Hey folks,   Could use some ideas here. I currently work for a state agency, at a school district. Every single agency in the state, has to work with our state IT department. I'm just going to call them XYZ. XYZ has certain policies and procedures we have to work around, and it creates a TON of logistical issues. As such, I'm a network admin, but my ability to access and modify things ends at our switch. The router and firewall are all handled by XYZ, and as such, I'm not allowed (or even able) to do anything with them.   We currently have 4 VLANs broadcast in the schools. Protected, Student, Guest and BYOD. BYOD used Google OAuth, but Guest, Protected and Student are all separate, and there's no relay between them, so none of them talk.   Currently right now the set up is that every school has two servers. One is a Linux CentOS DHCP server, which runs DHCPD for the Protected network and some VMs for a handful of other things, and the other is a Windows machine that had some magic performed on it (I believe it's the multiplexor protocol from Microsoft) that managed to virtualize the internal NIC card and allow it to have 4 VLANs - It's a single ethernet port which gets an address on the Protected, but has 3 other "virtual network ports", each assigned on the other VLANs, and it runs a DHCP server for Student, Guest and BYOD. I have absolutely no idea how this was set up or how it manages to work. I've only ever dealt with Windows DHCP for a single scope, and when using VLANs, we used the router/appliance (WatchGuard, Aruba, etc etc) for DHCP and VLAN configs.   I want to acknowledge that it's a total hack job that was created out of necessity and lack of resources, and it wasn't created by me. I absolutely hate this set up and I'm looking for ways to simplify it.   Where my problem comes in, is that the district has acquired a new building, and we're going to be using it for a handful of people. These same VLANs will need to be broadcast there (minus Student), and we're trying to avoid having to set up two physical servers like in the other schools. My first instinct was to get a Meraki switch that had DHCP functionality built into it, but upon watching a set up of it, I almost immediately saw a roadblock, in the form of the MX IP field.   We don't have an MX security appliance. We've got a router that's 100% controlled by the state, and they will not run DHCP on there, which means I need DHCP to come from another source. Is it possible for any of the Meraki switches to run their own DHCP server, and have them point the gateway to the router that we currently have? I called in and spoke to a Meraki rep, and while I'm sure he's good at his job, I could barely understand a word he was saying due to the accent. Is there ANY Meraki device that fits this bill?   If there isn't a Meraki device, does anyone know of any other sort of device that does? I've looked at DNSBox and a few others, and they're all MASSIVE overkill for what we need, on top of being too expensive for a school district. Any help or other ideas would be appreciated.     ... View more

Hey folks,   I work for a school district as the Network Admin. I'm in charge of 16 buildings and almost 10,000 devices/users.   Recently over the last year, for reasons unknown, Meraki has started to report mDNS names over DHCP host names. Because I work for a school district, blocking kids from the protected Wi-Fi and steering them towards the BYOD Wi-Fi has been a never ending battle.   This slow change I've seen to where a majority of devices are reporting mDNS now is causing some massive problems. Every single Chromebook, Android phone, and Smartboards are reporting back as these names. A serious number of iPhones and iPads are doing it. We're now also having Windows devices doing it.   At this point, there's a 50/50 shot that I'm blocking something legitimate instead of a rogue device on the network. This is starting to cause a MASSIVE headache, and tons of problems all over the district. At one school I ended up inadvertently blocking the entire administration staff's district issued cellphones from the network. I've inadvertently blocked Smartboards in the middle of class, and teachers while they're in the middle of Zoom calls or teaching.   I'm completely stuck right now. I can't risk having personal, unauthorized devices connected to the network that prevents a security vulnerability, but I also can't keep blocking teachers and admins.   For reference, we are using MR52 access points, and MS225 switches, with CentOS Linux DHCP servers. On a call with Meraki they basically just said "Oh well that's just how it is, nothing we can do," which I find completely mind-blowing. Being that we're the literal poorest district in the state (we only got the Meraki equipment from a massive one-time grant from the State), we have no money to purchase any of the MX appliances.   Is there anything at all I can do? I can't manually rename 10,000+ devices in the dashboard. I wrote a group policy to disable mDNS broadcasts, but it doesn't help us at all with the Macs, Chromebooks, Smartboards, iPhones, iPads and Android devices. I did write a new group policy to disable mDNS, but for whatever reason the Windows devices are still reporting back that way. We do not have SCCM (can't afford the licensing) or other options that we can push out new passwords to the Protected network, we would have to manually do this on every device, which simply isn't feasible.   This is extremely frustrating, and I'm not sure of a good way to fix it. Anyone found a solution? ... View more

Hey folks,   I've just started a position at a school district that uses Meraki systems for everything. So far I like them quite a bit, but I'm not familiar with them at all, having previously come from small businesses that had basic network equipment, and a slightly larger company that utilized Ubiquiti. So I've got a question about a task I've been given to solve, that I'm kind of hitting a wall on:   We have three Wi-Fi networks. Protected LAN, Guest (for guest of the district only, limited to 15 IP addresses as this network doesn't go through our proxy) and a BYOD that authenticates through AD for teachers and students to use their own devices. For the purpose of this, we are focusing on Protected and BYOD. The issue we have is that people keep putting their devices on the Protected LAN network, because kids and teachers dislike having to login to the network so frequently.   What I've been asked to do, is reduce the number of sign-ins that are required. My manager was hoping we could have a scenario where someone logs in once, and then their device/login is remembered for a long period of time, ideally all school year, but realistically anything less to encourage people to use BYOD rather than Protected. Is there a way for me to achieve this? I've found where the BYOD network options are, but haven't been able to find anything about registering devices for a period of time.   Thanks in advance. ... View more