Community Record: 1013 Posts | 529 Kudos | 33 Solutions
Feb 2 2018
9:06 AM
1 Kudo
In addition to what the others suggested you may also need to set the Security Appliance>Firewall>Web (local status & configuration) with the IP(s) you'll be connecting from.
Jan 30 2018
6:48 AM
5 Kudos
I have the CMNO. How do I add the badge to my profile?
Jan 23 2018
12:03 PM
We keep a few items as spares for DR. Other than that we recycle per @PhilipDAth's comment.
Dec 28 2017
6:22 AM
Only somewhat inexpensive option I can think of then would be to get a small Meraki switch so you can go back to MAC authentication. Otherwise 802.1x is the only other feasible option but far more complex.
Dec 21 2017
1:48 PM
Actually the opposite. I know it disables the port traffic but I wanted to make sure it also disabled POE for power savings. My use case is that I want my APs to be fully powered off at a given site for a window during the night. The port schedule didn't really clarify if it just disabled the port or also disabled the POE.
Dec 20 2017
8:46 PM
Do the port schedules just disable the port or do they also disable POE?
Dec 19 2017
9:54 AM
In the meantime you can also probably just whitelist it.
No issues with that domain and OpenDNS Umbrella either.
Dec 11 2017
7:35 AM
I ran into this same issue at one of our buildings. I was trying to assign each one of our tenants a public IP. So basically mapping their LAN /24 to a single public IP. Never found a great way to accomplish it without more hardware.
Are you using Sophos internally or found that some of your clients are being blocked? May be worth Meraki getting that domain whitelisted if it is what they use for their guest auth. https://www.sophos.com/en-us/solutions/initiatives/threat-prevention.aspx
Nov 27 2017
10:37 AM
My lessons learned from replacing MX's so far.
1. You can add them as a secondary warm spare device in the current network. It won't take an additional license and you can plug it into any internet connection so it can get its initial config.
2. If you are going to be replacing an existing device make sure to set up any static IP information on the new MX. That information won't transfer over.
3. When ready you should be able to move all connections from the old MX to the new MX in a 1:1 fashion.
4. After the new MX is online you can remove the old MX.

The only other things you may have to configure on the new MX are the device name, address/location, tags etc.
Nov 27 2017
8:22 AM
I haven't looked into Forescout but are you a Windows AD environment? Can't you just use NPS on a Windows Server for 802.1x? Seems to work fine in our environment.
Nov 18 2017
8:49 AM
3 Kudos
"whenever I tried to ping 5.5.5.3 from other ISP always get "request timed out" message."

So you mean if some external source tries to ping the 5.5.5.3 client they get request timed out or no replies? If you are wanting publicly accessible IPs on your private clients I think you'd want to do either of the following.
1. Set the MX to passthrough mode
2. Keep the MX set to NAT mode and give your internal client machines some internal DHCP range of static IPs. For example if PC-PT had an internal static IP of 10.0.0.3. Then go to Security Appliance>Firewall and set up your 1:1 NATs with selective "allowed inbound connection" firewall rules.

Here would be a screenshot example.
Nov 17 2017
8:11 AM
2 Kudos
In the most strict full stack Meraki environment here is an overview of our security.

Security Appliance (MX) - Redundant
- Security Appliance>Content Filtering
  - Make sure to enable Full List
- Security Appliance>Threat Protection
  - AMP Enabled
  - Intrusion Detection and Prevention set to Prevention/Balanced
- Security Appliance>Firewall
  - Deny Peer-to-Peer (P2P) All P2P
  - Deny Countries Traffic to/from
  - Firewall rules to deny all traffic from our guest Vlan to other internal networks

We maintain a public guest vlan/network and a private internet only vlan/network. One of the lesser considered issues is that if one of your devices fails over to the guest Vlan that could be the very same Vlan that public computers are on. Your protected machine could inadvertently fail 802.1x and end up on the public Vlan due to expired AD password etc. To combat this we have a separate internet only vlan/network for credit card machines, 802.1x failing devices, etc. This helps prevent the co-mingling of public devices with our trusted internal devices.

Switches
- All ports enabled for 802.1x and will failover to guest Vlan
- Mac Whitelist used for ports with printers
- Switch>IPv4 ACLs to restrict certain traffic to/from sensitive devices

Wireless
- Private subnet isn't advertised, deployed using Group Policy so machines know what to connect to
- Public Guest Vlan using Meraki DHCP and Deny access to Local LAN

Non Meraki
- AV and Patching
- OpenDNS Umbrella - This has been one of the biggest tools for helping our users prevent getting malware/crypto. I hope now that Cisco owns this product that it eventually takes the place of Meraki's Content Filter.
Nov 17 2017
6:46 AM
Thank you for the diagram. Now give me an example of which one of the devices depicted cannot get to what kind of destination?
Nov 15 2017
9:19 AM
I’m trying to pin down your issue so I can more clearly understand and provide some things to try. So far I’ve understood that the clients on this network are directly being assigned public IPs. They can access everything public just fine but not the internal router?
Nov 13 2017
8:29 AM
Ah so you are having issues pinging out? Any difference if you ping the IP directly vs name to make sure it isn't a DNS issue?
Nov 13 2017
6:35 AM
Security Appliance > Firewall

When you set up the Public IP to LAN IP NAT you have to set the allowed inbound connections rule to:
- Protocol: ICMP
- Remote IPs: Any or a subnet if you want to be more specific on who can ping.
Run a cable test, also bouncing the port usually brings it back. But probably still a cable issue.
Nov 9 2017
6:45 AM
I'm not fully understanding your request but the MS425 should have 2 or 4 10G SFP+ Fiber ports according to the data sheet. https://meraki.cisco.com/lib/pdf/meraki_datasheet_ms400-series.pdf I typically only purchase Meraki Fiber SFP's to ensure compatibility and supportability. https://meraki.cisco.com/lib/pdf/meraki_datasheet_sfp.pdf