TTechclick All lessons
Cisco Meraki · Switching (MS) · L2/L3 SwitchingInteractive · L1 / L2

Cisco Meraki MS Switching — Stack It, Route It, Filter It, Prioritise It

Eight switches behaving as one. A VLAN that routes itself. An ACL that quietly permits everything unless you say otherwise. Voice that never stutters. Skip the manuals — pick a topic below, watch a packet route live, ask the AI tutor, and you're done in 11 minutes.

📅 2026-05-31 · ⏱ 11 min · 3 interactive demos · 🏷 10-Q assessment + AI Tutor inline

What you'll be able to do

⚡ Quick Answer

Cisco Meraki MS switching made visual — stack 8 switches in a ring, build a Layer-3 SVI, write a stateless ACL, and map DSCP to a CoS queue in 11 minutes. Watch packets route live, dodge the management-IP overlap trap, and pass the ECMS switching questions.

Read as:

Pick a topic — jump straight to it

1

Stacking

Up to 8 switches in a ring = one logical box, one config, fast failover.

 2

Layer-3 / SVI

Give a VLAN a gateway IP and route between VLANs on the switch itself.

 3

ACLs

Stateless, top-down, and the last rule secretly permits everything.

 4

QoS

Map DSCP to a CoS queue so voice survives when the uplink is full.

One wrong assumption that breaks every new Meraki engineer

New L1 engineers open the Meraki dashboard and assume a switch stack is "just cabling a few switches together." It is not. A stack becomes one logical device — one config surface, one set of SVIs, shared spanning-tree. Cable it wrong and you don't get a faster switch; you get a loop, a split stack, or a silent black hole.

The second wrong assumption is sneakier: that an ACL blocks traffic by default like a firewall does. On Meraki MS, the opposite is true — the final, invisible rule is Permit Any Any. Forget that, and your "lockdown" ACL lets everything through. We'll unlearn both myths, the visual way.

In plain words: stacking is like turning five separate billing counters into one long counter with one manager — customers (packets) get served faster and if one staffer leaves, the others carry on. An SVI is the "you-are-here gateway desk" for each floor (VLAN). An ACL is the security guard's checklist — but this guard's last line says "if not on my deny list, let them in." QoS is the VIP queue at a temple — devotees with a VIP pass (DSCP tag) skip ahead when it's crowded.

Architect lens: design the access layer as stacked pairs/rings for deterministic failover and a single management object per IDF; push L3 termination as far down as the model budget allows (collapsed-core vs three-tier). Treat the Permit-Any-Any default as a posture decision — explicit-deny-then-permit at the distribution edge, and remember ACL and QoS share a 32-entry L4-port-range budget per switch, so spend it deliberately.

Meraki MS access-to-core architecture with a stacked access layer Diagram showing the Meraki cloud managing a ring-stacked access layer of three MS switches that route VLAN 10, 20 and 99 via SVIs up to an MX gateway. Meraki Dashboard cloud control plane mgmt / config MX gateway uplink trunk PHYSICAL STACK — one logical switch (ring) MS350-1 ACTIVE (lowest MAC) MS350-2 member MS350-3 member 40G stacking cables — ring closes back to switch 1 Shared SVIs (Layer-3 gateways) VLAN10 10.10.10.1 · VLAN20 10.20.20.1 · VLAN99 10.99.0.1
Figure 1 — The cloud manages everything; the ring stack behaves as one switch and hosts the gateway IPs (SVIs) for each VLAN.

Warm-up — predict before you read

Three quick gut-checks. Wrong answers are the whole point — they show you exactly what to fix.

Pre-check · 1 of 3

A colleague says "just add a deny rule, Meraki blocks the rest automatically like a firewall." On a Meraki MS, is that right?

Correct: a. Meraki MS ACLs are stateless and end in an implicit Permit Any Any. You must add explicit denies above it. This is the opposite of a firewall's default-deny.
Pre-check · 2 of 3

You enable L3 on an MS stack and the management IP 10.10.10.250 stops responding. Your first SVI is VLAN10 → 10.10.10.1/24. Likely cause?

Correct: b. On an L3 MS stack the management IP subnet must not overlap any SVI subnet. 10.10.10.250 sits inside 10.10.10.0/24 — the same subnet as the SVI — so polling/pinging the mgmt IP drops. Move mgmt to a separate subnet.
Pre-check · 3 of 3

Voice calls stutter only when the office uplink is busy. Which Meraki MS feature fixes it?

Correct: b. QoS only matters under congestion. A rule mapping voice DSCP (e.g. EF / 46) to a higher CoS queue gives those frames a bigger slice of the congested uplink so calls stay clean.

The vocabulary, in six taps

Flip each card. These six terms appear in every Meraki switching ticket and ECMS question.

🧱
Physical stack
tap to flip

Up to 8 switches joined by rear stack cables into one logical switch, ideally in a ring so any single cable failure is survivable.

📍
SVI
tap to flip

Switched Virtual Interface — a per-VLAN gateway IP on the switch. Only VLANs with an SVI can be routed. MTU is fixed at 1500.

🛡
Stateless ACL
tap to flip

Each packet judged alone, top-down, first-match. No return-flow memory. Final implicit rule = Permit Any Any. Max 128 per network.

🎚
DSCP → CoS
tap to flip

DSCP (L3 marking) maps to a CoS egress queue 0–5. Queues 6 & 7 are reserved for control protocols. Higher queue = more bandwidth under congestion.

⚙️
Mgmt IP
tap to flip

The switch's cloud check-in IP — separate from every SVI. On an L3 stack it must not overlap an SVI subnet, or it goes dark.

🌳
RSTP root
tap to flip

The center of the spanning tree. Set your chosen root to priority 4096. Beware: templates don't push priority to stacks — they keep 32768.

① Stacking — eight switches, one brain

Picture an IDF rack at Infosys Pune with three MS350s. Cabled as standalone units, that's three configs, three failure domains, three things to patch. Sneha instead cables them into a ring stack — now it's one logical switch in the dashboard.

S
Sneha at Infosys racks three MS350s, cables stack-port to stack-port (1→2→3) and then 3 back to 1. In Switching > Monitor > Switch stacks she selects all three and clicks Create. The switch with the lowest MAC auto-elects as Active; the rest become members.

Two stacking flavours. Most MS models use physical stacking over dedicated rear ports. The MS420/MS425 also support flexible stacking, where any SFP+ port (minimum 10 Gb/s) becomes a stack port — handy when switches sit in different racks. Pick the cable speed by model: 40 G on MS210/225/250/350/410/425, 100 G on MS150/355/450, and 480 G on the MS390 and cloud-managed Catalyst 9300.

Pause & predict

Sneha's three-switch stack is cabled 1→2→3 but she forgot to cable 3 back to 1 (a chain, not a ring). Switch 2's stack cable later fails. What happens?

The stack splits. In a chain, losing a middle cable isolates the switches on the far side — they drop out of the stack and may reboot to re-converge. A ring would have kept everyone connected via the alternate path. Always close the ring; it's the single biggest stacking hygiene rule.

A stack gives you two redundancies for free: Layer-3 gateway redundancy (the SVIs survive the loss of the active member) and Layer-2 dual-homing (a downstream device can uplink to two different stack members and stay up). One uplink to the stack reaches every member.

Symptom: a stack member shows "offline" minutes after you create the stack

What you see: one member greyed out in Switching > Monitor > Switches, occasional stack re-convergence reboots.
Cause: usually a half-seated or wrong-speed stack cable, or a firmware mismatch between members. Fix: ensure all members run the same firmware before stacking, re-seat both ends of each stack cable, and confirm the ring is physically closed. Remember every MS member (except MS390/Catalyst, which share one) needs its own management IP.

Quick check · Q1 of 10

Sneha needs to stack two MS425s that live in adjacent racks with no rear-port reach between them. What's her cleanest option?

Correct: a. The MS420/MS425 support flexible stacking — any SFP+ interface (10 G minimum) becomes a stack port, so switches in different racks join one logical stack. A plain trunk is not a stack; the MX cannot merge switches into a logical unit.

② Layer-3 / SVIs — when the switch becomes the router

Without L3, every VLAN needs the MX (or an external router) to talk to another VLAN — traffic hairpins up and back down. Enable an SVI on the switch and VLAN-to-VLAN traffic routes locally at line rate. Path: Switching > Configure > Routing & DHCP.

R
Rahul at TCS creates an SVI for VLAN 20 (servers): name SVI-Servers, subnet 10.20.20.0/24, interface IP 10.20.20.1. Clients on VLAN 10 (gateway 10.10.10.1) can now reach the servers without touching the MX. The golden rule he repeats: only VLANs that have an SVI can route, and the interface IP can never equal the management IP.

▶ Watch inter-VLAN routing on the SVI

Click Play. A laptop on VLAN 10 reaches a server on VLAN 20 — routed entirely on the MS stack.

① CLIENT 10.10.10.42 wants 10.20.20.10 (different subnet → send to gateway)
② TO GATEWAY Frame sent to VLAN10 SVI 10.10.10.1 — the switch's L3 interface for that VLAN
③ ROUTE LOOKUP Dest 10.20.20.10 is directly connected via SVI VLAN20 (10.20.20.1)
④ ACL CHECK Stateless ACL evaluated top-down on ingress — no deny matches → implicit Permit Any Any
⑤ REWRITE Switch rewrites L2 header; dest MAC = server's MAC on VLAN20, src MAC = SVI20
⑥ DELIVERED Server 10.20.20.10 receives it on VLAN20. No MX hop — routed on the stack.
Press Play to step through inter-VLAN routing. Next advances one stage.
Decision flow for enabling Layer-3 routing on a Meraki MS switch A flowchart deciding whether a VLAN routes, which model tier is needed for OSPF or routed ports, and the management-IP overlap check. Need VLAN-to-VLAN routing? SVI on that VLAN? no SVI = no routing No Traffic stays L2 / hairpins up to the MX router Yes Need OSPF / routed ports? Yes OSPF: MS250+ Routed ports/IPv6/BGP: MS390 / Catalyst 9300 No (static OK on MS150/210/225) ⚠ FINAL CHECK before commit Management IP subnet ≠ any SVI subnet Default route must NOT point to a local SVI
Figure 2 — Decide if a VLAN routes, match the feature to the model tier, then clear the management-IP-overlap gate before you commit.

Model tiers matter. MS150 / MS210 / MS225 do basic L3 — SVIs, static routes, DHCP relay — but no OSPF. MS250 and up add OSPFv2, DHCP server and VRRP warm-spare. The MS390 and Catalyst 9300 add routed ports, IPv6 L3 and BGP. A static route's next hop must live in a subnet that already has an L3 interface, and a default route can't point to an SVI on the same switch (routing loop).

Dashboard — first SVI on Rahul's TCS access stack 
Switching > Configure > Routing & DHCP > Add interface
  Name:           SVI-Servers
  VLAN:           20
  Subnet:         10.20.20.0/24
  Interface IP:   10.20.20.1        # NOT the management IP
  Default gateway:10.20.20.254      # MX/uplink — first interface only
  DHCP:           Relay -> 10.99.0.5
Expected result (Switching > Monitor > Switches > L3 routing) 
Interface   VLAN  Subnet           Interface IP   Status
SVI-Servers  20   10.20.20.0/24    10.20.20.1     routing
SVI-Clients  10   10.10.10.0/24    10.10.10.1     routing
Note: brief service blip while L3 hardware tables rebuild.
"My switch won't ping its own SVI" — that's normal

Classic Meraki MS switches (every model except MS390) cannot ping their own L3 interface, and once L3 is on, the switch prioritises forwarding over answering ICMP. So a failed ping from the switch to its own SVI is expected, not a fault. Test routing from a real downstream client instead — that's the only valid proof.

Pause & predict

Rahul sets the VLAN10 SVI to 10.10.10.1/24 and also leaves the stack's management IP as 10.10.10.250/24. Commit succeeds. What breaks, and when?

The management IP goes intermittently dark. The mgmt IP 10.10.10.250 overlaps the SVI subnet 10.10.10.0/24. On an L3 stack, that overlap causes packet loss when the cloud pings/polls the mgmt IP — the switch may even flap "offline" in the dashboard while still forwarding user traffic fine. Fix: put the mgmt IP on a dedicated, non-routed subnet.
Quick check · Q2 of 10

A team needs OSPFv2 between the access stack and the core. Their access switches are MS225s. What must change?

Correct: b. OSPFv2 is supported from MS250 upward. MS150/210/225 are L3-light: SVIs, static routes and DHCP relay only. BGP is MS390/Catalyst-only — and you can't bolt it onto an MS225.

③ ACLs — the rule that's permissive by default

Meraki MS ACLs are stateless: each packet is judged on its own, with no memory of the return flow. Rules run top-down, first match wins, on ingress, and apply network-wide to every switch. The trap: the final, invisible rule is Permit Any Any. So an ACL with only "allow" rules and no explicit deny changes nothing — everything was already allowed.

P
Priya at HCL must stop the guest VLAN (10.30.30.0/24) from reaching the server VLAN (10.20.20.0/24). She adds one allow rule for guest internet and assumes servers are now off-limits. They aren't — the implicit Permit Any Any still lets guests hit the servers. She needs an explicit deny rule, placed above the implicit permit.

▶ Watch a packet fall through the ACL

Guest-VLAN packet aimed at the server subnet. Watch which rule matches first.

① PACKET 10.30.30.5510.20.20.10:445 (guest trying SMB to a server)
② RULE 1 allow · TCP · src 10.30.30.0/24 · dst any · dst-port 443 → no match (port 445 ≠ 443)
③ RULE 2 deny · any · src 10.30.30.0/24 · dst 10.20.20.0/24MATCH → DROP
④ STOP First match wins — evaluation halts. The packet never reaches the implicit Permit Any Any.
⑤ WITHOUT RULE 2 Remove the deny and the packet falls to the implicit Permit Any Any → guest reaches the server. The exact bug Priya hit.
Watch stage 3: the explicit deny is what actually protects the servers. Stage 5 shows what happens without it.
Dashboard — Priya's working guest-isolation ACL (Switching > Configure > ACL) 
# Rules run top-down, first match wins. Order matters!
1  allow  TCP  src 10.30.30.0/24  dst any            dport 443    # guest HTTPS out
2  deny   any  src 10.30.30.0/24  dst 10.20.20.0/24               # block servers
3  deny   any  src 10.30.30.0/24  dst 10.10.10.0/24               # block staff VLAN
#  (implicit)  Permit Any Any  <- everything else still allowed
Expected result 
Guest 10.30.30.55 -> 10.20.20.10  : DROPPED (rule 2)
Guest 10.30.30.55 -> 1.1.1.1:443  : ALLOWED (rule 1)
Guest 10.30.30.55 -> 8.8.8.8:53   : ALLOWED (implicit permit)
Symptom: "stateful" thinking — return traffic blocked unexpectedly

What you see: you allowed outbound but replies seem dropped, or a rule blocks more than intended.
Cause: MS ACLs are stateless — there's no automatic return-flow allow, and the VLAN field matches the source VLAN on ingress. Fix: reason about each direction separately, and keep narrow allows above broad denies. Cap: max 128 ACLs per network, and L4 port-range rules share a 32-entry budget with QoS.

Quick check · Q3 of 10

Priya's ACL has the deny-to-servers rule placed below a broad allow any src 10.30.30.0/24 dst any rule. Guests still reach the servers. Why?

Correct: a. First match wins. A broad allow above the deny matches the guest-to-server packet and evaluation halts — the deny is never reached. Move the specific deny above the broad allow.

④ QoS — keeping voice clean when the pipe is full

QoS does nothing on an idle network — it only matters under congestion. On Meraki MS you define network-wide QoS rules at Switching > Configure > Switch settings. Each rule matches traffic (protocol, VLAN, source/dest port) and tells the switch whether to trust, set or modify the DSCP value, then maps it to a CoS egress queue.

Eight egress queues exist, but you only assign 0–5; queues 6 and 7 are reserved for L3 and L2 control protocols. When the uplink congests, higher-numbered queues get a bigger slice of bandwidth. Voice (DSCP EF / 46) goes in a high queue; bulk backup traffic stays low.

▶ Watch voice jump the queue under congestion

A VoIP packet and a backup-traffic packet arrive together on a congested uplink.

① ARRIVE VoIP frame DSCP EF (46) and backup frame DSCP 0 hit the switch together
② QoS RULE Rule: trust DSCP for VoIP VLAN → keep EF; map DSCP 46 → CoS queue 5
③ CLASSIFY VoIP → queue 5 (high) · backup → queue 1 (low)
④ CONGESTION Uplink saturated — scheduler favours higher queues for bandwidth share
⑤ EGRESS VoIP frame leaves first → call stays clean; backup waits its turn. No DSCP rule = both share equally → jitter.
QoS = trust/set the DSCP, map it to a CoS queue, let the scheduler favour high queues under congestion.
DSCP-to-CoS queue mapping on a Meraki MS switch A mapping chart showing common DSCP markings flowing into CoS egress queues 0 to 5, with queues 6 and 7 reserved. DSCP marking → CoS egress queue DSCP (L3 marking) EF (46) · voice CS5 (40) · video AF31 (26) · signaling AF21 (18) · data DSCP 0 · best-effort CoS egress queue (you set 0–5) Queue 5 — highestvoice Queue 4video Queue 3 Queue 2 Queue 1 — best-effort Queues 6 & 7 = RESERVED L3 & L2 control protocols — not assignable Wider bar = larger bandwidth share when congested
Figure 3 — Higher-numbered queues win bandwidth under congestion. You assign 0–5; 6 and 7 are reserved for control traffic.
Meraki MS switching deploy order cheat-sheet A five-step timeline from claiming switches to verifying, listing the dashboard path and the one gotcha for each step. Deploy order — the safe sequence 1 Match firmware all members same mismatch = flap 2 Cable the ring Monitor > Switch stacks close the loop 3 Build SVIs Configure > Routing mgmt ≠ SVI subnet 4 ACL + QoS deny above implicit permit share 32 L4 entries 5 Verify test from a client not by pinging SVI Set the RSTP root to priority 4096 Templates do NOT push STP priority to stacks — they stay at default 32768. Set priority directly on the stack and confirm the elected root in the dashboard.
Figure 4 — Print this. Firmware → ring → SVIs → ACL/QoS → verify, with the one trap to avoid at each step.
Quick check · Q4 of 10

A team tags VoIP with DSCP EF but tries to assign it to CoS queue 7 in the dashboard. It won't save. Why?

Correct: a. On Meraki MS you map a DSCP tag to a CoS queue between 0 and 5. Queues 6 and 7 are reserved for L3 and L2 control protocols and aren't user-assignable. Put voice in queue 5.
Pause & predict

A 2025 advisory flags CVE-2025-20352 — an SNMP stack-overflow exploited in the wild. It hits MS390 and Catalyst 9300 on Meraki CS 17 and earlier. Your access stack is MS350 + one MS390. What's your move?

Patch the MS390 firmware past CS 17 and lock down SNMP exposure. The MS350 isn't in scope, but the MS390 in your stack is. Upgrade to a fixed CS train, restrict SNMP to trusted managers, and confirm in Organization > Firmware upgrades. Always check whether an advisory's affected models actually exist in your network before you panic — or relax.

Common mistakes & the fixes that save your evening

Symptom: the stack "lost" your STP root after a template push

What you see: an unexpected switch became RSTP root; convergence got slower. Cause: STP bridge-priority set in a switch profile only propagates to standalone switches; stacks keep the default 32768. Fix: set priority 4096 directly on the stack and re-check the elected root. Also: never let an MS be root when bridging into a PVST+ fabric — it drops to legacy STP mode.

Three pro habits that prevent 80% of MS tickets

1. Keep the management VLAN/subnet completely separate from every SVI subnet — the #1 silent L3 outage. 2. Order ACLs specific-deny-first, broad-allow-last, and remember the implicit Permit Any Any. 3. Validate routing from a real downstream client, never by pinging the switch's own SVI (classic MS can't, and L3 deprioritises ICMP anyway).

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. No login, no waiting.

Pre-curated answers from Cisco Meraki documentation + community threads. For live prod issues, share your Switching > Monitor > Switch stacks view and ACL list at chat.techclick.in.

📝 Wrap-up — six more

You've already answered 4 inline. Six left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

What is the maximum number of switches in a single Meraki MS physical stack?

Correct: b — 8. Up to eight MS switches can be configured in a single physical (or flexible) stack. Cable them as a ring so any one cable failure is survivable.
Q6 · Apply

You add a static route on an MS350: subnet 172.16.40.0/24, next hop 192.168.99.5. The route won't apply. Your SVIs are on 10.10.10.0/24 and 10.20.20.0/24. Why?

Correct: d. A static route's next hop must live in a subnet that already has an L3 interface (SVI). 192.168.99.5 matches neither SVI subnet, so the switch has no way to reach it. Add an SVI in that subnet or fix the next hop.
Q7 · Apply

An L3 change on an MS350 stack causes a brief packet loss across user VLANs at commit time. Is this a fault?

Correct: b. On MS210/225/250/350/355/410/425/450, L3 config changes require flushing and rebuilding the L3 hardware tables, so a brief blip is documented and expected. Make L3 edits inside a change window.
Q8 · Analyze

A guest-isolation ACL has: rule 1 allow any src guest dst any, rule 2 deny any src guest dst servers. Guests still reach servers. Best fix?

Correct: a. First-match-wins means the broad allow (rule 1) matches and stops evaluation before the deny (rule 2). Reorder so the specific deny sits above the broad allow. You can't delete the implicit permit, and MS ACLs are always stateless and ingress.
Q9 · Analyze

After enabling L3 on an MS stack, the dashboard intermittently shows a member "offline" though user traffic flows fine. Mgmt IP is 10.20.20.250/24; an SVI is 10.20.20.1/24. Root cause?

Correct: c. The mgmt IP 10.20.20.250 sits inside the SVI subnet 10.20.20.0/24. On an L3 MS stack that overlap causes packet loss when the cloud polls the mgmt IP — hence the intermittent "offline" while forwarding works. Relocate the management IP to a distinct subnet.
Q10 · Evaluate

A campus needs sub-second gateway failover and a single management object for the access layer. The hardware is MS350s (stackable, support VRRP warm-spare too). Which design is the better recommendation, and why?

Correct: b. Where hardware supports it, stacking is the recommended L3 redundancy design: one logical switch, shared SVIs, single management object, and faster failover than VRRP warm spare. Warm spare is the fallback when stacking isn't possible. Pushing all L3 to the MX reintroduces the hairpin you were trying to remove.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

🗣 Explain it back (self-explanation)

In your own words: why does a Meraki MS ACL with only "allow" rules change nothing — and what one rule fixes it? Type it, then teach it to a teammate today. Teaching cements memory faster than re-reading.

📤 Teach a friend on WhatsApp

⏰ Lock it in — spaced recall

Memory fades without revisiting. Opt in and we'll nudge you to re-test this lesson in 3 days and again in 10 — the spacing that beats cramming.

📖 Glossary

SVI (Switched Virtual Interface)
A per-VLAN Layer-3 gateway IP on the switch. Only VLANs with an SVI can be routed; SVI MTU is fixed at 1500.
Physical / flexible stacking
Joining up to 8 switches into one logical unit — over rear stack ports (physical) or over an SFP+ port at ≥10 G (flexible, MS420/MS425).
Stateless ACL
An access list that judges each packet independently, top-down, first-match, with no return-flow memory; ends in an implicit Permit Any Any.
DSCP
Differentiated Services Code Point — a 6-bit Layer-3 priority marking (e.g. EF/46 for voice) the switch can trust, set, or remap.
CoS queue
On Meraki MS, the egress queue number (0–5 assignable; 6–7 reserved) that determines bandwidth share under congestion.
Warm spare (VRRP)
Two L3 switches acting as redundant gateways via VRRP; slower failover than a stack and two separate management surfaces.

📚 Sources

  1. Cisco Meraki Documentation — Switch Stacks (max 8, ring topology, cable speeds, active election, per-member mgmt IP). documentation.meraki.com
  2. Cisco Meraki Documentation — MS Layer 3 Switching and Routing (SVI fields, model tiers, OSPFv2/BGP support, mgmt-IP-overlap rule, hardware-table flush). documentation.meraki.com
  3. Cisco Meraki Documentation — Switch ACL Operation (stateless, top-down first-match, implicit Permit Any Any, 128-ACL cap, ingress VLAN). documentation.meraki.com
  4. Cisco Meraki Documentation — QoS / MS Switch Quality of Service Defined (DSCP→CoS queue 0–5, queues 6–7 reserved, Switch settings path). documentation.meraki.com
  5. Cisco Meraki Documentation — Configuring & Determining the RSTP/STP Root Bridge + Meraki Community (template doesn't push STP priority to stacks; set root to 4096; PVST+ legacy mode). community.meraki.com
  6. Cisco / Eclypsium advisory — CVE-2025-20352 SNMP stack-overflow, MS390 & Catalyst 9300 on Meraki CS 17 and earlier, exploited in the wild (2025).
  7. Cisco Learning Network — 500-220 ECMS (Engineering Cisco Meraki Solutions) Exam Topics, MS switching objectives. learningnetwork.cisco.com

What's next?

You can switch and route. Next we move to the edge: the Meraki MX security appliance — how AutoVPN builds a full mesh with one click, hub-and-spoke topologies, and where SD-WAN+ steers traffic over the best path.

Next · Meraki MX & AutoVPN SD-WAN → ← All lessons
⭐ XP
0%