Thanks for the tip.   However, every time Meraki breaks something on the Stable channel, I'm told to upgrade to the Stable Release Channel or Beta channel for a fix.  Does anyone else see a problem with this?    I do realize that there are few options other than downgrade or upgrade or workaround, but please stop breaking "Stable".  That's what the other release channels are for.  ... View more

l7_firewall, not content filtering...   syslog...   May 11 11:13:08 72.198.16.239-1 logger <134>1 1652285588.003245509 appliance l7_firewall src=192.168.40.37 dst=208.67.222.222 protocol=udp sport=53082 dport=53 decision=blocked   Meraki Support Engineer...   "The Layer 7 blocks for OpenDNS (208.67.220.220) appear to be due to the fact it is being classified as advertising. Unfortunately, the workaround for misidentified traffic is to remove the corresponding rule which you have done. Alternatively, Meraki Support can roll the network back to 15.44 which uses a different method for identifying traffic." ... View more

@HealthPrime wrote: L7 has broken lot of stuff it blocks 8.8.8.8 but category is blank , i have a ticket open but no time frame  for resolution for L7 NBAR issues reason its managed by Cisco and not meraki Cisco owns Meraki, but this will never be an acceptable excuse, regardless.  I'm on "stable" firmware.  It should be "stable"...meaning it doesn't break things that used to work.  ... View more

Context...   Subject: RE: Cisco Meraki Case 08036081: layer 7 FW completely broken and [ ref:_00D606uBw._5006Q1pmBUt:ref ]   Hello Craig, Thank you for reaching out to Meraki Technical Support. I have added the information from this case to an internal tracker so our engineering team is aware of this issue. The Layer 7 blocks for OpenDNS (208.67.220.220) appear to be due to the fact it is being classified as advertising. Unfortunately, the workaround for misidentified traffic is to remove the corresponding rule which you have done. Alternatively, Meraki Support can roll the network back to 15.44 which uses a different method for identifying traffic. If you would like to proceed with the rollback, it would require a call to Meraki Support during the maintenance window. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Network-Based_Application_Recognition_(NBAR)_integration Kind Regards, Austin Conley Network Support Engineer .:l:.:l:. Cisco Meraki     ... View more

See my reply to CptnCrnch.  I don't expect anyone that doesn't work for Meraki to be able to help.  I'm ranting (or complaining), yes, but also warning, and hopefully shaming.  Or should I just through all my complaints in the "make-a-wish" well?  ... View more

Clearly, I'm ranting.  I'm not sure what more context you would need, but there is no help anyone that doesn't work in Meraki engineering can provide. Support already provided some work-arounds (not to be confused with a solution). Roll-back firmware or disable the rule. BTW, I'm on a "Stable" release. Some might also refer to it as a "customer complaint"....you know...since this really, really expensive product simply stopped working as advertised.  I now suspect it's due to a botched rollout of NBAR in version 16.x of the firmware.  So, basically poor quality control, testing, etc. Someone was just so excited to roll it out, they didn't bother to test it properly, I guess.  I'm also warning any would be customers that are smart enough to read forum posts before a purchase.  The Layer 7 firewall does not work as advertised and is clearly broken.   I'm also, hopefully, shaming someone at Meraki, but those are high hopes, I realize.  ... View more

Yes, it's the L7 Advertising rule classifying OpenDNS as "Advertising".  I'm not using Umbrella.  ... View more

"Modern operating systems use a number of tracking prevention methods that can resemble the behaviour of many hosts behind a single NAT IP. Therefore NAT detection may also cause alerts for legitimate traffic that may not be related to NAT.  It is recommended to tune the alert frequency to a suitable value for your network, then investigate to determine whether further action should be taken."   So, it might be real, might be false positive...and we're supposed to go investigate them all?  I'm not sure this is very helpful.  ... View more

I think the song is called "My First Casio", composed by "some managers 4th-grade child".  ... View more

Don't hold your breath.  I asked for this several years ago.  ... View more

Yes, they will take down your entire network even if there is only one device with an expired license.  It's very draconian. One of the things that go in my hate column for Meraki.   ... View more

That's nice if you have 2 WANs to work with.  ... View more

And network saturation shouldn't be that difficult either.  I already input the maximum bandwidth for each WAN on the traffic shaping page (A).  The MX already records and reports on real-time (or near-time) usage (B).   If B >= (A - X) for more than Y mins, then send alert.     Let me pick X and Y.     "Wide use case" for any alert is easily accomplished by letting the admin pick the threshold/s.  But I'm sure the devs at Meraki can/already have figured this out.  Whey they refuse to do so is a never ending source of Meraki hate for me.    Phillip, you had the same concern when I complained about this same lack of alerting for high-CRC and packet loss, last year.  Again, it's already reported on in the switch page of dashboard.  The simple, obvious solution is the same.   Thresholds.    They even have thresholds already defined for CRC and packet loss that light up with different colors in the dashboard, but no option to get an alert for this common network condition either.  F***ing pathetic!    Why?  Seriously, this sh*t is so aggravating.  We pay WAY too much for this kind of half-baked design and lack of any real/meaningful response from Cisco.   https://community.meraki.com/t5/Dashboard-Administration/hard-to-imagine-why-there-isn-t-an-alert-for-high-CRC-and-packet/m-p/18655   I've seriously come to conclude that Cisco is simply being stingy with data.  Alerts cost money.  Probably fractions of a penny, but they add up.  Why wouldn't Cisco be motivated to restrict and limit alerts at every opportunity.  Why would they give us any choice in the matter.   It's not like they haven't thought about something as basic as network health alerts...then again?  ... View more

Yeah, it's not rocket science.  They obviously collect the data.  Implement a threshold and add it to the alert page.  I'm sure the devs at Meraki can figure it out.    Even on a network where I have the overpriced Meraki Insight add-on, I still can't get a simple alert for this incredibly common problem.    What really boggles my mind is that I have to even ask for this seemingly basic alerting function for a common network issue...and I'll probably be ignored (or patronized and told to submit a wish) and never get it.  None of my wishes ever come true.  Even for the most simple, obvious, no brainer tweeks or additions.    I love a lot of things about Meraki, but things like this really piss me off and make me wonder WTF is going on in the design meetings.   When I say I have a "love/hate" relationship with Meraki, this is exactly the type of thing I'm thinking of when I think about all the hate.    I don't want to have to learn how to query the API just to get bare bones basic alerting on a very common network issue.  I have a million other things on my plate, like most of us do.  ... View more

I'm actually amazed it took this long to get some training programs in place. The roll-out has seemed very haphazard/disorganized/half-a**ed. And why are the classes sizes so limited anyway? It's virtual. Your Cisco. I'm sure you could easily expand the class size if you wanted. What gives? I'd make a wish, but my wishes never come true. ... View more

@EliseK, I don't see a form on this page, no matter which date I click on. Just blank white space to the right on the dates. I'd paste a screenshot if I could. I've tried this in Chrome and Safari. https://meraki.cisco.com/webinars/signup/2690/ecms1%3A-north-america-sessions/.   Update: I tried from another computer and it's working, so something wrong locally. ... View more

Also, I really hope I'm not going to have to travel 1000+ miles just to take EMS2. Please add more cities for those of us that aren't lucky enough to live in (or near) one of the 3 most expensive cities on the planet. San Francisco, London or Sydney are the only 3 cities listed on the Interest form. Better yet, add a virtual option. I can't imagine anything that couldn't be covered virtually. We are talking about cloud managed networking gear, right? ... View more

I'd love to be able to register for EMS1. No mater which date/time I click on, there is no form displayed. I've tried this in Chrome and Safari. Does this mean the sessions are full? A note to that effect would be nice. ... View more

I spoke with a Meraki rep the day before it happened...sorting out the licensing.  He didn't warn me either, even though he clearly noticed the problem.  In retrospect, I think he was trying to tell me...but didn't make it clear at all.   In any event...there is absolutely no valid reason to disable the ENTIRE org over one measly Z1 license.   Cisco could easily just disable the one Z1.  Again, heavy-handed is a radical understatement. It's also potentially dangerous and even life threatening in a different environment like a hospital.   ... View more

This is the other point of confusion.  Said unlicensed Z1 had been on my network, unlicensed, for at least a year. Some other licenses were set to expire today, but I renewed those.  So, this one Z1, that had been on my network, unlicensed, for at least a year, was cause to disable my ENTIRE org?     Again, what if this was a hospital with thousands of devices.  You shut down the ENTIRE hospital over one measly Z1 license?!?   I can't be the only one that sees a problem here.   There is absolutely no valid technical reason Cisco couldn't simply disable the one unlicensed device instead of the ENTIRE org.   ... View more

Are you serious?  DOS = denial of service.  The method used is irrelevant.   ... View more

Yep.  Figure out the solution.  That I had to be down for 30 mins and navigate your incredibly rude shut out until I was able to track down my customer number is inexcusable.  Are we meant to have these numbers tattooed on our bodies?    Disabling the entire org over one device license is F'ing absurd.  Like, off the rails F'ing absurd.  As I stated in another response....heavy-handed would be a radical understatement.  What if I was a hospital (iIm not) and we didn't renew a license for one measly Z1 at some doctor's house...you would have shut down the entire hospital network over a $30 license.  Un-F'ing-real! ... View more