Jan 21 2020
2:25 PM
Nothing had changed in months, so there were no new config changes.
Jan 20 2020
8:59 AM
I just had some strange and worrisome behavior happen at a client. They have an MR33 and called to say the Guest network is not showing up on people's devices. The Guest is configured with a SSID that has a password. It is not using Meraki Guest as the 10.0.0.0/8 overlaps with an internal network. When I went to their location, my phone connected up with the Guest network without any issue. I checked with other users and they could now also see the network, but there was no lock icon on their phones, indicating the SSID did not have a password. I told my phone to forget the Guest network, then I connected to it. I was not asked for a password. I repeated this twice to be sure a password was not required. I checked Meraki Dashboard, and Pre-Shared Key was still selected and the password was still showing. I checked Air Marshal but no Spoofs or Rogue SSIDs were found. There are no Air Marshal events for the last month in the event log. I rebooted the Access point and when it came back up, the Guest network password was working as it should. I have not seen this behavior before. The MR33 firmware version is MR 25.14. Has anyone else seen this?
Jan 14 2020
9:07 AM
I have a client that is a small healthcare business. They have clinics in two cities about 30 miles apart. They are connected to each other by a WAN link that the local hospital manages. In city A, there is the hospital and one of my client's clinics. In city B, both the hospital and my client have clinics. In city C, there is a data center for both the hospital and my client. The hospital provides a WAN link between City A, B and C. In city A, my client has an MX84 providing internet access and static routes to the hospital WAN. In city B, my client has a Cisco router providing routes to the hospital WAN. I purchased an MS250 with the intention of replacing the Cisco router in city B with it. Unfortunately, the Cisco routers are using the EIGRP routing protocol, which the MS250 does not support. I am not sure of the best way to integrate the MS250 into the network. Any help or insights would be appreciated.
Dec 22 2019
12:40 PM
@Matthew I am attempting to use a Meraki MS250 to replace a Cisco router that is using EIGRP. You mentioned you have a mixed environment. Since the MS series do not support EIGRP, how did your mixed environment work? - Dave
Dec 11 2019
8:53 PM
1 Kudo
It is now close enough to mid-December when another announcement is expected. Given the complexity of the task and the perceived glacial speed in progress, I am not expecting an early IPV6 Christmas present. It is sad though. Instead of dreaming about sugar plum fairies, I am dreaming of IPV6.
Dec 10 2019
7:59 PM
1 Kudo
Add LDAP support to System Manager Owners, so cloud-based identity systems like JumpCloud can sync their users with System Manager Owners.
Dec 10 2019
7:40 PM
2 Kudos
Under Security & SD-WAN / Addressing & VLANs, Per Port VLAN settings should move to a new page called Appliance Ports. The behavior of Appliance Ports should mimic the Switch / Switch Ports page in functionality. Along the same lines, there should be a Ports tab under Appliance Status that works like the Ports tab under Switch Status.
Nov 12 2019
5:47 PM
3 Kudos
I have a full stack of Meraki Go and Meraki equipment. The Go access point does not have scheduling or most of the features of an MR. That said, you can create an isolated guest network, set usage limits and get email notification when equipment goes offline. The firewall subscription gives you Cisco Umbrella, but you cannot disable content filtering. There is no Snort for traffic inspection, but there are layer 7 rules in the access point. The switches support PoE and cable testing, but not isolation. I know this is just a smattering comparison. Let me know if you have any specific questions. - Dave
Nov 12 2019
3:24 PM
For me, it is coverage from firewalls through to end user training. I sell a security suite that includes Meraki hardware, email scanning, endpoint protection, computer policy management, Meraki Systems Manager and end user security training. One big advantage of the Meraki Dashboard is that since one signs in with their own credentials, you can see who made what changes. Also, implementing PCI requirements to change passwords is simple with the Dashboard. No more changing passwords manually on hardware scattered through the company. Another big advantage of the Dashboard is that it is easy to push firmware updates out to devices. And if you ever need to know what firmware a device is running, it is easy to find. It is in these simple ways that Meraki Dashboard helps with basic security.
Nov 8 2019
2:05 PM
The client has purchased a Meraki MS120-24P to replace the Netonix. I will be glad to get rid of the Netonix, and the MikroTik used to bypass the firewall to allow the ISP to manage the switch.
Sep 30 2019
2:24 PM
I am sitting on my new deck (took almost all summer to build) on the last 80 degree day of the season in Minnesota. It does not feel like the last day in September, but tomorrow the fall weather resumes. I was hoping for an announcement today, but with a few working hours left, doubts are creeping in. I know that software schedules slip, but some word of forward progress would be greatly appreciated! - Dave
Sep 5 2019
1:05 PM
The Managed Service Provider did not have a Native VLAN specified in the Netonix. Once they put that in to match what I had in the MX84, everything started working. If they had allowed me to look at the configuration of the Netonix, I could have spotted that, rather than playing a guessing game. Thanks, - Dave
Sep 4 2019
9:39 PM
I have a client who is using a Managed Service plan from their ISP. The ISP did not quote a firewall, so I installed an MX84. The Managed Service provider has 3 VLANs: 300, 301, 302. The MX84 has DHCP pools for all three VLANs. Clients attached to a Netonix switch on VLAN 300 and 301 can get IP addresses from the MX84, but clients on VLAN 302 cannot. The port that the Netonix switch is plugged into is configured as a trunk line and all VLANs are allowed. The Managed Service provider has sent me images of the NAT table in the Netonix switch, and it shows the MX84 MAC address for VLAN 300 and VLAN 301, but nothing listed for VLAN 302. I cannot see the Netonix switch config, but I am told that the Netonix switch port connected to the MX84 is configured for all 3 VLANs. Is there any reason that the MX84 would not be listening for VLAN 302? Any help on this would be greatly appreciated.
Aug 15 2019
3:30 PM
@PhilipDAth When I had a client who had their own servers running an online grocery e-commerce service, they had Fortinet firewalls. I am installing Meraki MX firewalls for my clients that are not running web servers.
Jul 23 2019
12:59 PM
The SSL decryption on my Sonicwall was processor based, not FPGA or custom hardware based. Enabling that feature slowed the network to a crawl.
Jul 23 2019
12:57 PM
@ccnewmeraki; Fortinet firewalls have FPGAs or custom chips to do the heavy lifting in their SSL inspection.
Jun 26 2019
9:32 PM
2 Kudos
I updated my avatar. Big ears, bald head and all! - Dave
Jun 2 2019
12:10 AM
I just tested this on my MX65 and got the same result. Group policies are being applied, but in addition to the display problems listed by others, if you look at Network Wide -> Group Policies, the policy will show zero devices in that policy.
Apr 20 2019
4:43 PM
1 Kudo
I had Chrome changing the SSID password if I ever opened the Wireless / Access Control page. The edit box must have been labeled "password" in the HTML code, because it kept putting in my Meraki password. I raised a support ticket to have them change the name of the edit box, and the problem has stopped occurring sometime after that. When the problem was occurring, the site warned me that I had changes that needed to be saved every time I opened the page.
Apr 13 2019
11:11 AM
1 Kudo
SSL inspection helps solve a problem and I agree the further upstream you can block malware, the better. That said, SSL inspection will always be invasive, expensive to do at high speeds, and troublesome with browsers that are getting better at detecting MITM attacks. A more balanced approach might be to do inspection where one easily can. The firewall can inspect unencrypted traffic, and the endpoint protection can inspect traffic after it has been unencrypted on the client. This solution also scales nicely.
Apr 13 2019
10:36 AM
1 Kudo
I agree that communication has been poor on this issue. There have been statements that early decisions were made about the MX design that need to be rethought because of IPV6. Besides the technical issues related directly to an IPV6 stack, there likely is the issue of a schema design change in the MX. This would mean potentially complex transition steps from old MX to IPV6 MX. One would want to preserve any IPV4 settings on an existing production MX after such an upgrade for IPV6, and that schema change requires careful planning and execution on Meraki's part.
Apr 13 2019
10:10 AM
1 Kudo
Unfortunately, it sounds like the issue is the design of the MX that is the complicating factor. The good news is that in the April Quarterly, they did not directly answer a question about IPV6, but they did say that they are working on it.
Apr 10 2019
7:49 AM
Assume for the time being that the public IP of the access point is 10.128.128.128. Also assume Client A gets the same 10.128.128.128. If we also assume the access point acts like a switch with NAT capability, there will be two entries in a MAC to IP table for 10.128.128.128. This should cause an IP conflict and traffic to that IP address may get dropped.
Apr 9 2019
7:38 PM
That is exactly what I am thinking, and I agree it is highly unlikely. Did Meraki test that? Great question! Going back to Murphy, I think I should avoid the issue until I can change the LAN to something not 10.x.x.x. The client can get by on a 172 address or even a 192 address. In the meantime I can use bridge mode, use Layer 2 isolation and block all access to the LAN in the firewall. Thanks to all who have chimed in! - Dave