Meraki

KarstenI · ‎Oct 13 2024

Two features you can adjust gradually without breaking too much are to increase the min rate and reduce the transmit power. But better let someone do a validation who knows how this works.

KarstenI · ‎Oct 13 2024

Hopefully not, RX-SOP is a guaranteed way to break a network if not understood completely.

KarstenI · ‎Oct 13 2024

That would be a completely new feature. Put it in the feedback box in the lower right corner of the dashboard. And I would assume that this will be available as Cloud NAC sooner or later.

KarstenI · ‎Oct 12 2024

Local Auth is not meant to be implemented that way. Although I initially thought it would be a good idea to have it handled by my own CA, just keep in mind that *every* AP needs to get a certificate from your CA. It doesn't make any sense if there is no automatic approach to enroll all APs in your CA. With the Meraki CA, it is automated. It's not that it wouldn't be possible, but it would probably take a lot of effort for Meraki to make it work for private CA solutions.

KarstenI · ‎Oct 10 2024

We recently had a discussion where someone thought of putting a FreeRADIUS in front of the ISE as a RADsec Proxy to overcome the limitations. But no, I think these Cisco components really should have common features for securing RADIUS. Another option, that won't work in all cases, is sending RADIUS through an IPsec VPN. The ISE can terminate IPsec, or a VPN device in the same data center can be used for this. But it won't help for our switches and APs where we would also need an additional VPN-device per location.

KarstenI · ‎Oct 9 2024

Nope, you won‘t … 😉 This is the last year in Prague. They are looking for a new place for next year.

KarstenI · ‎Oct 8 2024

To my knowledge, this isn't supposed to work as RADsec is different from RADIUS over DTLS. Meraki implemented the first, Cisco ISE only the second, and they are not compatible.

KarstenI · ‎Oct 7 2024

Not to Phoenix, but to WLPC EU in Prague in two weeks. My 10Talk will be about WPA3 192-bit mode.

KarstenI · ‎Oct 1 2024

@DarrenOC It's either 3-Way or 4-Way ... And Congratulations to @sungod; welcome to "big ones" 😀

KarstenI · ‎Sep 29 2024

@PhilipDAth I think you mean CLCs and not CEs: https://www.cisco.com/site/us/en/learn/training-certifications/training/learning-credits.html#tabs-35d568e0ff-item-194f491212-tab

KarstenI · ‎Sep 11 2024

The "just hit return" doesn't work for me. I have to first hit the tab, and then the new value is taken. With return, everything I enter is removed. This new feature sucks.

KarstenI · ‎Sep 10 2024

Friends don't let friends use transition mode. 😉

KarstenI · ‎Sep 10 2024

This looks so good; I wish I had this from day one of SAML ...

KarstenI · ‎Sep 10 2024

Do you know if this can also be done with Duo? If so, I'll also try to activate it.

KarstenI · ‎Sep 8 2024

We have to wait until it either works again or there is an official statement of the end of the Meraki Insiders program. I assume it will be the first option.

KarstenI · ‎Sep 7 2024

Works as expected: But I also always have a 5 GHz SSID. IMO, it's too early to rely on PSCs only. All Security types work as expected: And I am on v30.7

KarstenI · ‎Sep 5 2024

No, the SSID has to be configured either for MAB or for 802.1X. What you want is only possible on wired ports.

KarstenI · ‎Sep 5 2024

Different models from the Catalyst 9300-M line are the replacements.

KarstenI · ‎Aug 30 2024

You are right. 1: All your VLANs that you want to route internally. 2: typically a default route is fine here. 3: Routes to all VLANs that you configured in Step 1. But also all VLANs that you need to segment for security. For example your DMZs. Depending on the environment, I have all my VLANs here and not on the L3-switch.

KarstenI · ‎Aug 29 2024

Who is 10.45.0.2? Have you tried a packet capture to see what is happening? My typical occurences of this error is when I have some suboptimal routing where traffic from the firewall is sent to the switch and directly back to the firewall.

KarstenI · ‎Aug 29 2024

Switch-QoS is independent of any load. It should re-mark the traffic if configured correctly. Can you show a screenshot? And where did you capture? It has to be on the outgoing port of the first switch or more upstream.

KarstenI · ‎Aug 29 2024

The 350/355 were my default Core-Switches in the Small business area. If I ignore the SVI-bugs that some customers some unplanned downtimes, I was quite happy with them.

KarstenI · ‎Aug 29 2024

It's expensive, but some equivalent devices are even cheaper. All in all, my (very short) calculation is that switching will get more expensive in the future. IMO, it's still the right way.

KarstenI · ‎Aug 29 2024

You always have a kind of Subscription for AnyConnect. There are three models: Subscription per Person that uses the Cisco Secure Client. Every User needs a license. The term is typically three or five years (which have the best price/value ratio) and after the term it has to be renewed. Same as 1) but you "buy" the license (it is perpetual). But for Updates of the client you need a service contract. Licensed per device, but this is only useful if you have many users but only a small amount of them connect at the same time. Again, you need a service contract. In 99% (just a guess) option 1 is the way to go. https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/secure-client-og.html

KarstenI · ‎Aug 26 2024

This is quite limited. You need to make sure that the rest of the network routes traffic to the best exit point in your network. Without an IGP on the MX, it is likely some IP SLA on the L3-switches in front of the MX to determine if the primary connection is alive. If not, the internal routing gets manipulated to route the traffic to the other buildings infrastructure.

About KarstenI

KarstenI

Karsten Iwen

Community Record

Badges