Meraki

Nash · ‎Dec 16 2019

Which domain are the computers joined to, out of curiosity? Asking for my own edification. Is it the working one? Agreed that this isn't sounding like a Meraki issue, beyond the fact that the Meraki client VPN doesn't share DNS suffixes to connected clients automatically. Just DNS servers.

Nash · ‎Dec 13 2019

Add timespan to the end of the endpoint's URL. GET/networks/{networkId}/devices/{serial}/lldp_cdp?timespan=28800 or whatever timespan you prefer. If you haven't played with Postman, I'd get it and download the library from postman.meraki.com. It helps with understanding how the query parameters fit together.

Nash · ‎Dec 12 2019

I've changed addressing mode, vlan tagging, and added a vlan. I'm not seeing an API endpoint that addresses l2 LAN isolation on the MR firewall. The only MR firewall calls I see relate to the L3 firewall. I'm not seeing anything to modify the SSID availability... anyone else see something I'm not?

Nash · ‎Dec 12 2019

Essentially invisible trailing whitespace is the worst. I checked.

Nash · ‎Dec 12 2019

If you can get a /29, that's also nice for troubleshooting. Gives you spare IPs for connecting other equipment.

Nash · ‎Dec 12 2019

Okay, first up: Everyone is putting their account name, not domain.local\accountName, right? RADIUS just needs the account name. Second, the clients are testing from outside the work network? Hotspots can be used to test but they must ensure that the hotspot is not connected to the local wireless. Third, Windows 10? I've got scripts in my signature that setup a Win10 saved VPN connection better. There's comments that describe what each bit does. One script for large deployments; the other for help desks that handle multiple clients.

Nash · ‎Dec 11 2019

I would: Make a wish on the switch page, so it goes to the right team. Contact your account manager and see if they've got any details. See if @MeredithW can get someone to come give us the low down. 🙂

Nash · ‎Dec 11 2019

In addition to the above, I would recommend you setup a local syslog server if you want to be able to review that information on your own. It will at least allow you to review the logs up to the point at which the MX loses all local network connectivity. Of course, in a small office, that may not be feasible. 🙂

Nash · ‎Dec 10 2019

Nice idea! Aside from wishing we had an SSL client vpn: More DH groups for site to site tunnels under IKEv1. Let me set the encryption/hash settings for my client VPN myself. I don't care if they're preset packs so long as I've got an easy toggle with AES-something and a higher DH group... that Windows and Mac OS support. Let me toggle NAT-T on my site to site tunnels myself. Accurate CDP/LLDP neighbor info for MX on the dashboard! Change the colors on uplink status with WAN1 and WAN2, so it's no longer Lighter Blue and Darker Blue. This is hard to differentiate for everyone on my 4 person team, and at least two of us have good color acuity. I would like a puppy. Thank you.

Nash · ‎Dec 9 2019

If the current stack should be the core of your network, yes. Lower its priority value so that it will be designated as root. I highly recommend doing this during a maintenance window! Spanning tree will recalculate when you make this change, and this can cause network interruptions.

Nash · ‎Dec 9 2019

@Einstein wrote: So is RSTP not a concern, or having a root switch not a concern when configured as a stack? Now I have other questions... RSTP will treat your stack as a single switch. Assuming your switch stack should be root: If you have other switches in your environment, beyond your switch stack, then I would setup an identified root switch. If you might ever have other switches in your environment, I would setup an identified root switch.

Nash · ‎Dec 9 2019

Nah, you're fine. Meraki's different. An MX (by default) will automatically pass all traffic it receives from the inside to the outside, as PAT/1:Many. You can restrict that via the L7 and L3 firewall, content filter...

Nash · ‎Dec 6 2019

Honestly, I'd just do the large pcap off your WAN interface and crunch it in Wireshark. I find the filtering in Wireshark proper to be much more useful and predictable in behavior.

Nash · ‎Dec 6 2019

We told y'all not to drink grape juice on the light colored couch, but NOOOOOO somebody had to be the "before" character on an enzyme cleaner commercial.

Nash · ‎Dec 4 2019

Best practice for Systems Manager is to have a separate SM network within your organization.

Nash · ‎Dec 3 2019

Shoutout to unixtimestamp.com! I'd be doomed without it.

Nash · ‎Dec 3 2019

If at all possible, I would recommend getting a maint window for this, even if it's only 30-45 minutes for some leeway. I would anticipate some level of network disruption for a short period of time.

Nash · ‎Nov 27 2019

Ah, I see. It depends on your scenario. Is this an RMA-type situation, where the remote firewall is dead and you're replacing it with the same model? If so: Add replacement firewall to the network in a warm spare-type setup. Connect fw to internet, let it pull config, ship it off. Once it's in place, remove the faulty fw from the network.

Nash · ‎Nov 27 2019

Connect it to a wired access port in an environment with internet access and let it pull a config and update its firmware. If you have a static IP at the destination, make sure you setup the static IP on the MX before shipping it off. I'll double-check on the local status page usually, before boxing up for shipping.

Nash · ‎Nov 26 2019

Ah hah! So I don't actually have to worry about node.js right now, since I'm primarily doing sequential work right now. Yaaaaay!

Nash · ‎Nov 26 2019

Will admit, I prefer to use content filtering or a utility like Umbrella to handle this task. It's too easy to use a prepaid credit card to buy space on AWS and launch an attack from there. That said, I have some clients where our company policy is to block a heap of countries because we have poor political relationships with their governments.

Nash · ‎Nov 26 2019

@DexterLaBora This is a really good post. Have you considered doing it as a blog? I know we had the Open API launch announcement, but I think a breakdown of current Postman would be great. @Melissa You should make Dexter do some extra work!

Nash · ‎Nov 26 2019

@PhilipDAth is using NodeJs, if I recall correctly, and finds it faster than Python. I need to look into it to be honest. He makes it sound good! I've also seen people use PowerShell in Windows environments.

Nash · ‎Nov 25 2019

If you have a master list of countries you want to use, you can update it via API. Set it up on one MX the way you want, GET a copy, then put it to all the others. Do note that this will overwrite any other L7 rules you've got in place. So if you've got a set of rules that MX B needs, grab the list of countries from MX A and add it to the MX B return.

Nash · ‎Nov 25 2019

It's so kind of you to mention me! I'm glad to see you got a moment in the spotlight. I've noticed some really good, valuable posts from you lately. I followed that same "help desk to networker" path that you're currently on. The help desk experience is like a super power when you're trying to figure out if something is actually the endpoint, since you can more easily prove it to whomever owns handling endpoints.

About Nash

Nash

Nash King

Community Record

Badges