Because a system is cloud managed doesn’t mean you’ve given a third party company full control of your network any more than trusting that the firmware installed on a Cisco/Aruba/Huawei device doesn’t provide a back door to your system for that organisation.   No user data passes through the Meraki cloud it only used for control, and Meraki have very strict controls and procedures in place about who has access to what. You can find a great deal of detail on this at https://meraki.cisco.com/trust. It is also possible to completely block access to your organisation if you believe it is sensitive: I understand that this is a big step for some people, but I’d say it’s less of a risk than storing data in Microsoft OneDrive/M365, AWS, Azure or GCP - where the hosting company potentially has access to real information about your company and what it does. To that end I know that Government organisations in a number of jurisdictions trust the Meraki network platform, whereas they have specific M365 environments (deployed by Microsoft) specifically for Government and their agencies to meet their data storage requirements.   All up every customer should understand how their network is controlled and where their data is or isn’t stored, but please make sure that what you are communicating to clients is accurate and valid.     ... View more

Is 172.20.20.1 the ASA, or is the ASA after that gateway? Which Source IP did you use when you did the ping from the MX?     ... View more

Meraki switches do running Spanning Tree Protocol (rapid spanning-tree to be precise), but other than the priority of switches there is nothing more that you can configure. However, they do follow all the normal STP rules that you’d expect. ... View more

Have a look on the ASA and the DVR if you can as it looks like there is nothing at all coming back from the other end. It’s most likely either a routing issue from the MX - either to or from the DVR - so try pinging each device you expect in the path from the MX until you get a failure (starting with 172.20.20.1), or it’s a firewall/access-list.   Does the ASA have a default route for unknown IP addresses? ... View more

Can you do a longer capture (maybe on the LAN interface of the MX?) to see what responses are coming back from the DVR, if any. That packet only appears to be the SYN of the TCP handshake, or is that all you are seeing?   Are there any ACLs or firewalls on the DVR itself to prevent access from public IP addresses (or unknown IP addresses)? ... View more

Looks like you’re doing a port forward from the WAN IP address of the MX to 192.168.14.3. Is there a route towards that network on the MX? The route you’ve posted is for 192.168.15.0/24, which doesn’t encompass the address in the port map. ... View more

Just in case you still need a hand....   WAN interfaces can either use only their dedicated WAN IP address (in routed/NAT mode), or you can create a virtual IP address that moves between the primary and standby MX when failover occurs LAN interfaces only have a single IP address that is configured on the primary MX. This IP address is passed to the standby MX when failover occurs (so you only need one IP address on the LAN for two MXs) VRRP messages only occur between the primary and secondary MX appliances on LAN interfaces - but they occur on all configured VLANs (be aware of this if you have multiple connections between the MXs) VRRP messages occur at Layer 2, hence why you don't need a separate IP address on each of the MXs on the LAN side (this is confusing for anyone who has used HSRP) ... View more

I assume you've tried all the basic stuff.... From the computer on Site 2 - check that you have the DNS nameservers set as the domain controller IP address in the DHCP options (that's how Windows clients find the Domain Controller) try pinging the Domain controller by IP address (login with a local account), this will prove you have connectivity try pinging the Domain controller by hostname, this will prove you have DNS working and DNS suffix or search domains try pinging the Domain controller by FQDN, this proves DNS is working (even if the suffix/search domains aren't) ... View more

I’ve seen clients with about 20 AutoVPN spokes pushing about 150Mbps of traffic through a MX84 configured as a concentrator. The worst the MX performance was hitting was around the 50 mark, so still headroom in it. ... View more

The biggest downside with the solution is that you can’t configure WAN2 on the secondary MX in a different manner to the primary, but usually that’s a small price to pay, and may not be an issue. For instance WAN2 on the primary may be a 100/40Mbps internet circuit, and on the secondary it may be a Cat6 LTE - which may give a similar performance. ... View more

Yep, connect one ANT-25 antenna to both the top ports, and another ANT-25 antenna to both the bottom ports. The difference with the MR84 (being a 4x4 access point) is that all the ports are dual band (so both 2.4GHz and 5GHz) and you want to have the antennas covering the same area so that all the smarts of 802.11ac Wave 2 work as expected. ... View more

The only way I could think of doing that is to get creative with a script and an API, and see what can be done there. Something along the lines of alerting via a Webhook on movement, then have a script to a trigger a number of snapshots on the camera, that you then post somewhere. It’s a basic outline, but should be achievable. ... View more

@NickHorton I believe what you are referring to is what Meraki have called ‘Motion Recap’, where it blends frame together to show the motion.   You should be able to disable this on the Motion Alerts page under the Camera Settings.   ... View more

Sure, no worries.   1) The 802.1x processes by themselves allow for a user to be authenticated and for a VLAN to be assigned to the port. With the original 802.1x once a user was authenticated and VLAN assigned there was no way to change the authorisation on the port until the user physically disconnected and reconnected. Modern systems required that if security conditions change the authorisation of the port can be changed, and hence in the last five years or so switches have supported CoA to enable this. You need a RADIUS server that supports CoA (e.g. Cisco ISE, Aruba ClearPass) if you’re going to use it, but for standard 802.1x almost any RADIUS server can be used. See here, https://documentation.meraki.com/MS/Access_Control/Change_of_Authorization_with_RADIUS_(CoA)_on_MS_Switches   2) There is a document (which I can’t find now) which outlines the compatibility of Cisco ISE with Meraki MS switches. From memory they don’t support URL redirect, and they definitely don’t support TrustSec/SGT (the MS390 is slightly different, but best not go there). EDIT: found the document https://community.cisco.com/t5/security-documents/how-to-integrate-meraki-networks-with-ise/ta-p/3618650   Hope this helps. ... View more

When RSTP is disabled on a port, the port takes no part in spanning-tree, so it always passes traffic. It won’t send BPDUs, and it won’t process incoming BPDUs (so essentially they get dropped). The recommendation is generally not to disable RSTP as if you do get a loop it will take down your network. ... View more

The MX only forms it’s AutoVPN tunnel on the WAN ports, so you won’t be able to get the SD-WAN working if you’re using a LAN port on the HQ MX. ... View more

If you don’t want to purchase a concentrator for the head-end then the only other option with the Meraki solution is to get a route to the internet from the MPLS network. This could be one that the MPLS service provider can provide and manage for you (it only needs to be small, and just needs a NAT for outbound traffic). The alternative is you can add yourself if the MPLS provider lets you inject a default route into MPLS network (obviously you then need to ensure the routing is correct and that it’s secure - similar to the concentrator model, but slightly different). ... View more

Hi @BeniMaurer welcome to the exciting world of Meraki. If you hit any bumps with your projects then don’t be afraid to post int the forums, it might just be something someone knows how to fix. ... View more

It depends how many switches you have and the variety between port configurations. If there is a small number of switches or the switchports are all configured pretty much the same, then it’s pretty straightforward to configure through the Dashboard - select multiple ports and configure all the ports in one hit. Obviously there may be Layer 3 interfaces and the like to configure too, but the bulk of the configuration is normally the ports.   If there is a bit more variety between the switch port configurations then I’d look to the API. You can write a script to extract the current configuration from a port and write it to the new switch. It may take a bit of effort, but will be way less mundane and hone your scripting skills. There’s probably something to do this (or very close to this) already on GitHub. ... View more