Meraki

MartinLL · ‎Mar 11 2025

Hi Gang, I'm currently constructing a lab with Meraki AccessManager and EntraID. However after following the documentation for the setup i get the message "connection invalid". However i'm struggeling with figuring out what the issue could be. I see a note in the docs about EntraID lincesing, but it is very unclear on what the actuall requirement is. Currently im running the Free Tier option. Anyone had any issues/experiense with AccessManager and EntraID integration yet?

MartinLL · ‎Feb 19 2025

You need to contact Meraki support so they can move you over to a shard that has this enabled. I recommend that you only do this for test orgs.

MartinLL · ‎Feb 19 2025

You need to use SAML if you dont have any radius service like ISE that can forward your authentication to an MFA server. Read here. https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configuration

MartinLL · ‎Feb 19 2025

Most likely because the NAT gateway only serves Azure devices instanciated in the VNET where the NAT gateway is then. At this point, if it has to be in azure you must deploy an NVA. Azure firewall basic is not that bad price wise.

MartinLL · ‎Feb 13 2025

Hmm, what if you add the ip address of the 3. party site you wanna reach to the split tunnel config, then on the azure side you add an UDR to the vMX subnet that points the anyconnect ip pool back to the vMX? In theory that should work with the NAT gateway.

MartinLL · ‎Feb 13 2025

Dont use the vMX instance public ip. In fact i'm pretty sure that you cant. The vMX VM public IP is not something the vMX can NAT to, so you wont reach the internet that way. What i would do instead is to pin all traffic egressing the vMX towards Azure to an Azure Firewall or something. This way you can create DNAT/SNAT rules on the Azure Firewall, have your vendors whitelist the AZFW Public IP and reach it that way instead. look at my post history. I have explained this setup a few times. if you have more questions after reading my posts feel free to ask.

MartinLL · ‎Feb 12 2025

Just passed the Implementing and Configuring Cisco Identity Services Engine Exam at Cisco Live. So for the remainder of the year ill definitely focus on putting some more ISEing on the Meraki Stacks i manage 🙂

MartinLL · ‎Feb 10 2025

I ran into this exact issue when migrating a customer from Cisco Classic to Meraki SD-WAN. When i pre-staged the location all active Meraki sites wanting to reach that locations subnet got blackholed. To solve this you would need a way to dynamically advertise the routes. Azure Route Server as you mentioned can be used for SD-WAN. If possible i would try to ditch the non-meraki VPN tunnel and instead add a second Meraki vMX to the SD-WAN in Azure. Both vMX'es will be active, but the traffic flow is controlled with BGP. This way you dont need to re-program all your UDR's in Azure so that they point to the secondary vMX.

MartinLL · ‎Nov 27 2024

No not in production. But in theory it should be possible. Route all traffic from the vMX VNET to the AZFW, but create a few entries for the Meraki stuff that exits locally. Like the Dashboard IP ranges and VPN registrar.

MartinLL · ‎Nov 4 2024

Sounds like traffic is still being blocked then. You can look at the live firewall logs on the MX. See if that gives you a clue into whats going on. https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Firewall_Logging

MartinLL · ‎Nov 4 2024

Great job everyone! 💚

MartinLL · ‎Nov 4 2024

That very much depends on your network needs, users, tunnels etc. Check out the Sizing tool, it will help you select the correct MX model 🙂 Meraki Sizing Tool

MartinLL · ‎Nov 2 2024

Try to create the query variable before you pass it in the requests function. Like this for example. params = {'networkID': '12345'} Then response = dashboard.organizations.getOrganizationDevices(params=params)

MartinLL · ‎Nov 1 2024

I belive you will find what you are looking for here. Meraki Licensing - License More Devices vs Renewal - Cisco Meraki Documentation

MartinLL · ‎Oct 31 2024

Nice!

MartinLL · ‎Oct 31 2024

Try software upgrades or ease up on some advanced security settings if it is within your security policy to do so. If not the best option would be to upscale your MX to MX450. You can also try to reduce the amount of tunnels that terminate if its a vpn hub. You can do this by disabeling the active active tunnel on your spokes. Failover will be slow but you can conserve a good amount of system resources that way as well.

MartinLL · ‎Oct 30 2024

No, Geo-Blocking applies to both directions. No way to only apply it inbound to my knowledge. https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

MartinLL · ‎Oct 30 2024

Undestandable. Good luck to you!

MartinLL · ‎Oct 30 2024

Your MX will still communicate with meraki cloud through the physical IP configured on your MX. Outbound internet for clients and SD-WAN/VPN uses the VIP. Also, if your MX cant reach the maraki cloud after a config change it will reboot and return to the last known safe config after a while. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Behavior_during_Connection_Loss_to_Cisco_Meraki_Cloud But if you want to shorten the possible downtime it is always smart to have a resource onsite.

MartinLL · ‎Oct 30 2024

Check out this thread. In the posted solution you can find some templates and alert settings you can use with webhooks. https://community.meraki.com/t5/Dashboard-Administration/Custom-webhook-templates-are-network-specific/m-p/222953#M7628 Depending on your ticketing system you might need to write a reform script that maps key value pairs from meraki to values your ticketing system understands. The example in that thread is for Service Now. https://documentation.meraki.com/General_Administration/Other_Topics/Webhooks

MartinLL · ‎Oct 30 2024

This one is for Meraki MR and VLAN tagging. https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/VLAN_Tagging_on_MR_Access_Points For your downstream switch you need to make it a trunk port. On your router you create a new SVI or subinterface depending on what you are using today. which vendor do you use for your switch and router/firewall?

MartinLL · ‎Oct 30 2024

Maybe you can add a new VLAN and subnet to your site and bridge a new ssid then move the devices there? That way you can keep your old setup and isolate the AIPhone devices instead.

MartinLL · ‎Oct 30 2024

For a time the MS will act as a flat L2 switch, but in time it will stop forwarding packets. To do anything with it you need to add it to the dashboard and license it. Same goes for making it forward packet again.

MartinLL · ‎Oct 29 2024

It could be a firewall rule or layer 2 isolation stoping you from connecting to your AIPhone device. You can check that in the meraki dashboard. Follow this link and see if you find something that helps 🙂 https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/MR_Firewall_Rules It could also be that your SSID is running in NAT mode. That would take a bit more work to solve. https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/NAT_Mode_with_Meraki_DHCP

MartinLL · ‎Oct 29 2024

Hi and welcome to the forums! Here is a few links for you to check out. https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MX_Security_and_SD-WAN/Meraki_SD-WAN https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance

About MartinLL

MartinLL

Martin Lystad

Community Record

Badges