The answer is 84.   The two hubs have two links each, creating 4 x AutoVPN tunnels.   The 20 spokes will each form an AutoVPN tunnel to each WAN port on the hubs, so 20 x 4 = 80.   80 + 4 = 84. ... View more

Thanks for the replies. The Best Practices showed me how to combine the ACLs. However the final rule leaves out TCP traffic that was being deny above. The stateless nature of the ALCs certainly makes them tricky. Also with a 128 limit, the inability to use a port range or list of subnets, the ALC only seems appropriate for denying all traffic between VLAN. Thanks for the help. ... View more

I looked at the API, and I thought that one only worked for the MX (since its called WAN1 🙂 ) If this works, then its the way to go. Thanks.   PS: I have not tried it, because there where "only" 50+ APs and I just "grinded" my way through them.   ... View more

As a matter of fact, it was possible to register devices in China on the global dashboard in the past, but as described, communication to the global cloud may become unstable. I have currently registered the equipment in China on the Chinese dashboard as described. A very troublesome Chinese government policy has been promulgated in recent years, but it seems that there is no choice but to follow it. They especially hate cross-border encrypted communications that are not under their jurisdiction. https://documentation.meraki.com/zGeneral_Administration/Support/Information_for_Users_in_China >Overview >Cross-border Service Availability   I currently have equipment in China and Japan, also use China and Global Dashboard. The benefits of Meraki are spoiled because the Organization is inevitably split. BTW, adding APs within China to the Chinese dashboard should not be a problem in itself. If you are able to access the Chinese dashboard from Germany without any problems. If you can't register APs within China to the Chinese dashboard, that's another matter. ... View more

I have a customer looking at using these in fridges and refrigerated trucks.  If they had to actually run structured cabling into each fridge - it would be cost-prohibitive.   They have many hundreds of fridges.  They have just two DCs.   You can see which is the bigger market. ... View more

They are.  Freenet VPN.  I was hoping to keep them completely off the network.   ... View more

No.  ... View more

Try taking the camera right up to the switch and use a standard patch lead to plug it in.  Note it might take 10 minutes to come online the first time because it encrypts its internal SSD.   Do you see link lights?  Is your firewall letting it talk to the cloud?   Is your switch an 802.3at PoE switch?   ... View more

I'm with @GreenMan .  Disable the WiFi on the Z3 and get something like an MR36.   The first thing you'll notice is the better coverage the MR36 provides.  You can position the MR36 closer to the middle of where you need coverage (you still need to get a cable to it). If you need, you can then getting a second MR36 for MESH.  Note that your throughput drops by more than 50% when using WiFi through that MESH MR.     Going sideways; I've had a good experience using the DLink power link extenders (which extend your network over the power lines in your house) ... ... View more

I would use one supernet for all your clients, and another for the production networks.   For example, 10.16.0.0/16 for clients and 172.16.0.0/16 for production.  Make the third tuple the site identifier.  For example, a single site might use 10.16.34.0/24 for clients and 172.16.34.0/24 for production.   Then you can create broad VPN firewall rules like 10.16.0.0/16 is denied access to 172.16.0.0/16.  Instantly with one rule, every client network is denied access to every production network. ... View more

@rbnielsen  I just made a wish too. 🙂 ... View more

Hi -    To resolve error message 628 in Event Viewer when attempting to connect to a Meraki VPN, do the following:   1. Navigate to Control Panel > Network and Internet > Network Connections > right-click the VPN profile > Properties 2. Security tab > click "Allow these protocols" then select: Unencrypted Password (PAP)  Challenge Handshake Authentication Protocol (CHAP)  Microsoft CHAP Version 2 (MS-CHAP v2)    3. Save the changes 4. Reconnect  Regards,   Dalton Woolsey ... View more

Here are the news:   I wrote to Meraki helpdesk after an test-update on one of our MR45:   "Great, it´s working now. But: you reduced the functionality. Isn´t it better to complain at Microsoft or Intel to provide a proper driver for the wireless-devices?"   this is the answer:   "... Thats great news! You are correct, ideally this would not be required at all. Please be assured that this issue is on-going, we still have our teams working on this issue, it has not been forgotten about. The fix we have used here is only a temporary work-around. Whilst I do not have an ETA on a true fix, we at Meraki are still looking into this. This fix was simply aimed to get you up and running whilst we proceed. We will let you know via this case as soon as a full solution is found. Kind Regards ..."   ... View more

Maybe the same issue as described here:   https://community.meraki.com/t5/Wireless-LAN/poor-WLAN-quality-with-MR45/m-p/100512#M14855   ... View more

Same issue - CRC errors comes and go. Is there any alert been setup on CRC errors from Meraki yet? ... View more

Usually its a matter of looking at the security events in the Security Centre in the Meraki Dashboard, and then whitelisting those IPS signatures.   Of course, you first have to satisfy yourself that the alerts are false and the PDFs don't actually contain a threat. ... View more

The switch port configuration is fine as NAT mode is being used.  In fact, being an access port is more desirable since it won't participate in spanning tree at all.   Start by looking over your logs.  What does the Meraki event log say?  What does the Catalyst log say?   Are there any other non-Meraki APs also connected to this network?  If so, you might be triggering their security causing clients to be disconnected. ... View more

Just to keep you updated - spoke with a support engineer who was very helpful. He could capture/witness the roaming issue from watching the logs and is going to try to replicate the issue using a testing set-up.    Meanwhile I also did some testing of my own.  Fully disabling 802.11w for affected SSID (instead of 'Enabled - allow unsupported clients') seems to have solved the roaming issues. This also solved an issue where the iPhone would be unable to associate with the network when connecting to the SSID for the first time. (eventually after reconnecting many, many times, it would successfully connect) I'm interested to see if my findings are in line with the testing results from Meraki Support  Also, for security reasons I would like to be able to set 802.11w to 'Enabled - allow unsupported clients' again without it affecting roaming capabilities. Please note that per Apple's documentation: "802.11w's protected management frames (PMF) interoperate with iOS and iPadOS support for 802.11k, 802.11r, and 802.11v." (https://support.apple.com/en-us/HT202628). ... View more

If you mean the ports and services the clients on the network are using then you can use the Traffic analytics page. To get the information however your network needs to be configured to use traffic analytics and to report specific hostnames. ... View more