The published rules for the MVs contain a dst of ANY as shown below:
We are not permitted to have an 'any' dst - does anyone know if Meraki publish anywhere what the actual destinations are?
After raising a support case I got a really helpful response and explanation as to why they publish the dst as ANY as per below:
Thanks for getting in touch with us here at Cisco Meraki! I'll be happy to provide support on this case.
So for the MV Cloud Archive specifically, it's port 443 you'll want open outbound on any upstream device. The destination catch-all of any, I believe, is shown because it will change based on where you choose your organisation's location to be and thus the corresponding data centre, details found here: https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Creating_a_Dashbo...
Depending on whether you fall into the APAC, EU, or NA data centres, the destination IP for archival you require may differ, but here is a list of potentials depending on your config:
APAC - https://cloud-archive-upload.apa.vision.meraki.com 13.112.106.253
EU - https://cloud-archive-upload.euc.vision.meraki.com 3.65.231.194
NA - https://cloud-archive-upload.use.vision.meraki.com 3.225.48.233
Please note, our recommended, supported configuration is for the destination to be set to any, so please bear this set configuration in mind for any future troubleshooting. Wishing you a good weekend, let me know if I can assist further!
I have used the relevant FQDN as the dst as I did an NSLOOKUP and got a different IP so I guess there is more than one dst IP for the FQDN.
It's how Meraki works.
It's of no use to me if our people won't permit an ANY dst.
Surely they must know what their devices connect to.
Hi @Dunky - Somebody within Meraki will have this information.
@GreenMan - sorry to pick on you but you're the first name that popped into my head. Are you able to source this info or inquire internally?
NTP is using *.pool.ntp.org which is essentially 0.0.0.0/0
Thanks, I guess that will be uk.pool.ntp.org then for deployments in the UK.
Try doing a packet capture on "port 53". This will show you the DNS queries being made. Create rules to those destinations instead.
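The approach in the reply above (capture port 53, then write rules for what the cameras actually resolve) as a worked example. This is added code, not from the thread or from Meraki. It parses tcpdump-style DNS lines from a constructed sample (only the EU address 3.65.231.194 comes from the thread; the other addresses are documentation-range placeholders), pairs each answer with its query by client socket and transaction id, collects the A records per FQDN, and emits one explicit rule per resolved address. It also flags any name that returned more than one address during the capture, which is the behaviour the original poster saw with NSLOOKUP and the reason a single /32 rule per FQDN tends to break intermittently.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of tcpdump output for "port 53" (not real captured traffic).
# 3.65.231.194 is the EU cloud-archive address quoted in the thread; 198.51.100.7
# stands in for the second answer the original poster saw in NSLOOKUP, and the
# 203.0.113.x addresses stand in for NTP pool members.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 192.168.10.50.51234 > 192.168.10.1.53: 41001+ A? cloud-archive-upload.euc.vision.meraki.com. (60)
12:00:01.004200 IP 192.168.10.1.53 > 192.168.10.50.51234: 41001 1/0/0 A 3.65.231.194 (76)
12:00:02.000100 IP 192.168.10.50.51235 > 192.168.10.1.53: 41002+ A? uk.pool.ntp.org. (33)
12:00:02.003000 IP 192.168.10.1.53 > 192.168.10.50.51235: 41002 2/0/0 A 203.0.113.10, A 203.0.113.11 (65)
12:00:03.000100 IP 192.168.10.50.51236 > 192.168.10.1.53: 41003+ AAAA? cloud-archive-upload.euc.vision.meraki.com. (60)
12:00:03.002000 IP 192.168.10.1.53 > 192.168.10.50.51236: 41003 0/1/0 (120)
12:00:04.000100 IP 192.168.10.50.51237 > 192.168.10.1.53: 41004+ A? cloud-archive-upload.euc.vision.meraki.com. (60)
12:00:04.004000 IP 192.168.10.1.53 > 192.168.10.50.51237: 41004 1/0/0 A 198.51.100.7 (76)
"""

# Query line: "<ts> IP <client>.<port> > <resolver>.53: <txid>+ <qtype>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"^\S+ IP (?P<client>\S+) > \S+\.53: (?P<txid>\d+)\S* (?P<qtype>[A-Z]+)\? (?P<name>\S+)\. \("
)
# Answer line: "<ts> IP <resolver>.53 > <client>.<port>: <txid> a/b/c <rr list> (<len>)"
ANSWER_RE = re.compile(
    r"^\S+ IP \S+\.53 > (?P<client>\S+): (?P<txid>\d+)\S* \d+/\d+/\d+(?P<rrs>.*)\(\d+\)$"
)
# Individual "A 1.2.3.4" records inside the answer's RR list (AAAA/CNAME are ignored).
A_RR_RE = re.compile(r"\bA (\d{1,3}(?:\.\d{1,3}){3})")


def parse_dns_capture(capture_text):
    """Return {fqdn: set of IPv4 answers} by pairing each answer with the query
    that has the same (client socket, transaction id)."""
    pending = {}                 # (client socket, txid) -> queried name
    resolved = defaultdict(set)
    for line in capture_text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            pending[(q["client"], q["txid"])] = q["name"]
            continue
        a = ANSWER_RE.match(line)
        if a:
            name = pending.pop((a["client"], a["txid"]), None)
            if name is None:
                continue         # answer with no matching query seen; skip it
            for ip in A_RR_RE.findall(a["rrs"]):
                resolved[name].add(ip)
    return dict(resolved)


def build_rules(resolved, service_ports=None):
    """One explicit allow rule per resolved address. service_ports maps an FQDN
    to (proto, port); anything unlisted defaults to tcp/443, which is what the
    support reply in this thread gives for MV cloud archive."""
    service_ports = service_ports or {}
    rules = []
    for fqdn in sorted(resolved):
        proto, port = service_ports.get(fqdn, ("tcp", 443))
        for ip in sorted(resolved[fqdn], key=ipaddress.ip_address):
            rules.append(f"allow {proto} dst {ip}/32 port {port}  # {fqdn}")
    return rules


def multi_address_names(resolved):
    """Names that returned more than one address during the capture. A rule
    written for only the first answer will fail whenever the name rotates."""
    return sorted(name for name, ips in resolved.items() if len(ips) > 1)


if __name__ == "__main__":
    seen = parse_dns_capture(SAMPLE_CAPTURE)
    for rule in build_rules(seen, {"uk.pool.ntp.org": ("udp", 123)}):
        print(rule)
    for name in multi_address_names(seen):
        print(f"WARNING: {name} returned {len(seen[name])} addresses; "
              f"use an FQDN object or re-capture over a longer window")
```

Run it against a real capture by piping `tcpdump -n port 53` output into `parse_dns_capture`; the longer the window, the more of the rotating answers you catch, which is exactly the gap the warning is there to expose.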
Yeah, that's what I am gonna have to do, just thought it strange why Meraki don't publish dst IP/subnets or FQDNs for one particular rule.