About IT_Magician

IT_Magician · ‎11-30-2020

We use TP-Link switches on the edge.. non managed of course. This was after days of troubleshooting with Cisco Meraki support they finally said it wasn't supported. I suppose there are ways to do it, but at that point we found non-managed switches on the edge worked best for us.

IT_Magician · ‎11-30-2020

Check out my video on building high quality VoIP rules in the MX. Also in each MX, go to SD WAN & traffic shaping and add the public facing IP of your call manager server to check if packet loss is happening on the ISP WAN side. https://www.youtube.com/watch?v=G57e4oQsHaw

IT_Magician · ‎11-24-2020

Yeah I am starting to realize that. Meraki support doesn't think there is an option. The Juniper engineer on the phone was not impressed, couldn't believe Meraki can't route S2S traffic to WAN from anything but a Meraki. They are escalating this to product team to make sure nothing is missed here.

IT_Magician · ‎11-24-2020

Ok so we have the tunnel up and here is what is happening: On Non Meraki VPN side: - Client can ping our MX and receive response back without issue - Client then attempts to access www.website.com but doesn't get a response back Any idea why Meraki is not routing the traffic back across the VPN tunnel?

IT_Magician · ‎11-24-2020

I am reading through more documentation now to see if I can find something on this

IT_Magician · ‎11-24-2020

Hey Meraki Community, How can I route traffic from a private subnet across a non-Meraki VPN out the WAN on our MX84? We have a handful of websites that compliance only allows our WAN IPs to access. We added a site to site VPN tunnel witih a non-Meraki peer which is up and working. The goal is the remote subnet attempts to access specific websites, the remote non-Meraki VPN peer routes that out the WAN on the MX so it has the allowed public IP. Is this possible?

IT_Magician · ‎11-16-2020

No problem. Once you setup the SD-WAN settings, go to Google and search what is my IP and confirm it is on your new WAN connection. Once confirmed you are good to go.

IT_Magician · ‎11-16-2020

Both, setting it makes both upload and download go out WAN2

IT_Magician · ‎11-16-2020

Under SD-Wan and traffic shaping, set the network you want and set primary uplink as WAN 2 and it will work.

IT_Magician · ‎09-29-2020

Yes, we are 100% meraki across the board, including switches. Good idea on Layer 3 rules. The switches are only layer 2. So you are saying, use Layer 3 firewall rules to limit it as much as possible to only what it needs? My main concern is a threat coming in where a malicious attacker gains access into the network through the web server and finds a way to hop over to another system. Is that a silly concern?

IT_Magician · ‎09-29-2020

MX67 to switch network. From switch network into ESXi host running many VMs, one of them is the new IIS?SQL database. All servers are on the same network and domain.

IT_Magician · ‎09-29-2020

Want to clarify, this server is running IIS & SQL Database for a new custom built CRM

IT_Magician · ‎09-29-2020

Hey Meraki Community, We have a Meraki MX67 and behind it is a new IIS web server going up. The vendor isn't using an SSL certificate and has asked us to make this available via port 80. Because the web server has to be accessed externally AND from within the office it is on the private VLAN to allow communication. What is the best way to secure this from a networking/Meraki standpoint? Thanks, BA

IT_Magician · ‎06-02-2020

Hi Nash, Thanks, we have standard setup, not sure if split or full tunnel but will investigate. In this scenario, how would virtual appliances work? The reason we deployed Umbrella Roaming client is to protect laptops with content filtering while they are outside of the network and not connected to the VPN, which means no firewall security. The goal is to have Roaming Client on laptops so they have content filtering outside of the office, but these users also require VPN from time to time. Mabye we could create a script where event log shows VPN connected and it disabled Umbrella client and when event logs shows deactivated it re-enables it.

IT_Magician · ‎06-02-2020

YoYo Community, does anyone have a work around for this? Long story short, Cisco Umbrella support is saying Windows 10 VPN and Cisco Umbrella roaming client isn't compatible. You would think since Meraki only offers the built-in client VPN and Cisco owns both companies there would be a better integration, but that is not the case. Basically remote laptops with Umbrella client stop processing external domain DNS lookups once they connect to the VPN. Technical reason is below, but does anyone have a work around on this? From Cisco Umbrella support: The reason you are having issues with this VPN is because it utilizes a Microsoft connection API that requires DNS be sent to the local NIC, not 127.0.0.1 and therefore cannot connect. While there are some VPNs that are compatible with the Enterprise Roaming Client, unfortunately the built in windows VPNs are not at this time. Thanks, and go team!

IT_Magician · ‎05-09-2020

Hey Bruce, Thanks for this - I got it working how I originally suggested. I am about to call the ISP though but wanted to see if you or anyone thinks this is an issue. Now on the client list I see devices from the ISP, not sure what they are, looks like all their stuff and mostly public IP addresses. If I click on my port 1 on the switch and look at current clients there is a list that keeps changing with new IPs.

IT_Magician · ‎05-09-2020

Go to network wide and clients, and sort by usage. Do you see large amounts of UDP traffic that could mean a broadcast storm somewhere?

IT_Magician · ‎05-09-2020

Long story short, when the second MX is on the same LAN nothing works. Meraki has suggested we put all locations in their own organization. If that doesn't work I am out of ideas and will have to get a different unit. Very frustrated right now with all of this.

IT_Magician · ‎05-09-2020

Ok 100% confirmed this is what is happening: We have auto-vpn MX We have a second non-meraki VPN MX The moment we plug the non-meraki VPN mx either directly into MX, or directly into Meraki switch, we get about 90% dropped DNS traffic. This is same result on WAN 1 or WAN 2. From Meraki dashboard it can pass traffic, but something is getting messed up once the second MX is plugged into the same LAN as the primary non-meraki MX. Any thoughts?

IT_Magician · ‎05-09-2020

I am going to read this article you sent. I got it 100% working, but then 24 hours later we have an issue. DNS traffic will not route! No idea why, but if I remove the second MX which is handling our non-meraki VPN peers from the local LAN where the primary auto-vpn MX lives, the problem goes away. Meraki support believes we have a traffic leak somewhere - wanted to see if anyone had any insight? When I say DNS traffic can't pass, Google DNS, Cloud Flare, OpenDNS all fail to resolve DNS. I can ping 1.1.1.1 but no DNS traffic will work on either WAN 1 or WAN 2.

IT_Magician · ‎05-09-2020

I have two sister companies in the same building. Our ISP provided us two WAN IPs but the modem only has 1 uplink port. We have a Meraki ms125 switch. What would be best practice for a setup like this: 1. Port 1 = WAN UPLINK from ISP 2. Port 2 = Internet 1 port on First MX 3. Port 3 = Internet 1 port on Second mX 4. Each MX internet port configured with the WAN IP from the ISP In this setup, how would I have to create a VLAN on ports 1 2 and 3 on the switch? Trunk or access? Or would I only do access port on PORT 1, and then tag on the UPLINK port on the MX to use VLAN on that section?

IT_Magician · ‎05-07-2020

Hi Phillip, Thanks for your suggestions, the new MX came in and I am starting the configuration. I do have a question, can you double check this strategy is correct: 1. WAN 1 goes into New MX 2. I will build VPN tunnel on new MX to HQ This is the part want to make sure I don't mess up.... On new MX I created 192.168.100.0/24 network, MX IP is 192.168.100.1. I will assign that to a port, and then that port will become the internet uplink of my existing MX? If that is the case, where do I program the static route? On the existing MX?

IT_Magician · ‎05-01-2020

Awesome, thank you so much for the suggestion. I want to clarify, when you say AutoVPN hub, you just mean the MX?

IT_Magician · ‎05-01-2020

It is short sided on both sides, but we are just happy to win the contract and have to play by their rules. Why does Meraki not make this possible? It is simply a routing table, why does it care? I'm sure Meraki didn't go out of their way and has a reason this is not possible. We are going to purchase another firewall and make that the upstream WAN device and see if we can trick the Meraki. My hope is since Meraki will use it as the WAN anyway, once it its the upstream firewall it will be smart enough to route the traffic as needed.

IT_Magician · ‎05-01-2020

After 100% success rate with Cisco Meraki installations, we have hit our first ever road block where Meraki isn’t working. It is a unique situation, and am really hoping someone here can provide some insight. Here is the setup: We are required to have a VPN tunnel with HQ. HQ only allows a single VPN tunnel, it is their corporate policy, no exceptions. We have no control/say/access over this network, but it is critical to the business. We have two locations, both 100% Cisco Meraki stack (MX67 with M S120 switches) Here is the issue: We have the VPN tunnel between HQ and Site 1, works 100% no issue. We have a Meraki Auto VPN between Site 1 and Site 2, works 100% no issue. Site 2 needs to go across the VPN to Site 1, and then across the VPN tunnel to HQ. This is our issue. Here are the things I have tried: Setting a static route on site 2, Meraki doesn't allow this. Settings site 2 as a spoke, with default route to site 1. Called support, they said Meraki doesn't support this type of configuration. Does anyone have a clever way to get around this? If we need to purchase more equipment or whatever it takes we will do it.

IT_Magician

Community Record

Badges

Re: Redundant uplinks to MX from Switch Stack. Is it even possible?

Re: We have cuts in VoIP

Re: How can I make this site to site VPN work?

Re: How can I make this site to site VPN work?

Re: How can I make this site to site VPN work?

How can I make this site to site VPN work?

Re: How can we force one my VLAN's subnet to use WAN2 for upload and downlo...

Re: How can we force one my VLAN's subnet to use WAN2 for upload and downlo...

Re: How can we force one my VLAN's subnet to use WAN2 for upload and downlo...

Re: Web server being accessed internally and externally

Re: Web server being accessed internally and externally

Re: Web server being accessed internally and externally

Web server being accessed internally and externally

Re: Umbrella Roaming Client and Cisco Meraki MX Firewalls

Umbrella Roaming Client and Cisco Meraki MX Firewalls

Re: Two companies sharing 1 ISP - how to configure?

Re: Campus Network, Switches randomly turning orange and going down, or int...

Re: After 100% success rate on installs, hit first road block

Re: After 100% success rate on installs, hit first road block

Re: After 100% success rate on installs, hit first road block

Two companies sharing 1 ISP - how to configure?

Re: After 100% success rate on installs, hit first road block

Re: After 100% success rate on installs, hit first road block

Re: After 100% success rate on installs, hit first road block

After 100% success rate on installs, hit first road block

Re: First time doing routing on MX

No affordable MX appliance for gigabit

MX17.10 bug with built in wireless?

Re: New firmware bringing down switches

Re: Windows custom APPs failing to install - need guidance

Re: Windows Meraki Sentry VPN prompting for credentials