I agree with this 100%.  We have been moving to redundant inexpensive links at a lot of our sites in lieu of older expensive Metro and MPLS connections.  The failover and load balancing is seamless and the sites become far less of a headache for us to manage.  Not to mention the cost savings.  ... View more

It may mention it in the docs or video but in our experience, it is best to configure the downstream LACP ports first then the upstream to avoid losing connection.  Otherwise, you have to physically move the cable to a different port to get the switch back online to take its config.  Have other ports configured as backups in case you need to do this.   ... View more

My experience has been much different than @PhilipDAth.  Stacks seems to always give me trouble.    @cvashel2 keep us posted on how it goes.  I'd be interested to know if Philip's more streamlined method works out so I can try using it in the future.   ... View more

@PhilipDAth wrote: They may not work @Adam.  If you change an uplink ports configuration, and the MX can not connected to the cloud, it automatically rolls the change back (to prevent you cutting the MX off and making it unmanageable). Agreed, based on his failover comment I'm assuming he has redundant connections since he was otherwise wanting to just disable one of the interfaces.  ... View more

The only options I'm seeing from both the dashboard and the local config page is to change the port between DHCP and static.  Could you just change the primary uplink on Security Appliance>Traffic Shaping and the 'Primary uplink' option?    There doesn't appear to be a way to disable the port.  I suppose you could just change the static IP or gateway to break one of the WANs if you had to but that isn't a particularly elegant solution.  ... View more

I looked at one of our networks.  Looks like you may have to delete the stack, then create it with the 3 desired switches.  Based on my prior experience with stacking, make sure you do it during a maintenance window.  It'll likely cause some outage.  Also verify your wiring between the 3 switches so they have redundancy.  How are you wiring them? ... View more

I've also tried to accomplish this and I'm fairly certain it isn't possible.  The NAT will only be for external traffic coming in.  Everything going out will go through the MX WAN IP.  Depending on your use case, the only real option would be to put an L2 switch outside of your MX WAN interface.  Have one cable going to the MX WAN interface and another going to your switch VLAN or device and then you could give those devices the WAN IP directly although they will not be going through the MX.  I guess conceptually if it is for a guest network you could also have a separate, cheap, router that is connected to the WAN that you route traffic to/through.   ... View more

I agree with @jdsilva   When the light is on in the room it'll likely switch back to color.   ... View more

You could also isolate your VPN clients to just the resources they need, ideally non PCI data/network.     Segmentation ... View more

I see that the MX400 comes with dual 275W power supplies as you specified.  Are they modular/replaceable or integrated? ... View more

According to this https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf   That MX450 supports 1000 concurrent VPN tunnels.  So even if every one of your 150 branches had dual connections that would still only be 300 tunnels.  Although I'd keep an eye on the utilization.   ... View more

Great to hear that you got to the bottom of it.  Thanks for coming here to close the loop.  ... View more

I'm looking at building something like this for us as well so we have some consolidated dashboards.   There is enough information available via API that it should be doable.   ... View more

Do you have a different switch type you can try or do you have a POE injector?  However unlikely, it could be something with the MR firmware and those particular type of switches POE.  If we keep making individual changes we should be able to track it down by process of elimination.    So far I got that this is happening on multiple networks, to all the AP's connected to those cisco SMB switches via POE.  I assume this happens daily? ... View more

All of the ports with the small outage are APs? And all are on the same switch?  Are there any APs on that switch that don't have the small outage? ... View more

I'll be interested in following this.  Right now I just go to switch>switch ports in the networks using 802.1x and run something along these lines as a search to find those types of ports.    (vlan:6) AND (ap:Open) ... View more

@BlakeRichardson wrote: @Adam not really. Its a shame that Meraki is behind its competitors in this regard. My workplace has invested heavily in Meraki and we are having to use a different brand because of the limitations in L3 ACL. Its a shame really. I totally agree.   What types of ACLs are you creating where the quantity is so large?  I'm just trying to think of other options to look for possibly unconventional ways to solve your design.   ... View more

@kusumanegarait wrote: The upstream connection is on good connectivity. Could this affect by PoE on Switch Device? Yes if the upstream connection is solid but the MR is getting those blips I'd suspect something between the switch and the AP causing occasional interruptions.  Try moving it to a new port, also run a cable test etc... ... View more

All of the certificate control should/would be done via the RADIUS/NPS server.  Otherwise, you are basically looking to use the Meraki AP as a Man in the Middle.  Can the person(s) that manages the RADIUS make changes needed for you?  I believe the function you are using is when clients have and use a certificate to authenticate?  Which is basically similar where the Meraki AP just forwards the request to the RADIUS server.  Are you looking for a way to still allow your users to authenticate if they don't have a valid certificate?    Sorry for all the questions, I'm just trying to fully understand what you are trying to accomplish so I can come up with a best practice.   ... View more

That summary report would be most useful for environments experiencing a consistently high load or long durations of a load so definetly worth looking at.  In my case, we had intermittent spikes which otherwise wouldn't show up in that style of averaged report.   Although possibly capturable via the API with a shorter timeframe?  Maybe if they gave the ability for the timeframe to be dropped from 1 day to smaller timeframes like 1 hour etc it could become more interesting.  ... View more

We do EAP-TLS   Basically, we set up one of our Win servers as an NPS server with this configuration https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_Creating_a_Policy_in_NPS_to_support_EAP-TLS_authentication   Then we use GPO to push the SSID information to the clients with autoconnect.  Although this step isn't technically required it just makes connecting a little more transparent since your users won't need to know the SSID or the PW.    Then on the Meraki AP SSID you just point it to your NPS server IP with valid credentials and the users computer or domain user authentication will get passed to the NPS server for validation.  That will determine if your user can connect or not.  The AP, more or less, acts as a relay.     ... View more

@lpopejoy wrote: @Adam, thanks.  So support wasn't even able to provide input on your MX84 "overtaxed" issue?  Sadly not really.  They keyed in on the fact that our total clients were well over what the MX84 was rated for.  We were getting occasional spikes in latency, random dropped pings, and choppiness on our Cisco VOIP calls.  We spent a lot of time troubleshooting the circuit and figured it was worth the effort to test/try the larger model MX.  And magically all the issues went away.  A little visibility into the device CPU utilization etc would have made the whole process much easier to troubleshoot.  ... View more