We have one Meraki MS425 configured as an L3 switch to do routing with a transit VLAN so we can connect six buildings together. One building has the internet connection for the whole network. Right now we just have one fiber run going from each building to the Meraki MS425. Here is how we have routing configured on that MS425:     VLANs 10, 30, 40, 50, and 60 are all buildings that have just that one VLAN respectively (and associated subnets 10.1.x.x, 10.3.x.x, 10.4.x.x, 10.5.x.x, and 10.6.x.x), and this MS425 has the .1 virtual interfaces for each of those subnets. Each of those subnets has their own servers (DHCP, DNS, etc.) and all internet traffic passes through this MS425 and the transit VLAN of 172.16.100.0 to get to the building with the internet connection. The next hop IP of 172.16.100.1 is a virtual interface on the upstream switch (Cisco Catalyst) that has the firewall and internet connected to it (and it has it's own DHCP, DNS, etc. in the 10.2.x.x range). I've whitelisted the DHCP servers on VLANs 10, 30, 40, 50, and 60 and this is what this switch sees for DHCP:   What surprises me is what the VLAN 10, 30, 40, 50, and 60 Meraki switches are seeing in terms of DHCP - they are seeing DHCP traffic from other VLANs, and I'm not sure why this is. Here is the view from a switch on the VLAN 30 network:   The port on the MS425 with the transit VLAN that connects it to the VLAN 30 is configured this way: Port status Enabled Type Trunk Native VLAN 30 Allowed VLANs all Access policy Open Link negotiation Auto negotiate (10 Gbps) RSTP Enabled (Forwarding) STP guard Root guard Port schedule Unscheduled Port isolation Disabled Trusted DAI Disabled UDLD Alert only Tags none PoE n/a Peer SGT capable Disabled Storm control Enabled Port mirroring Not mirroring traffic Stacking port Disabled   Here's how the port on the other end of that fiber connection is configured on that VLAN 30 network that's connected to the transit VLAN: Port status Enabled Type Trunk Native VLAN 30 Allowed VLANs all Access policy Open Link negotiation Auto negotiate (10 Gbps) RSTP Enabled (Forwarding) Port schedule Unscheduled Port isolation Disabled Trusted DAI Disabled UDLD Alert only Tags none PoE n/a Peer SGT capable Disabled Storm control Enabled Port mirroring Not mirroring traffic Stacking port Disabled   Why is DHCP traffic crossing VLANs with this setup, and what's the best way to deal with it? ... View more

I'm trying to resolve an STP problem which has taken our whole network down the last two days, and I want to make sure I have the ideal MSTP configuration on our Catalyst 6509 for interoperating with all our switches, especially Meraki but also some legacy HP.   Initially I had this configuration on our core switch when I transitioned it from PVST to MSTP:   spanning-tree mode mst spanning-tree extend system-id spanning-tree mst 0-1 priority 8192 spanning-tree vlan 1-4094 priority 8192   We're a school district, and I set this up during the summer when very few staff were in the buildings. Reading up on  MSTP there were suggestions about creating regions and instances, so I added this:   spanning-tree mst configuration name region1 instance 1 vlan 3-4, 6-8, 12-16, 100, 110, 120, 200, 300, 999-1000   I didn't see effects, positive or negative, to adding this. Are they necessary or helpful in any way, or should I just remove the region and instance to the core switch?   For further mitigation today I added "spanning-tree guard root" to all ports on the Catalyst 6509 and added this to the config:   spanning-tree portfast edge bpduguard default     I'm hoping this will help prevent spanning tree from going totally haywire again. ... View more

We have yet to change over to Managed AppleIDs in our district high school because teachers in each individual class have traditionally had their own curriculum app needs that change during a semester, and so our established compromise that dates back many years due to both our limited IT staffing and that the fact that there didn't used to be Managed AppleIDs is to allow students to create their own personal AppleIDs (however they want) and then on our managed iPads (about 3500) we white list the apps in the Meraki MDM as the teachers request them, which allows the students to install the apps themselves.   We don't let students delete apps, and this can create problems especially on the 16GB iPads since they have so little app storage, and our remediation is to have students manually back up their data to the cloud, wipe their iPad, and have them reload everything that they need. In addition, if an iPad has a hardware issue or is damaged beyond usability and the student hasn't backed up recently, it means they loose their work. Moving to Managed AppleIDs will give students access to enough iCloud storage so that they should all be able to backup their iPads to iCloud which will be a big benefit to them.   Our IT staff is a total of 5 people to support about 6700 students and 700 staff. We collect the iPads at the beginning of the summer and don't wipe them, we keep track of what student has what iPad and return it to them so if they take care of it, they have the same iPad for all four years of high school.   Since Managed AppleIDs can't download apps from the app store and using those AppleIDs is intended for managed devices like ours the design intent is to deploy the apps to individual devices. That can be done with tags in the Meraki dashboard, but how best to manage this with limited staffing and resources is the question. Per-app tags could be cumbersome for 390+ apps. We are using tags right now for the widely deployed apps. The other way to do it is to create tags for the classes, and then associate the apps with those class tags, which could reduce the number of tags needing to be applied and simplify deploying groups of apps to iPads as students enroll and unenroll from classes since the number of tags to change on each iPad would be smaller. Our student information system is Infinite Campus, and I'm wondering if there would be a way to automate some/all of this through class rostering, maybe with periodic data exports from Infinite Campus and leveraging some custom scripts and the Meraki APIs for tagging iPads?   Also related to this project is how to automate the iPad owners... currently this been a mostly manual process (exporting data from Infinite Campus, hand editing it into a CSV, then manually importing it into the Meraki MDM at the start of each school year) but there is some automation possible since Infinite Campus can integrate directly with Infinite Campus for regular synchronizations and there is the ASM Sync functionality in the Meraki MDM to get owners into the Meraki side of things. Question is, what is the transition process going from a manually managed owners list to an ASM Sync? How are collisions handled in this scenario, i.e. what will happen to the iPads that already have owners assigned from the manually curated owners list when the ASM Sync happens with the same owners coming in?   Also we are in a holding patter on going through with the Apple School Manager domain verification (which is a prerequisite for SIS synchronization) because we know some percentage of staff and students have created personal AppleIDs in our domain and I know that collisions there will trigger communication users from Apple to move their personal AppleIDs to another email address and we haven't wanted to do that during a semester but also need to make sure we've communicated this change ahead of time to everyone in district so they aren't surprised by it (knowing exactly what they're going to see when the collision happens would also help us with what to communicate to them...)   We are collecting student iPads soon for the summer, and traditionally do not collect staff iPads. We've been letting staff manage most of the apps on their iPads, can we continue to do this when synchronizing with Infinite Campus in Apple School Manager and then doing an ASM sync in the Meraki MDM? I think it would be an impediment to teachers being able to test and screen prospective apps if they couldn't install and uninstall the apps they're interested in themselves from their school issued devices, and other than the iCloud storage I don't see a big advantage for teachers to use Managed AppleIDs for that reason.   Ultimately I'm trying to come up with the ideal transition process for moving to managed AppleIDs for the district high school. How does this sound:   1. Tell all staff and students that if they have AppleIDs in our school's domain they need to change them to use another personal email address by a certain date. 2. Verify our domain with Apple School Manager on that date. 3. Ask all staff and students to back up any data on their iPads they want to keep because we will be wiping them as part of moving to managed AppleIDs. 4. Collect all staff and student iPads and wipe them (wipe them because otherwise apps installed by students with their personal AppleIDs will never get removed from those iPads and would quickly create storage space issues for massive numbers of our student iPads). 5. Set up Infinite Campus synchronization in Apple School Manager. 6. Do an "ASM full sync" in the owners list in the Meraki MDM (and deal with any collision issues...) 7. Make sure the owner -> iPad mappings are correct in the Meraki MDM. 8. Set up all the class tags in the Meraki MDM and associate them with the needed whitelisted apps as soon as that data is available. 9. Since I assume there is no automated way to use rostering data in Infinite Campus to tag iPads for what class a student is in to give them the apps they need, manually tag iPads based on owners so that they have the right class tags, which will give them the apps they need. Throughout the school year the app to tag mappings will need to be updated/maintained in the Meraki dashboard as well as the class tags for each iPad so the right apps get installed/removed as needed on every managed device.   I assume there is no way to give teachers granular selective access to the Meraki dashboard such that they could maintain their own lists of apps for their classes, and individual app requests for classes would have to go through our IT staff throughout the school year?   Does this plan make sense? Am I missing anything? Has anyone else done this transition and have any other tips or suggestions? ... View more