Meraki

KarstenI · ‎Jul 25 2023

Admin error, putting the wrong port into the wrong VLAN switch crash and forwarding without config applied config lost due to any other reason As @cmr writes, it is not worth it to save a couple of bucks. Although I prefer managed switches on the WAN side like Catalyst 1000 or CBS 350.

KarstenI · ‎Jul 24 2023

I would avoid this setup as much as I can. Or even more, I would refuse to implement it for a customer. In this setup, the switch has the potential to bypass the firewall. This is really bad practice.

KarstenI · ‎Jul 22 2023

802.1x for PC hosting Hyper V switch where ISE sits behind the vswitch the same bad idea ... The ISE has to be reachable all the time to do the authentication. MS120-8<>HyperV switch<>physical end host <<<<< but I believe this would inherit the access policy causing issues for the hosted VMs? with physical end host you probably mean the VM? Because I had no idea how to connect a physical host to a virtual switch. IMO still a bad idea, but it could work in two scenarios: 1) The switch-port is configured for multiple-host mode and only the HyperV has to authenticate to the switch. All VMs are allowed to connect "piggyback" on this connection. 2) The switch-port is configured for multi-auth, here all VMs need a supplicant to authenticate to the network. This will only work if the virtual switch does not interfere with the EAPOL communication. MS120-8<>physical adapter of host<>Windows10 <<<< Taking vswitch out of the flow This is the best way to do it from the 802.1X standpoint. One port, one end-device. But likely not the best solution from a VM standpoint.

KarstenI · ‎Jul 22 2023

Do I understand you right that you want to do 802.1X for your VMs? This is a bad idea in 99% of all cases.

KarstenI · ‎Jul 22 2023

RADIUS monitoring is something completely different than the Catalyst modes of Monitoring/Low Impact/Closed. These modes are not available on Meraki MS. Can you explain a little more detailed what your problems are?

KarstenI · ‎Jul 20 2023

I don't think that there is any USB-5G Dongle supported. But connecting a 5G router (I often use the GigaCubes) to a WAN port works perfectly fine. But for manageability I would always prefer an MG.

KarstenI · ‎Jul 13 2023

The 5 GHz only was that we didn't care about 2.4, The Business-SSIDs are 5GHz only. 2.4 is enabled on the Guest SSID. In this setup we have 4*4 on the SSIDs we care of for a reduced price per AP. The rest was exactly as you say. We try not to mix APs which is quite easy if there are enough sites to shift the APs around. The next shifting will be more complex as the CWs have other mounting plates compared to the MRs.

KarstenI · ‎Jul 12 2023

Yes, it works similar and it is possible to configure Ether-Channels that are active on both stack-members. What is not available compared to the Cat9500 VSS is dual active detection on an additional link. BTW: Today I would likely not buy the pair of MS425 but instead a pair of 9500s. They can be added to the Meraki dashboard and eventually also be cloud managed.

KarstenI · ‎Jul 11 2023

The MR44 are cheaper and with 5GHz only there is no real difference. The MR46 were moved to a site that didn’t need many APs and the old site was equipped completely with more MR44s as additional floors were used.

KarstenI · ‎Jul 11 2023

Visibility! One of the benefits of a modern platform. Any questions?

KarstenI · ‎Jul 10 2023

A remotely controlled PDU like the MT40 or something from APC?

KarstenI · ‎Jul 10 2023

They could do the enrolment the PCs on their own after being authenticated to your directory. But they would need to cooperate.

KarstenI · ‎Jul 10 2023

What about a script that disables all ports that are not infrastructure? For the routing I am not aware of a ways to just disable it, but removing and adding back the SVIs could also be automated with a script. Just make sure you don't remove config that is needed for the infrastructure itself.

KarstenI · ‎Jul 10 2023

Are the teacher PCs owned by the school? In this case, an easy solution for this problem would be to configure the WLAN-Settings of the PCs with an MDM like Meraki SM.

KarstenI · ‎Jul 7 2023

For “real” authentication the MR just forwards the TLS communication that is encapsulated in EAP between the client (supplicant) and the NPS (authentication server). The MR (authenticator) does not need to understand this communication.

KarstenI · ‎Jul 5 2023

That's a very good question. Would be a perfect task for "a cloud".

KarstenI · ‎Jul 5 2023

iPSK with RADIUS is basically PSK with Mac filtering. You just have to return a Tunnel-Password.

KarstenI · ‎Jul 5 2023

https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2023/pdf/BRKSEC-2238.pdf Page 27 and 30

KarstenI · ‎Jul 4 2023

t seems these restrictions are heavily reduced when it all moves to Cisco+ Secure Connect. It will hopefully not take a long time.

KarstenI · ‎Jul 4 2023

In this context ...

KarstenI · ‎Jul 3 2023

I have been a member for some time. I think it was announced here quite some time ago. It is a nice distraction if you need a brake but don't want to move from your chair (yes, not the best brake). I got some nice swag from the rewards program, like shirts and mugs.

KarstenI · ‎Jul 2 2023

That is what I was saying. It was mainly about that there is no difference.

KarstenI · ‎Jul 1 2023

ie which we must replace if we are to get the most out of our already-connected MR44 WAPs. If this is your concern, do nothing. Your MR44 will not break the 1Gig barrier under normal conditions.

KarstenI · ‎Jul 1 2023

The NPS has the worst log of any software system on the planet. But if you show us a RADIUS capture between the AP and the NPS, it's likely to see some problem areas.

KarstenI · ‎Jun 30 2023

I once told a joke that good, that even HR called and wanted to hear the joke …

About KarstenI

KarstenI

Karsten Iwen

Community Record

Badges