About Nash

Nash · ‎09-10-2020

@GreenMan wrote: Do you have a specific reason for running 15 (beta) firmware? Unless you're needing something specific that's only in the beta firmware, running with Stable or Stable RC will likely be more reliable. If there is a particular feature you're trying, it wouldn't be HTTPS Inspection, would it?https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/HTTPS_Inspection I too would be curious if you've enabled HTTPS Inspection. That's going to eat all the resources you've got and then some, compared to performance without it enabled.

Nash · ‎08-19-2020

Are you accessing the Azure resources via VPN? If so, use the IP of the highest numbered VLAN on your device. Fun tip - syslog will also use the highest numbered vlan on your device when syslog is sent over VPN to a collector.

Nash · ‎08-14-2020

@Uberseehandel Were you the one who'd done something like this before?

Nash · ‎08-07-2020

Haven't used it, but a quick read of https://github.com/wifiguru10/Meraki_MX_Converter makes it look like it could potentially do you some good.

Nash · ‎07-30-2020

Key error means the key doesn't necessarily exist. I'd recommend adding a variable with your dict.keys() so you're not running dict.keys() repeatedly, then checking if the key exists before you do something with it. keys = curr_clients[k].keys() if 'os' in keys: # Do something with curr_clients[k]['os'] here Or you could do something like a try/except block, but I usually end up doing the "if 'key name' in keys" thing for Reasons.

Nash · ‎07-22-2020

JSONLint, for all your validating needs.

Nash · ‎07-20-2020

I believe both v0 and v1 only allow us to modify organization-level administers, from a straight API point of view. If SAML SSO is an option for you, you can create/read/update/delete SAML roles via API once you have it setup.

Nash · ‎07-20-2020

I strongly recommend using NPS or another RADIUS server instead of using the Active Directory sync for client VPN. NPS is especially easy if you've already got an AD environment. You tell RADIUS which group gets access to the VPN, then you're off to the races. If your users already belong to groups (such as IT, Accounting, HR...), then add those groups to your VPN users group. It's easier to maintain in the long run versus adding individual users. If you don't use RADIUS, you have to modify your AD groups so your ldap admin only has read permissions on groups containing your authorized users. This is annoying and I do not recommend it.

Nash · ‎07-20-2020

"SOMETHING HAS CHANGED" was my first thought when the page loaded, honestly. I'm glad it was on purpose! It looks nice.

Nash · ‎07-20-2020

@Johan_Oosterwaa wrote: Yes you can 😉 As i have done this many time In that case, are you sure your JSON is well-formed? Also, are VLANs enabled on your network? I feel like I ran into mystery failures on non-templated MX networks, and the ultimate problem was that VLANs were not enabled. No enabled VLANs, no access to the VLAN calls. Might have changed though.

Nash · ‎07-20-2020

@Edgar-VO wrote: I am pretty sure you cannot change the IP addresses when a site is bound to a template.... There for you need to unbind, but then you loose a lot of details of the site,... Also wondering why you make your own definitions within python, simply use the meraki API and not use your own requests REST API calls and live is much easier. "Easier" is a matter of opinion. I use Python and the requests module because I use the requests module with REST APIs from multiple vendors, and it's a standard method. SDKs all have their own quirks.

Nash · ‎07-18-2020

Seconding Philip's recommendation to reach out to a Cisco/Meraki partner for more detailed environment planning. Once you get into the fine details, you get what you pay for.

Nash · ‎07-18-2020

I strongly recommend Philip's generator. Otherwise, you can use a PowerShell script in Win10 to add the routes you need. I've got a (no longer maintained but valid) script in my signature line that you can steal commands from.

Nash · ‎07-18-2020

Has this firewall ever connected successfully? Such as when connected to your existing network, which presumably has a valid uplink, as opposed to the ISP modem directly? If it's connected before: Have you called your ISP? I'd set the WAN1 uplink back to what the config should be, with everything set auto-auto. Does the ISP see traffic coming from your firewall's mac address?

Nash · ‎07-18-2020

So your MX are all bound to a template that includes the vlan setup, but you want to override that part of the template? Pretty sure you can't: https://documentation.meraki.com/zGeneral_Administration/Templates_and_Config_Sync/Managing_Multiple_Networks_with_Configuration_Templates#MX_-_Template_VLAN_IP_Address_Range_Allocations https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MX_Security_and_SD-WAN/MX_Templates_Best_Practices Specifically: "If unique is chosen, each network bound to the template will get a unique subnet based on the configured options. The MX does not support local VLAN overrides on templates." So you're getting a 400 Bad Request response because you're asking it to do something that you're not allowed to do, b/c the network is using a template that includes vlan setup. By the way, I strongly encourage you to look into the available exceptions for the requests module instead of passing all errors the way you are. Unless you are deliberately passing a generic error and aren't concerned about why an attempt at a particular request failed.

Nash · ‎07-10-2020

Congratulations! Glad to see you both join the club. You've been everywhere.

Nash · ‎07-08-2020

100% bait and switch title! 🙂 But a clever solution to trying to integrate a new friend. I hope your buns decide to be chill with each other and can romp around your home together soon.

Nash · ‎07-05-2020

Where does internet traffic exit in this configuration? Is all internet traffic being funneled back to that MX450, or does each site's internet access split off locally instead of going through the VPN tunnel? Also, are you using AutoVPN here or regular IPSEC tunnels?

Nash · ‎07-05-2020

@bxdobs wrote: Please Disregard my previous posting ... tried another machine which had exactly the same results with W10 Pro 64b Turns out in this case the 691 error was CORRECT ... there may be an issue with the Meraki Dashboard used from the latest Firefox browser ... I explicitly CHANGED the PW for the VPN User to something simple as a temporary test ... this temporary password apparently wasn't accepted by the dashboard ... don't recollect seeing any error message when I pressed the change button so will take a closer look at this as a possible issue Anyway I have now put back the original PW and reset all users ... all working now I've caught myself before by thinking I've hit save when I haven't, when the save button is all the way at the bottom of the web page. I feel your pain.

Nash · ‎07-02-2020

@Network-dad wrote: @SoCalRacer wrote: @Network-dad wrote: For just an small non Meraki in room AP I travel with one of these https://amzn.to/3glwRuC For a Meraki solution I travel with a Z3 https://meraki.cisco.com/product/security-sd-wan/teleworker/z3/ Pretty much my exact recommendation, also my preferred device is Z3C for travel since I use the T-Mobile SIM in it all the time. Screw Marriott Wifi! I usually bring a chromecast device and then I can stream pretty much anything I want and not be on the hotel wifi and I get wired access if needed. Only downside is TSA looks at you kind of funny. (#Small Flex) Flying corporate don't have to deal with TSA... 😁 Yeah but how much time do you spend on that plane... 🤣

Nash · ‎07-02-2020

Hey @Uberseehandel do you still travel with that Z3? I know you were doing it more to avoid an issue between a non-Meraki security appliance and the client VPN, but that's got wifi and a few ethernet ports. Won't fix problems with your host's uplink, @RumorConsumer, but it might be another consideration.

Nash · ‎06-30-2020

On the dangers of IoT and fish front. If you can, I'd put those cameras on a separate subnet with some firewall rules, in addition to patching the heck out of em.

Nash · ‎06-30-2020

I have the old CCNA R&S and CCNA Security, from before the recent round of changes. I'm working on devnet associate right now. You don't have to get a CCNA first. Take a look at the plans for the CCNP Enterprise and see where you are on those topics. If you think you can knock it out, you can skip the new CCNA and go straight to ENCOR and something like ENARSI. If you want to do wireless, get a CWNA. If you want to do security, get a CISSP to make HR happy. I know you've got the years of experience necessary.

Nash · ‎06-30-2020

I mean you'll have to read the (heckin) manual for part of this, because that's how we API, but: You want to know number of devices that have associated to the wireless network in a given span of time? I use Python so this is going to be Python-y. If you need to know on a per AP basis, you could: Pull a list of APs (Pull on a per org or per network basis; check model[0:2] in Python to see if it's an MR) Pull a list of clients per AP Drop it in a spreadsheet using something like openpyxl If you need it on a per-network basis: Pull network clients Check the SSID field for a value OTHER THAN null Drop list of clients into a spreadsheet using something like openpyxl. Then just run this as a cronjob someplace, or do it on demand via CLI or a Flask app, and there you go. If you have a bunch of networks, get fancy, make a table of contents, and do one tab per network in openpyxl. I need to refactor it badly, but I've got an example here that I threw together for a per org device inventory. Caveat: I use kludges because I run into networks with a bunch of APs that aren't placed on a map and I am unable to place on a map accurately, so heatmap is not... so useful for me. You don't want to be me, maybe.

Nash · ‎06-25-2020

Turn off "Send All Traffic" with the slider button? You can verify traffic routing properly by using something like the iNetTools app, which gives you a proper traceroute, or just comparing a google search for "whats my ip" before and after you connect to the VPN.

Nash

Nash King

Community Record

Badges