Meraki

Flavio_Vieira · ‎Jun 11 2019

Thanks @kYutobi ! But do you know if it'll work in this topology that I've mentioned? As default to work with Client tracking by MAC MX should be L3...

Flavio_Vieira · ‎Jun 11 2019

Hello, I have some doubts about MX content filtering in this scenario: MX84 as firewall/internet edge with MS350 as L3 downstream with 5 Vlans Can I have the full functionality of Content Filtering feature in this case? I mean tracking clients by MAC? Or I'll still need to split my network and choose client tracking by IP? I think by MAC is the best way to go, Am I right?

Flavio_Vieira · ‎Jun 4 2019

Thank you @PhilipDAth For now I'll choose my guessing as solution because it'll take some till I can test this routes in HQ ASA. For those searching for solution to the same problem, have in mind that this case just worked because the overlapping subnet 10.24.0.0 was not in use on both sites, but just in one side. If you have same networks on both sites, a Non-Meraki VPN won't work in this case(at least this way) because it does not have the VPN translation active. VPN translation, which is the feature that solves the problem of same subnets on both sites, only works with AutoVPN which is Meraki-to-Meraki VPNs. If you need more info: https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

Flavio_Vieira · ‎Jun 3 2019

My huge problem is with subnets 172.16.0.0/12 and 172.24.0.0/16. 172.24.0.0/16 the subnet which MX is connected through the VPN(HQ) and from HQ we have another branch with the 172.16.0.0/12. In this other branch they have created the network 172.16.0.0/12, but they don't use the 172.24.0.0 network there. If I advertise the subnets from MX tunnel to HQ(on both ends vice-versa) this way: 172.16.0.0/13 172.24.0.0/16 172.25.0.0/16 172.26.0.0/15 172.28.0.0/14 I mean, excluding the overlap subnet from the 172.16.0.0/12, will it work?

Flavio_Vieira · ‎Jun 1 2019

Just found the issue: Overlapping subnets, with ASA in place I have no problem on working with these subnets. I need to have access to all of them over the VPN, how can I manage to fix that?

Flavio_Vieira · ‎May 31 2019

Thank you @PhilipDAth I just discovered that I can ping all subnets but one, I have 6 subnets advertised on VPN and just this one does not ping. I'm current at Branch and I don't have access to the HQ ASA, so I'll ask them just in last resort. As you can see I have a Core switch that gets my subnets routing With ASA in place, when I traceroute from a client below ASA I get these hops to the subnet that I'm unable to ping when Meraki is placed: 1 - 3ms - Gateway 2 - * 3 - 119ms - subnet in HQ Maybe it is something that I'm missing?

Flavio_Vieira · ‎May 30 2019

Hello, Need some help on accessing the subnets on the Non-Meraki S2S VPN peer. I already have up and running an IPsec tunnel between HQ and Branch(ASA to ASA), now the idea is to update our Branch ASA5510 to MX84. Just tested a VPN between MX84 and the HQ ASA and connects normally as I'm able to check over the " All Non-Meraki/Client VPN" event log. My work on replacing the ASA to MX was to mirror the conf in ASA to MX, advertising the subnets the way they were on ASA. The problem is that I'm not able to ping the HQ subnets from the MX. The only thing that I see suspicious is that in ASA I see several route as: route outside x.x.x.x(HQ subnet) 255.255.0.0 x.x.x.x(Branch MX WAN gateway) 10 I did configured a static route on MX, with HQ subnet pointing to MX local lan IP which does not go online on Route Table, tried too HQ subnet pointing to WAN gateway, but the MX does allow this stating that there's no subnet active as WAN subnet. What is the issue? Any help is appreciated

Flavio_Vieira · ‎Dec 5 2018

Imagine a bridge over a river, on one side you have 1000 people that need to cross it to the other side. If all of them cross it at the same time, it is possible, but it will take longer to cross due to room space and it will be a mess, giving chance for accidents. But you have a problem: there's injured people, eldery and children amongst them, what will you do in this case? Just create lanes on the bridge separating the injured, eldery and children so they can cross it calm and safely. The rest of people will cross it normally through its own lane.

Flavio_Vieira · ‎Jul 24 2018

Thanks man! I was suspicious about that too.

Flavio_Vieira · ‎Jul 24 2018

Hello, How's the compatibility for SD-WAN working with Meraki x Non-Meraki? We're planning to have a MX at the branch and some other vendor in HQ(maybe Versa's SD-WAN solution). Do you guys know if the SD-WAN capabilities will work between them? Does anyone implemented this scenario? I mean MX to any other vendor? Thanks!

Meraki

Community

About Flavio_Vieira

Flavio_Vieira

Community Record

Badges

Re: Content filtering by MAC with MS350 as L3

Content filtering by MAC with MS350 as L3

Re: Can't ping Non-Meraki S2S VPN peer subnets

Re: Can't ping Non-Meraki S2S VPN peer subnets

Re: Can't ping Non-Meraki S2S VPN peer subnets

Re: Can't ping Non-Meraki S2S VPN peer subnets

Can't ping Non-Meraki S2S VPN peer subnets

Re: Community Challenge: SD-WAN, Explained

Re: MX SD-WAN compatibility with other vendors

MX SD-WAN compatibility with other vendors

Re: Can't ping Non-Meraki S2S VPN peer subnets

Re: Can't ping Non-Meraki S2S VPN peer subnets

Re: Community Challenge: SD-WAN, Explained

Re: MX SD-WAN compatibility with other vendors