Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join nowAbout mrpackethead_
mrpackethead_
Getting noticed
Member since Sep 23, 2024
Online
Community Record
27
Posts
8
Kudos
0
Solutions
Badges
4 hours ago
2 Kudos
Some good ideas there Phillip. I have a very capable router ( 8500-12X ) and i could run ipsec vpns off there, however That router is right out on the edge and i dont' want to be sending unencrypted data to it. Putting the small appliance on the other end, unlikely to be able to happen. In some circumstances it would be a good idea. Running StrongSwan is an easy enough idea for me as well, I have spare capacity at the datacenter and can spin up some mroe virtual machines. I was thinking of creating additional interfaces on teh MX450's, but that does add some complexitys to the routing, that can be avoided with Strong Swan. I only have a small number of VPN's.. its and easy idea.
... View more
20 hours ago
Port forwarding works, and so does forwarding my traffic from the merkai vpn to my local servers and to up to cloud. ( connectiions off the router in the diagram ). The only thing i can't make work, is trying to get a vpn up to a non meraki vpn.
... View more
yesterday
2 Kudos
No the device is not in one armed mode. Yes, only one port ( Wan1 ) is connected. running in one armed mode, means that Port Forwarding, and several other important and useful features no longer available.
... View more
Friday
The ipsec tunnel needs to be created between my MX450 and the non meraki Peer, in someone elses network. The traffic of interest comes from the server shown in the diagram, going to the other server behind the non merkai peer. When i do a packet capture, i can see packets from the server arriving at the MX450. I can also see the remote-peer attempting to intiate the vpn. The MX however does nothign. Meraki support has told me that this wont' work, the inbound traffic needs to be on a differnet interface, OR the device needs to be in one armed/concentrator mode.
... View more
Friday
First as background, I have a meraki network, where i have multiple 'very' remote sites, where my sites are connected via Starlink, which means i do not get a fixed IP address, and the address i have is CGNAT. My remote sites are spokes, (mx68) and my hub ( mx450 ) is at a datacneter and we have public address space. I need to provide access to some devices remotely. The Hub is in routed mode. It is ONLY attached via a single internet port. I set up port forwarding, and everything works nicely.. as per the 1st drawing. In order to make this, work i had to put this in routed mode. Forwarding is not avaialbe in concentrator mode. Now the problem. I now want to be able to create some IPSec tunnels to a non meraki peer outside of the network, from a server in our datacenter. to another server. ( see diagram ). Routing is configured so that traffic for the remote network is fowarded to the MX450, and this was confirmed by doing a packet capture, and i can see the traffic arrive. I have set up the Non Meraki Peer, but when i send traffic, the mx450 does not attempt to stand up the vpn. I do not see any activity in the logs. I can see the remote-peer attempting to intiate the vpn, ( captured packets ). It does nothing to respond. I have to run this in routed mode, for the inbound port direct to to work (a) Is the problem with the vpn, becuase there is only one interface. Will an non meraki Ipsec vpn work, if the traffic being ecnrypted is arrviing on the same interface as the the ipsec tunnel is going outbound? (b) if this is the case, do I need to connect another interface between the Meraki, and my router. ( a so called internal interface?
... View more
4 weeks ago
"I have an MX450 located in a remote datacenter" Yes, that is the likely thing that will need to be done. It is remote enough that it requires some effort to get to, and I was hoping to do this from the keyboard.
... View more
4 weeks ago
I have an MX450 located in a remote datacenter, that was configured with a static IP address on its WAN, that i want to change to DHCP. This MX450 is NOT in production yet, so a hit on availability is not an issue. Last night, i connected to it, via the WebUI, and modifyed the uplink to dynamic and updated. I waited for about 5 minutes so that the device had actually changed. I then took the interface down, on the device this MX is attached to, and changed it to the new network which has DHCP, ( and its staticly mapped ). I brough the interface back up and then waited and wait and waited.. It did'tn request a new IP.. ( despite the network interface being bounced. ).. I reconfigued the network back to how it was, and the device repeared on its old static IP. I have never tryed to modify this remotely before, ( Only done it directly on the local mgt page ).. Is this possible?
... View more
a month ago
can that be done on a per hub <---> hub basis or is it a global config for everything. As it turns out, my 'head-end' hubs do already have connectivity between them. Its these small hubs for hooking two sites together directly that are the problem children.
... View more
a month ago
and not the only reason i can't set them up. 😞 I was wanting to avoid using the Auto-VPN features and try to use non Meraki Peers, in a way similar to the method in the link. The difference for me, is that the MX appliances would have been in the same org. The org recognizes that the route you try to use to, overlaps with a Network in the org. and 'computer says no. I can set one end up as an addtional hub. This does however start increasing the number of VPN tunnels that are running on the devices. In the case of MX68's ( which are the bulk of my networks ), the max number is 50. Is there a way to select which 'Hubs' a 'Hub' will connect to, rather than all of them? ( Configuring Site-to-site VPN between MX Appliances in Different Organizations - Cisco Meraki Documentation )
... View more
a month ago
AN interesting idea, however I could end up in a situation where i have a lot of hubs, and that woudl then mean, some of the little devices. ( such as Z4's and MX68s ) would end up with a LOT of VPN tunnels. With a coupel of sites, it woudl be ok, but it woudl rapidlly get unworkable, You'd have tunnels to hubs that you dont' need direct connections to. This is somethign that i probalby am keen to avoid. What I was thinking about was not using the AutoVPN features at all, and setting up Manual VPn tunnels, using IPsec ( non meraki peers, even though they are merakis ). I'd also, in many of these cases, keen to keep these routes out of the autovpn. These site to site networks could be things that are not the main 'corporate' network..
... View more
Apr 10 2025
6:06 PM
Hi.. I have a situation where I have ~200 networks connected back to 2 hubs.. It all works fine. I have some edge case situations where i want to connect, a few sites together directly, so the traffic does not flow via my hub... ( it means i'm carrign the data twice as much as i need to ). Complicating the matter is that some of my network locations are connected on CGNAT connections. Is this possible? Can i build a VPN Between them.
... View more
Mar 7 2025
12:59 AM
Im using the new generation dashboard, and its problematic
... View more
Mar 6 2025
10:34 AM
I missed the profile property after looking at this too many times. Any idea what an Iname is?? profile:
object
Profile attributes
id:
string
When enabled, the ID of the port profile used to override the port's configuration.
iname:
string
When enabled, the IName of the profile.
enabled:
boolean
When enabled, override this port's configuration with a port profile.
... View more
Mar 6 2025
1:48 AM
4 Kudos
So, i have figureed out how to create a switchPortProfile ( and delete it ). However, now i'm trying to figure out how you apply this profile to a port... Which api provides that? def switchPortProfile(api_key: str, request_type, action, PhysicalResourceId):
"""
Manage Network Level Switch port configurations. This is an early API
This does not attempt to verify the payload. That should be done earlier.
"""
headers = {
"Authorization": f"Bearer {api_key}",
"Content-Type": "application/json",
"Accept": "application/json"
}
network_id = action['Parameters']['networkId']
match request_type:
case "Create":
url = f"https://api.meraki.com/api/v1/networks/{network_id}/switch/ports/profiles"
response = requests.post(
url=url,
headers=headers,
json=action['Parameters']['policy']
)
response.raise_for_status() # Raise an exception for bad status codes
return {
'PhysicalResourceId': response['profileId'],
'Data': {
'accessPolicyNumber': response['accessPolicyNumber']
}
}
case "Update":
url = f"https://api.meraki.com/api/v1/networks/{network_id}/switch/ports/profiles/{PhysicalResourceId}"
response = requests.put(
url=url,
headers=headers,
json=action['Parameters']['policy']
)
response.raise_for_status() # Raise an exception for bad status codes
case "Delete":
url = f"https://api.meraki.com/api/v1/networks/{network_id}/switch/ports/profiles/{PhysicalResourceId}"
response = requests.delete(
url=url,
headers=headers
)
response.raise_for_status() # Raise an exception for bad status codes
... View more
Mar 6 2025
12:24 AM
Does anyone know of an alternative to the the standard meraki 'all networks' page that you see when you first log in? FIrstly it times out, but more annoyingly it does'tn display the info feild. Perhaps i could create something bespoke
... View more
Mar 6 2025
12:19 AM
are there undocumented 'features' in the api?
... View more
Mar 5 2025
12:36 AM
yes, have a solution for MS Switches, but MX is a bit differnet.
... View more
Mar 4 2025
12:41 PM
I am trying to configure MX Access Policies via the API and need to set the radius servers (MX Access Policies (802.1X) - Cisco Meraki Documentation) When you configure a port, I think you need to use the updateNetworkAppliancePort ( https://developer.cisco.com/meraki/api-v1/update-network-appliance-port/ ) This however does not provide any properties for the radius servers.. How do you set the radius servers.
... View more
Feb 25 2025
9:48 AM
It feels to me that the ability to control what actions an 'administrator' can perform in meraki is very 'chunky'. that is to say, You can't really control the scope of what a user does... For example, i want to allow some people to be able to just change the profile of an access port on a switch. So they can facilitate the installation of a device.. but I dont' want them to be able to change anything else. Without creating my own wrap around for this, it seems like you just cant' realy do this.
... View more
Feb 24 2025
11:05 PM
The 'why' is because of a bit of annoying technical debt. I have 802.1x auth Occuring, and they need to be be able to resolve the radius servers names. Unfortantly for a "bunch of reasons" there is some split dns, where the public dns wont' resolve to the correct address's. ( this is because the public dns is being used for some managment of the radius servers, turns out thats a bad idea, but thats how it is) "The MX and Z-series devices use the Appliance LAN IP of the highest-numbered VLAN that is included in the VPN as the source address to reach the RADIUS server located on the other side of the VPN tunnel. ". This suggests that even though this is coming from the 'managment' it will go over the VPN. But the DNS request for the radius servers is going to go out the wan.. I think i'm going to have to fix that split horizon dns. MX and Z-series Source IP for RADIUS Authentication - Cisco Meraki Documentation
... View more
Feb 23 2025
8:21 PM
Hi, Is it possible to make a MX device use internal DNS servers that are reachable over the Site to Site VPN? I easily make devices, ( AP's, Switches ) do this, as they get DNS via DHCP. Am i missing something very simple here/
... View more
Jan 13 2025
10:13 PM
Can i use a MA-CBL-TA-1M TwinAx cable to connect a MX450 to a Cisco 8500-12x? They are adjacent to each other in the rack so cable distance is not a problem.
... View more
Oct 25 2024
10:53 AM
As soon as i make the get network APi call, it seems that its ready, however from the result that the API provides theres no status field, that tells you if its ready or not. If i get a valid response from the get network api does this mean that it is ready? I've wrapped it in a try except, but as it turns out i'm not getting a failure.. If i go create nework, then claim device it always fails.. but create network, get network, claim device. well that works. It woudl be nice if there was a status property
... View more
Oct 18 2024
9:55 AM
I am creating a network and then attempting to claim devices for it.. ``` response = dashboard.organizations.createOrganizationNetwork( ORGANISATION_ID, props['NetworkName'], props['ProductTypes'], tags=props['Tags'], timeZone=props['TimeZone'], notes=props['Notes'] ) ``` The networks create ok, but I get an error ( "error: devices, updateDevice - 404 Not Found, please wait a minute if the key or org was just newly created." when i try to immediately claim devices... ``` dashboard.networks.claimNetworkDevices( props['NetworkId'], [props["Serial"]], ) ``` The error suggests that the creation of the network is async... And i need to wait untill its ready. How can i test to see if the network is in fact ready and can have devices added to it? If i run these calls manually and allow some time between them, it works.. I dont' really want to just build in an arbitory wait...
... View more
My Top Kudoed Posts
© 2025 Cisco Systems, Inc.
