The answer is 84.   The two hubs have two links each, creating 4 x AutoVPN tunnels.   The 20 spokes will each form an AutoVPN tunnel to each WAN port on the hubs, so 20 x 4 = 80.   80 + 4 = 84. ... View more

I have a customer looking at using these in fridges and refrigerated trucks.  If they had to actually run structured cabling into each fridge - it would be cost-prohibitive.   They have many hundreds of fridges.  They have just two DCs.   You can see which is the bigger market. ... View more

>We only have one MV and one MR unit which we are using as test units while we review our wifi and CCTV systems.    Think of it this way - rather than running in a cable for each sensor and allocating a switch port - you now need to install a single MR to support all of the sensors.  Sounds much simpler to me ... ... View more

No.  ... View more

The quickest way would be to use the API (configure WAN1 for an AP). https://developer.cisco.com/meraki/api-v1/#!update-device-management-interface    You don't even need to write code.  You can just use the curl command once for every AP.  Then just plug in each AP once where it can retrieve its new config, and then deploy. Something like (untested): curl -L --request PUT \ --url https://api.meraki.com/api/v1/devices/{serial}/managementInterface \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --header 'X-Cisco-Meraki-API-Key: xxx' \ --data '{ "wan1": { "vlan": 7 }}'   ... View more

Try taking the camera right up to the switch and use a standard patch lead to plug it in.  Note it might take 10 minutes to come online the first time because it encrypts its internal SSD.   Do you see link lights?  Is your firewall letting it talk to the cloud?   Is your switch an 802.3at PoE switch?   ... View more

We completed migrating our last DMVPN client (we had a lot) a couple of years ago to Merai AutoVPN.  Every single client is so much happier with their shift. ... View more

I'm with @GreenMan .  Disable the WiFi on the Z3 and get something like an MR36.   The first thing you'll notice is the better coverage the MR36 provides.  You can position the MR36 closer to the middle of where you need coverage (you still need to get a cable to it). If you need, you can then getting a second MR36 for MESH.  Note that your throughput drops by more than 50% when using WiFi through that MESH MR.     Going sideways; I've had a good experience using the DLink power link extenders (which extend your network over the power lines in your house) ... ... View more

I would use one supernet for all your clients, and another for the production networks.   For example, 10.16.0.0/16 for clients and 172.16.0.0/16 for production.  Make the third tuple the site identifier.  For example, a single site might use 10.16.34.0/24 for clients and 172.16.34.0/24 for production.   Then you can create broad VPN firewall rules like 10.16.0.0/16 is denied access to 172.16.0.0/16.  Instantly with one rule, every client network is denied access to every production network. ... View more

Usually its a matter of looking at the security events in the Security Centre in the Meraki Dashboard, and then whitelisting those IPS signatures.   Of course, you first have to satisfy yourself that the alerts are false and the PDFs don't actually contain a threat. ... View more

The switch port configuration is fine as NAT mode is being used.  In fact, being an access port is more desirable since it won't participate in spanning tree at all.   Start by looking over your logs.  What does the Meraki event log say?  What does the Catalyst log say?   Are there any other non-Meraki APs also connected to this network?  If so, you might be triggering their security causing clients to be disconnected. ... View more

I would download nmap and run a scan against its IP address.  Then you have measured the actual answer.  Otherwise you can only document things you know about - you can't document something you don't know exists. https://nmap.org/download.html  ... View more

I forgot to mention, I have used the MS425, MS350-24X and MS225 a lot.  They are 100% rock-solid reliable.   One other tip.  If you are going to be connecting Catalyst and Meraki switches at the same time to the same network, change your spanning tree protocol on the Catalyst to using MST ("spanning-tree mode mst" - just this one line change on each Catalyst). Otherwise, you can get subtle spanning tree issues. ... View more

Rather than expressing my bias towards them first , check out these threads by other people: https://community.meraki.com/t5/Switching/MS-390-when-is-it-ready-for-action/td-p/80612    And you mostly see mosts from unhappy people who bought them: https://community.meraki.com/t5/Switching/MS390-DO-NOT-BUY/m-p/95581  https://community.meraki.com/t5/Switching/MS390-LLDP-topology-issues/m-p/92618      Back to my bias again.  I'm also a Cisco Partner.  I would not put an MS390 into a client at this point in time.  Maybe in a couple of years, I'll re-look at it.  I think it will take this long to get on top of the bugs. I don't want the damage to our reputation by installing core infrastructure like switching that does not operate 100% reliably.   Based on some comments you have made (I have made a guess about the size of your network); I typically use MS425-16's for network cores or server access blocks.  They are an all 10Gbe SFP+ switch.   I'm also a big fan of the MS325-24X series for mid-size network cores.  Each one has 24 copper ports, 8 of which are MGig, and 4 x SFP+ ports.  You can stack them together and get a really good density of Gigibat, MGig/10Gbe copper and SFP+ ports.   For the access layer blocks, you could also look at the MS355 series (lots of MGig if that is important to you).   I mostly use MS225's (which have built-in 10Gbe SFP+ uplinks) which I 10Gbe connect back to the MS425's. ... View more

Going completely sideways; the MS390 has a bad reputation due to the high number of bugs and defects.   Consider using something else unless you enjoy grief after you've installed the kit. ... View more

Also not that MS L3 ACLs are stateless.  This can start making things tricky if you use them on multiple VLANs and want to do anything other than a layer 3 ACL. ... View more

As I understand it, PMKSA is a per AP cache.  It can only be used if the AP has seen the client recently and the cache of the key is still valid.   You would need to make the iphone roam to a different AP and then roam back again to see this (I would expect).     My initial thoughts are that you don't have a problem ... ... View more

You can use the sandbox. https://developer.cisco.com/sandbox.html  ... View more

Are you talking about people using a domestic VPN service for privacy to bypass content filtering? ... View more