Hi Guys, Need some advice on figuring out why I see "Detecting a high rate of STP topology changes" alerts on random switches (on their uplink ports) at random times. I migrated from mixed switch environment (Catalyst/HP/Aruba) to pure MS setup. Attaching topology. Core stack is the root bridge with priority 8192, default priority is 32768 and one switch has priority 36864. Core stack is 2x MS390-24 with 10G modules. Fibers goes to access switches, one switch doesn't have direct connection with core stack (the one with lowest priority on far right side). Setup was done some time ago and all was fine, then I started to get those random alerts. Don't recall if it was after some firmware update or a reboot. Maybe after MS390 swapped from MS firmware to CS... I'm not sure. One core stack switch is in alerting mode because of a firmware bug - it thinks 10G ports 1 and 2 are connected to copper ports 1 and 2 and reports vlan mismatch. This was confirmed by Meraki support. According to them it doesn't have impact on network and is already fixed in one of the beta firmware versions. Should I change root bridge priority to 0? Should I try to enable BPDU Guard on all access ports network wide? Maybe someone is connecting a switch somewhere... Other ideas? ... View more

Hi Guys! I have this interesting project of merging 2 dashboards/organization. The one managed by me will become the master one. I know more or less how to migrate devices/network/licenses between organizations but I have no idea how to approach to licensing model change. Currently both organizations are in co-term models. My org is quite small, it contains locations from one country and there is only one "budget". I have like one co-term license key for 8*MS, one key for 8*MX for example. It's fairly simple to extend licenses and figure out who is paying and for what. Organization that I'm going "absorb" is much bigger and more complex. They have like 60 devices across many countries, many owners, many budgets, many administrators and huuuuge amount of license keys where half of them are already expired. They have constant struggle to keep license status green. Nobody knows which license keys were bought be who. I guess some networks only operates because of co-term license model and countries that bought 6 or 8 year licenses keep the rest above the surface. I would like to clear this up during the merge and also avoid situation where entire org is down because someone forgets to extend their licenses. I was thinking about per-device licensing but this has some cons like for example entire org has to run same licenses for MX and we have mix of Enterprise and Advanced Security. I'm looking more towards subscription model and I would like to have separate subscription per each network. For example one network in Uganda should have one subscription containing 2*MX68, MS225 and 3*MR36 and another network there just one MX68. Did anyone have experience with changing co-term to subscription model? Is there a way to convert/split current co-term licenses keys? Should I first merge orgs and then change license model or other way around? For example, I have co-term license key with 8 MS switches and other license key with 8 MXes. I will need to split them into 8 separate subscription licenses, each with one MX and one MS and bind them to networks, right? Is this even possible? I asked Meraki support but their initial answer is quite disappointing - they said to me something completely different than can be found in official docs 😕 ... View more

Hi Guys, Maybe you will have idea what is wrong with my tunnel? I have Meraki vMX in Azure. There is also Client VPN configured with subnet 10.10.10.0/24. All my Azure resources are in 10.3.0.0/16 subnet. Then I have ipsec tunnel to non-Meraki peer (some cisco ASA). For almost a year all was working fine, then suddenly I lost comm from client vpn network 10.10.10.0/24 to remote networks behind this non-Meraki peer. I did not change config, remote side neither. Tunnel is up and I have no issues at all with comm from 10.3.0.0/16 to remote networks. I'm in contact with Meraki support - they are saying "traffic from 10.10.10.0/24 is routed through tunnel correctly". Support from remote site is saying "we don't see any traffic from 10.10.10.0/24 network going towards us through the tunnel and because of that SA between this network and our network is not building up". Which makes sense as if they initiate traffic from their subnet to my 10.10.10.0/24 subnet SA is building up and we have comm for about an hour until its terminated: Connection terminated for peer [my public ip]. Reason: IPSec SA Idle Timeout Remote Proxy [remote subnet], Local Proxy 10.10.10.0 Where is the issue and who is lying? ;D ... View more

Hi Guys, I need some advice on upgrading office core network 🙂 Should I modify anything to have fully redundant solution? How it looks: 2 CPE modems, each is connected to one of my 2 WAN switches (some Aruba Instant-on devices, not stacked, just regular link between them). From each WAN switch I have 2 links, each to different MX100 (warm spare with VIP) From each MX I have 2 uplinks, each to different MS390 (phisically stacked) Qestions: Is it normal that stacked MS390 switches have same local mgmt ip? In other switches it's normal but when I last time stacked 2xMS225 each had different mgmt ip. Only difference is that MS225s are connected to core stack (with lag) and MS390s are connected directly to MX warm spare FW. What is not working: When I put down Master MX - failover works fine. The issue is when I try to put down one of the CPE modems. They suppose to exchange vrrp through my WAN switches but ISP engineer claims that it's not the case. Both CPE are claiming to be masters and do not see each other. All ports included are in same vlan (untagged) so I don't know waht might be the issue. ... View more