page with login: https://github.com/jbergler/meraki-php-excap And finally some info also here: https://documentation.meraki.com/MR/Splash_Page/Configuring_a_Custom-Hosted_Splash_Page   Edit: I gave the example of PHP, but indeed, any language can be used. The whole process just uses standard HTTP POST and GET. Also not that all my comments are specifically about custom splash (excap) not custom themes. ... View more

Are you trying the WinXP tunnel via the same network as the other clients? Depending on the NAT configuration the connection is sometimes established in a different way.   I assume you've double checked the configuration on WinXP to make sure you didn't miss a step.   If you're using the Dynamic DNS name of your MX84, check to see if it resolves to the correct IP address on the WinXP.   Does anything show up in the event log for that client:   If not, then I'd take a packet capture on the MX when the WinXP machine is trying to establish it's connection to see if the messages come in and when it breaks. If they don't, make sure you've forwarded UDP 500 and 4500 to the MX on your firewall/router(s) sitting between the internet and the MX if there are any. ... View more

You can actually specify a list of IP addresses and ranges in the remote IPs field of port forwarding and 1-to-1 NAT.   More info here: https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Blocking_Inbound_Traffic_on_MX_Security_Appliances   Apart from that I think the L7 and L3 firewall are for outgoing connections, but I read conflicting info so I'd have to test to be sure. Perhaps someone will comment on that point. ... View more

Could you post the output of the ipv4 part of the "route print" command on the laptop? ... View more

@jdsilva wrote: @merakisimon The wrong picture is up on the product page.   https://meraki.cisco.com/products/switches/ms450-12   Classic copy paste error 😁 ... View more

Just thought of this: Could be a wrong subnet mask setting on the AXIS camera. That may cause this kind of issue where it can respond to one IP in the range but not another. ... View more

Here's an example of what you should see in a packet capture: ... View more

Couple of questions: The laptop is the initiator of the pings right? You say both machines are on the same VLAN, that's the device that's pinging and the device that's supposed to be answering right? What can the laptop ping? Can it ping anything? If it's a specific device the cause might be an (erroneous) static arp entry on the laptop. On windows you can check the ARP table using the arp -a, see if the IP you're pinging is in there. If it is, check if the MAC-address is correct. Have you made a packet capture on the port the laptop is connected to? This should allow you to see what's going on. You should see the following phases (assuming they're indeed both on the same VLAN): ARP broadcast trying to resolve the IP you're pinging to a MAC address (unless the MAC is already in the ARP cache) ARP unicast reply from the addressee, this lets your laptop know which MAC address it can be reached on ICMP unicast directed towards the just resolved MAC address ICMP unicast reply from the addressee You say you're sure it's the firewall because you have no issues when you connect your laptop to the same switch. What about the same port. Port configuration might not be identical. ... View more

It should be. The info note next to the L3 firewall states: "Filter traffic from LAN clients to the Internet, to hosts on other VLANs, or to hosts across static LAN routes. You can enter IP networks as your Source or Destination using CIDR notation (A.B.C.D/X). You can also enter a range of ports into the Src port or Dst port fields. For instance, a rule could be configured to block any traffic on ports 1024 through 60000 by entering 1024-60000 into the Dst port field."   Keep in mind that it may take some time for these to become active, the config needs a few seconds to synchronized and existing connection might be unaffected. Disconnecting and reconnecting the client you're using to test might help. ... View more

Are you talking about named vlans? That's not supported on Meraki: https://community.cisco.com/t5/identity-services-engine-ise/cisco-ise-cisco-meraki-vlan-override-limitations/td-p/3473486 ... View more

Sexy! Good to see that the uplink ports don't need to be sacrificed for stacking like on the MS425 too! ... View more

It isn't included. SKUs are in the datasheet: Meraki 40GbE Stacking / Uplink Cable, 0.5 Meter MA-CBL-40G-50CM Meraki 40GbE Stacking / Uplink Cable, 1 Meter MA-CBL-40G-1M Meraki 40GbE Stacking / Uplink Cable, 3 Meter MA-CBL-40G-3M ... View more

Does this help: https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Tagging_Client_VLANs_with_RADIUS_Attribut es     ... View more

You can set the CoS for a VLAN in "Switch/Switch Settings":     Some more info here: https://documentation.meraki.com/MS/Other_Topics/MS_Switch_Quality_of_Service_Defined   To limit which devices end up in this VLAN there are several options. Most people will either use an Access Port with a specific VLAN (static assignment) or use 802.1X (dynamic assignment): https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X) https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Dynamic_VLAN_assignment_via_802.1X_(RADIUS)_for_MS_Switches   You can do this with 3d party RADIUS server or with Cisco ISE: https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/5936-discussions-aaa-identity-and-nac/64121/1/how-to_86_integrating_meraki_networks.pdf   See also these links specific to voice deployment recommendations on wired and wireless networks with Meraki: https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Configuring_the_MS_Access_Switch_for_Standard_VoIP_deployments https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MR_Wireless/Wireless_VoIP_QoS_Best_Practices ... View more

Are you deploying it for AutoVPN purposes? If not, be careful not to confuse yourself with that guide as it's geared towards AutoVPN concentrator deployment 😉 ... View more

In what subnet did you put the switch's IP?   If it's an IP in the VLAN 200 subnet, and the management VLAN on the switch is set to 1 (the default) and you don't allow VLAN 1 to cross the link to your MX (which from your description only allows VLAN 100) then the switch will not ba able to access the internet via MX84 NATing. It simply won't reach the VLAN. So change the port configuration on the MS (port 😎 to allow VLAN 1 (and VLAN 1 should also be defined on the MX, which it by default is).   If it is in a subnet that gets NATed by the HP Router then that might work too, but then you'll have to change the management VLAN on the switch to VLAN 200. ... View more

Well I believe the guide I sent you should work for Z-series too. I haven't got a Teleworker device on hand so I can't check but I think they use the same configuration pages for the "Addressing & VLANs" and firewall aspects. ... View more

Are you sure you want to do that? The teleworker really is a small device meant for only one user. It doesn't do any of the advanced security features that the MX does... The MX can do firewall on a stick. This article is similar to that use case: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Security_Appliance ... View more