Meraki

ToryDav · ‎Feb 21 2022

Thanks for the insights here. I will discuss this with them and see if it makes sense to disable, or not.

ToryDav · ‎Feb 21 2022

Hey @KarstenI, my assumption was also that it would not be supported, in traditional Meraki fashion to stay in alignment with "Keep it simple", I know Meraki typically doesn't implement "bells and whistles". Thanks for digging a little deeper into this, I don't have L3 features on my Meraki lab switch to play with this in the lab. Also, just to be sure, I will elaborate a little more: There are several sites all Meraki, OSPF routing to the primary core 4500x VSS pair, and then each location has a backup link to the secondary site for failover to a secondary 4500x VSS pair. I notice on the Cisco Core's the NSF feature is enabled under the OSPF process, but In this scenario with Meraki I wonder why. I'm assuming this is old config from before Meraki was installed at each location, since before they routed EIGRP with NSF enabled to Cisco Catalyst switches. I will request justification as to why this feature is enabled today. I also agree this should be disabled.

ToryDav · ‎Feb 21 2022

Does Cisco Meraki support Non-Stop Forwarding? Is enabling Non-Stop forwarding on the routing core (not Meraki, Cat 4500x) with MS 350 peers downstream a bad idea?

ToryDav · ‎Feb 16 2022

Congratulations all!!

ToryDav · ‎Feb 16 2022

Thanks for adding to this thread @Marco_812. That's an interesting point you make there.

ToryDav · ‎Oct 25 2021

Hello, Looking at the MX security report generated by my MX, I can see all kinds of connections attempts being stopped by IPS, which is great. Is there a way to create a rule to deny these connection attempts from a specific country, like China? Would I simply create a layer 3 firewall rule that says "deny source <PUBLIC BLOCK> destination < INTERNAL NET>" Something of that nature?

ToryDav · ‎Oct 22 2021

I questioned it because there is only one camera showing problems, but shorts show on several ports, and its because or what @cmr pointed out.

ToryDav · ‎Oct 21 2021

Hello! How reliable is the Cable Test feature on the MS product? I am getting a 'short' even when I move the cable to another port. I am going to rule out the cable itself, but how reliable is this tool? I'm looking for your experiences using it, or any knowledge of what it's doing under the hood. Thanks! Tory

ToryDav · ‎Sep 20 2021

Totally! I was pleased to see only 15 minutes drop. That release also fixed all the issues I was seeing.

ToryDav · ‎Sep 17 2021

Just to update this post. I got approval to upgrade this MS390 switch stack firmware. It took a long time to download but once they actually went down it was only about 15 minutes downtime or so. Everything seems ok thus far.

ToryDav · ‎Sep 17 2021

Hi @Bruce, Having done the upgrade yourself, would you recommend having someone on-site during the upgrade window? I am not local to the site location. That issue seems to have been fixed in 14.29, but I am a bit nervous. from 14.29 release notes.

ToryDav · ‎Sep 16 2021

Deployed my first pair of MS 390 switches! Some strange issues -- VLAN 0 - I see a bunch of clients showing they are on VLAN 0, but I don't really know what this means. For example: Shows it on port 6, but that is configured for VLAN 40. STP ROOT - Although there is only a single stack of two switches, this still concerns me. What is this trying to tell me? Just looking for any experience anyone may have to shed some ideas on what could be causing this weirdness. Also seeing constant port status changes, so I am concerned to know if this STP root message is truly something to be concerned about or a bug. Or is it just an MS390 thing? Thanks, Tory

ToryDav · ‎Aug 18 2021

I recently had the same issue and fixed it by looking at the event log in windows. Windows Start > type Event Viewer Under Applications you will see the RASclient entries and error codes I was seeing error code 720. I made sure my config matched the instructions: https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration (IT DID) What I actually did to fix my issue was head on over to Windows Device Manager > Network Adapters Delete the WAN MINIPORT for IP as well as for L2TP. Then above click the icon to scan for new changes. You will see them return. Deleting the IP Miniport was the only thing that fixed this for me after I checked configuration, enabled firewall rules and looked at both logs in Meraki and Windows. Hope it helps! Tory Let's connect on linkedin!

ToryDav · ‎Aug 6 2021

Hi! I'm looking for some clarification on this question: If I have an MX with 2 WANs set to load-balance and configure my port forwarding to use "BOTH" uplinks, would this essentially make my ports exposed on both public IPs of each wan? I don't need the port forwarding to work on both IPs at the same time, but I am just curious to know, in this configuration, would it? Thanks, Tory

ToryDav · ‎Aug 2 2021

Hello ! I have a design question regarding a port forward and a multi-wan set-up using Meraki MX. Lets say I have an MX with a triple WAN set-up. Below shows the proposed idea. With port forwarding, It looks like I may only be able to configure dual WAN port forwarding, see the below example: My confusion lies within the complexity of the port forwarding. With the two devices above is this even possible when configuring the port forwarding onto the MX? It seems pretty straight-forward for two WANs, but since WAN 2 port on the MX will connect to the CP E300 router, it will actually be given a private IP, the E300 router will be the gateway which then connects to the WAN 2 + Cellular. In this scenario, how can I ensure the port forwarding works regardless of whether we have failed over from WAN 1 onto WAN 2 or LTE?

ToryDav · ‎Jul 1 2021

ToryDav · ‎Jul 1 2021

@DarrenOC @Bruce Likely it will be MS 390's The top and bottom spread is just how I chose to do it, it's a stack so really I could put one link on each switch. Logically all one switch. Also Bruce thanks for the tips. I will aggregate the links and spread those links out better. Makes perfect sense, not sure why that got past me on this one.

ToryDav · ‎Jul 1 2021

Cartoon floating head Tory has arrived!

ToryDav · ‎Jul 1 2021

Hello! I would love some feedback on the following designs. Looking for ways to improve the technical design and check for correctness. 2x MX in H/A (WAN NOT SHOWN) (LAYER 1 CABLE DIAGRAM) Layer 2 Diagram LAYER 3 DIAGRAM For the Layer 3 diagram, I've debated with putting the layer 3 gateways on the MX but I would prefer to have a true core as well where the gateways and DHCP reside on the MDF switch stack instead with Layer 2 trunks to the IDFs. Thus I would create a transit VLAN X with a /30 for each MX for connectivity between the core and both MX. Thoughts? Constructive feedback? Thanks, Tory

ToryDav · ‎May 20 2021

All, The MX swap went flawlessly. We stood up the MX100 in parallel, put a static IP on it within the local status page and cut over the uplink. I did have to reboot the MX 100 as it didn't reach the dashboard right away. Once it came online all the configuration applied from before, with the exception of the site-to-site VPN. We simply turned on the site-to-site VPN and didn't need to reconfigure it in any way. Our 1:1 NAT didn't work, but rebooting the upstream router cleared its tables and restored connectivity to the webserver behind the NAT. To troubleshoot this I took a PCAP and watched the TCP SYN from my public IP address hit three times and then saw the fast retransmission occur, but we never received any SYN/ACK. Looking at the source and destination MAC addresses, I could see the packet source from the CISCO router upstream, destined for the old MX port 1 MAC address. Rebooted the cache upstream. Thanks, Tory H. Davenport

ToryDav · ‎Apr 29 2021

Thanks! I will use the cold swap method and prior to cutting make sure I go through the caveats for proper preparation. I'm comfortable configuring Meraki features. I am really posting this for the logic of the cut. So in this instance I should be able to use the following task list: 1. Backup current MX configuration just in case, including local status page and dashboard. 2. Remove the MX 80 from the network. 3. Add the MX 100 to the new network. Allow the MX to boot and upgrade firmware. Add any local parameters from the local status page. 4. Validate that all the configuration carried over and re-configure the features that may or may not have.

ToryDav · ‎Apr 29 2021

Hi everyone, I need to migrate MX 80 to MX 100 single device, no H/A. We want to stand the MX 100 up in parallel with the MX 80, configure the MX 100 and then cut the cables. Problem is, I don't think this is going to work. If the MX 80 and MX 100 are stood up in the same network, I can't configure them independatly can I? Otherwise what would be the best way to migrate seamlessly. We do have a cutover window, but I'd like to avoid taking the MX 80 down and out of the network and adding the MX 100 manually because I know I'll have to reconfigure it on the spot. The other route I am considering is using the API. Thoughts?

ToryDav · ‎Feb 23 2021

*Sigh of relief*

ToryDav · ‎Feb 23 2021

Thanks @PhilipDAth I was thinking about that too. They are set-up like the diagram now. STP is blocking where it should be with the redundancy between the MX and the 355's, but that is good point. The 355's are stacked. I can advise them to remove two links like you mention to reduce potential STP issues from occurring, but so far so good. I was concerned about using the public IPs on the WAN switches. Any concern there beyond locking down the local status pages on those devices? Not a huge fan of public IP's on the WAN switches for management personally.

ToryDav · ‎Feb 23 2021

Does this design seem copacetic? Right or wrong? I know these are not ideal for breakout switches.

Meraki

Community

About ToryDav

ToryDav

API Early Access Group

Community Record

Badges

Re: OSPF and NSF

Re: OSPF and NSF

OSPF and NSF

Re: Revealing Your 2022 Meraki Community All-Stars!

Re: MAC Flaps - Always bad or sometimes normal?

Blocking inbound connection attempts on MX

Re: Meraki Switch Cable Test

Meraki Switch Cable Test

Re: MS 390 Strange Behavior

Re: MS 390 Strange Behavior

Re: MS 390 Strange Behavior

MS 390 Strange Behavior

Re: VPN Client to site can not establish

Meraki MX Load balancing dual wan with port forwarding question

Meraki MX Port Forward Design Question

Re: MS Switching / MX Campus Design Peer Review

Re: MS Switching / MX Campus Design Peer Review

Re: Update your avatar, win Meraki swag!

MS Switching / MX Campus Design Peer Review

Re: MX 80 to MX 100 Migration

Re: MX 80 to MX 100 Migration

MX 80 to MX 100 Migration

Re: Meraki Switch WAN Breakout

Re: Meraki Switch WAN Breakout

Meraki Switch WAN Breakout

Re: Custom Hostname Cert issues AutoVPN - ZeroSSL

Re: Configuration Templates, switch profiles and STP root bridge placement.

Re: MX 80 to MX 100 Migration

Re: VPN Client to site can not establish

Re: MX 80 to MX 100 Migration

Re: MS 390 Strange Behavior

Re: Community Challenge: Folding@home

Re: Cisco Meraki and DNA-Center Integrations