Like many companies, Cisco uses cookies and other technologies, some of which are essential to make our website work. Others help us improve services and the user experience or to advertise. In using our site, you consent to the use of these cookies and other technologies. Learn more about cookies and other technologies we use.
- About PhilipDAth
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Community Record
3801
Posts
1661
Kudos
254
Solutions
Badges
3 hours ago
1 Kudo
I probably need more context to answer this properly. Lets assume you are deploying your application over https. So it's encrypted. The MX will not be able to see anything inside of those encrypted streams. It still provides benefits in that it can block access from "bad" IP address ranges. Lets assume you are terminating the SSL session on the WAF (aka SSL offload) and then forwarding it onto a web server behind it (unencrypted). In this case the WAF can see the full unencrypted stream, and can look for threats inside of those packets, such as SQL injection attacks. In this case, a WAF woud provide a significant improvement on the security posture on the web app being delivered. If it was me, and I had the choice, I would not be putting a web server on premise. I would put it somewhere like Amazon AWS. In environments like Amazon AWS all the common tools like this are available. And it is usually cheaper than doing it in-house. https://aws.amazon.com/waf/
... View more
6 hours ago
This might be too hard to do; but if you swap a problem AP with a non-problem AP - does the issue follow the AP or stay with the port where it was plugged in? Has your part of the world experienced any lightening storms recently?
... View more
6 hours ago
I haven't seen tutorials like this on the Cisco Meraki side. You would probably have better luck on a developer site. The Meraki side should be generic. It is just delivering a settins payload. Maybe @HodyCrouch might have some more insight.
... View more
6 hours ago
There is also the old IT adage; have you tried physically powering down one of the problem APs and then restoring power?
... View more
6 hours ago
I don't recall any MR52's that I look after, but I have not had that issue with any other MRs. Having said that, I'm not sure I would notice the odd AP rebooting, especially if they only do it one at a time. Not with MR's - but I have seen Meraki devices in the past (rarely) get into a slow infinte reboot loop because the cloud thinks there software upgrade failed, and keeps repeating it. The dashboard reports the software version the device is meant to be running, not the software version it actually is running, so only support can diagnose this one. So perhaps you could ask support to verify the actual code version running on the AP, as opposed to what the dashboard is reporting.
... View more
6 hours ago
You can't remove an auto tag. It is probably easiest to create a new tag, say "ProfileA". Assign it to all the current devices, and ten change your profile to apply to this rather than the AutoTag. Another option is to create another Systems Manager network, and move the one device into it.
... View more
yesterday
> We are using Meraki APs in conjunction with Windows Server 2012R2 as the RADIUS server I've used this combination extensively, and not had issues. Typically in the setup's I have done the AP's RADIUS traffic does not have to pass through a firewall to get to NPS, or at most, only pass through a VPN.
... View more
yesterday
2 Kudos
At 20,000 clients I would be trying to use a RADIUS based solution, as it wont require any API calls. Me personally; I would spin up an Ubuntu instance in Amazon AWS on a t3.micro instance. I would probably start with writing a script in Python. And then I would use cron to schedule it to run hourly. Likely running cost - $5 per month. Python is "trendy" so their are lots of example scripts. It is not that fast though. You can easily have a play on your workstation though. You just need to install Pyhton, and then do some of the learning courses at: https://create.meraki.io/learn/
... View more
yesterday
Well, if you have 1,000 clients it would take 200 seconds at 5 calls per second. I guess it depends on what you mean by "scale". If you ran the script once an hour if should be able to deal with 1,000 clients easily. This was just a general concept that will work with all WiFi configurations. If you are using RADIUS you would potentially just collect the RADIUS accounting records, and then send a RADIUS COA (change of authorizaton) when a trigger was reached and apply a group policy. The RADIUS method would scale hugely. https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)_on_MR_Access_Points
... View more
yesterday
1 Kudo
If you apply the firewall rules to an SSID it only affects WiFi clients attaching to the SSID. If you apply it to the VLAN that it affects WiFi clients going through that VLAN as well as wired clients using that VLAN.
... View more
yesterday
The cellular failover firewall rules only apply to USB based cellular modems (or the built in cellular modems). They don't apply to cellular modems that connect via Ethernet.
... View more
yesterday
1 Kudo
I would open a case with Meraki support. It sounds like those MR33's are sick.
... View more
yesterday
Do both MX appliances have a public IP address directly on their outside interfaces?
... View more
yesterday
Just to add to the answers already given; I tend to use the MX sizing guide. https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf
... View more
yesterday
> When I connect the cable coming from the router to my Mac and create a new virtual vlan interface with tag 1 and the same ip/mask/gateway/dns as the switch, it connects just fine. If you have to create a VLAN interface on your MAC with a tag of 1 - and it works - then it suggests that your Mac is tagging those packets. The pfSense box is configured to have VLAN1 as being native - so that should not be working. With a native vlan of 1 on the pfSense box, you should be able to just plug your Mac in just access it, without creating any VLAN interface. I would get pfSense to the point where you can just plug in the mac (without a VLAN configuration) and get it working. Once that works, the MS will alsmost certainly work.
... View more
yesterday
> Event log shows "msg: phase1 negotiation failed due to time up." There will be a mis-match in your phase 1 settings. The first thing I would check is the PSK. Have a mis-configured PSK will cause this. Next check the crypto settings, and the lifetime being used, and make sure they all match.
... View more
yesterday
If your sites have static IP addresses, you can use the Amazon VPC VPN Gateway service. https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html
... View more
yesterday
1 Kudo
@jcgvt you can test by trying to download the EICAR test virus. Accessing this URL should fail if you have it set up correctly. http://secure.eicar.org/eicar.com.txt
... View more
yesterday
1 Kudo
You could write a script and schedule it to run regularly. From the API you could query the usage of current clients: https://dashboard.meraki.com/api_docs#return-the-clients-daily-usage-history And then change the policy assigned to that client. https://dashboard.meraki.com/api_docs#update-the-policy-assigned-to-a-client-on-the-network
... View more
Wednesday
You could probably apply a tag to the first VPN, so it only works on devices with that tag - but don't put the tag on your MX. Then it should do nothing.
... View more
Kudos from
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 23 | 3 hours ago | |
| 57 | Monday | |
| 68 | a week ago | |
| 96 | a week ago | |
| 92 | a week ago | |
| 87 | a week ago | |
| 119 | 2 weeks ago | |
| 85 | 2 weeks ago | |
| 142 | 2 weeks ago | |
| 117 | 2 weeks ago |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 42 | 17437 | |
| 23 | 2394 | |
| 21 | 7626 | |
| 19 | 13231 | |
| 14 | 3231 |
