Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About OS-Cubed
OS-Cubed
Here to help
Member since May 21, 2019
Sep 19 2024
Community Record
20
Posts
8
Kudos
1
Solution
Badges
Aug 9 2024
6:28 AM
OK after much mucking around I got this all working. Some notes: since the original router was part of a meraki VPN, when I attempted to create (after disconnecting the old router and bringing it in-house) the public IP Address range I desired as a VLAN it gave me a warning that it wouldn't route correctly (and in fact it did not). I had to (temporarily): Take the vlan range down to a /26 rather than a /24 Remove the moved meraki from the site to site VPN Re expand the range to /24 I then ran into what I thought were additional problems. I could see all the devices inside the new VLAN when I was IN the VLAN but they could not see outside. Turned out I had: Plugged the switch they were plugged into into an access rather than a trunk port when rewiring it. Thus I couldn't see the devices unless I was on the switch, rather than the outside network. Rookie move but i wasted an hour trying to figure out why the devices could see each other but not the outside world, or the outside world see them. The original router was set as a pass-through firewall with just certain ports passed through. When it was on the site-to-site this didn't matter because I could see all ports once the vpn was established. After moving it i had to open up a couple ports for traffic to pass correctly between the 2 lans, but that was pretty easy and trivial and in fact increased security since now only that traffic passed. I don't need to vpn into the double-natted device so I didn't bother trying to set client or site-to-site back up again. Thanks for the help and pointers. I basically relocated my entire web infrastructure off shared hosting and into an archival state in under a day. Pretty good really. Gotta love Meraki.
... View more
Aug 9 2024
6:20 AM
Well aware. In this case the moved servers are there only for backup and archive purposes and won't be able to be accessed from the internet at all, nor do they need to really access the internet (though they can) since once the retention period expires I'll be purging them.
... View more
Aug 5 2024
7:03 AM
so if I punch the ipsec ports through to the secondary MX, won't that intefere with VPN to the primary MX? Just trying to think this through ahead of time. My thought was: * I have workstations that are between the two (behind the primary mx, but in front of the secondary) I can potentially cliend vpn to the secondary mx from those workstations to manage the devices behind the secondary MX - essentially as I do now to manage them over the autovpn. I'd just need to use client VPN instead of the current MX to MX autovpn, since it's behind the first MX now. I can currently client VPN to my devices that are out there on the public internet using client vpn. * I don't really need to remote into the stuff behind the secondary MX from the internet - in fact it would be preferable to NOT do that. * I do know that I could punch remote desktop ports through to the secondary servers and limit them to the ip addresses of the primary network if necessary. Less secure though.
... View more
Aug 2 2024
12:52 PM
Need feedback on this proposed config: I am going to be retiring a set of Meraki MX/MS systems and the servers behind them that were configured as public pass-through for hosting websites. The meraki and the switches and all servers behind it were configured with public IP addresses, but only certain ports were passed through the firewall. the system was also set up for client VPN to handle managing it. Not all servers had ports pushed through as they weren't all web servers. All that was configured by myself and I know it well. In order to fulfill data retention requirements for some period of time I intend to move this entire set of servers and network equipment into a local setup - with all the settings remaining the same. I do not intend to make those addresses available from outside the local private network. What I would like to do this this: * Set up a VLAN on my local network with the existing public IP address range (say it's 198.201.233.x/24 gateway 198.201.233.1- it's not but for the sake of the example) * Set one port to default to that VLAN on either a meraki switch or on my mx. * Connect the existing Meraki MX, configured as before, with the Internet part (configured for 198.201.233.2 with the .1 gateway). Connect the switch to the meraki mx, connect all the other devices to the same ports they were connected to on the Meraki switch, and power them up with their 198.201.233.x addresses intact. * There will be one public facing MX router with a connection to the internet. * The existing router will go behind the public facing one, and will not need ports punched through to it from the internet - it only needs to be internally accessible on the ports it's currently externally accessible from. Internal devices will be on other private subnets behind the first firewall, but not the second. Questions for the peanut gallery: * I assume I should remove any meraki site-to-site VPN connections to the second MX as that won't resolve since it doesn't have a unique public IP (other than the same public IP as the main router) * I assume that since I have a meraki behind a meraki I cannot client VPN into the relocated MX that is behind the first mx directly? They would both have the same public IP address, and punching ports through from the public facing mx to the private one would prevent public facing client vpn. * I would need a locally connnected device in the 198.201.233.x range behind the second firewall to manage the devices in that network. and then a secure non-clientvpn way to access that device? * Do i need to do anything special on the public facing meraki to reroute internal traffic intended for 198.201.233.x to the internal network rather than the external address. I don't expect to be using that public ip range in the future (at least until my data retention contract runs out). I am fine with rerouting it to the internal net indefinitely, and understand the ramifications of that. I know this is a weird ask but assume it's doable with some limitations (like no direct client VPN)
... View more
Labels:
- Labels:
-
Firewall
May 16 2023
7:07 AM
2 Kudos
Why should users have to buy a licsensed product. Meraki was always about NOT charging per user for stuff, but now if you want to connect an android device you need a license? Bs. Meraki could solve this in an instant by just adding support for one of the more secure supported protocols to their firmware. But no - Cisco would rather make money off us.
... View more
May 16 2023
7:03 AM
4 Kudos
And calling this "solved" when in fact the Meraki is still broken is also not really very accurate. Basically: Cisco Meraki used to work with Android (and pretty much every device). Cisco Meraki no longer works for all those devices Cisco isn't bothering to fix this issue I still rue the day that Meraki sold out to Cisco. - they've been the ugly stepchild ever since.
... View more
May 16 2023
7:01 AM
2 Kudos
THis is BS. People bought Meraki's specifically because of the built in NO LICENSE NEEDED VPN capability. It's basically criminal that it doesn't support a common secure protocol that IS supported such as MSCHAPV2 or a certificate based vpn for it's users. This is Cisco basically trying to make more money off the Meraki installed base by not activating a capability they could easily add to the hardware through a software update. That addition would enable all sorts of capabilities but because it's Cisco they'd rather you spent $/year/user to buy a client you don't need.
... View more
Apr 13 2022
7:53 AM
The day Cisco bought Meraki was the worst day for that brand on the planet.
... View more
Apr 13 2022
7:52 AM
And now I suspect that the stuff that was supposed to go to MY client went to the guy up above me in this reply chain. 🙂
... View more
Apr 13 2022
7:52 AM
This exact thing. I cannot tell a client - hey it'll be 5 months but I'll give you what you need, only to find out 5 months later that my delivery date has been pushed out to a year and 2 months.
... View more
Apr 13 2022
7:51 AM
BS - I've escalated the scenario every time they've extended the delivery date. If they do promise a date they don't make it. And they extend delivery dates without informing us. Maybe YOU are getting product but I'm not.
... View more
Apr 13 2022
7:49 AM
Nope. Type MR42 into items - not there. Nor are any of the other 1 day items that are no longer valid part numbers to sell. I shouldn't have to jump through hoops - if that's indeed what I am supposed to do - to get an orderable part into my quote.
... View more
Apr 12 2022
10:05 AM
Instead all I hear is whining about how I should upsell clients into stuff they don't need because you can't get the stuff they do need. I've built an ENTIRE BUSINESS around Meraki. Every one of my clients has Meraki. And now I cannot service them.
... View more
Apr 12 2022
10:03 AM
Meraki and Cisco need to address this head on. If they can't provide product in a reasonable time frame they should pull all that product off the site so that customers don't think they can buy it. They should out line to partners EXACTLY what they are going to do to fix this issue, and they should start parts sourcing other than china IMMEDIATELY. Take some of the BILLIONS in cash Cisco is sitting on and invest it in manufacturing and supply chain. Buy your own boat. Build your own factories. Fix it. Or go out of business. No one is waiting a year and a month for parts. No one.
... View more
Apr 12 2022
10:01 AM
To give you perspective I ordered an SMB MX in November 2021. They are estimating it will ship in.... January 2023. That's right. Next year. I'll let you explain that to my client, that they can't implement their network at their new site until..... next year. When they're planning to move in this month. We'll see how that goes.
... View more
Apr 12 2022
9:58 AM
Name one of those that is SMB. SMB is my business. No one is buying a $3000 MX when they can get a sonicwall for 700 bucks. So unless Cisco is selling their 3000 mx for 700 bucks - it's not happening. And the MR42 that you think ships today? Nope.You can't even quote those in CCW - they don't exist. Go try it. Nothing but current models in the price list. And none of those ship in less than 60 days, and the only ones that ship in 60 days require 5 antennaes and cost $2000 bucks list. All of those "one day ship" deals are wrong. Not a one of them ships in a day, because you can't order them at all. They should be pulled from the parts list, and are already pulled from the list of models on the meraki site, and in the ccw interface.
... View more
Apr 12 2022
8:00 AM
Because these are NEW customers that I'm selling Meraki into but cannot deliver and they have DEADLINES. And I CAN get the parts from other vendors IN STOCK. Their FIRST IMPRESSION of Meraki is "oh I can order in November and by APRIL I still don't have hardware. I can't order an "alternative router" if there are literally NO ROUTERS AVAILABLE. I cant' get them an "alternative wifi" AP if there are literally NONE AVAILABLE FOR 90 days. I can't "strengthen a relationship" by not delivering hardware. Bring the production of these parts home. Cisco has BILLIONS OF DOLLARS. Just bring the production home and make them here if you can't get them from China.
... View more
Apr 11 2022
10:24 AM
Question: Is that the forum where we would ask WTH we can't get any meraki parts for months at a time and are losing customers because of it?
... View more
Nov 4 2019
9:25 AM
My client has two buildings. They are currently using their wireless as a bridge between wired networks in the building: Internet -> Router1 -> Wireless and other wired devices ------- air gap --------- wireless -> Router2 (not connected to internet - routes to router 1) -> Wired and wireless devices in other building Can two merakiGo devices be configured in place of the router wireless in this scenario. They're envisioning 2 outdoor WAPs wired to the two routers (turning off the internal router wireless) and 2 indoor wireless access points to service the building - all connected to the local routers. Will traffic from one wired network pass to the other wired network as long as they are private IP addresses, and do not overlap? Or will only wireless traffic from the remote site pass to the router?
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 469 | Aug 9 2024 6:28 AM |
My Top Kudoed Posts
© 2024 Cisco Systems, Inc.
