Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About MarcAEC
MarcAEC
Getting noticed
Member since Nov 20, 2019
Wednesday
Community Record
42
Posts
24
Kudos
1
Solution
Badges
05-20-2022
10:39 AM
1 Kudo
Let's not forget that this problem is really an example of a deeper problem. The Merkai development team likes to design functionality that has broad effects without including a way for customers to implement exceptions. The NBAR problem would be much smaller if there was a way to create ALLOW rules for confirmed mis-identifications. Instead, it's an all or nothing choice. This is the same problem with the geographic filtering. Need to access one specific site in Russia? Guess what --you need to allow all inbound and outbound traffic from the entire country.
... View more
04-28-2022
05:06 AM
2 Kudos
The list of "Current Modems" that are "...are still actively being manufactured, distributed, and sold..." is now officially empty.
... View more
04-07-2022
03:52 PM
3 Kudos
Alex, if you have access to the product team, could you find out why they are so resistant to updating L7 to support exceptions. This has been a big problem with geo-filtering for years. When MaxMind decides 8.8.8.8 is in Iran, we can't put in a rule that exempts 8.8.8.8 from geo-filtering. Instead, we have to allow all traffic from Iran!
... View more
03-28-2022
11:07 AM
1 Kudo
No, but if the software vendor's fix makes a material change to the functionality, that should be documented in release notes. The most likely fix that support is implementing is to cause "statistical P2P" to be excluded when "All P2P" is selected. If that's what they're doing, they should disclose that versus saying "don't worry, trust us".
... View more
03-25-2022
02:49 PM
1 Kudo
The disadvantage with support doing something behind-the-scenes is there's no visibility that "All P2P" is excluding the statistical P2P. Your successor may not know that's what's going on.
... View more
03-25-2022
06:27 AM
2 Kudos
The real solution (which we won't get) would be for Meraki to implement an exclusion function. Do we know what we're losing by having Statistical P2P off? What does it protect against when it is not blocking false positives.
... View more
03-25-2022
06:13 AM
Are you sure they just didn't exclude "Statistical P2P" from the internal rules when "Deny All Peer-to-Peer" is selected, the same as we could do by creating individual P2P rules for the other categories?
... View more
03-22-2022
11:24 AM
2 Kudos
For years, Meraki has received feedback about the problems the lack of whitelisting for geo-blocking causes. So, not only did they ignore that feedback, but then decided to build the same problems into the NBAR and the layer 7 rules. 😫 The best work-around I could come up with was to remove the rule to "Deny All Peer-to peer (P2P) and replace it with 5 rules to block BitTorrent, DC++, eDonkey, Gnutella, and Kazaa. It seems the problematic rule for our legitimate applications is "Encrypted P2P".
... View more
02-11-2022
05:28 AM
With VOIP, if the internet circuit the call is using goes down, the call would probably drop. If the internet circuit you have at the hub is more reliable, I'd recommend setting up the VOIP traffic to go to the hub even when the local DIA circuit is online (unless there is a large geographical distance that would cause the latency to be too high). That way when the DIA circuit goes down, the VOIP traffic will not change how it is connected to the provider. VOIP traffic typically has its own VLAN. So, you'd use the source-based routing feature introduced in 15.x for that instead of the IP-based technique discussed in this thread.
... View more
02-10-2022
04:51 PM
I would think this would happen automatically. If WAN1 goes down, the MX will automatically try to send the traffic over WAN2. I've got a use case where I'd like to block that, and couldn't find a way to do it.
... View more
12-22-2021
05:32 AM
I've not seen that comment in the 15.x or 14.x release notes. It first showed up in 16.4. It reads like conditions that cause instability have been identified and the development team just hasn't gotten around to fixing them. They already put a generic disclaimer at the top of alpha and beta release notes. That's enough. They don't need an additional disclaimer in the Known Issues section.
... View more
12-10-2021
08:02 AM
So if you have two WAN uplinks, you can connect a Meraki MG to one of the free LAN ports and it will function as a cellular backup?
... View more
12-09-2021
05:09 PM
Actually, this is likely not possible for the OP. Since Meraki has stopped certifying USB modems years ago, it's almost impossible to buy one that would work because all of the certified models are EOL. Updating the firmware to allow one of the RJ45 ports to be used as a cellular fail-over port would be a decent consolation for customers who buy MX devices believing USB cellular fail-over is still a realistic feature.
... View more
11-09-2021
01:16 PM
In the rules I have set up using this method, the next hop IP is (normally) pingable. So, that's not a problem. I haven't had a chance to try source-based routing because Meraki broke netflow in 15.x and didn't fix it until 16.x. From the documentation, it looks like source-based routing will handle some use cases nicely. The rule applies to an entire VLAN. So, if you want VOIP traffic to egress via a specific MX, it should work for that. But if you want all of your internal web site traffic to egress via a specific MX so that marketing can exclude it from the visitor stats, I don't think source-based routing will work because that traffic is going to be mixed with the traffic in the normal data VLAN.
... View more
09-27-2021
11:48 AM
@GiacomoS, If something sits in a queue for years, it's the same as being ignored. All of NordOps's suggestions are good and should be moved to the top of the list. https://community.meraki.com/t5/Security-SD-WAN/Google-com-incorrectly-Geolocated/m-p/129887/highlight/true#M32400 Many of us have requested #1 and #2 years ago. Years = deaf ears.
... View more
09-27-2021
08:42 AM
I use https://www.iplocation.net/ to compare. It shows the results from 5 different Geo IP databases. When MaxMind has been wrong, I've used the results from iplocation.net to support my case. For example, the two sites RickA @putt4show is having trouble with, http://ontargetrange.com/ (192.124.249.67) and https://officesolutions.com/log-in/ (192.124.249.110), are showing as Singapore in MaxMind, but iplocation.net is showing them in the United States in all 5 databases.
... View more
09-27-2021
08:25 AM
1 Kudo
I believe the vendor is MaxMind. Here is the lookup tool. https://www.maxmind.com/en/geoip2-precision-demo I've had good experiences getting MaxMind to correct incorrect locations versus trying to do it through Meraki Support. https://support.maxmind.com/geoip-data-correction-request/ Meraki support usually fights with me. MaxMind will just make the correction.
... View more
09-27-2021
08:20 AM
3 Kudos
I've sent this "wish" in multiple times over the last few years. It feels like "Make a Wish" just goes direct to /dev/null. 😞
... View more
09-01-2021
04:30 PM
I can purchase a Connected IO CM4NA in the USA. It won't work with the MX because Meraki doesn't support it. To me, this looks like this situation is the fault of Meraki. And they've added text to the compatibility page admitting as much: "New USB modem approvals are currently on hold until further notice. All ongoing evaluations for USB modems will be updated on this page as soon as completed. We recommend to upgrade to the integrated/MG models for cellular connectivity and reach out to your sales contact."
... View more
05-10-2021
03:02 PM
The team ordered a modem from one of the eBay links Meraki support provided. When it arrived, we noticed it was marked "engineering sample - not for resale". But when connected to the MX, it was recognized. So, we tried to activate service with Verizon and the sales rep could not do it. He got an error "ESN IS NOT E911/NETWORK COMPLIANT". Now this only happened because all of the Verizon modems on the Meraki compatibility list are EOL and can't be purchased new anywhere. I would have rather bought new from a reliable vendor. I keep having to tell myself that Meraki is a major brand owned by Cisco and that I didn't buy firewalls from some guy building them from open source software in his basement. It is an embarrassment that the product team is content with being equivalent to that.
... View more
04-07-2021
03:30 PM
It looks like Source Based Default Routing (SBDR) in the 15.4 firmware (which is stable release candidate now) may work for some use case scenarios. It looks like it supports routing all of a VLAN 's traffic across the VPN. If you have VOIP phones on their own VLAN and want to send all of the traffic through to a central gateway before hitting the internet, SBDR could work.
... View more
04-02-2021
01:43 PM
It's my general preference to prefer external modems. In theory, that makes it easier to upgrade the modem in the future. I have to operate as if the Meraki list is accurate. It sounds like you might be thinking the list is out-of-date and that true modem support is really much larger. But I don't have any confidence that is the situation. All the evidence I've seen leads me to believe that support is as poor as the list indicates. That the USB ID needs to match means there's more going on than just Meraki officially testing the equipment. It indicates there is special code that activates only when the applicable USB IDs are detected, and the real problem is likely lack of engineering resources to write the code for the newer devices.
... View more
04-02-2021
01:24 PM
Some of the devices I'm looking to add 4G failover to do have both Ethernet connections in use (same carrier for both circuits), and others don't. But I would like to set up cellular-specific rules and the MX has to know the circuit is cellular (e.g. be a supported USB modem) for that to be an option. I'm guessing you're using the Verizon 730L with older MX devices as the compatibility list indicates support was dropped for MX deviecs released after 2017.
... View more
04-02-2021
10:45 AM
I'm trying to set up cellular fail-over on the Meraki MX devices and I can't believe the ***tshow that this has become. Meraki's documentation is very clear - in order to use the cellular fail-over, a USB modem from the certified list must be used. https://documentation.meraki.com/MX/Cellular/3G%2F%2F4G_Cellular_Failover_with_USB_Modems My suppliers have told me that all of the certified modems are EOL. Skydus DS is one of the modems on the list and Inseego had this comment: "The Skyus DS platform is now EOL. ...the newer device is the Skyus DS2.... If connecting with a Meraki appliance, the DS2 will not work. Meraki has not / will not certify us on their platform any longer." I opened a support case with Meraki and got the response that "Engineering is already working on adding more devices to the list of compatible USB modems." Timeframe? - Nope. The support engineer, wanting to do something to help me, found some of the old modems on eBay. Points to the rep for wanting to help, but that Meraki engineering and product management let it get to this point is disgraceful.
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 4337 | 09-25-2020 03:15 PM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 3 | 2878 | |
| 3 | 8373 | |
| 3 | 14639 | |
| 2 | 257 | |
| 2 | 3552 |
