Just one thing to add, almost as an aside: using OSPF on the MX, in the way described, is not an option here;   OSPF on MX advertises AutoVPN branch subnets to the upstream DC neighbour only - it does nothing in relation to underlay networking (e.g. the default route).   The MX also does not learn any subnets from upstream of the internal router.    Hence the title of the related KB article:    https://documentation.meraki.com/MX/Site-to-site_VPN/Using_OSPF_to_Advertise_Remote_VPN_Subnets It should also be said that, even for the VPN subnet re-distribution use case, OSPF has been largely superseded by using eBGP, which is far more feature-rich:  https://documentation.meraki.com/MX/Networks_and_Routing/BGP ... View more

@AxL1971    This is why many companies contract-in wireless site surveys to a Cisco partner, who can afford the right tech and have the appropriate experience - cos they are using it for many customer, frequently.   Remember that a site survey is more of a tested design operation, so experience is really important;    the tool, by itself, won't give you all the answers. ... View more

If your APs are connected via Meraki switches, there's no need to use scripting to reboot / switch off APs - use MS Port Schedules.    While you're switching them off, why not leave them off (overnight?) to save some energy and CO2s https://documentation.meraki.com/MS/Access_Control/Port_Schedules ... View more

Did you follow the configuration guide?   In my experience, doing it just using Windows wizards etc. never works - you need to follow the step-by-step guide carefully for your version of OS:   https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview Check out the Network-wide > Event log for details of what the MX is seeing too.  You can, of course, also ask for assistance from Meraki Support. ... View more

If I recall, BIDI involves send and receive over the same fibre core.   I don't believe Meraki switches support this. ... View more

While Advanced Security protections do add load to any MX, they aren't enabled by default and just enabling those features alone shouldn't restrict throughput that much  (see Page 3 number for the MX64 column here:  https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#AutoVPN_and_Non-Meraki_VPN_peers).) I'd check that you're on the latest stable firmware release and contact Meraki Support if it stays the same. ... View more

Model-dependent, your MS switch will provide critical temperature alerts, if you enable it (Network-wide > Configure > Alerts > Switch    (if the option isn't there, your switch model doesn't support it). https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Alerts_and_Notifications#MS_Alerts   But MT10 is probably your best option ... View more

I was looking only to help with the original question.  😉 In my experience, there are a number of compelling reasons for choosing VPNC over routed mode for the majority of Hubs - with licensing cost not really a part of that design calculation. I also can't help feeling that, whilst I understand people don't want to pay for features they will not be using, the overall 'cost' in time and complexity of needing to specify (and separately renew) licensing for individual devices probably outweighs the extra spend from a simple one-choice, applied to all approach - given the majority of networks have greater numbers of Spokes (where you want Adv Sec/SD-WAN+) than Hubs. ... View more

I'm not 100% sure, but I have a feeling this must have to do with the recommendation that Hubs are configured as One Armed Concentrators - with just one uplink. ... View more

Yes - webhooks are about alerts, rather than events.   You can pull the event log though, via the Dashboard API:   https://developer.cisco.com/meraki/api-v1/#!get-network-events ... View more

You can't do this on the same SSID - the 'MAC-based access control (no encryption)' and 'Enterprise with my RADIUS server' config options are mutually exclusive.     Remember that, as per the description, the MAC authentication option does not result in an encrypted WLAN session between the client and the AP as Enterprise 802.1x does.   I'd recommend you look at using Identity PSK with RADIUS (assuming you;re using a reasonably recent MR access point model and firmware).   iPSK combines WPA2-PSK authentication / encryption with a check of the client MAC address.   https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication Note that this would still be a separate SSID to your Enterprise 802.1x SSID - but you should be able to use the same RADIUS server for both. ... View more

As others have suggested - you probably need to focus on why the port went down   (and how it came back up again)    the STP messages you're seeing are expected, for a port going down, then recovering later. ... View more

Can I ask what you're looking to do using this? Note that an MX automatically obtains a publicly visible DNS hostname - which you can then use as a destination for things like Client VPN, instead of needing to use the public IP address, which may change from time-to-time, depending on your Internet service:   https://documentation.meraki.com/MX/Other_Topics/Dynamic_DNS_(DDNS) ... View more

I found this was pretty easily fixed using Rain-X - I'm sure there are other similar products out there, too:   https://rainx.co.uk/rain-x-products/rain-x-rain-repellent/ ... View more

L2 isolation doesn't prevent broadcasts and multicasts from being generated.   Proxy ARP within broadcast suppression will help with this, to some degree and client devices are generally better these days at handling resultant traffic in some volume than previously, but not to the level of a /16 subnet, I would think. https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Broadcast_Suppression_and_Control_Technologies_for_MR_Access_Points   ... View more

Woah there!   I chose my masks carefully...   /23 =  c. 500 clients   /22 = c. 1,000 clients.   = basically doable (think:  short DHCP leases)  but /16 = > 65,000 clients!     That's a big jump and not one I'd recommend.   But there are certainly advantages if you can stick to layer-2 roaming.   One thing to bear in mind - unless you have contiguous coverage between buildings on a campus (i.e. outdoor APs etc.) then clients are not even going to need Layer-2 roaming everywhere, as they won't remain associated between buildings anyway.  It's also much less likely to be manageable to extend the same VLAN between buildings on a campus.   The analogy comparing floors in the same building with different buildings on a campus isn't necessarily the best, unfortunately.   Mind you;  even in a building, maintaining coverage between floors can be a significant challenge anyway (stairwells and lift shafts are difficult and expensive to fully cover).   All these things make a difference. ... View more