Community Record: 1311 Posts, 1480 Kudos, 143 Solutions
Sep 15 2022
9:32 AM
1 Kudo
I recommend you contact Meraki Support to help look into this further.
Sep 15 2022
9:25 AM
While Advanced Security protections do add load to any MX, they aren't enabled by default and just enabling those features alone shouldn't restrict throughput that much (see Page 3 number for the MX64 column here: https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#AutoVPN_and_Non-Meraki_VPN_peers). I'd check that you're on the latest stable firmware release and contact Meraki Support if it stays the same.
Sep 15 2022
9:19 AM
1 Kudo
https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#AutoVPN_and_Non-Meraki_VPN_peers It's not model-dependent
Model-dependent, your MS switch will provide critical temperature alerts, if you enable it (Network-wide > Configure > Alerts > Switch (if the option isn't there, your switch model doesn't support it)). https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Alerts_and_Notifications#MS_Alerts But MT10 is probably your best option.
Sep 15 2022
9:11 AM
2 Kudos
You can't pass ACLs to the switch directly, as with dACLs, but you can effectively activate ACLs that have been previously configured there in the Dashboard, most powerfully, using Group Policy like this (which allows you to also apply things like rate shaping in a full-stack deployment): https://documentation.meraki.com/MS/Access_Control/Meraki_MS_Group_Policy_Access_Control_Lists#:~:text=Group%20Policy%20ACL%20on%20MS,server%20associates%20with%20the%20client. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying_Group_Policies
Sep 15 2022
9:06 AM
2 Kudos
Just to add to @BrandonS' reply, the MSP portal becomes automatically available to any user (MSP or no) if your Dashboard username (your email address) is made an Admin in more than one Organization. Those Organizations are the ones presented to you when you log in. This allows you to choose which Org you want to be managing. It also allows you to jump quickly between Orgs in Dashboard - and provides a summary overview of them too. Do you recognise both the Organizations on login? Bear in mind that when you're added to an Org, you get a notification email, in which you can confirm your admission (or not). https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Using_the_MSP_Portal_to_Manage_Multiple_Organizations
Sep 9 2022
1:53 AM
HTTPS decryption is part of the Intelligent Proxy component of Umbrella SIG, which is included with Essentials. Check out the first line of this ready comparison: https://umbrella.cisco.com/products/umbrella-enterprise-security-packages
Yes, this is commonly done, using AP tags, to choose which APs the SSID is advertised by: https://documentation.meraki.com/MR/Other_Topics/Using_Tags_to_Broadcast_SSIDs_from_Specific_APs
Sep 1 2022
7:51 AM
This is true, for sites using HTTPS (which is a lot of sites, these days): https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering/Content_Filtering_Troubleshooting#Why_is_the_Meraki_block_page_not_displayed.3F Blocked sites using HTTP will generate a block page back to the client: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_the_Default_Block_Message To my knowledge the issue with HTTPS can't be resolved natively with the Meraki solution alone but, whilst I'm no expert on Umbrella specifically, I believe that can address this, provided the clients trust the cert which Umbrella uses for the block page: https://support.opendns.com/hc/en-us/articles/227987007-Block-Page-Errors-Installing-the-Cisco-Umbrella-Root-CA This is likely to be a problem if your clients are unmanaged (e.g. Guest users)
Aug 26 2022
5:13 AM
I was looking only to help with the original question. 😉 In my experience, there are a number of compelling reasons for choosing VPNC over routed mode for the majority of Hubs - with licensing cost not really a part of that design calculation. I also can't help feeling that, whilst I understand people don't want to pay for features they will not be using, the overall 'cost' in time and complexity of needing to specify (and separately renew) licensing for individual devices probably outweighs the extra spend from a simple one-choice, applied to all approach - given the majority of networks have greater numbers of Spokes (where you want Adv Sec/SD-WAN+) than Hubs.
Aug 26 2022
4:54 AM
I'm not 100% sure, but I have a feeling this must have to do with the recommendation that Hubs are configured as One Armed Concentrators - with just one uplink.
Aug 24 2022
7:01 AM
3 Kudos
Remember also that MXs can have a number of functions and the load is cumulative; a routed mode MX in a HQ handling (say) 150 concurrently connected VPN clients, whilst also providing Layer-7 firewalling with IPS & AMP protection for 100 clients on the LAN will practically be able to support fewer site-to-site VPN tunnels and/or provide a lower level of throughput for all those users. Make sure to use the recommended maximum number of site-to-site VPN tunnels in your calculations, too. It is possible to monitor overall MX load using Organization > Summary report: https://documentation.meraki.com/MX/Monitoring_and_Reporting/Device_Utilization
Aug 24 2022
6:54 AM
This MX device will only be useful if an administrator of the Dashboard Organization in which it is claimed unclaims it.
It's not clear, from your description, quite what's happening here - but I suggest you raise a case with Meraki Support. https://documentation.meraki.com/General_Administration/Support/Contacting_Support#:~:text=Call%20the%20Meraki%20Support%20team,the%20Meraki%20Support%20home%20page. Do this by telephone if it's urgent.
Aug 24 2022
6:48 AM
3 Kudos
As highlighted early in this documentation, they will essentially lose their config: https://documentation.meraki.com/General_Administration/Inventory_and_Devices/Moving_Devices_between_Organizations Bear in mind that you can have a replacement config all ready for them, in a new Network, in the destination Organization. It's possible to use the Dashboard API and some publicly available scripting to 'get' config from the existing Org and 'put' it into the destination too. (this is discussed in other threads on here)
Aug 20 2022
1:37 PM
1 Kudo
That's not quite right. With appropriate config the MX will re-order packets as they exit towards the Internet, to put more important / more time-sensitive packets first. Given that performance problems can quite often relate to contention for the available upstream bandwidth (which is often asymmetric), this can make all the difference. Once that traffic reaches the ISP's PoP, all bets are generally off.
Aug 16 2022
10:09 AM
2 Kudos
This is expected behaviour: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failover If you are operating with MX to MX AutoVPN tunnels then you can use SD-WAN policies to shuffle important tunnelled sessions across to the secondary WAN link very quickly (seconds). https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping#SD-WAN_policies For Internet-bound traffic, you can use SD-Internet policies to ensure that new flows are generated, originating from the secondary WAN link, more quickly (c. 30 seconds after the primary fails): https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MX_Security_and_SD-WAN/SD-WAN_Internet_Policies_(SD-Internet) The SD-WAN+ MX license is required for this feature (required for all MXs in the Dashboard Organization). Remember that untunnelled traffic flows are NATed to the outside address of the MX. This session must therefore change source IP address to use the secondary WAN, so must be entirely re-initiated - thus seamless failover is not an option, regardless of configuration.
Aug 15 2022
3:21 AM
Remember too - if the traffic is being forwarded to the Internet; while the MX can re-order packets outbound, to reflect the priority you assign to different traffic types, the likelihood is that the ISP will remark DSCP values to 0 at the earliest opportunity, thus it would receive no priority upstream.
Aug 13 2022
4:30 AM
Even when (legacy) clients aren't using multiple spatial streams, they are using antenna diversity to avoid multi-path distortion. Thus the antennas associated with any one frequency band need to be covering the same area.
Aug 11 2022
10:39 AM
2 Kudos
A few things are going on here: Your post title mentions MR74 (which is End of Sale), whereas the body mentions MR76. As it happens these work very similarly (see below), but it's probably worth clarifying the detail.
I think much of the first part of your question is covered by the following documentation: https://documentation.meraki.com/MR/Deployment_Guides/Mesh_Deployment_Guide and more specifically: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Extending_the_LAN_with_a_Wireless_Mesh_Link
One key thing to remember here is that there is no specific 'bridge mode' operation for Meraki MR APs; the functionality is based around Meraki meshing, which is more general than that; it looks to use a wireless uplink for a powered up AP whose wired uplink isn't working. You haven't said very much about how you want to logically treat clients connecting at the far side of the mesh link, which likely affects your options and matching functionality (see the docs for more).
For your question about antennas, I think you may be mixing up the guidance for different AP models, between those with dedicated radios for each frequency (MR74/6) and those supporting > 2 spatial streams, with both 2.4 and 5 GHz served by the same antenna posts (MR84/6). For the latter, the expectation would be that a single client should be able to communicate via all four antenna posts simultaneously - in order to make use of the extra spatial streams - hence all the connected antennas need to provide essentially the same coverage. This is also why such APs require dual-band antennas. For the former you could indeed have entirely different coverage areas for the 2.4 GHz versus the 5 GHz - e.g. 5 GHz directional antennas, on the outside of the buildings, pointing at each other, with the expectation that the mesh link will form across that path - with a 2.4 GHz (maybe omni-directional? or broad patch?) coverage area inside the building, for clients.
You'd obviously have to choose an appropriate antenna for each and route the cables for one of them through the wall (depending on whether you have the AP indoors or out). You could not use this separate coverage areas concept with MR84/6.
Jul 28 2022
8:12 AM
To my knowledge we've never had that capability. Most customers would simply use syslog directly, with an appropriate syslog server in their central off network location - perhaps with a secure tunnel between the two, to carry the syslog traffic.
Jul 28 2022
7:54 AM
Yes - webhooks are about alerts, rather than events. You can pull the event log though, via the Dashboard API: https://developer.cisco.com/meraki/api-v1/#!get-network-events
You can't do this on the same SSID - the 'MAC-based access control (no encryption)' and 'Enterprise with my RADIUS server' config options are mutually exclusive. Remember that, as per the description, the MAC authentication option does not result in an encrypted WLAN session between the client and the AP as Enterprise 802.1x does. I'd recommend you look at using Identity PSK with RADIUS (assuming you're using a reasonably recent MR access point model and firmware). iPSK combines WPA2-PSK authentication / encryption with a check of the client MAC address. https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication Note that this would still be a separate SSID to your Enterprise 802.1x SSID - but you should be able to use the same RADIUS server for both.
Jul 8 2022
5:05 AM
Doing this centrally via the Dashboard itself would be the way, using Network-wide alerts and converting to SMS: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Alerts_and_Notifications#Receiving_Email_Alerts_via_SMS You may also be able to achieve similar using webhooks into a messaging platform, such as Webex, to alert admins using a mobile version of the app. I think it highly unlikely a localised solution using the onboard SIM and SMS would also be developed.
May 31 2022
9:32 AM
4 Kudos
Answered in your previous thread... It's essentially permanent, Meraki-side