Hello,
Is there a way to know which client/device on a Meraki network is using which uplink i.e. WAN 1 or WAN 2 other than in traffic shaping where you can put a WAN connection as a preferred network.
Thanks
All devices use the preferred Uplink to the internet unless you have:
@TheAlchemist With load balancing enabled I don't remember if there's a way to validate which uplinlink the client is using, but I'm almost 100% sure it's not possible.
Same. I just looked at the syslogs of FLOW and the uplink is not included
You can see the uplink decision of VPN trafic but not for Internet trafic I'm afraid.
Thanks much for your thoughts and information. Yes, I do not see a way yet of confirming which device would be using which Uplink WAN connection with load balancing enabled. Would be handy to know though.
If you look at the flow logs you should actually be able to derive your WAN interface since the translated IP is a part of the flow_start and flow_end logs. See below for an example:
Sep 25 19:49:15 _gateway 1664128155.858797804 FW_Home flows src=192.168.101.xxx dst=23.1.xxx.xxx mac=70:1F:3C:XX:XX:XX protocol=tcp sport=40042 dport=443 pattern: allow tcp && (dst port 80 || dst port 443 || dst port 8080) && (src 192.168.0.0/16)
Sep 25 19:49:15 _gateway 1664128155.858828752 FW_Home ip_flow_start src=192.168.101.xxx dst=23.1.xxx.xxx protocol=tcp sport=40042 dport=443 translated_src_ip=213.118.xx.xx translated_port=40042
Sep 25 19:53:20 _gateway 1664128400.494255104 FW_Home ip_flow_end src=192.168.101.xxx dst=23.1.xxx.xxx protocol=tcp sport=40042 dport=443 translated_src_ip=213.118.xx.xx translated_port=40042
Where can I see the flow logs in the Meraki Dashboard. I don't recall this seeing in Dashboard.
Cloud management and spammy logs don't go hand in hand 😉 Only the eventlog is available on the dashboard. For all other logs you need to define a syslog server somewhere in your network.
I have been testing with a ubuntu vm on my pc at home to get these logs. 😉
@GIdenJoe I installed rsyslog on an ubuntu VM but seems like its giving info which could be found in Meraki dashboard Event log. I am using tail -f /var/log/syslog to see the event messages.
your syslog extract has more details.
That means you are only sending the system eventlog to your ubuntu machine. Please go to network-wide and check your syslog configuration. You need to add the tag Flow in there to enable flow logging.
oh yes, thanks. They are filling up the VM storage fairly quickly.
Yep, it's a challenge with quick filling up diskspace.
I've got a colleague that's working with a script to select between flow logs vs flow_start and flow_end logs. Apparently my colleague noticed that the flow_start and flow_end logs which also show NAT information always write to the log even if that specific rule is not set to disable logging.
And then in that script you can merge different sources going to the same IP/port with hitcounters. This is useful to start adding more specific firewall rules. Oh well, busy busy 😉
It's not a MX logs on dashboard, It's a reporting for a Syslog servers.
It's a bit of a sledgehammer to crack a nut - but how about using packet capture against Internet 1 / Internet 2, filtered for your specific destination?
Definitely, will setup port mirroring on MS switch and run pcap captures continuously.