Dashboard Troubleshooting with Packet Capture

SOLVED
Chris_Skees
Meraki Employee

Dashboard Troubleshooting with Packet Capture

Want to learn more about using the Meraki dashboard packet capture to troubleshoot network issues?

Check out this video that walks through a VPN troubleshooting scenario and shows you how to use the dashboard packet capture feature to solve the issue.

 

 

This video is from the Troubleshooting with Meraki module in our free Intro to the Meraki Platform course! Check out all the modules in this course on the Learning Hub

1 ACCEPTED SOLUTION

@RaphaelL If you have switches in your network, may be worth exploring the 'Switch Port Management Privileges' described in the below documentation.

 

Be aware that the packet capture settings will apply to the entire network.

 

https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Managing_Dashboard...

 

Here is my quick test:

- Create a port management privilege called 'packet-capture' and select an existing switchport tag.

- Assign the admin with the access privilege 'packet-capture' under the organization > administrators, just like how you assign privilege to other admins.

- The administrator will have very similar visibility and control to a normal 'read-only' network admin but with additional #1 packet capture enabled for the whole network, # 2 write permission to specific switchports configured in port management privilege based on the tag you choose.

 

Hope this is helpful.

View solution in original post

11 REPLIES 11
RaphaelL
Kind of a big deal

Do we know if the packet capture role will ever be available to network operators that are not Org Admin or Net Admin ?

Phi-L
Meraki Employee

Hey @RaphaelL! Currently the packet capture tool is limited to either network-wide or org-wide admins with write access (this means that read-only access and monitor-only and guest ambassador permissions won't work either). I can't say for certain if this will change in the future, but for now this is the case. 

What's your use case? Are you looking to manage the Meraki dashboard outside of the dashboard via a hypervisor or something similar? 

RaphaelL
Kind of a big deal

We are a big company splitted in multiple teams. So our network teams manage , configure and monitor our Meraki environnement , but some teams would like to be able to do packet captures but the network team do not want "random" people being Org admins 

 

Our real world example : SOC would like to have the rights to do packet captures in cases of forensic investigation but the NOC doesn't allow people from SOC to be Org admins / Net admins.

 

At the moment the SOC has to contact the NOC for every packet capture that they want to do.

 

Thanks 🙂 

@RaphaelL If you have switches in your network, may be worth exploring the 'Switch Port Management Privileges' described in the below documentation.

 

Be aware that the packet capture settings will apply to the entire network.

 

https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Managing_Dashboard...

 

Here is my quick test:

- Create a port management privilege called 'packet-capture' and select an existing switchport tag.

- Assign the admin with the access privilege 'packet-capture' under the organization > administrators, just like how you assign privilege to other admins.

- The administrator will have very similar visibility and control to a normal 'read-only' network admin but with additional #1 packet capture enabled for the whole network, # 2 write permission to specific switchports configured in port management privilege based on the tag you choose.

 

Hope this is helpful.

RaphaelL
Kind of a big deal

Can this 'privilege' be assigned to a SAML administrator roles ? That would be ideal !

 

And by the way, thanks for the quick and detailed replies ! love it

Once a port management privilege is created,  you should see it in the 'Access' dropdown when assigning privilege to your SAML role. So, this should work too. 

RaphaelL
Kind of a big deal

Thanks a lot for the reply 🙂  

 

This should only work on MS right ? If the network is combined and contains a MX , we won't be able to capture let's say S2S trafic or anything on the MX ? ( Not that a big deal breaker )

This will work as long as the network contains MS products and the packet capture will be enabled for the whole network not just MS.

Let's say an MX+MS+MR network,  once port management privilege set as packet capture allowed and assigned to an administrator, the admin should be able to perform packet capture on all nodes in that network.  

RaphaelL
Kind of a big deal

Hi , 


I'm currently testing this feature. 

1- Let's say I have 300 networks with a network tag 'Packet_capture_enabled' , when going to organization > administrators , and selecting the Tag 'Packet_capture_enabled' I can't select the Port management Privileges. I can only select the privilege IF I manually add the 300 networks to the administrator Privilege.

2- Upon looking at the OpenApiSpec , I don't see any endpoints to configure Port Management Privileges ( since they are Network-Wide ). We have over 1500 networks, this might be hard to do without APIs. 

 

 

RaphaelL_0-1657716500588.png

 

 

RaphaelL_2-1657716582051.png

 

 

Thanks , 

Both are valid points. So the Access privilege options are based on the target network selected. When using the network tag to scope network(s), there will be only four default privileges, given different networks might contain different device types. 

 

You are right about no API support for port management privilege setting.  And unfortunately, the Update an Administrator  endpoint currently does not support the custom access privilege either (in your case Packet_Capture) . I bet there is some good reasons for this, but it may be worth reaching out to your Meraki sales team and submitting a feature request to evaluate. 

 

{
"errors": [
"'access' must be one of: 'full', 'read-only', 'guest-ambassador' or 'monitor-only'"
]
}
 
PhilipDAth
Kind of a big deal

Boundless Digital offer a role-based access control system for the Meraki Dashboard.  You might want to check out that service.

https://www.boundlessdigital.com/network-management/meraki-automation/role-based-access-control/ 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.