The Meraki Community
grepaly

Here to help

Member since Jul 9, 2019

Community Record

Posts: 6
Kudos: 6
Solutions: 0

Badges

CMNO
First 5 Posts
Lift-Off
Latest Contributions by grepaly

Re: MX Doesn't Send Gratuitous ARP on 1:1 NAT IPs

by grepaly in Security / SD-WAN
02-09-2023 01:39 AM
We did some more tests, and it looks like when a "real" failover happens, the 1:1 NAT is handled correctly. When we do a switch of primary-spare initiated from the Meraki dashboard, the 1:1 NAT stays with the device which becomes inactive and it will not work properly.

Re: MX Doesn't Send Gratuitous ARP on 1:1 NAT IPs

by grepaly in Security / SD-WAN
02-01-2023 08:36 AM
4 Kudos
After more than four years, this still seems to be an issue. I don't buy the argument that I should clear the upstream device cache. If there is a failover, that should just happen without anyone intervening in any way.

Re: Bypass Meraki Splash pages in 10 secs to gain unrestricted Internet acc...

by grepaly in Wireless LAN
03-24-2020 05:11 AM
Sure. Let me find my notes. Here they are:

a.) Log in to your Cisco Wireless Controller.
b.) Go to Controller/Internal DHCP Server/DHCP Scope, click your scope and take a note of your DNS servers. In my case these were 8.8.8.8 and 8.8.4.4. Usually you have only two DNS servers, but it is also possible to set three.
c.) Go to Controller > Interfaces and take a note of your virtual address.
d.) Go to Security, Access Control Lists, Access Control Lists.
e.) Create a new Access Control List by clicking New. Name it Pre-Auth-ACL.
f.) Click the name of the newly created ACL.
g.) Add the following five rules, while keeping their order.
   1. Permit, Source 0.0.0.0/0.0.0.0, Destination: 0.0.0.0/0.0.0.0, Protocol: Any, Source port: Any, Dest port: Any, Direction: outbound.
   2. Permit, Source 0.0.0.0/0.0.0.0, Destination: (your virtual address)/0.0.0.0, Protocol: Any, Source port: Any, Dest port: DNS, Direction: inbound.
   3. Permit, Source 0.0.0.0/0.0.0.0, Destination: (your primary DNS)/0.0.0.0, Protocol: Any, Source port: Any, Dest port: DNS, Direction: inbound.
   4. Permit, Source 0.0.0.0/0.0.0.0, Destination: (your secondary DNS)/0.0.0.0, Protocol: Any, Source port: Any, Dest port: DNS, Direction: inbound. (If you have a third DNS, add it here)
   5. Deny, Source 0.0.0.0/0.0.0.0, Destination: 0.0.0.0/0.0.0.0, Protocol: Any, Source port: Any, Dest port: Any, Direction: inbound.
h.) Go to WLANS, Select your guest network, Select Security, Layer 3, and set the newly created ACL as Preauthentication ACL for IPv4.

Re: Bypass Meraki Splash pages in 10 secs to gain unrestricted Internet acc...

by grepaly in Wireless LAN
07-09-2019 08:03 AM
1 Kudo
Well, I am quite sure we don't want to spend some more money this way just to plug this hole. It is possible to set custom DNS per SSID (Content filtering: custom DNS), we tried that, it did not work.

Re: Bypass Meraki Splash pages in 10 secs to gain unrestricted Internet acc...

by grepaly in Wireless LAN
07-09-2019 06:19 AM
SLR, can you please elaborate? Where do you set Umbrella and how will that stop tunneling over DNS?

We tried to set Custom DNS in the SSID settings, even that is not working in the pre-auth phase.

Re: Bypass Meraki Splash pages in 10 secs to gain unrestricted Internet acc...

by grepaly in Wireless LAN
07-09-2019 12:52 AM
1 Kudo
The issue here is that DNS to any public IP is allowed in the pre-auth phase. It should be allowed only to those servers which are handed out to clients by DHCP. Those allowed should be captured and all answers should point to the captive server instead of the original answer. Cisco WLC is also vulnerable but that can be fixed by creating a pre-auth ACL.

My Top Kudoed Posts

Re: MX Doesn't Send Gratuitous ARP on 1:1 NAT IPs (Security / SD-WAN): 4 kudos, 329 views
Re: Bypass Meraki Splash pages in 10 secs to gain unrestricted Internet acc... (Wireless LAN): 1 kudo, 10022 views
Re: Bypass Meraki Splash pages in 10 secs to gain unrestricted Internet acc... (Wireless LAN): 1 kudo, 10075 views