Community Record: 1550 Posts, 2319 Kudos, 208 Solutions
Apr 11 2022
8:25 AM
5 Kudos
Correct. The direct link shouldn't really be required as the heartbeats will propagate on all VLANs. In fact it can even limit the effectiveness of your failover.
Apr 11 2022
1:58 AM
1 Kudo
Congratulations everyone! And well done @MerryAki and @PaulF. Keep up the quality posts!
Apr 7 2022
3:46 PM
1 Kudo
As @cmr said, I've also never seen a rogue AP triangulated on a heat map. I don't think this feature exists.
Apr 6 2022
11:27 AM
It should be possible. https://support.apple.com/en-au/guide/deployment/depabc994b84/web Are you doing user or system auth via group policy? What do you see in the RADIUS logging when the Mac attempts to connect?
Apr 5 2022
6:20 PM
3 Kudos
As per the licensing FAQ: "...This means that you will no longer be able to configure or make changes to your Meraki network device, and your Meraki network product will no longer pass traffic." So at minimum no network traffic will pass through the device but I'd say it's likely the SSIDs will also stop beaconing.
Mar 30 2022
10:26 AM
12 Kudos
Yes! So ready to see some aesthetically pleasing cabling! Unfortunately I forgot to take a before shot but was pretty happy with this. (Featuring twist ties as I was out of Velcro strips)
Mar 8 2022
12:42 PM
@ww Beat me to it 😉 Exactly as said above, hub-spoke is the best design for what you're looking to achieve. For rules, depending on what you want to send over the site-to-site VPN, it may be easier to add allow rules and an explicit deny any any rule at the end.
Mar 7 2022
1:46 PM
As WW said, the error indicates that the IP address you're using for the gateway is actually the network address (the first address in the subnet). This is always a reserved and non-assignable IP address. A good way to verify this is by using a subnet calculator: IP Subnet Calculator
Mar 7 2022
1:41 PM
Congratulations everyone! 😃
Feb 16 2022
9:49 PM
By default the Meraki Client VPN establishes a full tunnel connection, meaning all of your network traffic from the client is tunnelled to the Meraki gateway. This would include web browsing and office resources. However, split tunnelling (where only internal traffic is routed across the VPN) can be configured on the client. Configuring Split Tunnel Client VPN - Cisco Meraki
Feb 8 2022
2:07 PM
2 Kudos
Congrats everyone! The top 4 killing it as always. Great thread @Troy360, it was a journey of a read. And nice post @ChrisMarriott! Additions like that really benefit the community 👍
169.254 addresses are present when the client is attempting to obtain an IP address from the DHCP server. Once the DHCP server has responded to the client's request, the 192.x IP address will be adopted. If wired clients are working but wireless clients are not, check the L3 firewall rules on the access point to make sure it can reach the DHCP server (wireless -> firewall & traffic shaping). Also ensure that the client is being placed into the correct VLAN upon connection and authentication. You can also perform a packet capture on the AP (Network -> Packet Capture) and add filters for DHCP to see if the client request is going through and whether the server response is seen coming back.
Feb 3 2022
2:40 AM
@DarrenOC Right, I think you're spot on. I thought I'd read somewhere that the warranty provided by Meraki license was also NBD but it appears I was wrong.
Feb 3 2022
2:36 AM
Hi @AjitKumar The document helps describe the difference between different service levels of Meraki Now. However, from what I understand, there would be no advantage to purchasing Meraki Now (8x5 NBD HW Only) as this is already included with the Meraki license purchase.
Feb 2 2022
9:13 PM
This is probably an easy one but I'm having trouble correlating the information I've been able to find on this. In being quoted for some Meraki gear, the partner has also included RMA ONLY NBD line items (Eg. CON-ROB-MR44HWRL) at extra cost. If I'm not mistaken, Meraki gear already comes with NBD RMA as part of the license cost. What extra service would this line item be providing and is it a requirement to purchase?
Feb 2 2022
2:48 PM
4 Kudos
I believe it can be done using an Azure site-to-site VPN and/or Meraki vMX appliance. The following blog (written by a Meraki engineer) provides some detail - Meraki MR 802.1X with Azure Active Directory – APICLI
1. Meraki switches should continue forwarding indefinitely if they lose cloud access (at least as long as the license allows).
2. That's a good question. I would assume it stays running until next time it becomes cloud connected but I've never tested this (I'd say very few people have). Might be a good question for your Meraki rep.
3. You can make some changes to switchport configuration and uplink configuration. It's primarily designed to be able to get the switch cloud connected again after a potentially incorrect configuration change - Using the Cisco Meraki Device Local Status Page - Cisco Meraki
4. Depends on what you mean... Meraki configuration that has been applied more than 30 minutes ago (and the device has not rebooted) is considered 'safe', which then has implications on what happens if it loses access to the cloud. Behavior during Connection Loss to Cisco Meraki Cloud - Cisco Meraki

In terms of backing up configuration, it's not exactly a requirement given all configuration is cloud managed but there's a few tools (paid and not paid) that enable this function - IFM - Backup Meraki Config to an offine file
Jan 30 2022
2:16 PM
1 Kudo
Submitted. Thanks MeredithW!
Jan 19 2022
1:59 PM
What @ww said is a great starting point. Just to add, you said you enabled ping any under Security -> Firewall. Was that under outbound rules or security appliance services? The setting under security appliance services is to allow remote IPs to ping the MX via the upstream WAN interface. It doesn't impact downstream. Traffic coming from downstream will adhere to L3 firewall rules and ACLs, so I suggest ensuring that they're set up correctly to allow ICMP.
Jan 18 2022
12:28 AM
2 Kudos
Congratulations everyone! And thanks for the warm welcome! 🙂
Jan 14 2022
3:00 AM
5 Kudos
Virtual stacking is essentially a feature for ease of management from the dashboard. The switches remain separate in terms of physical operation and network topology. Physical switching on the other hand is where two (or more) switches are physically connected to each other using the stack ports. They are managed and act as a single switch, providing benefits of redundancy and faster switching of packets between ports on two different stack members. Physical is only supported on certain switch models so make sure to check the Meraki MS Datasheet or the below linked stacking guide. Stacking Guide for reference: Switch Stacks - Cisco Meraki
Jan 13 2022
1:42 PM
6 Kudos
This might be what you're looking for: "The MX supports L2TP/IPsec Client VPN and AnyConnect VPN simultaneously." AnyConnect on the MX Appliance - Cisco Meraki
Dec 20 2021
1:07 PM
It depends on what you're looking for. If you're looking for clients, you can find them under Network-Wide -> Clients, and sort by "connected to". If you're looking to find LLDP information about connected devices from the MX's perspective, there's no way to find that in the GUI. However you can pull the information via the API. See the following thread. View LLDP or CDP information on MX device - The Meraki Community If you know it's connected to a Meraki switch and are just trying to identify which port, you can navigate to Switch -> Switch Ports and look at the table column CDP/LLDP for the MX (you might have to add the column using the spanner in the top right of the table). You can also use the search bar to filter on this.
Dec 13 2021
1:17 PM
Chances are you can configure just about all of this in the firewall on the MX250. Outbound rules can be set with the applicable source/destination subnets & ports to allow/deny. Or you can add an explicit deny all as the last configurable rule. The rest depends on your topology:
- Whether the static route is for a WAN port or LAN port or S2S VPN?
- Is your MX set up for NAT or No-NAT?

Is it common practice to deny all outbound connections in the firewall and only allow wanted outbound connections?

It really depends on your use case, traffic flows and security you're putting in place. For example blocking all outbound except for specific allowed rules is a common firewall technique. However for many SMBs it is too much overhead to implement and maintain the rules. Therefore the trade-off may be that they leave the allow any-any rule for an arguably less secure but easier to manage environment.
Dec 8 2021
9:03 PM
North-South will definitely require solid switches given all of your Management, VM Network and vMotion traffic will be going through it but the requirements for those should be exactly the same as any other server solution (HCI, traditional SAN etc). I can only see PFC being a requirement if you're using the same switches to push the storage traffic across, or presenting the storage directly to other hosts on the network. In that circumstance though, I'd probably just opt for physically separate switches. That said, these are all assumptions. The only HCI solution I've worked on (albeit very closely) is Cisco Hyperflex.