This is the email
Thanks, @ww. There is one more query that I didn't address in the email: what is the target of those IPs?
I wonder whether he should open it in his firewall rather than the Meraki firewall, in case he needs to open those IP ranges.
The email is real.
The IPs/ports need to be open on any firewall and ACL that sits between the Meraki devices and the internet.
The firewall rules guide in the dashboard help menu will indicate if there are any rules that are only applicable to certain devices.
I don't know about this Meraki feature. If I go to Organization - Help - Firewall, does Meraki discover what devices you have connected in the network, which it can use to determine the scope of the rules you need to apply?
I got a few of these emails too and don't think there is actually anything upstream blocking access on the networks I was alerted for. I suspect that, of the thousands or millions of devices out there, there are many false positives that get sent. I wouldn't be too concerned if you know there is nothing upstream from your MX. It seems possible some of the new services on those new IPs were actually not responsive for some period and caused some emails to go out.
Thank you for bringing this up. We have been working internally to send updated messaging that will hopefully help clarify better the situation.
Nodes that are offline but still claimed in a network were also scoped in, so BrandonS is very correct that you may encounter some false positives.
My recommendation at this stage is to check the upstream firewall rules where you can. If you are unsure of which ones you need to address, raise a case to Support via Dashboard please (so we can keep the telephone lines clear for emergencies) and we can assist in identifying the affected nodes.
@athan1234, the Help > Firewall info page should be updated with the new IP addresses. I'm not sure what feature you are referring to, but there is effectively no change in functionality or expectations on how communication to Cloud works; you would just need to ensure that if there is an ACL-capable third-party device upstream that may have restrictions implemented, the new range is included in the rule for device-to-Cloud connectivity.
Hope this helps team, but please don't hesitate to @ me if you have any further doubt.
We manage 24 organisations totalling >15.000 Meraki devices. Most of them are not filtered, but some are.
It would be extremely helpful to have some kind of more detailed report on which (online) devices cannot connect to the new ranges.
Furthermore, in the email it was stated that there already was a mailing regarding this change in February, but I never received that one. This possibly high-impact change on such a short notice of only 2 weeks is really bad operating practice, in my humble opinion.
I opened a case, but a case is always coupled to a single organisation. We hope to have a more general solution really soon.
- Are there IP addresses in the new ranges that we can ping to test connectivity?
- Is it also possible to test the connectivity using APIs?
Hey @joopv,
Just wanted to circle back here that I got further information on your questions.
Regarding the IP addresses you can ping, you can use 18.104.22.168 and 22.214.171.124, but please make sure you don't end up using them in monitoring systems or whatnot, as we can move them around or take them out depending on needs.
In other words, you can use them for the purpose of carrying out ping tests for this matter only.
Regarding the API, that's a bit more complicated, because you are only allowed to reach out to a server where you have API credentials. I would also always recommend using api.meraki.com for your calls.
Please bear with us as we are working on tooling to help you verify which networks are in scope and which are not. We should have news for you soon.
Hey @joopv,
I completely understand and can only apologise for the disruption. Unfortunately, at the moment, the only recommendation I can give is to continue to work with Support and we can help verify and scope down.
I'm unsure why you would not have received the initial notification in February; I am aware of a few instances where they have been intercepted by email filters and marked as marketing, so that may be an angle to explore.
We have taken all the feedback onboard and continue to discuss internally.
I also asked about the two questions. My personal take (please take it with a pinch of salt until I have confirmation):
I believe that some of the addresses in the range may be pingable, but I cannot confirm which ones.
I would not expect API calls to be accepted until the go live.
Hey @Testarossa,
These are not changes that you would need to make on your Meraki MX, but rather on an upstream firewall (if you have any), that could potentially restrict access to those IP address ranges.
Hope this helps!
Hello @GiacomoS, on Help --> Firewall info, the two public ranges are updated in the table.
So there is no need to make changes on my side? Or should we add them to the rules on the firewall the way they are set up on the Firewall Info page?
My recommendation is still to check your upstream firewall (not your Meraki device), to ensure that the new ranges are allowed. In my experience most firewalls allow outbound flows, so unless you have specific restrictions or you require inbound traffic as well, you probably do not need to take any action, but I would nevertheless recommend a review of those firewall rules.
Hope this helps!
It's too late now, this case was published in the document.
Cloud Maintenance New IP Ranges 2022 FAQ - Cisco Meraki
> Last updated: Oct 13, 2022
I found it while looking for the latest documentation.
Unless you are actively blocking those currently, which sounds unlikely based on your question, then you should not have to do anything except ensure anything upstream from your network is not blocking.
Short answer: no need to do anything in most cases. Those who need to make changes would know how and where.
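
The upstream firewall review recommended in this thread can be scripted against an exported rule list; the following is an added example, not part of the thread and not Meraki tooling. The required ranges are RFC 5737 placeholders standing in for the ranges on the Help > Firewall info page, and the rule list is a constructed sample that assumes first-match-wins evaluation with an implicit deny at the end.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation space). Substitute the ranges
# shown on the dashboard's Help > Firewall info page.
REQUIRED_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed sample of an upstream firewall's outbound rules, in evaluation
# order. The "action"/"dst" field names are assumptions for this example.
SAMPLE_RULES = [
    {"action": "allow", "dst": "198.51.100.0/24"},
    {"action": "allow", "dst": "203.0.113.0/25"},   # covers only half the range
    {"action": "deny", "dst": "0.0.0.0/0"},
]


def blocked_parts(required, rules):
    """Return {required_cidr: [blocked subnets]} under first-match-wins rules."""
    result = {}
    for cidr in required:
        undecided = [ipaddress.ip_network(cidr)]
        blocked = []
        for rule in rules:
            dst = ipaddress.ip_network(rule["dst"])
            still_undecided = []
            for net in undecided:
                if dst.supernet_of(net):        # rule decides the whole piece
                    decided = net
                elif net.supernet_of(dst):      # rule decides part of the piece
                    decided = dst
                    still_undecided.extend(net.address_exclude(dst))
                else:                           # CIDR blocks are disjoint
                    still_undecided.append(net)
                    continue
                if rule["action"] != "allow":
                    blocked.append(decided)
            undecided = still_undecided
        blocked.extend(undecided)               # no rule matched: implicit deny
        result[cidr] = sorted(ipaddress.collapse_addresses(blocked))
    return result


if __name__ == "__main__":
    for cidr, gaps in blocked_parts(REQUIRED_RANGES, SAMPLE_RULES).items():
        status = "fully allowed" if not gaps else "blocked: " + ", ".join(map(str, gaps))
        print(f"{cidr}: {status}")
```

An empty list for a range means every address in it reaches an allow rule first; any subnet listed is a portion that the firewall would drop and that needs a rule change.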