Meraki

Mloraditch

MAB with OWE will be useful! New feature UWB Asset Tracking – Support for Ultra-Wideband (UWB) asset tags (Cisco and 3rd party) Support for Ultra-Wideband (UWB) Enhanced Client Wayfinding - Enables UWB based asset tracking and live indoor wayfinding for smartphones, focusing exclusively on UWB ULTDOA (Ultra-Wideband Localization Time Difference of Arrival) Cisco Spaces Connect on Meraki – Enables APs to efficiently and securely transmit BLE data to the Spaces cloud. Support for OWE (Opportunistic Wireless Encryption) with MAB (MAC Authentication Bypass)- Extends MAC-based Access Control to support Opportunistic Wireless Encryption (OWE) Enhancement Enhancements to Ethernet over GRE tunneled SSIDs – Support for IPv4 client Isolation, DHCP Option 82 and IPv6 addressing. Bug fixes General stability, performance, and experience improvements.

Mloraditch

This should be dependent on the IdP. For example we use Entra and because of our conditional access policies basic applications tend to all work once I sign in once until the timeout, but things where stricter CA policies apply will require re-authentication. There are lot of variables here. For example I know DUO supports SSO where once you sign-in to the machine it should work on every app in the session. I would guess there are some caveats with that as well. This is really more a question for your IDP vendor than Meraki or TE.

Mloraditch

See here: https://documentation.meraki.com/Platform_Management/Dashboard_Administration/Troubleshooting_and_Support/Troubleshooting/Troubleshooting_Group_Policies#What_is_the_order_of_priority_for_Group_Policies.3F The quick answer is yes, but the one applied to the client will be the highest priority

Mloraditch

I'm unsure what model you are referring to as MR16s have been EOL since 2021: https://documentation.meraki.com/@api/deki/files/17019/meraki_eol_mr16.pdf?revision=1 and MR36s are not EOL. There are a number of APs that do EOL on the date mentioned. Mostly 802.11ac Wave 2 models. Regardless they should continue to work, but after that date there are no guarantees: https://meraki.cisco.com/meraki-support/policies/#product-end-of-life-eol-policy check that out.

Mloraditch

What you have will work. You can either have them native on any vlan but 50 with 50 specified in the ip settings like you have or you can make 50 the native vlan and then you leave the vlan field blank in the ip settings

Mloraditch

The management VLAN setting under switches is for Switches Only. APs management VLAN is specified either by the native vlan on the trunk OR by setting it in the IP Settings of the AP (works both static and DHCP). If the native vlan you provide the AP doesn't have DHCP it will try to source an IP from any other VLAN it can see. If you set a static IP in another VLAN once it gets online once it will get it's config and switch to the static IP. While I generally recommend APs have DHCP for management if you must use static IPs, I'd setup a small pool on the VLAN to allow new devices to get online and then get their static configuration. Failing that you can put them on a native VLAN that provides DHCP and then allow them to switch their management to your VLAN 50 once they download the config.

Mloraditch

are you saying the API doesn't show what the dashboard does or the dashboard (and thus the api) is not showing the info at all? Either issue is a support case, although at least with the latter you could do some packet captures to see if the info is being sent. If it's being sent and the dashboard is not displaying it, there's some sort of bug before the API is even involved. If the dashboard has it and the API doesn't, probably an API bug. Either way support probably has to diagnose it.

Mloraditch

Sorry for the location mixup, that's fascinating though that the taxes are different between the models.

Mloraditch

The equivalent models have the exact same MSRPs here in the US and the same discount programs apply so we are getting the exact same prices between 6e and 7. Is that not the same in the EU?

Mloraditch

For outdoor there is nothing newer than Wifi 6e, 9163s. While it is probably a smart bet that there will eventually be an outdoor 9173 model, I haven't heard anything on timing. For Indoor the models are equivalent 9162/9172, 9164/9174 and so forth. They are also equivalent on published pricing which should make your end customer pricing be the same once discounts have been applied by your AM/Partner If you need indoor with external antennas, 9174 has this option https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wireless-9174-series-access-points-ds.html and 9176 https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/wireless-9176-series-acc-point-ds.html does have a directional antenna option

Mloraditch

I would have your edge firewall and switches in one network and the concentrator by itself. The Edge Firewall and Switches can then use unique identifier tracking. Your concentrator would then track by IP address in it's network.

Mloraditch

Per the documentation, that info is not (yet?) exposed in the API. https://developer.cisco.com/meraki/api-v1/get-organization-inventory-devices/ There is a global Cisco API that provides this data: https://developer.cisco.com/docs/support-apis/eox/#introduction It works differently as far as authentication so read up, but it is an option. We use it as we have mixed environments.

Mloraditch

My understanding is authenticated scans use valid credentials to scan, so they only way that would work is if your scanner supports it. The scanner developer would have to build something that either scrapes the dashboard or uses the API. It could have secondary functions that check local status pages via those creds.

Mloraditch

As @alemabrahao states devices will only consume as much as necessary for current operation but may state they request more. However as far as overall allocation MS code handles that differently than the underlying IOS-XE on CS firmware. MS switches will happily provide power as long as the actual consumption is below the total available and allow the total requested to be over the max available. IOS-XE, however, budgets on the requested power which is different. An AP may request 60W but in most operations only use 20ish. MS looks at the 20W, IOS-XE looks at the 60. A 720W MS switch would allow 36 of those devices, an IOS-XE, 12. The blue box on this page calls this out: https://documentation.meraki.com/Switching/MS_-_Switches/Operate_and_Maintain/How-Tos/PoE_Support_on_MS_Switches While there are some ways to deal with this in native mode (manual poe budgeting), Im not sure you can do that in Meraki managed mode. Support may be able to do something on the backend.

Mloraditch

My understanding of SLAAC is if a client sees an RA packet and has IPv6 enabled it will assign itself an IP. You should be able to see what that is in a packet capture. It could be another device misconfigured on the network. That device would have to be reconfigured, taken offline, etc. The only reason I can see wireless clients only getting it would be if you bridge wireless to a separate VLAN than wired and the RA advertising device is only on that VLAN. I'm not aware and can't find any documentation that suggests IPv6 exists in NAT mode yet. (https://documentation.meraki.com/Wireless/Product_Information/Compatibility_and_Firmware/IPv6_Support_on_MR_Access_Points) Regardless the only way to completely prevent the clients using IPv6 is disabling it on the clients. Others may have better insight, we don't really use IPv6 in our environments so my experience is limited, but hopefully the above helps, but I do think the capture is the best bet, find the RA packet, get it's mac and hunt it down.

Mloraditch

I don't use it, but everything with Sentry is labeled as Systems Manager and by my understanding of how it works I would presume it's going away as well. I'd certainly start thinking about it and in the meantime reach out to your Meraki rep for clarification if no one pops in here to clarify.

Mloraditch

For AD the requests come locally from the APs: https://documentation.meraki.com/Wireless/Operate_and_Maintain/How_Tos/Splash_Page/Integrating_Active_Directory_with_Sign-On_Splash_Page_For_MR_Access_Points I would use AD over RADIUS (presuming you are using NPS or another non ISE solution) because I don't want my RADIUS server exposed to the internet, but I would also use the Entra integration @PhilipDAth linked over either of these.

Mloraditch

See this note: Note: RADIUS access request messages for a splash page will be sourced from the dashboard, not from the local Meraki devices. As such, the RADIUS server's private LAN IP address cannot be specified here. Located here: https://documentation.meraki.com/Platform_Management/Dashboard_Administration/Design_and_Configure/Configuration_Guides/Splash_Page_Configuration/Configuring_RADIUS_Authentication_with_a_Sign-on_Splash_Page LDAP will not have that oddity: https://documentation.meraki.com/Wireless/Operate_and_Maintain/How_Tos/Splash_Page/Configuring_Splash_Page_Authentication_with_an_LDAP_Server But it does use Secure LDAP over TLS, so if you don't have that configured properly, you may have issues. Packet captures and logs on your DC can help determine that or Meraki Support can help clarify as well if you aren't sure how to read the captures.

Mloraditch

All I know is I did a new install this week of an MS150 Stack running Layer 3 and tried to use 18.1.4 and ended up on 17.2.2 and destacked it before it appeared to all work. No idea if I hit new bugs or existing bugs, but support was not super helpful.

Mloraditch

Good Job Everyone!

Mloraditch

So are you saying your ISP only allows/provides 2 IPv6 addresses and sometimes your DMZ switch gets one of the two, preventing it from working on the MX? Can the ISP increase your IPv6 pool? The whole point of IPv6 was to provide more addresses and if I can still easily get a /29 of IPV4 space, you'd think you'd be able to get plenty of IPv6 space. I can't think of a way around that permanently as even if you setup the DMZ to be managed behind the MX it could still try to DHCP on any available vlan during a LAN outage and since you don't have IPv6 internally it's never going to have a valid IP and thus try on other vlans all the time.

Mloraditch

I would strongly urge you to use syslog for this. That’s what most siems use and at least IMO is sufficient for what you need therein. if you do want to use the API the article you pointed to lists the possibly relevant calls, if you have specific questions about specific calls we may be able to answer them. With regards to getnetworkevents you would use the starting after and ending before parameters to limit the time. You would have to track that in your app to be not overlapping when you call it. Im not sure what you mean by it referring to other calls. I don’t use it myself but the documentation examples don’t seem to indicate that: https://developer.cisco.com/meraki/api-v1/get-network-events/

Mloraditch

The only way you are going to be able to do this when not using the hub for all traffic is have the hub point it to something else, a secondary firewall generally and then have that devices public ip be the ip for the site to work. However, your website host should be able to allow multiple public ips to see the employee site. That may be onerous to maintain depending on how many sites and ISPs you have, but it's a solution that doesn't require new hardware and once setup, should be fairly simple to maintain.

Mloraditch

This is not infrequent as of late, recommend opening a case just to get the visibility up, in the meantime try hitting ctrl+f5 to force a full page reload, that sometimes helps, or if the page has new/old versions, switch that if you can see that link.

Mloraditch

This is backend, it can happen for multiple reasons (presuming a single delivery address, multiple addresses will always create multiple orders) 1) Ordering team (Disti if you are Tier 2) is placing multiple web orders in CCW 2) Ordering folks are placing order without the ship complete flag 3) Orders featuring multiple levels of MX licenses (i.e, a HW MX at SDW and VMX at SEC) will generate multiple license emails. May also effect advantage licensing, but we don't use that so i'm not sure. You can ask disti or if you are T1, your ordering team, to flag orders as ship complete and that should ensure you get everything at once if that's desired but you will not get things until the last item is available so check your lead times before asking. The partner can definitely get the emails. We get all of the emails. You just have to make sure whomever places the orders puts the right email in the reseller partner fields. We have a disti we use that goes to purchasing and actually have Exchange rules that forward only those emails (based on the subject formats) to our network engineers. If you have CCW access you can also access all this info from there. Your PSS admin can help with that possibly.

About Mloraditch

Mloraditch

Matthew Loraditch

Community Record

Badges