That means it is not migrated yet.   The username/password authentication is likely to break once it is completed. ... View more

I wish I could give you extra kudos for this find.  Especially if it makes using the Cisco web apps more reliable.  It's one of the annoyances of working with Cisco. ... View more

I'd be happy if the Cisco web apps stopped breaking all the time.   It is a weekly occurrence for me to go into the Chrome developer tools, and delete the cookies associated with cisco.com to make web apps work again.   Wow, you have just given me an idea. I know that several of the Cisco web apps break when you exceed (I think) 255 bytes of cookie data (or maybe it is 1024; I can't quite remember now).  I'm guessing it is a WAF setting. This would permanently reduce the size of all the cookies.  It might fix my issue with the reliability of the Cisco web apps.   I will be so happy if this is the case. ... View more

I've been using SNMPv3 and AES with a customer for a good year or two without issue. ... View more

  There is no autofocus on an MV12 (fixed lens).  But good thinking.   Can you see anything unusual when you visually inspect the camera? I think I would take a gentle cloth (maybe microfibre) and try cleaning the lens.  I am most suspicious that something has gotten on it. Being in a medical setting, it's possible that some chemical has been heated, vaporised, and re-condensed on the lens.   Next thought, in desperation, try to power cycle the camera (unplug it and plug it back in again).   Next thought, in even more desperation, try upgrading the firmware.   Trying to think more laterally - image quality is affected by lighting.  Does it make any difference if you turn more lights on (if that is even an option)?  Is there any chance you are using less lighting than before?   ... View more

Have inbound firewall rules been enabled in your network?  If so, you must create firewall rules to control what is blocked.  If this feature is off, then everything is blocked by default.   https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Blocking_Inbound_Traffic_on_MX_Security_Appliances   Are there any inbound NAT/Forwarding Rules to the server?  Port forward, 1:1, anything? https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX     I just had a thought.  Is this server a DNS server for other clients? If so, if another client is making DNS requests for a "bad" DNS zone, they will appear to come from this server (client sends request to this server, this server then sends DNS request).   Is this server running an HTTP proxy, or anything else like that?   Is this a web server?  If so, it may be that something is using an exploit in the web app, and proxying requests through it.  The server would show up as clean on a scan then.  It is simply being used to hide what the attacker is really doing. ... View more

I think this link by @alemabrahao would best fit your use case. ... View more

I would use @ww approach.  It is far more bullet proof.   When using L7 - you are relying on the web site/app have a L7 classification.  What if it is not classified?   Layer 3 rules also allow FQDNs. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewall_Rules   You could also use a group policy to override the L3 rules, and then apply L7 rules.   ... View more

The most common widely accept approach is to use LLDP.  That is simply done on a Meraki switch by specify the voice VLAN. https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Configuring_the_MS_Access_Switch_for_Standard_VoIP_Deployments   Another approach, which I would only recommend if you are desperate, is to use SmartPorts, where the switch recognises the MAC address is a phone and applies a port config. https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/SmartPorts     This needs to be done at the point where the phone plugs into the network.  If the phone plugs into a switch - it needs to be done there.  It is too late by the time the traffic gets to the MX. ... View more

Have you tried running the IOS-XE software with native Meraki support and no container? ... View more

This explains the different licencing programs. https://documentation.meraki.com/General_Administration/Licensing/Meraki_Licensing   ... View more

Negative.  The "-E" licence includes everything on that list (specifically it includes AMP, IDS, content filtering and geo-IP blocking).   You can find a comparison of Essentials and Advantage here: https://documentation.meraki.com/General_Administration/Licensing/Subscription_-_MX_Licensing#Features_Highlights ... View more

You have made a typo.  The two licences you are referring to are: LIC-MX-XL-E LIC-MX-S-E You can read about the differences here: https://documentation.meraki.com/General_Administration/Licensing/Subscription_-_MX_Licensing   These are both subscription licences. "S" is for all MX6x class devices, and VMX-S. "XL" is for the MX250, MX450, MX650 and VMX-L.   The "E" on the end means it is an essentials licence.  This is what 99% of customers will use. ... View more

I have had a customer do exactly this.  It was in their R&D section.   Every developer has an MX on their desk, and they are allowed admin access to their own test network, and can replicate whatever IP configuration and VLANs they want for testing software and devices. Their MX's connect to a dedicated switch (not in their control), that connected to a dedicated VLAN on the upstream MX (also not under their control), to limit any damage they could do to the corporate network. ... View more

You can plug the WAN port into your internal network to allow the MX to connect to the cloud. ... View more

This is unlikely ever to be done.   Client information is PII data.  Many countries have laws around PII data and controlling access to it.  You lose that control as soon as you put it in an email. ... View more

If you have seperate SSIDs for WiFi5 and WiFi6, then you could use the Wireless Overview page to get a LOT of detail.     ... View more

This looks awesome!  I hope it is usable for client VPN as well.   The only other thing that could make it even better is if it supported either adding DHCP hosts to the local zone or DNS registration (allowing machines to self-register in DNS). That would allow VPN clients to talk to internal hosts by DNS name. This would be great for small companies that don't have Active Directory, and rely on broadcast name resolution systems when on WiFi or LAN to find servers, NASes, IoT devices, etc. ... View more

Going sideways, the MV13 and MV13M (M has double the storage for longer retention) are big improvements over the MV12. Perhaps this could be an opportunity to get a new camera so you can try the newer technology?   https://meraki.cisco.com/product/security-cameras/indoor-security-cameras/mv13/ https://meraki.cisco.com/product/security-cameras/indoor-security-cameras/mv13m/   ... View more

What about if we called the group "Woman of Meraki, Authentic and Noble"?  Then the acronym for the group would be WOMAN. ... View more

I don't see what the Z3 adds to this solution.  Why not remove it (simpler), and move the guest VLAN to the MX100?  Then you can create firewall rules to allow whatever traffic you like. ... View more