Meraki

KarstenI · ‎Jun 12 2021

Do you have some spare IP addresses on your WAN-side? If you do not need to keep the original WAN IPs (for example because they are whitelisted on some third-party-systems) you can start the VPN on the new network with a dummy-subnet and then just add the regular networks after the old MXes are switches off.

KarstenI · ‎Jun 12 2021

Do you only have the MXes in this network? Then it should work with your procedure. If it is a combined network which also has switches and APs, I would put the MXes in a new network to upgrade to the same version as the old MX and then remove and add the the MXes on the original network. The downtime will be a couple of minutes and if you can get a maintenance-window, this is slightly easier.

KarstenI · ‎Jun 11 2021

I always prefix the object wit a network-identifier and if there are multiple networks with similar objects I put them in a group. But yes, for templated networks, an override-feature would be nice.

KarstenI · ‎Jun 11 2021

Didn't we have this question before? And yes, there is a solution to this question!

KarstenI · ‎Jun 10 2021

@Bruce We use TPG in Australia. If I remember right they bought the "low-cost" AAPT business and provide a /29 for a more or less reasonable price.

KarstenI · ‎Jun 10 2021

But be aware that the proposed solution is only for the AutoVPN, not for internet-traffic. Our RingCentral customers are accessing the service directly on the internet and there is no way to control it based on the performance metrics.

KarstenI · ‎Jun 8 2021

Hmm ... In contrast to @Bruce I interpreted the original post in a way that all sites have already MX devices with internet and the L2 connection is an additional way to connect the sites. That perhaps needs some clarification.

KarstenI · ‎Jun 8 2021

First question is if you want to have all traffic encrypted that is passing over this connection. Then you likely can use the documentation for the MPLS-AutoVPN. If traffic over this connection can be sent in clear, without encryption, then you can configure an additional MX LAN-interface on each MX, all in the same IP subnet and configure static routes with route-tracking pointing to the other sides MXes. You do not say how many sites you have, if there are a couple of hundreds, the second option will certainly not scale.

KarstenI · ‎Jun 8 2021

And thanks for making me aware of this quiz-maker website. I think I will use that to provide some quizzes for my students in training-classes.

KarstenI · ‎Jun 8 2021

got five points, I am to slow in reading the questions ...

KarstenI · ‎Jun 8 2021

I imagined I would fail before I entered my name. Half the time was already gone ... 😉

KarstenI · ‎Jun 5 2021

I have a couple of VPNs running between MX and Cisco ASA. Works like a charm.

KarstenI · ‎Jun 5 2021

If VLAN 3 is configured on the Link to the MX and is also the VLAN configured on Port 5, you can transparently communicate from the Port5-systems to the MX. You could assign your IPs statically, but you could also use the DHCP on the MX. If you want to configure your Lab-devices statically, then configure a range of reserved addresses on the MX DHCP-server to avoid any conflicts.

KarstenI · ‎Jun 5 2021

Ok, if all devices behind port5 should be in VLAN3, then configure the port as Access with VLAN 3.

KarstenI · ‎Jun 5 2021

Is it your PC on port 5? Then it should be Access in your User-VLAN (probably 3). The Link between MX and SG is trunk on both sides with the same native VLAN and the same allows VLANs. And if you enable the DHCP-server on the MX, your client should get a DHCP-address from the MX.

KarstenI · ‎Jun 5 2021

A couple of things to question here: Why do you put an IP on the Switch-VLANs? It should be either on the MX *or* on the Switch. You only have IPs on both for the transfer-VLAN between them. You show that you have configured Port 5 as Access, but not for which VLAN. You say you get an APIPA-address but can ping the MX-IP. Probably something happened in between these two events as that can not happen.

KarstenI · ‎Jun 5 2021

I am using them on multiple organisations. With a complex firewall rule set, I would not want to work without it any more. Main "problem" is that I have very often display problems in the browser where columns are not filled or the the rules do not show up at all. But after a browser refresh all is ok.

KarstenI · ‎Jun 3 2021

How did you configure the Supplicant through the GPO? It should be mode "Computer Authentication" to only authenticate the machine and not the user.

KarstenI · ‎Jun 3 2021

No, that's not what I tried to say ... 😉 I was talking about how to authenticate your endpoints when entering the network. Your BYOD devices typically get a certificate enrolled and use the Meraki authentication (That is IMO one of the best features of SM). But the domain-PCs do not have a certificate from the Meraki Dashboard like the BYOD devices and have to be authenticated in a different way, for example through your Microsoft NPS. The ISE could authenticate both your BYOD- and domain systems.

KarstenI · ‎Jun 3 2021

It all depends. Do you *send* the traffic to the different destinations directly? Then it will be load balanced (well, if that feature is enabled on the MX). But if you send the stream to a distribution system (like youtube or a website where the stream can be consumed) then again, there will be no load balancing.

KarstenI · ‎Jun 3 2021

If it is one flow or even one IP-address-pair in the communication, it will go over only one ISP. There will be no load balancing.

KarstenI · ‎Jun 2 2021

The MX typically does not play any significant role in the BYOD solution. The onboarding runs through manual enrolment or through the MR access-points and provisions the client into the SM Mobile Device Management. Best to build a test-system for all your intended devices as there are some gotchas that make it less usable compared to an ISE. For example, the BYOD users can automatically get a certificate for WLAN access. But this is not an intended use case for your domain-users which need a different authentication. And these certificates can not be used on all switch ports. If you have an all-wireless, all BYOD environment, then it will be great. But if there are a significant amount of legacy devices you need "something else" for these. And the ISE could give you all at the same time.

KarstenI · ‎May 28 2021

@wfoteping2101 wrote: most likely answer here is A would be nice, but ... No!

KarstenI · ‎May 28 2021

Again one that you just have to know, also for real implementations: 🐝

KarstenI · ‎May 28 2021

I am not aware of any way to achieve this from the dashboard. But you can export all flows with Netflow and analyse the clients traffic on the Netflow collector.

About KarstenI

KarstenI

Karsten Iwen

Community Record

Badges