About KarstenI

KarstenI

Order 100k switches and tell the Meraki SE this order depends on the availability of named VLAN assignments.

KarstenI

Duplicate post, Discussion started here: https://community.meraki.com/t5/Security-SD-WAN/Upload-SSL-Certificate-in-Meraki-MX-Appliance/m-p/134479

KarstenI

What are you planning to achieve. Usually, the MX doesn't need an extra certificate for RADIUS-integration.

KarstenI

In order to provide the best experience possible with IPv6, we will be targeting January to introduce support on the MX Security appliances. Please stay tuned for our update in January. Have safe and happy holiday season! The Cisco Meraki Team (still from ::1) Yeah! Finally it's going to happen! 🙂 (Perfect timing, because "next year" IPv6 will have it's breakthrough)

KarstenI

It is not really disabled, but overwritten with the login from the network-config: https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Changing_Log-In_Credentials

KarstenI

I don't know anything about this specific device, but driver issues are a major cause of problems. I would try a more modern WiFi-5 or WiFi-6 card. Or try it with a cheap USB-device and if it works, then look for a PCI-E card with the same chip.

KarstenI

Other than setting the public IP to give the MX a way to reach the Dashboard, there is no offline config. The config "lives" in the cloud and gets pushed to the device.

KarstenI

"no native support" only means that there is nothing directly integrated. But you are free to integrate an external solution. So now go to the link @ww provided and then use Duo, or alternatively directly go to use Duo ... 😉

KarstenI

The organisational assignment is only for management. The data flow is based on the local connectivity. But certain features are implemented only *inside* the Organization. For example you don't have any radio resource management between OrgA and OrgB, no fast roaming and also you Bonjour forwarding could be impacted. The only clean way is to move all APs into one Org and inside the old into one network.

KarstenI

This is a really great feature! What bothers me a little bit is the following: MV32 Only Fisheye view. Dewarping is not supported on live stream or snapshots I really only want to see the door-area if the door sensor alerts and not the complete fisheye view.

KarstenI

Meraki Support can enable a beta feature named " custom layer 3 inbound firewall rules " where you have more flexibility in controlling the inbound way similar to what is available now for outbound rules. Perhaps this feature is of benefit for you.

KarstenI

The firewall rules are not for inbound traffic. They only control traffic from VLANs to the internet and between VLANs. That is the reason your tests did not block RDP. https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings

KarstenI

Your unbind, upgrade, bind approach will not work. The target-firmware is bound to the network/template and not to the device. The moment you bind the network back to the template it will revert back to the firmware version configured for the template. The only solution I see is splitting your setup into multiple templates or accept that the upgrade will be done for all networks at the same time (well, same time local to the network).

KarstenI

The "right" way to test is to use it as the users do. Connect the test pc to a cellular hotspot and connect to the outside interface.

KarstenI

MS firmware version 15 has named VLANs for RADIUS assignment. Not tested it, but perhaps there will also be a way implemented to use it on Port assignments. Did you give feedback on the corresponding dashboard page?

KarstenI

Redirection to a captive portals will always give a certificate warning if HTTPS is redirected. That is the reason that nowadays only HTTP is redirected because no redirection is still better than redirection to a warning-page. HTTP is by default used for the captive-portal detection that is included in many operating systems. If it does not pop up automatically, I tell the users to browse to a site like neverssl.com which on purpose only uses HTTP.

KarstenI

The next generation of APs will likely be WiFi-6E. If your client-base will be upgraded in the near future to 6E *and* there will be local resources that need to be accessed in a fast way, then MGig could be useful. I still would spend the extra money on something else.

KarstenI

802.11ax is the standard (well, technically the amendment, but that is not important here). The WiFi-Alliance runs the certification program for the devices: https://www.wi-fi.org/discover-wi-fi/wi-fi-certified-6

KarstenI

My standpoint is that MGig is nice to have, but still not needed with WiFi-6. With channels still 40 MHz wide, MU-MIMO more of a wish than a reality and most devices only supporting 2 SS, the 1-Gig interface limit will likely not be hit.

KarstenI

All actual MRx6 are labelled as " Certified ".

KarstenI

You can change the default rule to "deny any any" and apply a group-policy to the client with access where the network rules are overridden. For SD-WAN, you can specify which networks are part of the AutoVPN. What do you want to achieve exactly?

KarstenI

@John-K wrote: ... Maybe 21H2 is better 😂 calendar or fiscal year?

KarstenI

I assume @cmr gets a five figure salary per month from Meraki to keep us updated as soon as possible ... 😉

KarstenI

Meraki first goal is simplicity. It doesn't always work as expected but if you use the system as intended you get an easily manageable network that really saves you time compared to the traditional Cisco gear..

KarstenI

Authelia looks very promising. Need to test that when I have some spare time!

KarstenI

Karsten Iwen

Community Record

Badges