Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join nowAbout MartinLL
MartinLL
Building a reputation
Member since Dec 3, 2023
Online
Martin Lystad
Norway
Community Record
121
Posts
184
Kudos
17
Solutions
Badges
a week ago
4 Kudos
From a security and management perspective i would keep them separated. Otherwise it will not pose any issues having end users in the same vlan as APs and adding that subnet to the client list on the NPS server.
... View more
4 weeks ago
1 Kudo
Yes. https://community.cisco.com/t5/security-knowledge-base/ise-and-meraki-integration-for-the-sgt-policy/ta-p/4994519#toc-hId--771278621 You would need to use ANC on ISE and an external system that signals to ISE when a endpoint is not behaving correctly, then do an action based on that.
... View more
May 11 2025
10:07 AM
2 Kudos
Hey gang. I did some testing with switching, dynamic vlan assignment using ISE and SmartPort Automations. Here is the setup. MR44 MS120-24P MX68CW The MX is the default gateway for vlan 500 as well as the DHCP server. The switch is plain L2. The port uplinking to the AP is configured as a "dummy" access port. The SmartPort Automation assigns the interface as a trunk allowing all VLANs upon seeing an LLDP string. This works (sometimes... rant for another time). The AP has been configured with the 802.1x ssid wifi-test. This ssid is set to vlan override from ISE with a dummy VLAN set to default tag. Here is the strange part. I use VLAN profiles along with the "use vlan names in radius response " radio checked. Upon authentication this works as expected. The correct autz profile is returned, meraki adds the client in the correct VLAN and the client gets an IP address. But when i try to ping the default gateway the packets are lost. I did a PCAP on the switch port towards the AP and i can see the ARP mesages trying to resolve the gateway IP/MAC. But the MX sees nothing. To verify that i was not going crazy i disabled the Automation and configured the port manualy and it all started working as expected. The vlan profiles are network local. However i use SmartPort profiles and Automation on the organization level. Is there some known issues/limitations with pairing smart port Automation and Profiles along with VLAN profiles and named VLANs? Thanks for reading! Software level is latest stable release for all network devices.
... View more
May 10 2025
12:09 AM
I should have clearified that im looking for options to dynamicly assign the interfaces connecting to switches and APs as trunks, not access ports.
... View more
May 10 2025
12:08 AM
Its a hail mary. But i will try it out over the weekend. Thanks for the suggestion.
... View more
May 9 2025
11:06 AM
Hi folks, Im looking for options for dynamic port configuration for APs and switches. I have tried SmartPorts with SmartPort Automation, but it seems very unstable. I also get issues when i pair SmartPort Profiles with Named Vlans. Is there any feature allowing ISE to return an interface template name or maybe even a SmartPort profile as a part of a Radius response?
... View more
Mar 12 2025
2:04 AM
Thanks for the reply. You put me on the correct track! I got it working with the least privilege approach. These are the final permissions i ended on and seems to be the bare minimum. At least to get a full sync going. By adding these 2 as application permissions and not Delegated Permissions we dont need to add the Access Manager application with user impersonation permissions, which is a big pluss from a security perspective. ref: to this document. Some of the steps could be expanded upon a bit i think. Organization End Users - Cisco Meraki Documentation I am unsure if Directory.Read.All is necessary if we instead add Group.Read.All along with User.Read.All. Removing the Directory.Read.All permission would go a long way in boosting security posture. Also regarding licensing. Checked with a colleague who is quite learned in the ways of Azure. The Entra ID free tier should be enough for it to work, which is nice to know. I will do some more testing on my end with the bare minimum permissions and do a short writeup here when i get time 🙂
... View more
Mar 11 2025
12:46 PM
Hi Gang, I'm currently constructing a lab with Meraki AccessManager and EntraID. However after following the documentation for the setup i get the message "connection invalid". However i'm struggeling with figuring out what the issue could be. I see a note in the docs about EntraID lincesing, but it is very unclear on what the actuall requirement is. Currently im running the Free Tier option. Anyone had any issues/experiense with AccessManager and EntraID integration yet?
... View more
Feb 19 2025
8:11 AM
1 Kudo
You need to contact Meraki support so they can move you over to a shard that has this enabled. I recommend that you only do this for test orgs.
... View more
Feb 19 2025
8:08 AM
2 Kudos
You need to use SAML if you dont have any radius service like ISE that can forward your authentication to an MFA server. Read here. https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configuration
... View more
Feb 19 2025
8:06 AM
Most likely because the NAT gateway only serves Azure devices instanciated in the VNET where the NAT gateway is then. At this point, if it has to be in azure you must deploy an NVA. Azure firewall basic is not that bad price wise.
... View more
Feb 13 2025
2:02 PM
Hmm, what if you add the ip address of the 3. party site you wanna reach to the split tunnel config, then on the azure side you add an UDR to the vMX subnet that points the anyconnect ip pool back to the vMX? In theory that should work with the NAT gateway.
... View more
Feb 13 2025
4:50 AM
Dont use the vMX instance public ip. In fact i'm pretty sure that you cant. The vMX VM public IP is not something the vMX can NAT to, so you wont reach the internet that way. What i would do instead is to pin all traffic egressing the vMX towards Azure to an Azure Firewall or something. This way you can create DNAT/SNAT rules on the Azure Firewall, have your vendors whitelist the AZFW Public IP and reach it that way instead. look at my post history. I have explained this setup a few times. if you have more questions after reading my posts feel free to ask.
... View more
Feb 12 2025
10:20 AM
6 Kudos
Just passed the Implementing and Configuring Cisco Identity Services Engine Exam at Cisco Live. So for the remainder of the year ill definitely focus on putting some more ISEing on the Meraki Stacks i manage 🙂
... View more
Feb 10 2025
7:00 AM
2 Kudos
I ran into this exact issue when migrating a customer from Cisco Classic to Meraki SD-WAN. When i pre-staged the location all active Meraki sites wanting to reach that locations subnet got blackholed. To solve this you would need a way to dynamically advertise the routes. Azure Route Server as you mentioned can be used for SD-WAN. If possible i would try to ditch the non-meraki VPN tunnel and instead add a second Meraki vMX to the SD-WAN in Azure. Both vMX'es will be active, but the traffic flow is controlled with BGP. This way you dont need to re-program all your UDR's in Azure so that they point to the secondary vMX.
... View more
Nov 27 2024
11:58 PM
No not in production. But in theory it should be possible. Route all traffic from the vMX VNET to the AZFW, but create a few entries for the Meraki stuff that exits locally. Like the Dashboard IP ranges and VPN registrar.
... View more
Nov 4 2024
1:29 PM
3 Kudos
Sounds like traffic is still being blocked then. You can look at the live firewall logs on the MX. See if that gives you a clue into whats going on. https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Firewall_Logging
... View more
Nov 4 2024
1:21 PM
5 Kudos
Great job everyone! 💚
... View more
Nov 4 2024
4:04 AM
2 Kudos
That very much depends on your network needs, users, tunnels etc. Check out the Sizing tool, it will help you select the correct MX model 🙂 Meraki Sizing Tool
... View more
Nov 2 2024
9:25 AM
Try to create the query variable before you pass it in the requests function. Like this for example. params = {'networkID': '12345'} Then response = dashboard.organizations.getOrganizationDevices(params=params)
... View more
Nov 1 2024
4:00 AM
I belive you will find what you are looking for here. Meraki Licensing - License More Devices vs Renewal - Cisco Meraki Documentation
... View more
Oct 31 2024
1:13 PM
Try software upgrades or ease up on some advanced security settings if it is within your security policy to do so. If not the best option would be to upscale your MX to MX450. You can also try to reduce the amount of tunnels that terminate if its a vpn hub. You can do this by disabeling the active active tunnel on your spokes. Failover will be slow but you can conserve a good amount of system resources that way as well.
... View more
Oct 30 2024
2:46 PM
6 Kudos
No, Geo-Blocking applies to both directions. No way to only apply it inbound to my knowledge. https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings
... View more
Undestandable. Good luck to you!
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 1040 | Feb 10 2025 7:00 AM | |
| 802 | Oct 30 2024 2:46 PM | |
| 1511 | Oct 29 2024 11:23 AM | |
| 1395 | Oct 29 2024 5:24 AM | |
| 1312 | Oct 28 2024 6:25 AM | |
| 1996 | Oct 28 2024 5:36 AM | |
| 797 | Oct 25 2024 3:21 AM | |
| 1471 | Oct 23 2024 9:15 AM | |
| 1189 | Oct 17 2024 11:29 PM | |
| 1479 | Oct 17 2024 11:04 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 9 | 1122 | |
| 6 | 5885 | |
| 6 | 802 | |
| 6 | 1471 | |
| 6 | 4506 |
© 2025 Cisco Systems, Inc.
