That is what we are considering.  I was hoping for an easier solution within Meraki itself. ... View more

425's at the core, 390's and one 355 at the L3 level, 125's for the L2's at the outlying departments. ... View more

As I read it, that's 3000 between ACL rules, GP, and SSID rules. I still might hit that and therefore need to look for a different solution. ... View more

Is that 3,000 for my whole network or or per GP?  I think you mean on my network, but I want to make sure I understand. ... View more

Meraki Dave.   Thanks for all that information.   We are a campus with many separate buildings. Many have 3 WAP's in a dorm. Larger areas have multiple WAP's with overlaps. Some of the dorms are near the main buildings and overlap can occur. When I took over our Meraki infrastructure two years ago, I saw a screen where it simply displayed circles around each WAP with red-orange-yellow circles which would map out rough coverage. This is what I was hoping to find again.   Or was this the Heat Maps? I didn't remember seeing anything over time nor moving clients. (Although I had already found those very nice features.)   The immediate need for it has now passed, but I would like it for the future.. Either the Location analytics or the Heat Map were where I thought it might be.   Thanks everyone for the help. -Greg ... View more

I have 96 WAPs.   I thought I recall one which let me view overlapping areas from WAP's and not users moving around over time. ... View more

MS switching is only allowed 128 ACL rules.  They also do not support port ranges.  However they are allowed in Group Policies and MR AP's.   This is stopping us from fully blocking key subnets off from the rest of the network.  I just cannot be done for us with this above limitation. ... View more

Bruce,   There are devices on the 390's and the 125's.  I guess that makes the whole thing a problem.   This is a new installation this Summer.  I'm contacting my reseller to learn more about how to work around this without changing the whole subnetting from 172.1.30.x to 172.30.x.x.  That would be a big, big project.   Can you link me to a document or posting where all of the issues with the 390's are outlined?   Thanks again. ... View more

Bruce,   Flipping the rule:  does this protect the server from something malicious getting to it?  That is part of our goal. ... View more

Bruce,   Thanks for the info.   The 425's are my core switch stack.  The MS390's are my "hubs" to the other areas of my network.   The ACL rules I am adding are under Switch/Configure/ACL.  I was assuming these applied from the 425's and down.  I am not familiar with any ways to add ACL's directly to the 390's.   The driver for for implementing on the 390's?  I didn't know I was doing this.  See above.   Flipping the return traffic?  I'll have to think on that one. ... View more

Bruce,   Thank you for the info.   My issue is this:  I have VLAN's which are spread across multiple subnets.  Example (but not real):   172.128.30.x/24 and 172.129.30.x/24 are in VLAN 30, each subnet on a different MS390.    I would like to create an overall rule preventing VLAN 30 from getting to 172.100.120.x/24.  Right now, each has it's own subnet rule.  Because I have to do this for each VLAN's over six different MS390's, I need six individual subnet rules in the ACL list.   Lets say I need to limit the ports to a print server to limit exposure.  I need two ports open.  VLAN 30.  That takes twelve rules.  I'm going to be sunk up against the 128 limit. ... View more

UCcert   My core switches are MS425-32's.  Then connected to MS390-48UX's.  Then the final switches are MS125's. ... View more

cmr   I have found the limit on port ranges.  You can do them on SSID's, so it's confusing. ... View more