Community Record: 1540 Posts, 1656 Kudos, 113 Solutions
Sep 30 2024 12:04 PM
Make sure you actually use the native VLAN on the port going to the MX. If you double downlink the MX to a switch, or to multiple switches in a stack or not, it is of vital importance to NOT USE THE DROP UNTAGGED TRAFFIC!! Since the MX does not know spanning-tree it will see incoming spanning-tree BPDUs as regular untagged traffic and drop them, which means the second port that is connected will not see any incoming BPDUs and will not block a port, causing a high risk of traffic looping around those ports. I personally use the switch management VLAN as native between the MX and the MS. I'm hoping in the near future the MX will be able to form 802.3ad port-channels, causing this whole potential problem to go away and easing the uplinking to MX appliances. So for the moment just use simple trunk links with switch management as native VLAN and don't forget to tag the management VLAN on each of those ports.
So may I assume, green is ISP 1 and blue is ISP 2? Each MX can only have 1 WAN cable per WAN, you can't use the LAN ports as WAN ports. In that case it is quite easy. If the primary MX goes down, the spare takes over due to missing VRRP messages, and since ISP 1 is still configured as primary WAN, the spare MX will use the diagonal green link towards the upper switch to reach ISP 1.
Sep 27 2024 11:32 AM
It is best to look at the idle/max of the MS210-24 or 48 to see the actual min/max values of the switch itself without any PoE added to it. So that would equate to a max of 24W on a 24 port version and 42W on a 48 port switch. The other switches then add more power overhead due to the use of PoE on the ports. And since you can have up to 370W of PoE+ power on the 24P and the 48LP, but the total wattage is higher than the 370W + 24 or 42W, you still have some extra overhead from the PoE distribution. So each switch has some basic operation wattage for its CPU, CAM/TCAM, RAM, and then some power to maintain each port's Ethernet connection to the end host. That's why the 48 port has a higher max power without PoE figures. So it all depends how many devices are plugged in.
Sep 27 2024 11:26 AM (2 Kudos)
If you didn't install the switches yourself you should visually check if the switches have the stacking adapters installed. The distributor where we buy the switches for our customers always uses the spare part version of the SKU for modules and adapters. So we always get the switches without the modules installed and have to screw them in ourselves. They have these really long bolts and it's fun wrecking your wrist if you don't have an electric screwdriver on hand 😉
Sep 27 2024 4:35 AM
Usually data centers via routers are connected on the LAN side of the MX, so you can have a simple static route that points to the router to reach the data center. In that case you can easily use the DHCP relay. Or go the AutoVPN route. Traffic that goes out the WAN port is usually NAT'ed, so that would explain why you can't relay DHCP requests that way.
If you do a show flash or dir, do you see the actual packages.conf file and all the individual package files (.pkg) that it is referencing? If you do more flash:packages.conf you should see the files it is referencing for boot.
Sep 27 2024 4:03 AM
The MX uses AS prepending for branch routes that have that Hub MX as secondary.
Sep 26 2024 12:35 PM (1 Kudo)
@MartinLL's answer covers most of what's needed. I would also like to point out that there are two licensing models of interest.
- Co-term licensing: where every license you buy terminates on the same date, even if you add devices with licenses later on.
- Subscription licensing: with simpler SKUs, especially if you are using other gear like switches and MX firewall appliances, and where you can choose to pay automatically per period for your licenses or have a set period with prepaid licenses.
Other than that you choose your hardware according to the needs of the customer and 1 device = 1 license. License tiers are Enterprise and Advanced in the co-term model or Essentials and Advantage in the subscription model. The higher tier provides Umbrella integration (DNS security), adaptive policy (segmentation via tags instead of VLANs), advanced wireless stuff like AI RRM and full blown intelligent capture. The license SKUs usually come in 1, 3, 5, 7 and 10 year options.
Sep 26 2024 12:24 PM
Your drawing is incorrect. The uplink switches are connected to LAN ports instead of WAN ports, which is incorrect. Each MX WAN uplink cannot be split on the MX itself. So basically for WAN1 you can only have 1 cable coming from the MX to the uplink switch. So each MX should have 1 line going to the upper switch for ISP 1 and each MX should have 1 line going to the lower switch for ISP 2. In case of a device failure, VRRP will make the spare take over and the spare will use the same primary ISP as configured in dashboard.
Sep 25 2024 11:18 AM (1 Kudo)
I'm having difficulties understanding your setup. What do you mean with the Z3 is managed by an MX84? Do you mean it does a full tunnel to the MX84? Secondly, the management of any Meraki switch can be out of band. So if your user traffic uses a different firewall to reach the internet than the switches, that is no problem. You can have a VLAN that terminates on a different firewall/router for your Meraki management than the firewall for your user traffic. What is important however is that the Meraki devices all do a TLS connection to dashboard that is not allowed to be decrypted and re-encrypted using a different certificate. We had a customer once with a PA firewall that was doing TLS decryption on port 443. So when the Meraki APs updated to the newer version that no longer uses UDP/7351 by default for cloud management but TCP/443, all these APs lost connectivity to dashboard until we made an exception for those devices and let the connection through unchanged (except for NAT of course).
No problem 😉 It makes sense to install the newer type in newer installations, which we all do, or to replace a broken older cable with a newer one. I just question replacing a whole bunch if it isn't necessary, especially if they are not even fiber runs but local patch panels.
You are looking at it wrong then. I don't know how they get the figure of 40% higher bandwidth... because this depends heavily on the type of transceiver you are using and the set speed you have. The rating of the cable is only a measure of physical properties like minimum bend radius and loss in dB per amount of distance. As long as you don't lose x over a certain distance you can safely use these speeds. You always have to look at fiber this way: you want to run a certain speed over a certain distance. Then, looking at the datasheets, you will know what kind of transceivers are compatible and what fiber options you have. For example, you will have to run 150 meters of fiber and you want 25 Gbps speeds over that: when you look at tmgmatrix.cisco.com you will see what is possible. For example the SFP-25G-SR-S can support 25G over 70 meters of OM3 or 100 meters over OM4. So yes there is a difference, but in distance. But if you look a bit further you have the SFP-10/25G-CSR-S which can support 25G over 300 meters OM3 or 400 meters OM4 because the module supports RS-FEC. So taking the time and effort of just changing your patch cables will not return you any gains in latency or bandwidth. It will merely gain you a different color of fiber patch cables. Extra latency comes from the switching process and potential buffering on devices, and the main latency on the fiber is merely a function of the speed of light.
The question of course is what you hope to gain when laying OM4 fibers in place of the current OM3. If it is to have more pairs, or to have different cable runs for redundancy, then sure, new fibers should at least be OM4 if using multimode. But investing tons into replacing fibers if they are perfectly fine and you are running 10 Gbps over no more than 300 meters will not give you any advantage. Also be aware that higher speeds like 25 Gbps have much different distances depending on the type of technology used in the transceivers.
Sep 24 2024 3:46 AM
In Europe we don't have a choice. The lower channels 36-48 are simply not available on outdoor APs. So DFS channels are the only choice we have.
Sep 23 2024 12:20 PM (4 Kudos)
I haven't heard about transceivers that can do multigig in variable speeds. The speeds on an SFP+ port are fixed at 1 Gbps or 10 Gbps depending on the module inserted. If you want to run 2.5 Gbps to your MRs you actually need a multigig switch.
Using this site https://www.everythingrf.com/rf-calculators/free-space-path-loss-calculator I have calculated the following: 500ft is about 152 meters. Using channel 100-104-108-112 (I used the highest of these channels for the free space path loss, ch 112) equates to 5560 MHz. The MA-ANT-27 has a gain of 12 dBi. I'm not sure what region you're in, but the European rules are the strictest when it comes to Tx power, so I'll assume a max EIRP of 30 dBm on this channel, which means you can transmit at 18 dBm. Using these inputs in the calculator I come to a free space path loss of 67 dB. Since the gains are already included in the calculation I now have to do 18 - 67 = -49 dBm, which is quite high and should not be a problem to receive good enough signals between both buildings. You even have over 20 dB of fade margin in case of bad weather. From another calculator on that same site https://www.everythingrf.com/rf-calculators/fresnel-zone-calculator I calculated the Fresnel zone of 1.4 meters or a bit under 5 feet. This is the radius around the line you would draw between both antennas that has to be clear of obstructions to not negatively affect your signal. The only thing I do question however is the use of an MR86 instead of an MR76. If there are no reflective surfaces you won't gain any spatial streams to augment the speed. So you could basically use an MR76 instead and only use 1 antenna per AP between the buildings.
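The link budget worked out in the post above, reproduced as an added example (not part of the original post or of any calculator it links): free-space path loss between isotropic antennas, the net loss once both 12 dBi antenna gains are applied, the received level at the EU-derived 18 dBm transmit power, and the mid-path first Fresnel zone radius. The -70 dBm receiver sensitivity used for the fade margin is an assumption for illustration; the post does not state one.

```python
import math

C_M_PER_S = 299_792_458.0  # speed of light in vacuum


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss (dB) between two isotropic antennas."""
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C_M_PER_S))


def eu_tx_power_dbm(eirp_limit_dbm: float, antenna_gain_dbi: float) -> float:
    """Conducted power that keeps EIRP = Ptx + Gant under the regulatory cap.
    Cable/connector loss is ignored here (assumption)."""
    return eirp_limit_dbm - antenna_gain_dbi


def link_budget(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_hz,
                rx_sensitivity_dbm):
    """Return path loss, net loss with antenna gains, Rx level and fade margin."""
    fspl = fspl_db(distance_m, freq_hz)
    net_loss = fspl - tx_gain_dbi - rx_gain_dbi   # gains "included", as in the post
    rx_dbm = tx_dbm - net_loss
    return {
        "fspl_db": fspl,
        "net_loss_db": net_loss,
        "rx_dbm": rx_dbm,
        "fade_margin_db": rx_dbm - rx_sensitivity_dbm,
    }


def fresnel_radius_m(distance_m: float, freq_hz: float, d1_m=None) -> float:
    """First Fresnel zone radius at distance d1 from one end (midpoint by default)."""
    wavelength = C_M_PER_S / freq_hz
    d1 = distance_m / 2 if d1_m is None else d1_m
    d2 = distance_m - d1
    return math.sqrt(wavelength * d1 * d2 / distance_m)


if __name__ == "__main__":
    # Inputs from the post: 500 ft ~ 152 m, channel 112 = 5560 MHz, MA-ANT-27 = 12 dBi,
    # EU EIRP cap 30 dBm. Sensitivity -70 dBm is an assumed value.
    ptx = eu_tx_power_dbm(30, 12)                           # 18 dBm
    budget = link_budget(ptx, 12, 12, 152, 5.56e9, -70)
    print(f"Tx {ptx} dBm, net loss {budget['net_loss_db']:.1f} dB, "
          f"Rx {budget['rx_dbm']:.1f} dBm, margin {budget['fade_margin_db']:.1f} dB")
    print(f"Fresnel zone radius at midpoint: {fresnel_radius_m(152, 5.56e9):.2f} m")
```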
Sep 23 2024 11:11 AM (1 Kudo)
Each Meraki network is a logical container. Inside one network you can only have a single MX or two MXes acting as an active/passive HA pair. Each logical container has its own client VPN configuration. That does mean that each separate client VPN config on an MX has its own IP subnet you need to enable on the SD-WAN fabric to be able to communicate with shared resources. And indeed each of these configs has its own authentication method and, in case of Meraki authentication, its own set of users that are authorized for VPN.
I hope you then started an ask for help on the Aruba forums? You'll have an easier time finding a person who deployed their authentication and authorization rules to communicate with the APs.
In your other deployments are you letting the RADIUS server directly speak to the APs to send the access-accept? Or are you merely allowing access to the web portal with a reauthentication after successful login on the page? On the access control page for the SSID you will need to choose the L2 authentication first, which probably will be Open or Opportunistic Wireless Encryption. For the L3 authentication you should be using "Login using my RADIUS server". Then add the RADIUS servers with their ports and shared secrets. Make sure to add the IPs of the web server hosting the login page to the walled garden. Then go to Wireless -> Splash page and select custom splash URL. DNS and DHCP should normally be allowed through, so you should at least see the login page after connection if you added the IPs to the walled garden.
Sep 21 2024 11:09 AM
Ah I see, that was an issue a while back, but it was not limited to SIP and RTP traffic but all kinds of IP traffic. That issue was why 18.211.0.1 was released back then. I also had issues with that firmware build a few months ago, but that was purely over the AutoVPN tunnel, not straight to the internet.
Sep 21 2024 11:04 AM (2 Kudos)
"Both are static assignments or PD assignments at all." Do you mean they are static assignments and NOT PD assignments at all? In case your WAN interface config is supposed to be static, then the ISP is probably routing towards another address for your /56 block, so the ISP is failing to route towards the MX for your return traffic. In case it IS prefix delegation, then you need to configure your interface as dynamic so the ISP automatically routes the /56 subnets via the IP given in the DHCP lease.
Sep 21 2024 5:15 AM
Are you capturing both on the LAN and Internet interface of your MX? When you say you don't see the ICMP echo reply coming back in, do you mean when capturing on the host directly? I'm still on an MX84 at home so I don't have access to the newer MX 18.2xx firmware. In my case the ISP router receives a /56 PD itself and then PDs a /57 of that towards my MX. There I can see my 4 VLANs receive a /64 each + the /96 NAT66 (for the WAN failover). In that case routing from upstream devices is done for you. Can you clarify a little more how your WAN is exactly set up, including the upstream router?
Also, if you correctly hold down the button you should see the LED flashing, and when it stops you may release the button. It will then revert back to the serial number as username.
Sep 20 2024 12:12 PM (2 Kudos)
The MX250 is getting a bit old indeed. However, in your case it is important to see if your 500 branch MXes will use 1 tunnel (1 ISP) or 2 to reach the hub location. In case of 2 you would have no other choice than to use the MX250.
Sep 20 2024 11:12 AM
True, the configuration is in the cloud and you can factory default your device; it will regain its previously running config from the cloud. But as you stated, you want a personal backup, even if this is just for keeping locally or for rolling back changes you're not satisfied with, and then it's not as simple as getting a config file like you have on a locally managed device. You can get the config, but through API calls. And it's not one config file; there are multiple JSON constructs.