- About GlenW70
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Community Record
12
Posts
20
Kudos
0
Solutions
Badges
3 weeks ago
Is this the proper method to export the dynamic DNS name assigned to the device too? I need this for all of our MX devices.
... View more
12-15-2020
02:42 PM
OK have solution You must have active/active tunnels enable for this to work (thinking about it makes sense otherwise you'd only have single tunnel to use) We also had a back end change made to our dashboard long ago that disabled active/active regardless of what GUI showed. Support was able to adjust the override in our dashboard (now that GUI works properly) After doing that AND enabling active/active VPN and doing a full refresh on page we see VPN flow preferences!
... View more
12-14-2020
03:04 PM
I too am seeing this condition. Latest stable firmware MX 14.53 We have ~150 MX60/64s None are showing the SD-WAN policies Only IP Flow Preferences. Our standard configuration is to prefer WAN1 and only use WAN2 in a failover mode. I have tested enabling load-balancing and active-active VPN to see if any change but none. I do have a pair of MX84 in Asia and they DO have the proper options but are only network I can find that does. Opened case with Meraki and they are coming up empty initially and continue to research.
... View more
12-14-2020
02:47 PM
Yes I believe you are correct. If you flows are purely internet based you can define the "match filter" and route traffic over your preferred uplink. Flow Preferences By default (without load balancing), internet-bound traffic will flow out of the MX's primary uplink. The MX can also be configured to send traffic out of a specific interface based on the traffic type (policy-based routing), or based on the link quality of each uplink (performance-based routing). Flow preferences can be configured to define which uplink a given flow should use. Flow preferences will also supersede load balancing decisions. https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferences
... View more
06-24-2020
04:30 PM
We are working towards this solution today for a couple of reasons. 1) When a laptop gets patched and rebooted today it does not reconnect to the network (assuming it was only wifi connected) until a user interactively logs on. With COVID keeping folks out of many offices for weeks or months on end this has been problematic 2) When an IT person attempts to logon to a laptop via wireless (currently using RADIUS with NPS to AD) that logon fails because there is no network connection until after successful login (exception being cached credentials). This is a pain for IT and forces them to connect wired before then can even start their work. 3) If you have any sort of logon script or any other processing that should happen at logon this doesn't work properly either (cart before the horse) To mitigate some of the concerns mentioned above our AD team uses LAPS to automate local admin account password changes every month and each one is stored in a secure server that requires multi factor auth to logon to. We also encrypt the drives of all mobile device making boot disks and other ways to reset the local accounts very difficult. Lastly, we are using 2 AD groups one that we can add devices we want to deny (policy 1) and the other those we want to permit (unsure but could ultimately be domain computers with exceptions weeded out in policy 1) in policy 2. Hope this helps. Also, good luck with setting this up. I have found MANY different articles and approaches on this. Many focus on the user auth side. The machine auth is more complicated and there isn't a single recipe for success I've found so far anyway.
... View more
03-26-2020
10:09 AM
16 Kudos
I have been using the MR30H in a somewhat unique configuration for a while and thought I'd share the application to see if others have similar needs. Most of you probably know the MR access points have a feature called Teleworker VPN that allows you to create a dynamic VPN tunnel to an MX and "bridge" that network remotely. This is a cool feature and works great for wireless devices. Unfortunately, not everything we use is wireless (I do believe it may be possible to use a MR in mesh mode and reuse a single ethernet port on it for this purpose but I've not tried that). If you need a solution for wired with more than 1 port (like I did/do) you might want to read the rest of this post. My first application for this solution (wired / bridged Teleworker VPN) was a mobile food truck that we needed a cash register connected to a physical restaurant POS server but the register had to be on the same subnet as the POS server. Even though the MR30H is an AP it also have 4 integrated switch ports. You can assigned each of those to a VLAN and link that VLAN to an SSID (even if you aren't using WiFi at all - which in my case I'm not). You can then use the MR configuration to create a Teleworker VPN tunnel to an MX at the site in question and tunnel that VLAN to the physical site. In my design I'm doing this with 3 different VLANs (register, guest wifi and security camera). This works from DHCP/BootP/, to ARP and right up the OSI model. This was a requirement for our vendors application as well as a bonus to have a single MX firewall ruleset to manage and content filters to monitor. Plus an MR30H is less expensive than an MX64 and it, unfortunately, cannot do L2 VPN. Lastly, we paired this with a Cradlepoint device with dual, auto switching carriers to provide connectivity from all over Maui. Hi. area. With COVID stay at home restrictions we had to move some or our retail lab out to employees homes. Once again we had another scenario where for test applications and firewall rules (source IPs, L2 adjacency requirements, etc) this solution was our best option. The only caveat to this design is you MUST have an MX in the VLAN you want to extend the L2 connectivity to. I wish Meraki would add this L2 functionality to MX devices too (future?)
... View more
03-26-2020
09:17 AM
2 Kudos
Support was able to fix this for us. It is an engineering change made behind the scenes If you have a similar issue you could ask support to reference our case 04537743
... View more
12-13-2019
08:32 AM
Hi Kegan, Yes we currently have 2 sites experiencing the issue. Our case number is 04537743. Site #3 is all MR42s and MR70s Site #14 is all MR42s and MR70s In both sites we have 3 or 4 fully functional devices but 1 device (iPad pro in both locations) that will not respond to whitelisting. In each of the sites we've gone so far as to replace the device and testing in site 3 shows no change. Both are broken now (since nobody at support has been able to solve our issue) so replicating the issue is very easy for us right now. I am happy to assist with beta or patch if you think it could help. Please let me know how I can contribute.
... View more
12-12-2019
11:44 AM
We are experiencing this same issue at 2 sites Does anyone have an update on this? I have 2 tickets open with Meraki support but nobody is claiming to know about a back end issue.
... View more
11-25-2019
04:37 PM
I ran into a similar problem In my case we had and ASA fronting the MX100 and it wasn't configured to allow the outbound ICMP echos to 8.8.8.8. Once I added this rule the status went green and the connectivity line changed from gold to green.
... View more
01-08-2019
03:28 PM
1 Kudo
We have ~160 sites that are full stack Meraki implementations. Unfortunately, we weren't able to roll out using templates early on because of some limitation on specifying IP schema and other issues. Because of this, we have to clone and existing site and modify. This give us little centralized control for mass deploying changes (especially firewall rules) This year I hope to migrate to templates for MX appliances.
... View more
12-05-2017
09:49 AM
1 Kudo
Hi I'm Glen Warn and I'm a sr. network architect for Tommy Bahama (retailer) based in Seattle. We operate ~160 stores and outlets in the US, Canada, & Puerto Rico. We leverage Meraki MX, MS and MR devices at all of our retail locations and couple them with Cradlepoint devices for cellular backup. Looking forward to working with community knowledge base.
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 16 | 1187 | |
| 2 | 1499 | |
| 1 | 10232 | |
| 1 | 13235 |
