Client Tracking in Full Stack Environment

StormTrooper
Here to help

Client Tracking in Full Stack Environment

I am in the process of designing a site using the full Meraki stack.

 

All Layer 3 routing will be done on the "5th floor" stack,

All other switches and switch stacks (other floors) will come from this Core stack, with a Single transient VLAN passing all external destined traffic to the MX .

 

This is a combined network, and I am looking at the best method for Tracking Clients ?

According to the Meraki documentation, I can’t track by IP as this isn’t supported in a combined network.
Tracking by client MAC address isn’t an option for us, because the switches are doing the layer 3 and the downstream clients are not on the same broadcast domain as the MX.

 

Our only option seems to be the Cloud tracking, which is still in beta. 

Does anyone have any advice as to how the Cloud tracking works and good/bad experiences with it, and will it provide the client tracking information?

14 Replies 14
SoCalRacer
Kind of a big deal

This is a good place to start.

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Client_Tracking_Options

 

Some basic explanation of how it works.

Cloud Track

Cloud Track is a Meraki technology that leverages network topology and device information to uniquely identify and track clients. It uses an algorithm that intelligently correlates client MAC and IP addresses seen across the Meraki stack, allowing the security appliance to generate a unique identifier for each client in a combined network with other Meraki devices. This is specifically useful when there are Meraki MS switches routing layer 3 between end clients and the security appliance, which segregates broadcast traffic containing the client's MAC address.

This method should be used only if the network has downstream layer 3 routing devices that are all Meraki devices. In this deployment scenario, tracking by IP would otherwise require the security appliance to be split into a separate dashboard network, as tracking by IP is not supported in combined networks. Tracking by MAC would fail to identify end client devices due to the layer 3 boundary, associating downstream client traffic to the routing switch and negatively affecting network usage numbers in dashboard.

Note: Cloud Track does not allow the MX to identify clients connected to an SSID utilizing NAT mode with Meraki DHCP, even for MRs in the same dashboard network.

Hi thanks for getting back so quickly.  Yep, looked through this document already, just wondered if anyone has actually implemented this in a production environment.  Conscious that Cloud Track is still in Beta...

I have not implemented it yet.

 

I would bet @PhilipDAth or @jdsilva have though!

jdsilva
Kind of a big deal

Sorry, I haven't 😞

I have clients using CloudTrack and it seems to work well.

 

Note that for doing per client group policy clients still need to be layer 2 adjacent to the MX (or on an MR), but for just monitoring and reporting it works great.

Nash
Kind of a big deal

I've tried this for one client, but not getting accurate names was a problem so I had to swap them back to mac address tracking and deal with its inadequacies. I'd like to eventually move them back to cloud tracking when it's a little bit less beta.

PhilipDAth
Kind of a big deal
Kind of a big deal

>I've tried this for one client

 

How long ago did you try it?

Nash
Kind of a big deal

Maybe 4-6 weeks ago? Fairly recently.

Lukef
Here to help

We have also tried and are running cloud track, however often downstream devices show as offline when it isn't the case.

 

cmr
Kind of a big deal
Kind of a big deal

Cloud tracking didn't work for us in a full stack environment.  Most devices were seen twice and flipped every few hours between one of the identities and the other.  We were told that as we had followed the normal best practice of connecting both MXs of an HA pair to two switches in a stack, it was known not to work, so we reverted to MAC.

ITConnect
Conversationalist

cmr, I have a similar setup to you.   Full Meraki stack.  Two MX250s security appliances in HA connected to two MS425 switches stacked.   I initially set client tracking to "Unique client identifier"  which didn't work well.  I wasn't able to find clients I knew were online.    So, I have switched to "MAC address" tracking.   This is working better, but I am still getting duplicate client entries.  Typically one off-line client entry showing connected to the MS425 stack and one on-line entry showing connected to the actual downstream switch port.  Are you seeing the same?    I am wonder if this is do to where I am doing routing.  Where are you doing routing?  On the MX, MS, or both?      I am currently doing routing on both.  I have VLANs that require special group policies and firewall rules on the MX250 HA and all other VLANs on the MS425 stack.    My thinking is the MS425 stack would be faster at routing internal traffic.   Hopefully Meraki can get client tracking working better with the recommended campus design.  

cmr
Kind of a big deal
Kind of a big deal

We are routing on the MS only, so the only client that the MX sees is the MS itself as we are in MAC tracking mode like you.  When looking at clients if you select only security appliance clients do you see only the duplicated entries?  The MS should indeed do near wire speed routing whereas the MX will be routing in software so will definitely be slower with more latency.

ITConnect
Conversationalist

cmr,  Thanks for confirming that routing on the MS switches should provide the best performance and thanks for leading me to selecting different pull-down options when looking for clients.   For reference, I am attaching screenshots showing what a client entry looks like from the view of "All", "only security appliance clients", and "only switch clients".   The "only switch clients" seem like the best option for me to get accurate client information. 

 

Client "All" screenshot - Two client entries - same MAC - one on-offline connected to MS425 core stack - one online connected to actual switch port.

Client All.jpg

 

Client "only security appliance clients" screenshot - Two client entries - same MAC - both connected to the MS425 core stack -  one on-line - one off-line

Client Security.jpg

 

Client "only switch clients" screenshot -  One client entries connected to actual switch port and on-lineClient Switch.jpg

 

 

cmr
Kind of a big deal
Kind of a big deal

@ITConnect, good to know that the only switch clients view works for you too. 👍

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.