Meraki

PhilipDAth · ‎Nov 7 2018

Yes because if an AD joined machine needs to resolve an AD resource query and it gets sent to an external DNS the lookup will fail. This tends to result in intermittent and random failures to users that can be difficult to re-produce.

PhilipDAth · ‎Nov 7 2018

If your machines are Active Directory joined - then you should point the DNS for every branch to those AD controllers (and not use external DNS servers).

PhilipDAth · ‎Nov 6 2018

At a minimum, make sure you enable band steering to encourage those clients with 5Ghz radio to use that band instead of 2.4ghz.

PhilipDAth · ‎Nov 5 2018

Don't use 2.4Ghz if you want performance. It is anyways problematic. I would disable 2.4Ghz if you can

PhilipDAth · ‎Nov 5 2018

I think that should work. What ports are you allowing through to the vMX? I would allow: UDP/500 UDP/4500 IP protocol 50 (ESP)

PhilipDAth · ‎Nov 3 2018

Is the file server running any firewall, such as Windows Firewall or a Antivirus firewall? If so, try turning it off for a little while to see if it is related to the issue.

PhilipDAth · ‎Nov 3 2018

You can, although note as traffic passes from a VLAN interface to a WAN interface it will be NATed to the IP address of the WAN interface.

PhilipDAth · ‎Nov 2 2018

Splash Access sell a solution to do this. https://www.splashaccess.com/secure-wpa-2-guest-wifi-dashboard-cisco-meraki/

PhilipDAth · ‎Nov 2 2018

Wow, that came around again quickly. I have been so crazy busy in the last month. @jdsilva I love your icon. I'll keep an eye out for the swag now that you have mentioned it! Well team, what a great effort by everyone.

PhilipDAth · ‎Nov 2 2018

I'm not really a fan of loop guard unless there are redundant paths. Othewise if you have a single link and it triggers it'll take out the downstream network.

PhilipDAth · ‎Nov 2 2018

I don't ever use root guard. I have had it bite me in the past when various failures happened, and it made those failures more severe.

PhilipDAth · ‎Nov 2 2018

Create a new template and use the option to copy the settings from an existing template. Re-bind the existing site(s) to the new template. Note that any customised LAN IP addressing wont pull through when you re-bind, and you'll need to note that and put that configuration back in.

PhilipDAth · ‎Oct 31 2018

I could probably write a chapter for a book answering this question. To make the answer shorter I can going to assume: The hub will be active/wam spare (not active/active or dual DC). There are less than 1500 spokes. There is no MPLS. There is only AutoVPN over the Internet. You would probably use One armed VPN concentrator mode if: You have an existing firewall. You have an HA Internet setup. You have a layer 3 network core You need BGP or OSPF support exchange routes. You would probably use NAT mode if: You can plug the MX into more than one Internet circuit so the MX can provide Internet HA itself. You need to support clients behind the MX accessing the Internet, or you want to be able to apply Meraki group to those users. Personally, I mostly use NAT mode myself. I mostly do deployments with less than 200 spokes. I nearly always use the DC's primary Internet connection, and get another "out of band" domestic grade Internet circuit in case of catastrophic failure. I call it cheap insurance. I also avoid using dynamic routing in Meraki deployments (I like to keep them Meraki simple). I would also like to recommend the Meraki MX sizing guide by Aaron Willette, which you should regard as a Cisco Meraki God. http://www.willette.works/meraki-mx-sizing/

PhilipDAth · ‎Oct 31 2018

You are almost certainly experiencing an MSS squeeze. If you have a Windows client you can determine the maximum MTU by using a ping command like this: ping <app server> -f -l 1400 If the ping works, increase the size (above 1400). If it fails, reduce the number. Keep going to you get the maximum size that works. What OS is the App Server running? I can probably suggest the command to run to adjust the MSS or MTU on that side to resolve the issue.

PhilipDAth · ‎Oct 31 2018

I'm with @MacuserJim - move to 14.x code. We have a large number of customers using 14.x. It works well.

PhilipDAth · ‎Oct 31 2018

Cisco Meraki will never have a locally managed, on-premise WiFi option. I was talking with a global company last week with 130,000 staff. They have access to every kind of IT Support specialist you can think of. You wouldn't call them a small mom/pop operation. They somehow seem to cope with only having cloud management.

PhilipDAth · ‎Oct 30 2018

Just to build on @BlakeRichardson answer. Content filtering only runs between WAN and LAN interfaces. Threat protection runs between WAN and LAN interfaces, and also between VLAN interfaces. https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection "Intrusion detection feeds all packets flowing between the LAN and Internet interfaces and in-between VLANs through the SNORT® intrusion detection engine and logs the generated alerts to the Security Report."

PhilipDAth · ‎Oct 29 2018

What you could do is configure the WiFi for pre-paid billing. You can then pre-print the cards with have PIN numbers on them. You can say that the PIN code expires after a set period of time. https://documentation.meraki.com/MR/Splash_Page/Configuring_a_Prepaid_Card_Billing_SSID

PhilipDAth · ‎Oct 29 2018

If you are using Microsoft NPS check out this guide. Even if you are not using it, check out the guide and figure out how to apply similar settings. https://documentation.meraki.com/MX/Client_VPN/Configuring_RADIUS_Authentication_with_Client_VPN

PhilipDAth · ‎Oct 29 2018

Which radius server are you using? I don't know how important these are, but is the RADIUS server also returning Framed-Protocol and Service-Type, to say what the user is permitted to use? On my RADIUS server, Framed-Protocol is set to PPP and Service-Type is set to Framed.

PhilipDAth · ‎Oct 29 2018

Is this an AD account? Do they perhaps need to login as domain\user? And to be specific. in your packet capture you sure the RADIUS server send an ACCESS_ACCEPT message?

PhilipDAth · ‎Oct 29 2018

You can apply the "Blocked" group policy, which will prevent them from accessing anything. https://documentation.meraki.com/MX/Group_Policies_and_Blacklisting/Blocking_and_Whitelisting_Clients Removing just a single client from the client monitor is not really possible. You could possibly use the GPDR data privacy feature. https://documentation.meraki.com/zGeneral_Administration/Privacy_and_Security/Meraki_Data_Privacy_and_Protection_Features

PhilipDAth · ‎Oct 27 2018

I like Pizza @MRCUR.

PhilipDAth · ‎Oct 27 2018

Try making a wish for "konami" and then scroll down a little bit.

PhilipDAth · ‎Oct 26 2018

No one should be using WEP anymore. Use WPA2 Enterprise mode instead.

About PhilipDAth

PhilipDAth

Philip D'Ath

Community Record

Badges