The Meraki Community
About mat1458

Getting noticed

Member since Oct 23, 2018

‎03-26-2019
Kudos from
User | Count
BrechtSchamp | 2
PhilipDAth (Kind of a big deal) | 1
jdsilva | 2
Kudos given to
User | Count
NolanHerring | 2
PhilipDAth (Kind of a big deal) | 6
BrechtSchamp | 3
MacuserJim | 3
jdsilva | 1

Community Record

28 Posts | 5 Kudos | 0 Solutions

Badges

First 5 Posts
Lift-Off
Latest Contributions by mat1458

Re: 192.168.0.0/16: DHCP server on standby MX

by mat1458 in Security / SD-WAN
03-26-2019 08:11 AM
Hi
It took me some time to do the tests, however I was not able to replicate the situation. The DHCP scope 192.168.0.0/16 did not show up again after various factory resets. I must assume that the faulty device has already been used in a test setup previously and had an old configuration on it. Since the spare MX did not have a direct internet connection during my tests with the errors happening, it might have started to distribute IP addresses from its DHCP server.
This brings me to two other questions (tell me if I should ask them in a separate thread): what does a spare MX do in terms of packet forwarding on the LAN ports? Would an internal DHCP server on a spare MX be able to intercept DHCP packets and answer them?

Re: 192.168.0.0/16: DHCP server on standby MX

by mat1458 in Security / SD-WAN
03-18-2019 02:08 AM
Hi Nick
First the cabling was not ok, since the standby MX was only connected to the primary MX via LAN port and no working internet uplink was present. After correcting the cabling and rebooting the MX I did a factory reset on the attached switches so I assume that they had to redo the DHCP discovery. And since active and standby MX were up and running in the dashboard I assume that the standby MX had the correct config.
But I have to redo the setup to see if it behaves the same way again. Thanks for your support.
Cheers
Mat

Re: 192.168.0.0/16: DHCP server on standby MX

by mat1458 in Security / SD-WAN
03-18-2019 12:10 AM
Hi Philipp
thanks for the fast reply. Both MX were connected to the same Internet access box on the internet interface and both MXs were connected to both switches (all links up, at least what the LEDs said). The config in the dashboard for the MX ports was set to trunk/native VLAN1 in a template and therefore in the bound network as well. So I would say yes, same internet uplink and same Layer 2 domain.
Kind regards
Mat

192.168.0.0/16: DHCP server on standby MX

by mat1458 in Security / SD-WAN
03-17-2019 11:58 PM
Hi
We tried to bring up a site with two MX67C and two MS120. The MX's came up, however the switches remained down. After some troubleshooting we noticed that the switches have pulled IP addresses out of a range 192.168.0.0/16 from the standby MX (new, out of the box). The configuration in the Meraki dashboard previewed VLAN1 as untagged VLAN with a range of 192.168.128.0/24. Apparently the switches were not reachable and therefore not configurable. We solved the problem by blocking the DHCP server on the Standby MX.
All good, BUT: for me the question remains, how a standby MX can actively hand out DHCP addresses out of an unconfigured address range? A passive device should never be able to act as DHCP server in my opinion. The active MX should be the only active DHCP server.
Does anybody have more insight into this topic, since I have not found a detailed description on how this is designed to work.

Re: SSID in template

by mat1458 in Wireless LAN
02-25-2019 07:38 AM
1 Kudo
Thanks for the reply Nolan.
There is a possibility to prevent the access point from broadcasting the SSID in SSID availability, so 'kind of' a way to hide it. Then furthermore a WPA2 password and an IP filter can add to make the SSID unusable. But the easiest way would be to switch it off completely. The dashboard in my opinion is built for single organizations, but when cloning of a Template-Org comes into play, the requirements of each clone org might vary.

SSID in template

by mat1458 in Wireless LAN
02-25-2019 04:56 AM
Hi
I see that templates for APs require at least one SSID to be enabled. Is there any trick with which I could even deactivate this SSID in the template? The reason is that the template is part of a master organization that is cloned when a new customer is created. And since not every customer needs WLAN from the start it might be a cleaner way to not have any WLAN enabled initially.
I know, stupid question, but I might have overseen something.
Cheers
Mat

Re: Unique vs. Hub-and-Spoke

by mat1458 in Security / SD-WAN
01-23-2019 03:38 AM
1 Kudo
Thanks Philip
That explains everything clearly and my tests prove that you're right.
Cheers
Mat

Re: Multiple MX in different organizations

by mat1458 in Security / SD-WAN
01-23-2019 03:36 AM
1 Kudo
I did not yet know about the well-behaved part of the FW. But looking at it, it makes a lot of sense in terms of economizing ports.
Thanks for your endurance in answering my questions.
Mat

Re: Unique vs. Hub-and-Spoke

by mat1458 in Security / SD-WAN
01-22-2019 11:46 PM
Hi Philipp
I have done further tests and I still can generate IP address overlaps. Just to make sure that I understand the concept of overlap checking in Meraki: Are the checks made per network bound to the same template (in which I define the uniqueness) or are the checks made based on the entire organization (all networks bound to a template and the ones that are not bound to a template)?
Thanks for reading and supporting people.
Mat

Re: AutoVPN Hub and templates

by mat1458 in Security / SD-WAN
01-22-2019 11:36 PM
Let me rephrase my question: How does the Meraki Cloud populate the list for hubs in the Site-to-Site VPN configuration for spokes? In my opinion it makes a difference if a hub network is bound to a template or if it's not. I want to understand the reason why it is that way. I did not find any documentation that points this out.

Re: Multiple MX in different organizations

by mat1458 in Security / SD-WAN
01-21-2019 08:08 AM
Thanks Brecht for all the time you dedicate to my issue. The way I see it there must be a mechanism in the ISP FW NAPT process that re-uses previously assigned source ports for different IP addresses in the outgoing direction (which makes sense from an economical assignment point of view). This way the hole punching basically opens the same port on the public side for all outgoing UDP connections from the same inside source address.
That way the whole model can work.
Kind regards and many thanks again.
Mat

Re: Multiple MX in different organizations

by mat1458 in Security / SD-WAN
01-21-2019 06:04 AM
Hi Brecht
Thanks for the answer and sorry for the delay. I still have a question. The way I understand PAT (NAPT) it always consists of two tuples: one describing local SrcIP/SrcPort and the corresponding global SrcIP/SrcPort, the other one describing local DstIP/DstPort and the corresponding global DstIP/DstPort.
Now for the MX1 this would be something like local IP10.1.1.1/UDP40001 and global IP1.2.3.4/UDP40001 to local 64.62.142.12/UDP9350 and global 64.62.142.12/UDP9350. This in my opinion punches a hole for the connection between the two endpoint IP addresses. When having a second MX2 behind the same ISP firewall the situation would look like that: IP10.1.1.2/UDP40001 and global IP1.2.3.4/UDP40002 to local 64.62.142.12/UDP9350 and global 64.62.142.12/UDP9350. The UDP port for both MXs differs on the outside, but in my opinion only for the communication to 64.62.142.12/UDP9350.
When assuming that an access point tries to set up a connection to MX2 it sends a UDP packet to IP1.2.3.4/UDP40002. Since the public IP address of the access point is not known the packet is dropped at MX2's ISP FW. Now if the MX2 tries to open the communication to the AP: is there a rule for the ISP FW to use the same UDP port number (40002) to the different public IP address of the access point? Or is it just the way most of the NAPT devices work?
Sorry to bother you again but maybe you can help me understand the process more profoundly.
Kind regards
Mat

Re: AutoVPN Hub and templates

by mat1458 in Security / SD-WAN
01-17-2019 08:06 AM
@kYutobi: I do not find anything specific about AutoVPN Hubs in the document. Am I missing something there?

AutoVPN Hub and templates

by mat1458 in Security / SD-WAN
01-17-2019 07:27 AM
Can a hub site be in a network that is bound to a template? (i.e. a template for all hubs in the organization)
When I try to configure this the active MX in the sites never get selectable as hubs in the spoke configuration.

Re: Multiple MX in different organizations

by mat1458 in Security / SD-WAN
01-15-2019 06:16 AM
Hi Brecht
Thanks for your reply. But if I understand you correctly, the non-Meraki FW would change the port in your scenario. How can the Meraki VPN registry track the different outside port? In my opinion there is no direct relationship between the FW and the registry. So some messaging (error messages?) could be used for this update but I don't see any way, how to do this update.
In my opinion it could only work, if the VPN registry remarks the duplicate port numbers before it announces them and urges one of the data center MXs to change its source port and then re-announce it. Or Meraki relies on coincidence with the random function on the port range.
Cheers
Mat

Multiple MX in different organizations

by mat1458 in Security / SD-WAN
01-14-2019 11:47 PM
Hi
I want to have multiple MX of different organizations in a data center that hide behind a non-Meraki firewall. All MX are in the same subnet. The MX act as VPN concentrators for SSID tunnels to APs of multiple customers. If I have a look at the documentation on how the tunnels are invoked (https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_between_Cisco_Meraki_Peers) I see in the example that the SF-MX selects a UDP port for the tunnel source/destination dynamically. Is there a way to make sure that these ports do not overlap when I hide all data center MX behind the same IP address to the internet? Or in other words: what is the algorithm for an MX to choose a UDP port for VPNs?
Any ideas are welcome.
Cheers
Mat

Re: Unique vs. Hub-and-Spoke

by mat1458 in Security / SD-WAN
12-10-2018 01:41 AM
Hi Philipp
even though in some configuration situations I received error messages about overlapping IP subnets and I was not able to proceed, I was able to configure my network in a way to have overlapping IP subnets. This was the case when I added a spoke site that used the pool of IP subnets out of the template. I do not know why the tests work when trying to add a hub site with overlapping IP addresses but not in the case where a spoke site gets an IP address out of the pool. So I think that the best strategy is still to use non-overlapping address spaces for hub and spokes, but that was clear in the first place. Thanks for taking the time for replying to my (silly) questions.
Matthias

Unique vs. Hub-and-Spoke

by mat1458 in Security / SD-WAN
12-06-2018 05:52 AM
I have understood that for automatic address assignment in Site-to-Site VPN I have to use a template. With it each site gets its own IP addresses from a defined pool. For a hub and spoke network I need to configure the MXs as spokes. The hub site as I see it cannot be part of the template because of the selection of the type "Hub".
If I want to select an IP address for a VLAN on the hub out of a range in the template that is used in the spokes: does the dashboard track the used IP subnet so that it is never assigned to a spoke? Or do I have to assign IP addresses in a different IP address range? (reason for asking: FW rules would be easier in general if IP addresses for VLANs with the same purpose could reside in a common address range)

Re: Firmware Upgrade - general questions

by mat1458 in Full-Stack & Network-Wide
11-26-2018 07:04 AM
Hi Nolan
Thanks for giving me such precise answers to all of my questions, I really appreciate that very much! I have found the Org>Firmware Upgrade page and am already playing around a bit. I let the question in an unsolved state for a little moment, even though you have replied and solved almost all of my questions. Just in case somebody has some more info to share. I will however put it to solved shortly. Thanks again
Mat

Firmware Upgrade - general questions

by mat1458 in Full-Stack & Network-Wide
11-26-2018 05:49 AM
I am trying to understand how Meraki handles firmware updates. The documentation on some topics is quite clear, other stuff is a bit difficult to understand. That's why I want to ask a few questions:
- Is it true that all devices of the same type (MX, MS, etc.) bound to a network with a template upgrade their firmware at the same time?
- Is it true that firmware updates of all types of devices can only be delayed a certain amount of time but not suppressed totally?
- When trying to set the date of the firmware update to a date two weeks from now the dashboard tells me that the "Firmware upgrade date must be set in the future". Bug or feature? Or did I overlook something? In this case it concerns switch software ("New firmware is available for this network. However, an update is not scheduled.") The date correlates with the Upgrade window that is set above.
- The dashboard tells me "Upgrades may be staggered...". Is it true that this feature is in BETA? How do I access it?
- For the whole firmware upgrade process: is there any integration in the API planned/already implemented?
Any hint or reply is greatly appreciated.

Re: Monitoring One-armed concentrator

by mat1458 in Security / SD-WAN
11-21-2018 12:11 AM
Hi Philipp
That's where I expected to see them but it seems that this is for site-to-site AutoVPN type of connections to other MXs only. It seems that apart from the "Test Connectivity" button in the SSID configuration panel there is nothing to show that the connection is working. And the results of "Test connectivity" are not easy to interpret, especially failed ones.
But thanks anyway for your answer.
Mat

Re: PC behind Meraki MX84 could not communicate with DNS servers on other s...

by mat1458 in Security / SD-WAN
11-20-2018 09:00 AM
If the MX is the DHCP server the incomplete ARP is not likely to be the issue since the traffic is routed and ARP is only necessary for the default gateway IP address in the local VLAN. It looks to me as if something in the DHCP processing on the client side has gone wrong. Did you do an ipconfig /all (or whatever the OS of the client might need to display the IP config) to see if the DNS servers and the Default Gateway were present in the PC? If everything is/was ok, could/can you ping the DNS server? Are you able to ping devices in proximity to the DNS server?

SSID Tunneling and Tags

by mat1458 in Security / SD-WAN
11-20-2018 08:01 AM
In bridge mode Meraki allows to use VLAN IDs with tags. This gives the possibility to use templates and add the APs to the corresponding tags (and with that to the corresponding VLANs) afterwards. With SSID Tunneling to VPN Concentrator there is a possibility to use VLAN but only a single VLAN can be assigned.
I have the need to separate the sites/networks on the central VPN concentrator into one VLAN per site. With the existing configuration logic on the dashboard I have no possibility to do this in a template, resulting in a second network per site only for the access points.
I don't want to complain, please don't misunderstand me. But with the extension of the tag concept to the SSID tunnels I see a possibility to allow this configuration in templates as well. And in my opinion this would simplify the configuration overall.
Anyway, I can do what I need to do, so I'm happy. Consider my post a suggestion for future developments.

Monitoring One-armed concentrator

by mat1458 in Security / SD-WAN
11-20-2018 05:54 AM
Another basic question (after having brought up the one armed concentrator with SSID tunnels): Is there any possibility to see how many SSIDs/Access Points have active tunnels to an MX VPN concentrator? I did not find anything in the portal so far, maybe API?

Re: MX VPN Concentrator behind small MTU network

by mat1458 in Security / SD-WAN
11-14-2018 07:37 AM
1 Kudo
Thanks for the reply!
My Top Kudoed Posts
Subject | Kudos | Views
Re: SSID in template (Wireless LAN) | 1 | 2061
Re: Unique vs. Hub-and-Spoke (Security / SD-WAN) | 1 | 4061
Re: Multiple MX in different organizations (Security / SD-WAN) | 1 | 4258
Re: MX VPN Concentrator behind small MTU network (Security / SD-WAN) | 1 | 2163
Re: AutoVPN design question (Security / SD-WAN) | 1 | 1520
© 2023 Meraki