Meraki

Adam · ‎Nov 30 2017

The house button just takes me to the full map overview. The zoomed in portion is a cluster of devices showing California (presumably Meraki HQ) as the location. But if I click on the icon or use any other method I cannot view which devices don't have an address.

Adam · ‎Nov 30 2017

I've tried that and it just shows this.

Adam · ‎Nov 30 2017

Related question to this, is there an easy way to get a list of or to see all devices that don't have a location set?

Adam · ‎Nov 30 2017

What setting/screen are you looking at to see "device utilization"?

Adam · ‎Nov 27 2017

My lessons learned from replacing MX's so far. 1. You can add them as a secondary warm spare device in the current network. It won't take an additional license and you can plug it into any internet connection so it can get its initial config. 2. If you are going to be replacing an existing device make sure to setup any static IP information on the new MX. That information won't transfer over. 3. When ready you should be able to move all connections from the old MX to the new MX in a 1:1 fashion. 4. After the new MX is online you can remove the old MX. The only other things you may have to configure on thew new MX is the device name, address/location, tags etc...

Adam · ‎Nov 27 2017

I haven't looked into Forescout but are you a Windows AD environment? Can't you just use NPS on a Windows Server for 802.1x? Seems to work fine in our environment.

Adam · ‎Nov 22 2017

Support is suspecting it us USB related on the MX it is working on some of my MX64's and not others. I'm not optimistic but I'm going to swap out the MX via RMA with them to eliminate a variable. Note: I tried multiple activated USB730L to ensure it wasn't an aircard issue.

Adam · ‎Nov 22 2017

Mine definitely isn't spanning tree related. I've had the issue in one of my networks that had a single Meraki switch with a single MX. No other switches.

Adam · ‎Nov 22 2017

Had another site that had the issue when going from MS 9.27 → MS 9.32. But this particular site/switch has had the issue for every firmware update I can remember. This is the third site that has experienced the issue out of about 20 so far.

Adam · ‎Nov 21 2017

I worked with support on this a little yesterday. I have USB730L's deployed to all of our MX's. All of our MX's are at 12.26 and strangely some of them show 'Ready' and others just show 'Connecting'. The Meraki tech I worked with grabbed some captures and worked with a Senior Engineer to identify and better support the USB730L.

Adam · ‎Nov 20 2017

Anyone get any updates on this? I'm using USB730L's and some of my MX64's recognize it fine and go 'Ready'. Others get stuck saying 'Connecting'. I've verified service by plugging the aircard directly into my laptop next to the MX64 and all MX's are running the same, latest stable, firmware 12.26.

Adam · ‎Nov 18 2017

"whenever I tried to ping 5.5.5.3 from other ISP always get "request timed out" message." So you mean if some external source tries to ping the 5.5.5.3 client they get request timed out or no replies? If you are wanting publicly accessible IPs on your private clients I think you'd want to do either of the following. 1. Set the MX to passthrough mode 2. Keep the MX set to NAT mode and give your internal client machines some internal DHCP range of static IP's. For example if PC-PT had an internal static IP of 10.0.0.3. Then go to Security Appliance>Firewall and setup your 1:1 NATs and with selective "allowed inbound connection" firewall rules. Here would be a screenshot example.

Adam · ‎Nov 18 2017

The last two networks I experienced the issue at were going from MS 9.27 → MS 9.32. I've also had the issue in the past when going from one stable firmware to another so this seems like it still may be an unresolved issue.

Adam · ‎Nov 17 2017

I'm not sure its hanging on boot since it still hadn't fully downloaded the firmware. But I'll pay attention to the current firmware version vs the destination version to identify if the 9.26 potentially resolved it.

Adam · ‎Nov 17 2017

In the most strict full stack Meraki environment here is an overview of our security. Security Appliance (MX) - Redundant Security Appliance>Content Filtering Make sure to enable Full List Security Appliance>Threat Protection AMP Enabled Intrusion Detection and Prevention set to Prevention/Balanced Security Appliance>Firewall Deny Peer-to-Peer (P2P) All P2P Deny Countries Traffic to/from Firewall rules to deny all traffic from our guest Vlan to other internal networks We maintain a public guest vlan/network and a private internet only vlan/network. One of the lesser considered issue is that if one of your devices fails over to the guest Vlan that could be the very same Vlan that public computers are on. Your protected machine could inadvertently fail 802.1x and end up on the public Vlan due to expired AD password etc. To combat this we have a separate internet only vlan/network for credit card machines, 802.1x failing devices, etc. This helps prevent the co-mingling of public devices with our trusted internal devices. Switches All ports enabled for 802.1x and will failover to guest Vlan Mac Whitelist used for ports with printers Switch>IPv4 ACLs to restrict certain traffic to/from sensitive devices Wireless Private subnet isn't advertised, deployed using Group Policy so machines know what to connect to Pulic Guest Vlan using Meraki DHCP and Deny access to Local LAN Non Meraki AV and Patching OpenDNS Umbrella - This has been one of the biggest tools for helping our users prevent getting malware/crypto. I hope know that Cisco owns this product that it eventually takes the place of Meraki's Content Filter.

Adam · ‎Nov 17 2017

Does anyone else have periodic issues updating the firmware on their switches? I realize that this may not impact all of you, especially if you only have a few smaller environments. But I have > 100 switches across multiple sites and connections and it feels like I periodically get firmware issues that exhibit the following behavior: 1. The switch goes into somewhat of a bricked state where it goes offline, in some cases the power light isn't on but the ports still have lights. Plugging in a computer to one of the open ports won't get connectivity nor will it allow setting up and connecting to the switches local interface using the 1.1.1.100 2. The only thing that seems to get it out of this state is a hard reboot of the switch 3. After a hard reboot it starts immediately downloading its new firmware then successfully installs it 4. Doesn't seem to make a difference what firmware going to/from or if it is scheduled or not. Note: I talked to support and they have had multiple other sites/users report this issue. They are trying to build fail safes and better identify what is going on but I'd be interested in starting a dialog here to get more details or possible way to avoid this.

Adam · ‎Nov 17 2017

Thank you for the diagram. Now give me an example of which of one of the devices depicted cannot get to what kind of destination?

Adam · ‎Nov 15 2017

If you’ve already purchased the MX84 and license you should be able to add it to your network. It’ll take the place of your MX80 just remember to setup your static IP information on the MX84 before connecting it. Everything else should migrate. Regarding removing the MX80 license. Did that device still have much license left? Are you not going to use it anywhere else? If not I’d think support could help remove it if you just want things to be cleaned up.

Adam · ‎Nov 15 2017

Many of my sites were at 9.30. We are starting the process of converting them to 9.32 gradually. Any other issues anyone has experienced?

Adam · ‎Nov 15 2017

I’m trying to pin down your issue so i can more clearly understand and provide some things to try. So far I’ve understood that the clients on this network are directly being assigned public IPs. They can access everything public just fine but not the internal router?

Adam · ‎Nov 14 2017

Looks like we are going to have a strongly encouraged stable firmware push soon. Upcoming scheduled maintenance The new firmware includes support for the following features: Support for MS225/MS250 platforms Support for URL Redirect and Walled Garden Support for PIM-Sparse mode Support for Multi-Domain Authentication Support for specifying a range of ports in a QoS rule Various performance and stability improvements Your switches will continue to serve clients while upgrading until the minute or so it takes to boot into the new version. If you need to reschedule the upgrade, you may do so by visiting the network-wide settings page. For more information, please refer to the Cisco Meraki Cloud Management Manual. If you have any questions, please contact Cisco Meraki Technical Support at support@meraki.com or +1 415 632 5994. IMPORTANT - SECURITY UPDATE The MS 9.32 firmware contains a security update that addresses an issue identified in CVEs 2017-13704 and 2017-14491 to 2017-14496. You can choose to self-upgrade at an alternate time. Deferring/cancelling this update may present a security risk and is strongly not recommended.

Adam · ‎Nov 13 2017

Ah so you are having issues pinging out? Any difference if you ping the IP directly vs name to make sure it isn't a DNS issue?

Adam · ‎Nov 13 2017

Security Appliance > Firewall When you setup the Public IP to LAN IP NAT you have to set the allowed inbound connections rule to: Protocol: ICMP Remote IPs: Any or a subnet if you want to be more specific on who can ping.

Adam · ‎Nov 10 2017

Run a cable test, also bouncing the port usually brings it back. But probably still a cable issue.

Adam · ‎Nov 9 2017

Try setting ip igmp query-interval 25 to see if it helps.

About Adam

Adam

Community Record

Badges