Meraki

Community

Which device using which WAN

TheAlchemist
Getting noticed
‎Oct 7 2022 2:19 PM
‎Oct 7 2022 2:19 PM

Which device using which WAN

Hello,

 

Is there a way to know which client/device on a Meraki network is using which uplink i.e. WAN 1 or WAN 2 other than in traffic shaping where you can put a WAN connection as a preferred network.

 

Thanks

0 Kudos
14 Replies 14
KarstenI
Kind of a big deal
Kind of a big deal
‎Oct 7 2022 2:42 PM
‎Oct 7 2022 2:42 PM

All devices use the preferred Uplink to the internet unless you have:

  • Load balancing configured
  • Flow preferences configured
  • a 1:1 NAT config to the other uplink for a host
  • a failed preferred uplink
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 7 2022 4:28 PM
‎Oct 7 2022 4:28 PM

@TheAlchemist  With load balancing enabled I don't remember if there's a way to validate which uplinlink the client is using, but I'm almost 100% sure it's not possible.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
RaphaelL
Kind of a big deal
Kind of a big deal
‎Oct 7 2022 4:40 PM
‎Oct 7 2022 4:40 PM

Same. I just looked at the syslogs of FLOW and the uplink is not included

 

You can see the uplink decision of VPN trafic but not for Internet trafic I'm afraid. 

TheAlchemist
Getting noticed
‎Oct 8 2022 7:53 AM
‎Oct 8 2022 7:53 AM

Thanks much for your thoughts and information. Yes, I do not see a way yet of confirming which device would be using which Uplink WAN connection with load balancing enabled. Would be handy to know though.

In response to TheAlchemist
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Oct 10 2022 10:02 AM
‎Oct 10 2022 10:02 AM

If you look at the flow logs you should actually be able to derive your WAN interface since the translated IP is a part of the flow_start and flow_end logs.  See below for an example:

 

Sep 25 19:49:15 _gateway 1664128155.858797804 FW_Home flows src=192.168.101.xxx dst=23.1.xxx.xxx mac=70:1F:3C:XX:XX:XX protocol=tcp sport=40042 dport=443 pattern: allow tcp && (dst port 80 || dst port 443 || dst port 8080) && (src 192.168.0.0/16)
Sep 25 19:49:15 _gateway 1664128155.858828752 FW_Home ip_flow_start src=192.168.101.xxx dst=23.1.xxx.xxx protocol=tcp sport=40042 dport=443 translated_src_ip=213.118.xx.xx translated_port=40042
Sep 25 19:53:20 _gateway 1664128400.494255104 FW_Home ip_flow_end src=192.168.101.xxx dst=23.1.xxx.xxx protocol=tcp sport=40042 dport=443 translated_src_ip=213.118.xx.xx translated_port=40042

In response to GIdenJoe
Pavithran
Here to help
‎Oct 12 2022 6:04 AM
‎Oct 12 2022 6:04 AM

Where can I see the flow logs in the Meraki Dashboard. I don't recall this seeing in Dashboard. 

0 Kudos
In response to Pavithran
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Oct 12 2022 8:04 AM
‎Oct 12 2022 8:04 AM

Cloud management and spammy logs don't go hand in hand 😉  Only the eventlog is available on the dashboard.  For all other logs you need to define a syslog server somewhere in your network.

 

I have been testing with a ubuntu vm on my pc at home to get these logs. 😉

In response to GIdenJoe
TheAlchemist
Getting noticed
‎Oct 23 2022 9:31 AM
‎Oct 23 2022 9:31 AM

@GIdenJoe I installed rsyslog on an ubuntu VM but seems like its giving info which could be found in Meraki dashboard Event log. I am using tail -f /var/log/syslog to see the event messages.

 

your syslog extract has more details.

0 Kudos
In response to TheAlchemist
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Oct 26 2022 9:08 AM
‎Oct 26 2022 9:08 AM

That means you are only sending the system eventlog to your ubuntu machine.  Please go to network-wide and check your syslog configuration.  You need to add the tag Flow in there to enable flow logging.

In response to GIdenJoe
TheAlchemist
Getting noticed
‎Nov 3 2022 4:16 PM
‎Nov 3 2022 4:16 PM

oh yes, thanks. They are filling up the VM storage fairly quickly.

0 Kudos
In response to TheAlchemist
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Nov 5 2022 1:18 PM
‎Nov 5 2022 1:18 PM

Yep, it's a challenge with quick filling up diskspace.
I've got a colleague that's working with a script to select between flow logs vs flow_start and flow_end logs.  Apparently my colleague noticed that the flow_start and flow_end logs which also show NAT information always write to the log even if that specific rule is not set to disable logging.

And then in that script you can merge different sources going to the same IP/port with hitcounters.  This is useful to start adding more specific firewall rules.  Oh well, busy busy 😉

0 Kudos
In response to GIdenJoe
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 12 2022 6:16 AM
‎Oct 12 2022 6:16 AM

It's not a MX logs on dashboard, It's a reporting for a Syslog servers.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GreenMan
Meraki Employee
Meraki Employee
‎Oct 10 2022 5:05 AM
‎Oct 10 2022 5:05 AM

It's a bit of a sledgehammer to crack a nut - but how about using packet capture against Internet 1 / Internet 2, filtered for your specific destination?

In response to GreenMan
TheAlchemist
Getting noticed
‎Oct 13 2022 11:51 AM
‎Oct 13 2022 11:51 AM

Definitely, will setup port mirroring on MS switch and run pcap captures continuously.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.