About Brash

Brash · ‎02-20-2022

A few points of confusion here. The Merak MX67W doesn't have an internal cellular modem, so it makes sense that an external cellular modem would be required between the antenna and the MX. The MX67C does have an internal cellular modem, however external antenna are only supported on the RP-SMA connector, not directly over RJ-45. Also, only the Meraki external antenna (MA-ANT-MX) are officially supported. MX67 datasheet for reference: MX67 and MX68 Datasheet - Cisco Meraki

Brash · ‎02-16-2022

By default the Meraki Client VPN establishes a full tunnel connection, meaning all of your network traffic from the client is tunnelled to the Meraki gateway. This would include web browsing and office resources. However, split tunnelling (where only internal traffic is routed across the VPN) can be configured on the client. Configuring Split Tunnel Client VPN - Cisco Meraki

Brash · ‎02-16-2022

I think the simplest way to do this is to enable " Assign group policies by device type" in the SSID settings. You can then assign android and iphone devices to be blocked while allowing other device types access.

Brash · ‎02-09-2022

I can't quite speak from experience here but I think there's less concern around which AP's to use (assuming they're outdoor suitable) and more about the antennae choice and placement. You might also have to perform some testing and tuning with power settings to ensure coverage whilst also having a decent data rate.

Brash · ‎02-09-2022

There's quite a few ways you could do this. A lot of it comes down to design choices. Eg. - Will the VM's and ESXi management use the same physical port on the server? - Will the VM's be on the same subnet and VLAN as ESXi Management or different? Assuming your ESXi host and VM traffic will exit the same physical server port onto Meraki switch port 5, you can: - Configure Meraki port 5 as a trunk with Native VLAN 10, or Access VLAN 10 - Leave the VM traffic untagged in ESXi Or if you'd prefer to tag on ESXi, you can: - Configure Meraki port 5 as a trunk port with native vlan 1 - Configure ESXi management to use VLAN 10 - Configure your VM's to use VLAN 10 within ESXi These are just a couple of ways you can configure the devices to have both ESXi and the VM's on VLAN 10 and receiving IP addresses, assuming that's what you're trying to do.

Brash · ‎02-09-2022

I'm not quite sure where the VM's fit into your network. But generally speaking, any VM on VLAN 10 will receive an IP from the DHCP server via the relay you setup. VM's on VLAN 1 will receive an IP directly from the DHCP server. VM's on other VLAN's will not receive an IP lease and you will need to configure a DHCP relay for that VLAN somewhere in the network.

Brash · ‎02-09-2022

I don't know if it's applicable to Comcast, but check your ISP doesn't do Carrier Grade NAT (CG-NAT). That will prevent you from initiating inbound connections. If you're manual port forwarding for your site-to-site, double check there's no port overlaps. Site-to-site and Client VPN Port Overlap with Manual port Forwarding rules - Cisco Meraki

Brash · ‎02-08-2022

For me, it's not an absolute must but definitely a feature that would be nice to have.

Brash · ‎02-08-2022

The Meraki appliance will communicate with the cloud with a destination port of TCP 443. However the source port will be dynamic (in the >50000 range). The Meraki cloud will not send any traffic inbound towards to MX on port 443. As verification, If you navigate to "Help" -> "Firewall Info" in the Meraki console, you'll see that the firewall rules required on port 443 are all outbound from the MX, not inbound.

Brash · ‎02-08-2022

Congrats everyone! The top 4 killing it as always. Great thread @Troy360, it was a journey of a read. And nice post @ChrisMarriott! Additions like that really benefit the community 👍

Brash · ‎02-08-2022

Yeah, that one got us too. The Windows 10 Jan 2022 update broke L2TP VPN connectivity. Thanksfully MS released an out-of-band update to fix it soon-after.

Brash · ‎02-07-2022

169.254 addresses are present when the client is attempting to obtain an IP address from the DHCP server. Once the DHCP server has responded to the client's request, the 192.x IP address will be adopted. If wired clients are working but wireless clients are not, check the L3 firewall rules on the access point to make sure it can reach the DHCP server (wireless -> firewall & traffic shaping). Also ensure that the client is being placed into the correct VLAN upon connection and authentication. You can also perform a packet capture on the AP (Network -> Packet Capture) and add filters for DHCP to see if the client request is going through and whether the server response is seen coming back.

Brash · ‎02-06-2022

If the AP's are connected to Meraki switches, you can go to the switch's network and you should see them as clients with an OS type of Meraki even if the AP's themselves aren't added to the network. If you have a small number of networks, that's a quick and easy way to find them. The below image is of an AP (unclaimed and not in a network) that I briefly had connected to a Meraki switch. Depending on the scope, you could create a dummy network and add them all into it and note which are online. However depending on your licensing, it may push you into grace period for that time. Otherwise if you have all of the MAC addresses and a relatively small or flat network, you can try tracking them through the network.

Brash · ‎02-06-2022

You can definitely pull all claimed devices from Organization -> Inventory. However, there's no way to differentiate online vs. offline.

Brash · ‎02-03-2022

@DarrenOC Right, I think you're spot on. I thought I'd read somewhere that the warranty provided by Meraki license was also NBD but it appears I was wrong.

Brash · ‎02-03-2022

Hi @AjitKumar The document helps describe the difference between different service levels of Meraki Now. However, from what I understand, there would be no advantage to purchasing Meraki Now (8x5 NBD HW Only) as this is already included with the Meraki license purchase.

Brash · ‎02-02-2022

This is probably an easy one but I'm having trouble correlating the information I've been able to find on this. In being quoted for some Meraki gear, the partner has also included RMA ONLY NBD line items (Eg. CON-ROB-MR44HWRL) at extra cost. If I'm not mistaken, Meraki gear already comes with NBD RMA as part of the license cost. What extra service would this line item be providing and is it a requirement to purchase?

Brash · ‎02-02-2022

I believe it can be done using an Azure site-to-site VPN and/or Meraki vMX appliance. The following blog (written by a Meraki engineer) provides some detail - Meraki MR 802.1X with Azure Active Directory – APICLI

Brash · ‎02-02-2022

1. Meraki switches should continue forwarding indefinitely if they lose cloud access (at least as long as the license allows) 2. That's a good question. I would assume it stays running until next time it becomes cloud connected but I've never tested this (I'd say very few people have). Might be a good question for your Meraki rep. 3. You can make some changes to switchport configuration and uplink configuration. It's primarily designed is to be able to get the switch cloud connected again after a potentially incorrect configuration change - Using the Cisco Meraki Device Local Status Page - Cisco Meraki 4. Depends on what you mean... Meraki configuration that has been applied more that 30 minutes ago (and the device has not rebooted) is considered 'safe', which then has implications on what happens if it loses access to the cloud. Behavior during Connection Loss to Cisco Meraki Cloud - Cisco Meraki In terms of backing up configuration, it's not exactly a requirement given all configuration is cloud managed but there's a few tools (paid and not paid) that enable this function - IFM - Backup Meraki Config to an offine file

Brash · ‎01-31-2022

This should be relatively simple. You can easily create a new subnet, VLAN and SSID alongside the old one to configure, test etc. Then for cutting over users, you can either have them manually connect to the new SSID, or use GPO or an MDM software (Meraki Systems Manager, Intune etc.) to configure the new SSID on each machine. I would transition some key test users over to the new SSID first and make sure it's all working, and once you're happy with it, push out the network settings to all computers and turn off the old SSID. The approach will probably depend on the number of users on the network, its importance to the business and whether all connected devices are managed or not.

Brash · ‎01-30-2022

Submitted. Thanks MeredithW!

Brash · ‎01-24-2022

I've never tested this in the wild on Meraki gear but your logic is sound. I don't see why this wouldn't work. Also depending on switch model, you could also use a dynamic routing protocol instead of static routes.

Brash · ‎01-19-2022

So Good! Didn't realise you can run it dual stack. I'm super excited aye!

Brash · ‎01-19-2022

The DNS bad or misconfigured alert can sometimes be a bit of a red herring. I've noticed it can appear when there's drops somewhere between the device and the DNS, just enough that it misses enough DNS replies to raise the alert. Is there any correlation between the AP's that flag the alert and where they're connected to - common switch or network path?

Brash · ‎01-19-2022

What @ww said is a great starting point. Just to add, you said you enabled ping any under Security -> Firewall. Was that under outbound rules or security appliance services? The setting under security appliance services is to allow remote IP's to ping the MX via the upstream WAN interface. It doesn't impact downstream. Traffic coming from downstream will adhere to L3 firewall rules and ACL's, so I suggest ensuring that they're setup correctly to allow ICMP.

Brash

Community Record

Badges