Is this email true or fake ?

athan1234
A model citizen

Is this email true or fake ?

My customer wants to know if a Meraki email he received is legitimate or spam.
 
I am looking at the Meraki firewall rules, but I cannot see those IP addresses mentioned in the email.

 

This is the email 

 
 

Hello there,
 

We have updated our Firewall Info page to include new IP ranges to support future growth of the Meraki platform.
 

You are receiving this notice because devices in one or more of your Meraki networks are unable to reach our platform through these new IP ranges. To continue to benefit from Meraki cloud management, it is necessary to open access to these IP addresses in the firewalls upstream of your Meraki devices. If you have multiple organizations please reach out to meraki support to determine what organizations are impacted by this change.
 

What is changing?
We are expanding the IP address ranges for Meraki devices to connect to the Meraki cloud to include 216.157.128.0/20 and 158.115.128.0/19. The Firewall Info page has been updated to reflect these new ranges. The first notice about new IP ranges was proactively sent out on February 8, 2022.
 

How are these IP ranges used?
The new IP address ranges that Meraki devices will use to communicate with the Meraki platform are within the 216.157.128.0/20 and 158.115.128.0/19 subnets.
 

These IPs are all Meraki owned and operated, and are in the scope of IP ranges that we utilize to deliver our service. This new address pool will allow Meraki to keep expanding its services and coverage of the Meraki cloud platform.
 

What do you have to do?
To maintain reliable connectivity to the Meraki platform, please allow the IP address ranges mentioned above in the firewalls upstream of your Meraki devices. If there are restrictive firewalls or ISPs providing internet access to your Meraki devices, please ensure that these connections are opened as per the Firewall Info Page.
 

We recommend that you conduct a full review of all of your firewall rules to identify any that include both of these subnets and update accordingly. Please do not remove existing firewall rules for the dashboard as these new IP addresses are in addition to the old ones, not replacements.
 

When is this taking effect?
Connections to the Meraki platform will begin using the new IP ranges from October 1, 2022. Any devices which cannot reach these ranges cannot be guaranteed connection to the Meraki cloud platform, may receive delayed configuration updates, or otherwise may result in a degraded experience. More information about this change can be found here.
 

Please reach out to Cisco Meraki Support if you have any questions.
 

Thank you,
The Cisco Meraki Team

20 Replies 20
ww
Kind of a big deal
Kind of a big deal

Its legit. But it can also be send if you have devices that are not online

athan1234
A model citizen

Thanks .  @ww  . There is one more query that I didn't address in the email: what is the target of that Ip´s ?
I wonder if whether he should open it in his firewall or than the Meraki firewall . In case he will need to opend thoose  ip´s range 

Brash
Kind of a big deal
Kind of a big deal

The email is real.

The IP's/ports need to be open on any firewall and ACL that sits between the Meraki devices and the internet. 

The firewall rules guide in the dashboard help menu will indicate if there are any rules that are only applicable to certain devices.

athan1234
A model citizen

I don´t know feature of this about Meraki. If I go to organization - help firewall Meraki discovers What devices have you connected in the network .Meraki, that it can use to determine the scope of the rules you need to apply?

jay_meraki_5
Conversationalist

Thanks for confirming, we have an email of the same to allow the new Meraki DC ranges, we will get it allowed.

joopv
Getting noticed

We also got the same email re. a 800 sites network, and i wonder how to find out WHAT site is causing this warning.

BrandonS
Kind of a big deal

I got a few of these emails too and don't think there is actually anything upstream blocking access on the networks I was alerted for.  I suspect of the thousands or millions of devices out there there are many false positives that get sent.  I wouldn't be too concerned if you know there is nothing upstream from your MX.  It seems possible some of the new services on those new IP's were actually not responsive for some period and caused some emails to go out.

 

 

- Ex community all-star (⌐⊙_⊙)
GiacomoS
Meraki Employee
Meraki Employee

Hey team,

Thank you for bringing this up. We have been working internally to send updated messaging that will hopefully help clarify better the situation.

Nodes that are offline but still claimed in a network were also scoped in, so BrandonS is very correct that you may encounter some false positives. 

 

My recommendation at this stage is to check the upstream firewall rules where you can. If you are unsure of which ones you need to address, raise a case to Support via Dashboard please (so we can keep the telephone lines clear for emergencies) and we can assist in identifying the affected notes. 

 

@athan1234 , the Help > Firewall info page should be updated with the new IP addresses. I'm not sure what feature you are referring to, but there is effectively no change in functionality or expectations on how communication to Cloud works, you would just need to ensure that if there is an ACL capable third party device upstream that may have restrictions implemented, that the new range is included in the rule for device to Cloud connectivity. 

 

Hope this helps team, but please don't hesitate to @ me if you have any further doubt.

Giac

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
joopv
Getting noticed

We manage 24 organisations totalling >15.000 Meraki devices.  Most of them are not filtered, but some are.

 

It would be extremely helpful to have some kind of more detailed report on which (online) devices can not connect to the new ranges.

 

Furthermore, in the email it was stated that there already was a mailing regarding this change in februari, but i never received that one.  This possible hi-impact change on such a short notice of only 2 weeks is really bad operating practice, in my humble opinion.

 

I opened a case, but a case is always coupled to a single organisation.  We hope to have a more general solution really soon.

 

more questions:

- Are there ip addresses in the new ranges that we can ping to test connectivity?

- is it also possible to test the connectivity using API's?

 

GiacomoS
Meraki Employee
Meraki Employee

Hey @joopv ,

 

Just wanted to circle back here that I got further information on your questions.

Regarding the IP addresses you can ping, you can use 158.115.141.145 and 216.157.133.187, but please make sure you don't end up using them in monitoring systems or whatnot, as we can move them around or take them out depending on needs. 

In other words, you can use them for the purpose of carrying out ping tests for this matter only. 

 

Regarding the API, that's a bit more complicated, because you are only allowed to reach out to a server where you have API credentials. I would also always recommend to use api.meraki.com for your calls .

 

Please bear with us as we are working on tooling to provide you to help verify which networks are in scope and which not. We should have news for you soon.

 

Many thanks!

Giac

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
GiacomoS
Meraki Employee
Meraki Employee

Hey @joopv , 
I completely understand and can only apologise for the disruption. Unfortunately, at the moment, the only recommendation I can give is to continue to work with Support and we can help verify and scope down. 

 

I'm unsure why you would not have received the initial notification in February; I am aware of a few instances where they have been intercepted by email filters and marked as marketing, so that may be an angle to explore.

 

We have taken all the feedback onboard and continue to discuss internally. 

 

I also asked about the two questions. My personal take (please take it with a pinch of salt until I have confirmation) :

I believe that some of the addresses in the range may be pingable, but I cannot confirm which ones. 

I would not expect API calls to be accepted until the go live.

 

Many thanks!

Giac

 

 

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
Testarossa
Here to help

in which menu could I add the Meraki cloud IP addresses: 216.157.128.0/20 and 158.115.128.0/19

Thanks

GiacomoS
Meraki Employee
Meraki Employee

Hey @Testarossa ,

These are not changes that you would need to make on your Meraki MX, but rather on an upstream firewall (if you have any), that could potentially restrict access to those IP address ranges.

 

Hope this helps!

Giac

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
igliramaj
New here

Hello @GiacomoS , The Help--> Firewall info the two public ranges are updated on the table.

So there si no need to make changes by my side? Or the way how there are set up on the Firewall Info we should add to the rules on the firewall?

Thank You

Igli

GiacomoS
Meraki Employee
Meraki Employee

Hey Igli,

My recommendation is still to check your upstream firewall (not your Meraki device), to ensure that the new ranges are allowed. In my experience most firewalls allow outbound flows, so unless you have specific restrictions or you require inbound traffic as well, you are probably not in need to take any action, but I would nevertheless recommend a review of those firewall rules. 

 

Hope this helps!

Giac

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
Testarossa
Here to help

Thank you 

Testarossa
Here to help

Hi M GiacomoS

 

Thanks for your reponse

 

Best regards

MyHomeNWLab
A model citizen

It's too late now, this case was published in the document.

 

Cloud Maintenance New IP Ranges 2022 FAQ - Cisco Meraki
https://documentation.meraki.com/General_Administration/Other_Topics/Cloud_Maintenance_New_IP_Ranges...

> Last updated: Oct 13, 2022

 

I found it while looking for the latest documentation.

Testarossa
Here to help

Hi All Community

 

Where in dashboard Meraki can add a new subnets : 216.157.128.0/20 and 158.115.128.0/19 subnets.

 

Thank for your response

BrandonS
Kind of a big deal

Unless you are actively blocking those currently, which sounds unlikely baed on your question then you should not have to do anything except ensure anything upstream from your network is not blocking.

 

Short answer: no need to do anything in most cases.  Those who need to make changes would know how and where.

 

- Ex community all-star (⌐⊙_⊙)
Get notified when there are additional replies to this discussion.