PentagonSystems

Member since Aug 15, 2017

Latest Contributions by PentagonSystems

Re: Spoke VPNs to have only specific VLANs visible to them

by PentagonSystems in Security / SD-WAN
02-27-2018 07:14 PM
@DCooper: Yes, I did get your suggestion and I do appreciate it. Unfortunately I think for my specific case it's not the right feature, but I definitely can see that being the preferred behavior. That should definitely be added in as an option checkbox. The reason it won't work for me is because I may actually want to have two spokes be able to communicate with each other potentially, but that part is still irrelevant to the real issue, which is that any route that I enable in the VPN is seen by all spokes, hubs, or any member of the organization. My issue isn't specifically that Spoke A can route to Spoke B, as much as Spoke A can see the resources that Hub A may want to provide only to Spoke B. Unless I have the ability to select what routes I share with each spoke individually, I have to do what I can to make the Meraki organization a 'black box'. I think architecturally I can hide these routes from everything in the office networks easily, and for any routers they may have, they will just have to create static routes and then use the firewall to block the access as you originally described. Although I'd much prefer to be able to designate the VPN routes that each spoke should see, I can manage without this.

Re: Spoke VPNs to have only specific VLANs visible to them

by PentagonSystems in Security / SD-WAN
02-26-2018 12:00 PM
Hi, did my diagram clarify any confusion? Do you have any suggestions, or if you understand my situation, could you please inquire with your engineering team on whether this is a feature request or something that is possible with the current stable firmware?

Re: Spoke VPNs to have only specific VLANs visible to them

by PentagonSystems in Security / SD-WAN
02-21-2018 10:13 AM
Hope this crude diagram helps. The general idea is that I want office 1 to only see the routes for what applies to office 1, e.g. not the office 2 network or the network where office 2's servers at the data center reside. With firewall rules I can prevent access, but their Meraki is still seeing the prefixes that they should not have access to and therefore creating routes. I don't want this to happen. To answer your questions, I am using NAT traversal. The spokes are operating in split tunnel mode. And yes, when I refer to 'in VPN' I am referring to the yes/no toggle for whether a subnet should be included in the site-to-site VPN.

Re: Spoke VPNs to have only specific VLANs visible to them

by PentagonSystems in Security / SD-WAN
02-21-2018 08:25 AM
Yes, firewall rules work as far as access restriction, but the issue there is that the routing table of the remote office has networks that are going to be inaccessible via the VPN. For example:

1. MX hub has VLANs 1 (192.168.1.0/24) and 2 (10.10.10.0/24) in VPN.
2. MX hub has a firewall rule restricting the MX spoke network (192.168.2.1) from VLAN 1 in VPN (192.168.1.0/24).
3. MX spoke sees VLANs 1 and 2 and adds them to its routing table.
4. Client wants to reach 192.168.1.10. The routing table directs him to the MX VPN, and then the FW blocks him.

This works and is how I'm doing it today, however here is the problem: suppose this remote office wants to use the 192.168.1.0/24 or a smaller subnet in that /24. Without static routes they cannot. It would be better if the MX hub never told them that the 192.168.1.0/24 network is routable through it, rather than advertising that it is and then blocking them.

That's the functional problem, but there's also a little security problem. Suppose I didn't want to give the users in the remote office any more information about the network than they need to know. The implementation with all the VLANs in VPN and firewall rules preventing it gives a remote office user the visibility of all the networks I'm using, which is going to include all of the other remote offices. You might say 'who cares, the FW prevents them from accessing it anyway', but I'd rather not give a bad actor any information about my network unless absolutely necessary.

Does that make more sense now? Let me know if not and I'll clarify further.

Spoke VPNs to have only specific VLANs visible to them

by PentagonSystems in Security / SD-WAN
02-21-2018 07:31 AM
Hello, I am not sure if this is a feature request, but the Meraki site-to-site VPN does not work the way I hoped it would. My architecture is to have several MX appliances acting as hubs across geographic regions. These hubs reside in our datacenters and I do want them to be able to communicate with each other with all VLANs that I configure. However, I have several MX appliances at remote office locations, which I am configuring as spokes. These spoke MXs should only have access to one or two of the VLANs that the hubs have. There doesn't appear to be any way to restrict what VLANs appear in a spoke VPN connection. Currently I am restricting the traffic using deny policies on the firewall, but this doesn't seem clean to me, because the remote offices are getting routes added to their network that will be blocked. I'd prefer the routes not be advertised to them at all.

Here's a depiction of how I would like this to work:

1. Hub 1: VLANs 1,2,3,4,5,6,7,8 in VPN
2. Hub 2: VLANs 1,2,3,4,5,6,7,8 in VPN (hub 1 and 2 can talk to each other on any VLAN)
3. Spoke 1: VLAN 3 only in VPN
4. Spoke 2: VLANs 4 and 5 in VPN

The easiest GUI implementation I can think of for this would be in the 'spoke' configuration page, where I would be able to configure what VLANs from the hubs I would accept. Perhaps a little better would be to have the VLAN delegation on the hub page, perhaps with a text box next to the 'use VPN' toggle where you can choose the devices to share with. The latter would be better if someone wanted to give RO rights to an admin at that remote office.

I'll 'make a wish' with this request, but if someone could point out how I could already do this with the existing MX functionality I'd appreciate it greatly.

Re: Site to Site VPN - two MX64s, two different organizations, cannot route...

by PentagonSystems in Security / SD-WAN
10-11-2017 06:15 AM
Thanks for the suggestions. I went over each setting that you suggested changing and it all looks correct. For this example everything used was default.

Re: Site to Site VPN - two MX64s, two different organizations, cannot route...

by PentagonSystems in Security / SD-WAN
10-11-2017 06:13 AM
Thanks for the reply, Philip. I have only the default firewall entry for VPN (allow any any). I have tried pinging hosts on either side to no avail. Unfortunately I can only power cycle the MX on my end, but I will try that. I also changed my setup from the default to a 'custom', changing Phase 1 to use AES 256, SHA1, DH group 5, and left Phase 2 defaults. Same result, it would seem.

Site to Site VPN - two MX64s, two different organizations, cannot route bet...

by PentagonSystems in Security / SD-WAN
10-10-2017 12:18 PM
Hi everyone, I'm a little puzzled. I set up an MX64 from my organization as an external peer to an MX64 in a customer's organization. Setup was simple, as I used the default settings. At first I configured only the private subnets that I wanted to route between the client and myself, but for testing I am now allowing all VLANs until I get the routing to work.

The connection on either side shows green in the dashboard's VPN status, but I cannot ping any of the MX IPs on either side. What appear to be the correct routes appear in the routing table on each device. For example, the client side has an MX IP of 10.1.1.1 for the VLAN I intend to route to, and mine is 10.2.2.1. These are not the real IPs, but for the sake of this discussion let's assume they are. When I try to ping 10.1.1.1 from 10.2.2.1, I get 100% packet loss. In the route table, I see the routes that I am advertising, with type being IPSEC Peer, and via being my public WAN IP. Vice versa for all of this on 10.2.2.1.

Does anyone have any thoughts? If this is a known bug, then let me know what build it is resolved in. My MX is running 13.24 currently, but I have also tried this before upgrading on 12.24. My client is on 12.24.

In my routing table …

Re: Prevent inter-VLAN routing on MX

by PentagonSystems in Security / SD-WAN
09-11-2017 09:09 PM
Update: it actually appears to prevent ping to a host on the 10.2.2.0/24 network (for example 10.2.2.10), but the gateway (MX) replies. This isn't ideal, but I understand why it's happening. Ideally I would like the MX to only reply with the address that is facing the host (for example 10.1.1.1 but not 10.2.2.1). I wouldn't even want a host I'm trying to isolate to be aware of how many VLANs my MX services, which I don't seem to be able to prevent. The only thing I can think of to close this gap is to configure the MX to not respond to ICMP at all for that VLAN. I suppose this will be fine unless some utility needs to do a status check on the gateway and uses ICMP. Does anyone have any other ideas?

Prevent inter-VLAN routing on MX

by PentagonSystems in Security / SD-WAN
09-11-2017 09:01 PM
I am trying to use an MX64 as the 'core' router on my lab network. I have 2 VLANs which are all /24s that follow the addressing 10.1.1.0/24 for VLAN 1, 10.2.2.0 for VLAN 2, for this example. I would expect to have to set up routing between 10.1.1.1 and 10.2.2.1, however the MX allows routing between VLANs by default. This in itself is not a problem, and I attribute it to the default layer 3 firewall rule to allow any any. Therefore, I created a policy to prevent 10.1.1.0/24 from routing to anything in the 10.0.0.0/8 private address space. This did not work, so I suspected that this may be in logical conflict because 10.1.1.0/24 itself is within the subnet mask of the rule; however, when I changed the rule to prevent 10.1.1.0/24 from routing to 10.2.2.0/24 specifically, I can still ping from any 10.1.1.0/24 machine to the gateway 10.2.2.1.

My rule is as follows:

policy = deny
proto = tcp
source = 10.1.1.0/24
src prt = any
destination = 10.2.2.0/24
dst prt = any
comment = no inter vlan

Can someone help me understand what I'm doing wrong?
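An added example, not part of this post and not Meraki's firewall implementation: a minimal first-match 5-tuple rule evaluator showing one thing worth checking when a deny rule seems not to fire. A rule restricted to proto tcp cannot match an ICMP echo request, so ping from 10.1.1.0/24 to 10.2.2.1 falls through to the default allow, while the same rule with proto any does match it. The rule fields and sample packets are constructed from the post above; whether traffic addressed to the appliance's own VLAN interface is subject to the layer 3 rules at all is a separate question that the later update in this thread touches on.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    policy: str            # "allow" or "deny"
    proto: str             # "any", "tcp", "udp" or "icmp"
    src: str               # CIDR or "any"
    src_port: str          # port number as text, or "any"
    dst: str               # CIDR or "any"
    dst_port: str          # port number as text, or "any"
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # ICMP carries no ports
    dst_port: Optional[int] = None


def _net_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_match(spec: str, port: Optional[int]) -> bool:
    if spec == "any":
        return True
    if port is None:                 # a specific port can never match a port-less protocol
        return False
    return int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All five fields must match; a proto of "tcp" only ever matches TCP packets."""
    return (rule.proto in ("any", pkt.proto)
            and _net_match(rule.src, pkt.src_ip)
            and _net_match(rule.dst, pkt.dst_ip)
            and _port_match(rule.src_port, pkt.src_port)
            and _port_match(rule.dst_port, pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> Tuple[str, str]:
    """First matching rule wins; otherwise fall back to the default (a trailing allow any any)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.policy, rule.comment
    return default, "default allow any any"


# Constructed from the post: the deny rule exactly as written (proto = tcp) ...
RULE_TCP_ONLY = Rule("deny", "tcp", "10.1.1.0/24", "any", "10.2.2.0/24", "any", "no inter vlan")
# ... and the same rule with proto = any (hypothetical corrected version, not from the post)
RULE_ANY_PROTO = Rule("deny", "any", "10.1.1.0/24", "any", "10.2.2.0/24", "any", "no inter vlan")

# Constructed sample traffic: a ping to the VLAN 2 gateway and an SSH attempt to a VLAN 2 host
PING_TO_GATEWAY = Packet("icmp", "10.1.1.50", "10.2.2.1")
SSH_TO_HOST = Packet("tcp", "10.1.1.50", "10.2.2.10", src_port=51000, dst_port=22)

if __name__ == "__main__":
    for label, rules in (("proto=tcp", [RULE_TCP_ONLY]), ("proto=any", [RULE_ANY_PROTO])):
        for pkt in (PING_TO_GATEWAY, SSH_TO_HOST):
            verdict, why = evaluate(rules, pkt)
            print(f"{label}: {pkt.proto} {pkt.src_ip} -> {pkt.dst_ip}: {verdict} ({why})")
```

With the rule as written, the ICMP packet is allowed by the default rule and the TCP packet is denied; widening proto to any denies both. The evaluator deliberately models only rule matching, not the appliance's handling of traffic to its own interfaces.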

MX-64 security flaw? Configuration settings are change alerts

by PentagonSystems in Security / SD-WAN
08-31-2017 11:49 AM
10 Kudos
Hi everyone, did anyone else notice that if your MX is set up to send alerts to administrators whenever configuration settings are changed, you can go into the alert settings (if you have the appropriate privileges), uncheck that setting, save the setting, make whatever changes you'd like, go back into alerts, check the setting again, save, and log out, and no alerts will be generated or sent? Sure, you can still see the changes made in the event log, but I would think that, at a minimum, admins would get an alert when the 'configuration settings are changed' setting is changed from checked to unchecked. Am I imagining things, or is this a security/audit concern?
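An added example, not part of this post and not Meraki's event log format: a compensating detection that a defender can run over an exported change log, since the post notes the event log still records the changes even when the alert is suppressed. It scans for the alert setting being switched off, collects every configuration change made before it is switched back on (or never switched back on), and reports those windows for review. The log line syntax and the sample lines are constructed for this example.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed line format for this example (NOT Meraki's real syntax):
#   "<ISO timestamp> <admin> <event text>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")

# Constructed event names; in a real export, map the product's own event strings here.
ALERT_OFF = "alert_setting_changed config_changed=off"
ALERT_ON = "alert_setting_changed config_changed=on"
CONFIG_CHANGE_PREFIX = "config_changed"


def find_silent_windows(lines: List[str]) -> List[Dict]:
    """Return one record per off->on window: who disabled it, when, and the changes made inside.

    A window that is never closed (alert still off at end of log) is returned with end=None,
    which is worth flagging on its own.
    """
    windows: List[Dict] = []
    current: Dict = None
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue                      # skip blank or malformed lines
        ts_text, admin, event = m.groups()
        ts = datetime.fromisoformat(ts_text)
        if event == ALERT_OFF:
            current = {"admin": admin, "start": ts, "end": None, "changes": []}
            windows.append(current)
        elif event == ALERT_ON and current is not None:
            current["end"] = ts
            current["closed_by"] = admin
            current = None
        elif current is not None and event.startswith(CONFIG_CHANGE_PREFIX):
            current["changes"].append((ts, admin, event))
    return windows


def windows_needing_review(lines: List[str]) -> List[Dict]:
    """Windows in which changes were made while alerting was off, or that were never closed."""
    return [w for w in find_silent_windows(lines) if w["changes"] or w["end"] is None]


# Constructed sample log: one normal change, then the off/change/change/on sequence the post describes.
SAMPLE_LOG = [
    "2017-08-31T11:00:00 alice config_changed firewall_rule_added",
    "2017-08-31T11:05:00 bob   alert_setting_changed config_changed=off",
    "2017-08-31T11:06:00 bob   config_changed vpn_subnet_added",
    "2017-08-31T11:07:00 bob   config_changed admin_added",
    "2017-08-31T11:08:00 bob   alert_setting_changed config_changed=on",
    "2017-08-31T11:30:00 alice config_changed vlan_added",
]

if __name__ == "__main__":
    for w in windows_needing_review(SAMPLE_LOG):
        print(f"alerting disabled by {w['admin']} at {w['start']} until {w['end']}:")
        for ts, admin, event in w["changes"]:
            print(f"    {ts} {admin} {event}")
```

The proper fix is for the platform to alert on the alert setting itself being changed; until then, running a scan like this over a periodic export of the event log gives an administrator a way to catch the sequence the post describes after the fact.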

Teleworker template - unique addressing for each site

by PentagonSystems in Security / SD-WAN
08-23-2017 09:17 AM
Hi everyone, TL;DR: how do I create a template for all Meraki Z1s in my organization that allows me to assign a specific /24 per device in the template?

I'm brand new to Meraki, and I'm trying to create a template that will allow me to use unique addressing for each teleworker gateway for identification purposes. Each Z1 will be a spoke connecting to my MX64 as a hub. I will have about 40 remote sites, and I would like to identify all sites with their own /24 within a /16; for example, 10.111.0.0/16 would be any Meraki device, and 10.111.1.0/24 would be teleworker #1's house. If I discover a device on the network that is 10.111.1.23, for example, I know that this device is at teleworker #1's network.

I'm having a problem, however, with creating the template. All devices in a template share the same local VLAN template. I don't understand how this will work, as I'm assigning the appliance IP in the dialogue, so wouldn't every device bound to the template have an IP conflict?