Did the slow down happen after you added the MX100, or after you added the AD controller? Which one of the two changes resulted in the slow down? ... View more

Test the AD controller directly.  From a CMD prompt go:   nslookup server <ip address of AD controller> www.google.com   Does www.google.com repsond in a reasonable period of time? ... View more

I assume you mean you have added the AD controller as a DNS server under DHCP.   I would try running a DNS query against the AD controller and make sure it can resolve queries properly. ... View more

I haven't personally used it, but this script has had some attention for being able to create firewall rules from the CLI using Python for the MX platform.   https://create.meraki.io/build/mx-firewall-control-python-script/ ... View more

This is an overview page and includes a link to a webinar if you want to lean more. https://meraki.cisco.com/solutions/sd-wan ... View more

Actually the second port can be re-configured, but it can only be done by support, and you have to open a ticket to do it.  On the whole it is a pain in the arse, so I wouldn't do it unless you already have the kit and really need to.   If it is a for a small low density area, have you considered using the MR30H? https://meraki.cisco.com/products/wireless/mr30h ... View more

For Gig1/1/2 and 2/1/2 you wont need to configure anything on the ports themselves.  You just need to aggregate that.  Follow this guide: https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports#Selecting_Aggregate_ports ... View more

For  GigabitEthernet1/0/1 you want something like:     Below is the most probably config for For Gig1/0/4GigabitEthernet1/0/1.  Note that "switchport voice vlan 7" only has affect for an access port - and the port is forcibly configured as a trunk port.  Also "spanning-tree portfast" will do nothing, as it is also only used for an access port.     ... View more

Good discovery @NolanHerring  - thanks for letting everyone know. ... View more

I just had a thought.  Because you are plugging in a new "default gateway" (aka it is moving from the Dell to the Meraki) the MAC address of that gateway is changing.   Perhaps this might just require someone to clear the ARP table on the remote end.   Did you try doing some pings from the MS250 to the indivudual hosts during the last cut over?  I guess you should do some pings now before the next cut over - to verify that the devices will respond to a ping. ... View more

I don't know for certain.   I believe that when the user logins their MAC address becomes "authorised" on the Meraki side.  That MAC address authorisation will remain in affect for the configured period.   The ongoing authorisation has nothing fuether to do with AD until it expires. ... View more

ps. I gave up on using Powershell for scripting.  One of the issues with it is that when you start powershell running for a one off job (such as a triggered event or task scheduler (for example)) it has to instantiate the whole .Net engine.  This can take a couple of seconds.  If you are trying to run a lot of single fire operations this creates big problems.   The .Net instantiation is a really slow process, and inherent in the powershell architecture - so can not be fixed.   .Net apps suffer the same issue when you recycle their application pools in IIS.  I have clients with apps where IIS can't process any requests for 5 minutes after a pool recycle.     You may find moving off to other scripting languages like Python will be your best fix. ... View more

First I would remove all the compulsory sleep operations you have.  The rest is taking long enough without adding those. Start-Sleep -Milliseconds 200   The next thought on my mind is weather this is static routes on an MX or MS.   If it is on an MX have you considered using route tracking? https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#Static_Route_Tracking ... View more

Did the MS250 come online in the Meraki Dashboard?  It needs to do that to get its config.   It sounds like you only had a single port in your port-channel in the VM environment.  It should still work not having a port-channel configured on the Meraki side, but just something to consider.   I notice if I try to manually configure the port speed I only get 1Gb/s options as well.   Did the link light come on for the 10Gbe SFP+?  Is the server definately using 10Gb-SR as opposed to LRM or something else?   Below is an example of an MS250 that has a 10Gbe SFP+ plugged into port 25 going to a VMWare server environment.  This is how it should look. ... View more

@jdsilva only a single policy can have a schedule.  So if the Morning policy has a schedule, you can not attach a second schedule to the Afternoon policy. ... View more

You should be able to just put: play.google.com In the block list.  Note that it doesn't take affect immediately.  And if has recently been accessed then the existing flow will be cached.  Once that flow expires the rule will take affect.  Having to wait 10 minutes is common. ... View more

If it was me, I would just expand your pool of IP address space for the devices that are attaching.   Note that you do expose yourself to a possible DHCP exhaustion attack using the approach you are using (and you are in a school ...).  With a DHCP exhaustion attach you can download existing attack tools, and all they do is send DHCP requests using different MAC addresses until the DHCP server has no IP address space left to give out to real clients.   The second approach I would use is to just use a NAT mode SSID.  With 16 million IP addresses it makes a DHCP starvation attack improbable.  With the hashing method that Meraki uses with a NAT mode SSID to generate DHCP client addresses - it is probably impossible. ... View more

Templated networks can have unique /24's per site - and it sounds like you should be using templates. https://documentation.meraki.com/zGeneral_Administration/Templates_and_Config_Sync/Managing_Multiple_Networks_with_Configuration_Templates#MX.2FZ1_-_Template_VLAN_IP_Address_Range_Allocations Then if you change the template every site will get updated automatically.   It will be a big effort to change over.  You'll want to create a template by copying an existing network first (to get most of the settings).  Set the template to use unique addressing.  Then you can bind one network at a time to the template.  note that when you bind a network to a template it will loose the existing subnet assigned - so you will need to go into the bound network afterwards and configure the subnet you want to use again.   Using a template will make sure all of your sites are configured identically. ... View more

I'm not completely clear on your requirement.   Is it that you have two groups of users, one is connectd via WiFi, and the other is wired - and you want WiFi users to have one set of rules and wired to have another?   If so, I would create two VLANs on your MX. One for the WiFi users, and one for the wired user.  Then create a group policy policy for each, and apply it to the VLAN. https://documentation.meraki.com/MX/Networks_and_Routing/Configuring_VLANs_on_the_MX_Security_Appliance     ... View more

Is their something wrong with the built in IR light? ... View more