Meraki

thomasthomsen · ‎Sep 29 2021

You "kinda" have some of that functionality now with "SecureConnect" - That reconfigures your AP ports, and actually authenticates the AP on the port, so win win. If only they would extend this functionality between switches, and make it so you could for example limit the number of VLANs on the secured port (or have a SecureConnect port template config you could change, one for APs one for switches, and so on 🙂 ), then it would be absolutely awesome.

thomasthomsen · ‎Sep 29 2021

Yeah we could push a GP, but on a layer 2 switch would that be "honoured" at the switch ? or would that only be applied on the MX's layer 3 interface ? - We like port isolation because it blocks all the way down between clients on the same vlan. We could of course have gone SGT's (Adaptive policy or whatever its called in a Meraki setup), but time and money. And SGT's do not yet extend all the way across MX's and AutoVPN, so just for this small scenario it was kinda overkill, the day it does (extend across MX's and autovpn), it will be a super solution 🙂 . - So our quick and dirty solution for now was port isolation, but then we "kinda" ran into this problem with some ports (devices) that might not "need" it. We use dot1x for everything, so it would have been nice if we could have toggeled that port isolation switch using a radius response. Thanks for all the suggestions and comments.

thomasthomsen · ‎Sep 29 2021

We are using CoA for other things in this setup, but it cannot solve my "layer2" port isolation problem.

thomasthomsen · ‎Sep 29 2021

I was thinking about using GP, and ACL, but I think my "problem" would explode in number of ACL's and GPs.

thomasthomsen · ‎Sep 29 2021

Can you send a response from the radius server that puts the port into port isolation (or not) together with vlan and all other "normal" settings. I cant find anything about it , so Im guessing no, but someone might know for sure 🙂 Thanks Thomas

thomasthomsen · ‎Sep 27 2021

Then let us parse it to syslog, anything.

thomasthomsen · ‎Sep 24 2021

I rebooted, downgrade , and so in, Nothing helped until I removed Hong Kong from the blocked country list. I think Meraki should make a "current status" page of their nodes, AND their partner services, so we can keep up in an online and "realtime" way.

thomasthomsen · ‎Sep 24 2021

Uhhhh nice, didnt know you could get support to do that. But that would fix his problem, absolutely 🙂

thomasthomsen · ‎Sep 24 2021

Dont worry, already done. But Im just one man 🙂 @everyone , please use that "Give your feedback" button ... absolutely use it.

thomasthomsen · ‎Sep 24 2021

Ahhh there is the problem. https://community.meraki.com/t5/Security-SD-WAN/Google-com-incorrectly-Geolocated/m-p/129810/highlight/false#M32352 But you are COMPLETELY in the dark here on a MX. So please, development, make this visible in eventlog or security center when things are blocked by geo.

thomasthomsen · ‎Sep 24 2021

So that might explain my problem. https://community.meraki.com/t5/Security-SD-WAN/No-quot-google-quot-services-all-of-a-sudden-What-the-beeb-is/m-p/129808#M32350 Now my wish is to have the eventlog or security center represent when something is being blocked by Geolocation, because you are completely in the dark as to what is going on.

thomasthomsen · ‎Sep 24 2021

So all of a sudden none of the Google services where working on my lan here. So I started troubleshooting , I thought it was my local (PC) firewall that was doing something(tm), but when i did some packetsniffs on LAN and WAN I could see the packet reacing the MX on LAN but nothing on the other side ...... I then tried from the "tools" of the MX to ping google.com and youtube.com just because they are both google services. This is the result. There is nothing in the evenlog abut blocking google.com or youtube.com There is no ACL that does this. There is nothing in the security center. So kinda hard to troubleshoot any future ... Does anyone want to venture a guess ? I have also disabled content filtering , amp and IPS, just to test. Same thing. Downgraded from 16.x to 15.x , same thing ....

thomasthomsen · ‎Sep 15 2021

Hmmm one more thing I cant find in the documentation. Does a SSID tunnel to MX count as a site-to-site tunnel ? towards the maximum number of site-to-site tunnels a certain MX HW appliance can handle ?

thomasthomsen · ‎Sep 15 2021

Thanks, it was just not very clear from the Documentation I think.

thomasthomsen · ‎Sep 15 2021

I cant seem to find this information. I know that the AP creates a tunnel to the MX. And I know that when the MX is in "NAT" mode, I can select the VLAN from the dropdown list. But when the MX is in concentrator mode it just says : (Enter a VLAN id, or leave blank) If I enter lets say 100 here, will the contrator mode MX (thats only connected on the WAN port) tag packets from this SSID out with VLAN 100 on that WAN port ? /Thomas

thomasthomsen · ‎Aug 31 2021

So ... I'll just mark my own answer as the solution ... *DOH*

thomasthomsen · ‎Aug 31 2021

I found my mistake: The devil WAS in the what I called : "it's just a "stupid" switch with not port security or anything configured on it." Used an MS for that, default configured. In that default configuration : "Flood unknown multicast traffic" is not enabled". So ... of course VRRP is having a semi hard time. That fixed it. Thanks for listening to my worries / rants.

thomasthomsen · ‎Aug 31 2021

Ahhhh .. Think I figured it out. Stand by, I'll let you know ...

thomasthomsen · ‎Aug 31 2021

In front of this, right now, is just a MX84 with no rules. So I dont get why they are in Master / Master it does not make any sense ...

thomasthomsen · ‎Aug 31 2021

Just got my first set of MX105's ... nice 🙂 What's not to like. Redundant field replaceable PSU's in the box, both copper and SFP WAN ports, all good. Until i configured them for HA in VPN concentrator mode. Now they are just stuck in Master / Master ... very strange. Im thinking it might be the MAC address VRRP bug thing, but I have not experienced that bug yet, and don't really know what to look for in packet captures here. And you cannot downgrade them to 15.xx The network Im working with here is pretty simple. It's just for getting them online and such. Connected WAN 3 on each boks (in the configuration these then become WAN1) to a switch in the same VLAN and then to the internet. It's just a "stupid" switch with not port security or anything configured on it. Just a flat vlan to go to a gateway for internet access. Configured HA and then VPN Concentrator - pretty straight forward. But now stuck in Master / Master. Its very strange. PS. Both of them claims that there is a connection on their USB port in the dashboard. I dont know why. Maybe a UI bug. - Because there is NOTHING connected to that port on either of them. /Thomas

thomasthomsen · ‎Jun 9 2021

I wonder what the lead time is for those boxes 🙂

thomasthomsen · ‎May 12 2021

Any news on this ? I have just started to see the same thing.

thomasthomsen · ‎Apr 7 2021

The topic might be a strange question. But we found a "lot" of Meraki hardware that we had forgotten all about in one of our warehouses. We have the order number, and would just add that to our dashboard, so we do not have to add all serial numbers individually (could take some time). But we are not allowed because the license "bundled" inside that order number has run out. Is there another way to add all these devices ? We will of course have to buy new licenses for them. /Thomas

thomasthomsen · ‎Feb 22 2021

But how did you do this ? Did you use Flow preferences ? (because here I can only select WAN1 or WAN2 in the prefered uplink). Or did you do the NAT thing as described somewhere above here ? Im curious. Thanks Thomas

thomasthomsen · ‎Nov 17 2020

Sorry to wake this old tread 🙂 Im interested in what you did here (because to me its not quite clear). But does your solution give you the option to route a guest vlan out another public IP then the one the MX has for itself ?

About thomasthomsen

thomasthomsen

Thomas Obbekær Thomsen

Community Record

Badges