I recommend you contact Meraki Support to help look into this further. ... View more

While Advanced Security protections do add load to any MX, they aren't enabled by default and just enabling those features alone shouldn't restrict throughput that much  (see Page 3 number for the MX64 column here:  https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#AutoVPN_and_Non-Meraki_VPN_peers).) I'd check that you're on the latest stable firmware release and contact Meraki Support if it stays the same. ... View more

Model-dependent, your MS switch will provide critical temperature alerts, if you enable it (Network-wide > Configure > Alerts > Switch    (if the option isn't there, your switch model doesn't support it). https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Alerts_and_Notifications#MS_Alerts   But MT10 is probably your best option ... View more

Just to add to @BrandonS '  reply, the MSP portal becomes automatically available to any user (MSP or no) if your Dashboard username (your email address) is made an Admin in more than one Organization.   Those Organizations are the ones presented to you when you login.   This allows you to choose which Org you want to be managing.  It also allows you to jump quickly between Orgs in Dashboard - and provides a summary overview of them too.   Do you recognise both the Organizations on login?   Bear in mind that when you're added to an Org, you get a notification email, in which you can confirm your admission (or not) https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Using_the_MSP_Portal_to_Manage_Multiple_Organizations ... View more

HTTPS decryption is part of the Intelligent Proxy component of Umbrella SIG, which is included with Essentials.  Check out the first line of this ready comparison: https://umbrella.cisco.com/products/umbrella-enterprise-security-packages ... View more

Yes, this is commonly done, using AP tags, to choose which APs the SSID is advertised by:   https://documentation.meraki.com/MR/Other_Topics/Using_Tags_to_Broadcast_SSIDs_from_Specific_APs ... View more

This is true, for sites using HTTPS (which is a lot of sites, these days):   https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering/Content_Filtering_Troubleshooting#Why_is_the_Meraki_block_page_not_displayed.3F Blocked sites using HTTP will generate a block page back to the client:   https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_the_Default_Block_Message   To my knowledge the issue with HTTPS can't be resolved natively with the Meraki solution alone but, whilst I'm no expert on Umbrella specifically, I believe that can address this, provided the clients trust the cert which Umbrella uses for the block page:   https://support.opendns.com/hc/en-us/articles/227987007-Block-Page-Errors-Installing-the-Cisco-Umbrella-Root-CA This is likely to be a problem if your clients are unmanaged (e.g. Guest users) ... View more

I was looking only to help with the original question.  😉 In my experience, there are a number of compelling reasons for choosing VPNC over routed mode for the majority of Hubs - with licensing cost not really a part of that design calculation. I also can't help feeling that, whilst I understand people don't want to pay for features they will not be using, the overall 'cost' in time and complexity of needing to specify (and separately renew) licensing for individual devices probably outweighs the extra spend from a simple one-choice, applied to all approach - given the majority of networks have greater numbers of Spokes (where you want Adv Sec/SD-WAN+) than Hubs. ... View more

I'm not 100% sure, but I have a feeling this must have to do with the recommendation that Hubs are configured as One Armed Concentrators - with just one uplink. ... View more

Remember also that MXs can have a number of functions and the load is cumulative;   a routed mode MX in a HQ  handling (say) 150 concurrently connected VPN clients, whilst also providing Layer-7 firewalling with IPS & AMP protection for a 100 clients on the LAN will practically be able to support fewer site-to-site VPN tunnels and/or provide a lower level of throughput for all those users. Make sure to use the recommended maximum number of site-to-site VPN tunnels in your calculations, too. It is possible to monitor overall MX load using Organization > Summary report https://documentation.meraki.com/MX/Monitoring_and_Reporting/Device_Utilization ... View more

This MX device will only be useful if an administrator of the Dashboard Organization in which it is claimed unclaims it. ... View more

It's not clear, from your description, quite what's happening here - but I suggest you raise a case with Meraki Support.   https://documentation.meraki.com/General_Administration/Support/Contacting_Support#:~:text=Call%20the%20Meraki%20Support%20team,the%20Meraki%20Support%20home%20page.    Do this by telephone if it's urgent. ... View more

That's not quite right.   With appropriate config the MX will re-order packets as they exit towards the Internet, to put more important / more time-sensitive packets first.   Given that performance problems can quite often relate to contention for the available upstream bandwidth (which is often asymmetric), this can make all the difference.  Once that traffic reaches the ISP's PoP, all bets are generally off. ... View more

This is expected behaviour:   https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failover If you are operating with MX to MX AutoVPN tunnels then you can use SD-WAN policies to shuffle important tunnelled sessions across to the secondary WAN link very quickly (seconds).  https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping#SD-WAN_policies For Internet-bound traffic, you can use SD-Internet policies to ensure that new flows are generated, originating from the secondary WAN link, more quickly (c. 30 seconds after the primary fails ) https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MX_Security_and_SD-WAN/SD-WAN_Internet_Policies_(SD-Internet) The SD-WAN+ MX license is required for this feature (required for all MXs in the Dashboard Organization)     Remember that untunnelled traffic flows are NATed to the outside address of the MX.   This session must therefore change source IP address to use the secondary WAN, so must be entirely re-initiated - thus seamless failover is not an option, regardless of configuration. ... View more

Remember too - if the traffic is being forwarded to the Internet;  while the MX can re-order packets outbound, to reflect the priority you assign to different traffic types, the likelihood is that the ISP will remark DSCP values to 0 at the earliest opportunity, thus it would receive no priority upstream. ... View more

Even when (legacy) clients aren't using multiple spatial streams, they are using antenna diversity to avoid multi-path distortion.   Thus the antennas associated with any one frequency band need to be covering the same area. ... View more

A few things are going on here: Your post title mentions MR74 (which is End of Sale), whereas the body mentions MR76.   As it happens these work very similarly (see below), but it's probably worth clarifying the detail. I think much of the first part of your question is covered by the following documentation: https://documentation.meraki.com/MR/Deployment_Guides/Mesh_Deployment_Guide     and more specifically: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Extending_the_LAN_with_a_Wireless_Mesh_Link One key thing to remember here is that there is no specific 'bridge mode' operation for Meraki MR APs;   the functionality is based around Meraki meshing, which is more general than that;   it looks to use a wireless uplink for a powered up AP who's wired uplink isn't working. You haven't said very much about how you want to logically treat clients connecting at the far side of the mesh link, which likely affects your options and matching functionality (see the docs for more) . For your question about antennas, I think you may be mixing up the guidance for different AP models, between those with dedicated radios for each frequency (MR74/6) and those supporting > 2 spatial streams, with both 2.4 and 5 GHz served by the same antenna posts (MR84/6) For the latter, the expectation wold be that a single client should be able to communicate via all four antenna posts simultaneously - in order to make use of the extra spatial streams - hence all the connected antennas need to provide essentially the same coverage.   This is also why such APs require dual-band antennas. For the former you could indeed have entirely different coverage areas for the 2.4 GHz versus the 5 GHz - e.g. 5 GHz directional antennas, on the outside of the buildings, pointing at each other, with the expectaion that the mesh link will form across that path - with a 2.4 GHz (maybe omni-directional?   or broad patch?) coverage area inside the building, for clients.   You'd obviously have to choose an appropriate antenna for each and route the cables for one of them through the wall (depending on whether you have the AP indoors or out).   You could not use this separate coverage areas concept with MR84/6 ... View more

Yes - webhooks are about alerts, rather than events.   You can pull the event log though, via the Dashboard API:   https://developer.cisco.com/meraki/api-v1/#!get-network-events ... View more

You can't do this on the same SSID - the 'MAC-based access control (no encryption)' and 'Enterprise with my RADIUS server' config options are mutually exclusive.     Remember that, as per the description, the MAC authentication option does not result in an encrypted WLAN session between the client and the AP as Enterprise 802.1x does.   I'd recommend you look at using Identity PSK with RADIUS (assuming you;re using a reasonably recent MR access point model and firmware).   iPSK combines WPA2-PSK authentication / encryption with a check of the client MAC address.   https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication Note that this would still be a separate SSID to your Enterprise 802.1x SSID - but you should be able to use the same RADIUS server for both. ... View more