Which device using which WAN

TheAlchemist
Getting noticed


Hello,

 

Is there a way to know which client/device on a Meraki network is using which uplink, i.e. WAN 1 or WAN 2, other than in traffic shaping, where you can put a WAN connection as a preferred network?

 

Thanks

KarstenI
Kind of a big deal

All devices use the preferred Uplink to the internet unless you have:

  • Load balancing configured
  • Flow preferences configured
  • a 1:1 NAT config to the other uplink for a host
  • a failed preferred uplink
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
alemabrahao
Kind of a big deal

@TheAlchemist With load balancing enabled I don't remember if there's a way to validate which uplink the client is using, but I'm almost 100% sure it's not possible.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RaphaelL
Kind of a big deal

Same. I just looked at the syslogs of FLOW and the uplink is not included.

You can see the uplink decision of VPN traffic but not for Internet traffic, I'm afraid.

TheAlchemist
Getting noticed

Thanks much for your thoughts and information. Yes, I do not see a way yet of confirming which device would be using which Uplink WAN connection with load balancing enabled. Would be handy to know though.

GIdenJoe
Kind of a big deal

If you look at the flow logs you should actually be able to derive your WAN interface since the translated IP is a part of the flow_start and flow_end logs.  See below for an example:

 

Sep 25 19:49:15 _gateway 1664128155.858797804 FW_Home flows src=192.168.101.xxx dst=23.1.xxx.xxx mac=70:1F:3C:XX:XX:XX protocol=tcp sport=40042 dport=443 pattern: allow tcp && (dst port 80 || dst port 443 || dst port 8080) && (src 192.168.0.0/16)
Sep 25 19:49:15 _gateway 1664128155.858828752 FW_Home ip_flow_start src=192.168.101.xxx dst=23.1.xxx.xxx protocol=tcp sport=40042 dport=443 translated_src_ip=213.118.xx.xx translated_port=40042
Sep 25 19:53:20 _gateway 1664128400.494255104 FW_Home ip_flow_end src=192.168.101.xxx dst=23.1.xxx.xxx protocol=tcp sport=40042 dport=443 translated_src_ip=213.118.xx.xx translated_port=40042

Pavithran
Here to help

Where can I see the flow logs in the Meraki Dashboard? I don't recall seeing this in Dashboard.

GIdenJoe
Kind of a big deal

Cloud management and spammy logs don't go hand in hand 😉  Only the eventlog is available on the dashboard.  For all other logs you need to define a syslog server somewhere in your network.

 

I have been testing with an Ubuntu VM on my PC at home to get these logs. 😉

TheAlchemist
Getting noticed

@GIdenJoe I installed rsyslog on an Ubuntu VM but it seems like it's giving info which could be found in the Meraki dashboard Event log. I am using tail -f /var/log/syslog to see the event messages.

Your syslog extract has more details.

GIdenJoe
Kind of a big deal

That means you are only sending the system eventlog to your ubuntu machine.  Please go to network-wide and check your syslog configuration.  You need to add the tag Flow in there to enable flow logging.

TheAlchemist
Getting noticed

Oh yes, thanks. They are filling up the VM storage fairly quickly.

GIdenJoe
Kind of a big deal

Yep, it's a challenge with disk space filling up quickly.
I've got a colleague that's working with a script to select between flow logs vs flow_start and flow_end logs.  Apparently my colleague noticed that the flow_start and flow_end logs which also show NAT information always write to the log even if that specific rule is not set to disable logging.

And then in that script you can merge different sources going to the same IP/port with hitcounters.  This is useful to start adding more specific firewall rules.  Oh well, busy busy 😉
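An added example, not part of the thread and not the colleague's script: one way to turn the `ip_flow_start` lines described above into a per-client uplink count and per-destination hit counters. It assumes each uplink has its own public IP and that you know which is which; the `UPLINK_BY_PUBLIC_IP` mapping, the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumption: the public IP of each uplink is known to the administrator.
# Constructed values taken from documentation address ranges.
UPLINK_BY_PUBLIC_IP = {"203.0.113.10": "WAN 1", "198.51.100.20": "WAN 2"}

# Constructed sample lines in the format of the flow logs quoted earlier in the thread.
SAMPLE_LOG = """\
Sep 25 19:49:15 _gateway 1664128155.85 FW_Home flows src=192.168.101.10 dst=192.0.2.80 mac=70:1F:3C:00:00:01 protocol=tcp sport=40042 dport=443 pattern: allow tcp && (dst port 443)
Sep 25 19:49:15 _gateway 1664128155.86 FW_Home ip_flow_start src=192.168.101.10 dst=192.0.2.80 protocol=tcp sport=40042 dport=443 translated_src_ip=203.0.113.10 translated_port=40042
Sep 25 19:53:20 _gateway 1664128400.49 FW_Home ip_flow_end src=192.168.101.10 dst=192.0.2.80 protocol=tcp sport=40042 dport=443 translated_src_ip=203.0.113.10 translated_port=40042
Sep 25 19:54:01 _gateway 1664128441.10 FW_Home ip_flow_start src=192.168.101.10 dst=192.0.2.80 protocol=tcp sport=40050 dport=443 translated_src_ip=198.51.100.20 translated_port=40050
Sep 25 19:54:02 _gateway 1664128442.20 FW_Home ip_flow_start src=192.168.101.25 dst=192.0.2.80 protocol=tcp sport=51000 dport=443 translated_src_ip=198.51.100.20 translated_port=51000
Sep 25 19:54:03 _gateway 1664128443.30 FW_Home ip_flow_start src=192.168.101.25 dst=192.0.2.53 protocol=udp sport=51001 dport=53 translated_src_ip=198.51.100.20 translated_port=51001
"""

KV = re.compile(r"(\w+)=(\S+)")  # key=value pairs as they appear in the log lines

def parse_flow_starts(text):
    """Yield field dicts for ip_flow_start lines only, so each flow is counted once."""
    for line in text.splitlines():
        if " ip_flow_start " not in line:
            continue  # skip 'flows' (rule match) and ip_flow_end lines
        fields = dict(KV.findall(line))
        if "src" in fields and "translated_src_ip" in fields:
            yield fields

def uplink_usage(text, uplinks=UPLINK_BY_PUBLIC_IP):
    """Return {client IP: Counter({uplink name: number of flows})}."""
    usage = defaultdict(Counter)
    for f in parse_flow_starts(text):
        ip = f["translated_src_ip"]
        usage[f["src"]][uplinks.get(ip, "unknown (%s)" % ip)] += 1
    return dict(usage)

def destination_hits(text):
    """Merge all sources going to the same destination IP/protocol/port into hit counters."""
    hits = Counter()
    for f in parse_flow_starts(text):
        hits[(f["dst"], f.get("protocol"), f.get("dport"))] += 1  # dport may be absent
    return hits

if __name__ == "__main__":
    for client, counts in sorted(uplink_usage(SAMPLE_LOG).items()):
        print(client, dict(counts))
    for key, n in destination_hits(SAMPLE_LOG).most_common():
        print(n, key)
```

A translated address that is not in the mapping is reported as `unknown (...)` rather than dropped, which flags a changed uplink IP or a 1:1 NAT address.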

alemabrahao
Kind of a big deal

It's not MX logs on the dashboard; it's reporting for syslog servers.

GreenMan
Meraki Employee

It's a bit of a sledgehammer to crack a nut - but how about using packet capture against Internet 1 / Internet 2, filtered for your specific destination?

TheAlchemist
Getting noticed

Definitely, will set up port mirroring on the MS switch and run pcap captures continuously.
