Community Record: 1401 Posts, 1618 Kudos, 153 Solutions
May 6 2022
10:37 AM
Can I ask what you're looking to do using this? Note that an MX automatically obtains a publicly visible DNS hostname - which you can then use as a destination for things like Client VPN, instead of needing to use the public IP address, which may change from time-to-time, depending on your Internet service: https://documentation.meraki.com/MX/Other_Topics/Dynamic_DNS_(DDNS)
May 6 2022
9:25 AM
3 Kudos
If you haven't already, I'd suggest you read this document carefully: https://documentation.meraki.com/MX/Site-to-site_VPN/China_Auto_VPN Also this one, at a higher level: https://documentation.meraki.com/General_Administration/Support/Information_for_Users_in_China Basically, in China you are recommended to deploy Meraki devices into an Organization within the China cloud. Doing this precludes forming AutoVPN (SD-WAN) tunnels to an MX in a different Organization, of course. If you choose not to follow the recommendation and physically deploy an MX in China, but as part of a non-China Org, while you may or may not get VPN to come up, to other locations, there would be no guarantees around whether it would stay working, nor around its performance.
May 6 2022
9:20 AM
2 Kudos
I found this was pretty easily fixed using Rain-X - I'm sure there are other similar products out there, too: https://rainx.co.uk/rain-x-products/rain-x-rain-repellent/
May 5 2022
12:33 PM
2 Kudos
Are the devices communicating via Bluetooth or WiFi? To my knowledge both of these technologies leave any roaming decisions to the client device itself (so check documentation and config / firmware options for those). If it's WiFi, check to see if there are any AutoRF-related reconfigs of the APs, at the times in question - changing channels or Tx power, that might affect the client's decisions. You could consider fixing those WiFi parameters through an RF Profile: https://documentation.meraki.com/MR/Radio_Settings/Manual_Channel_Selection%2C_Transmit_Power_Adjustment%2C_and_Antenna_Configuration
May 5 2022
9:19 AM
L2 isolation doesn't prevent broadcasts and multicasts from being generated. Proxy ARP within broadcast suppression will help with this, to some degree and client devices are generally better these days at handling resultant traffic in some volume than previously, but not to the level of a /16 subnet, I would think. https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Broadcast_Suppression_and_Control_Technologies_for_MR_Access_Points
Apr 30 2022
4:09 AM
Woah there! I chose my masks carefully... /23 = c. 500 clients; /22 = c. 1,000 clients = basically doable (think: short DHCP leases), but /16 = > 65,000 clients! That's a big jump and not one I'd recommend. But there are certainly advantages if you can stick to layer-2 roaming. One thing to bear in mind - unless you have contiguous coverage between buildings on a campus (i.e. outdoor APs etc.) then clients are not even going to need Layer-2 roaming everywhere, as they won't remain associated between buildings anyway. It's also much less likely to be manageable to extend the same VLAN between buildings on a campus. The analogy comparing floors in the same building with different buildings on a campus isn't necessarily the best, unfortunately. Mind you; even in a building, maintaining coverage between floors can be a significant challenge anyway (stairwells and lift shafts are difficult and expensive to fully cover). All these things make a difference.
Apr 29 2022
10:58 AM
Is there a particular reason why you want to map the different floors to different VLANs? It's generally simpler (& you know how we love simple!) just to provide a common VLAN to all the switches - and then use Layer-2 roaming alone. Remember that, if you're only placing wireless clients in that VLAN (recommended) and you're enabling Layer-2 isolation, the usual concerns about the size of a broadcast domain, from needing (say) a /23 or /22 subnet, to handle your client base, are not so acute. https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation
Apr 27 2022
11:46 AM
It used to be that the Cellular Active Uplink feature needed to be enabled by Support - that probably went away when 16 became Stable. It sounds to me like your next call to Support is "It doesn't appear to be working? Please help!" Have you tried running a packet capture on the Internet side of the MX, to see what the cellular interface is sending & receiving to/from the Hub? This would likely be Support's first ask - so worth doing in advance. Take a look at the firewall logs at the Hub site too - see if any tunnel-related packets from the Spoke are being changed in transit by the carrier. This is because, with cellular uplinks, you often run into CG-NAT related issues, which often stop tunnels from forming properly. You may need to set up the destination Hub (and any upstream firewall) to work with Manual NAT traversal, tying VPN to a specific public IP and port (I recommend picking one between 1025 and 32768, but avoiding 4500) as per https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NAT_Traversal
Apr 27 2022
10:58 AM
2 Kudos
You could maybe use a script to monitor network usage, in some way, to trigger automated reconfiguration of the shaping settings... all via the Dashboard API? https://developer.cisco.com/meraki/api-v1/#!get-network-appliance-uplinks-usage-history https://developer.cisco.com/meraki/api-v1/#!update-network-appliance-traffic-shaping Or - maybe simpler - have the script just change the settings on different days and at different times, to reflect your busy periods?
Apr 27 2022
10:50 AM
From my previous comment: "For MXs with integrated cellular (MX67C, MX68CW) SD-WAN is supported over the LTE uplink..." and "This will not work for LTE provided using a USB dongle..." It's this (USB dongle = 3G or 4G modem) that is being referred to in the blurb you quoted. Assuming you do have an MX with integrated cellular... (you plugged a SIM in, not a USB dongle/modem): Did you have Support enable the feature? Do you have Active-Active AutoVPN enabled under Security & SD-WAN > Configure > SD-WAN & traffic shaping?
Apr 27 2022
10:31 AM
2 Kudos
A single Dashboard Organization can only be hosted in one region. What are you looking to achieve or gain from having different regions? Remember that the Dashboard is only for management - your user traffic does not flow through it, so it isn't essential, for most customers, that the hosting is local to the users.
Apr 26 2022
9:36 AM
1 Kudo
For MXs with integrated cellular (MX67C, MX68CW) SD-WAN is supported over the LTE uplink with MX version 16.2 or later (in practice 16.16.1 - latest stable GA is currently recommended, but note the move to 443 for device <-> dashboard comms in 16.x - read the Release Notes). A backend configuration needs to be applied by Meraki Support (two, if you want to also apply cellular failure firewall rules to the new WAN2). When enabled, this allows the customer to effectively choose their LTE uplink as WAN2. You can't simultaneously have both 2 x fixed uplinks AND LTE. See details here: https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MX_Security_and_SD-WAN/Meraki_SD-WAN#SD-WAN_over_Cellular Note: this will not work for LTE provided using a USB dongle.
Apr 14 2022
9:34 AM
5 Kudos
If you have an existing MX84 and want to add a second device, running warm spare, you have to have a second MX84. You cannot run warm spare between dissimilar MX models (this includes, for example, MX67 and MX67C). https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair If you are routing between your three sites (i.e. you have a different IP subnet or group of subnets per site) then you will have a challenge here, from using MS225 switches; while they support IP routing at layer-3, they do not support a dynamic routing protocol such as OSPF, which is supported by MS250 and higher. If this were a green-field deployment I'd recommend a pair of MS250 switches (at least) per site, with each operating as a stack and OSPF then running between the three stacks. You'd then have a static default route on the Site 1 stack pointing at the Virtual IP address of the upstream MX warm spare pair. If you are running the three sites as a flat subnet you would use Spanning Tree, with the Site 1 stack as the STP Root bridge. You may need to check that the VPLS service will carry STP frames (BPDUs) to ensure this works properly. This would, in principle, work with MS225. Note that such a setup would block one of the links, meaning Site 2 <-> Site 3 traffic would hairpin via Site 1. https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Spanning_Tree_Protocol_(STP)_Overview
I think this should be possible. While an MR can only live within one Network in Dashboard and 'Users' are a Network-wide function, you have the ability to control authorization for each SSID separately. On the User management portal, under Access policy: select each SSID in turn and check the 'Authorized for SSID' tickbox for the right group of users in each. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Managing_User_Accounts_using_Meraki_Cloud_Authentication
Apr 13 2022
6:07 AM
2 Kudos
A fairly quick look led me to this... https://kb.paessler.com/en/topic/86352-monitoring-via-api
Apr 13 2022
3:01 AM
4 Kudos
In terms of tools to query data from the Dashboard, I would say that the REST API is a much bigger thing than SNMP. I doubt any further functionality will be added to SNMP in the future, whereas the power of the API solution continues to grow at great pace: https://developer.cisco.com/meraki/ Try this rather neat documentation / basic API query page, for a flavour: https://developer.cisco.com/meraki/api-v1/#!introduction/whats-new-in-v1 Just look for the info you're after in the search window, top left.
Apr 1 2022
8:51 AM
I would recommend calling in to Meraki Support for assistance. (Details available under Help > Get help in the Dashboard)
Feb 18 2022
10:49 AM
2 Kudos
OK, makes sense. Note that the recommended mode for MX Hubs in Data Centres is one-armed VPN Concentrator mode (which only uses a WAN link): https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide
Feb 18 2022
10:17 AM
If you are using these MXs as VPN Concentrators - I'm wondering why the need for all those LAN ports?
Jan 28 2022
2:23 AM
4 Kudos
The Dashboard itself holds the backups (and backups of the backups). In fact, the backup is created before the live config; config is created in Dashboard, then pushed down to the device. It is possible to take details of configs out of the Dashboard via the API, but the API would still need to be used to apply them back again, too. There are a bunch of scripts out there that can be used for this purpose, not least one created by the legend that is @PhilipDAth https://www.ifm.net.nz/cookbooks/meraki-backup.html (can you update the link, if I've pasted an old one, Philip?)
Jan 26 2022
10:17 AM
For co-term Orgs, I'd claim licences (or orders / serials) using https://developer.cisco.com/meraki/api-v1/#!claim-into-organization
Jan 25 2022
6:59 AM
2 Kudos
As @ww said - they should work fine, but you'll need to configure your existing networking gear to allow the MV cameras access to the necessary Meraki resources in the cloud (PoE, DHCP & routing, DNS etc.) Plus any firewall rules necessary - shown under Help > Firewall info in the Meraki Dashboard.
Jan 20 2022
3:59 AM
5 Kudos
You could maybe use AnyConnect VPN into the MX. With RADIUS authentication, it would be possible to use Meraki Group Policies to apply a different set of network access controls to contractors, versus your employees, if that's the primary concern. https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance#Group_Policies
Jan 19 2022
9:50 AM
Why do you have so many IP addresses assigned to one interface on one PC? This is extremely unusual, unless I'm missing something; the rest of the world, for one PC with one interface, uses just one IP address. If that PC requires access to multiple IP subnets, you provide routing within your network, via a Default Gateway.