About PhilipDAth

PhilipDAth

I don't know the answer. I have a recollection you can create up to 128 VLAN interfaces (GUI restriction). The VLANs can range from 1 to 4094.

PhilipDAth

That is correct behaviour. Specifically the space after AF10 has an ASCII code of 32, while the character in the same spot - "0" - has an ASCII code of 48. Nothing to do with Meraki. This is simple, standard and correct sorting alphabetical behaviour.

PhilipDAth

A 404 often means the API key is wrong. It is likely not happy with that bit.

PhilipDAth

I'd turn them off just long enough to establish if it is related to the issue or not. If you turn them off and it keeps happening you know it has nothing to do with it.

PhilipDAth

It means a machine was discovered with a javascript crypto mining agent on it. You have a compromised machine.

PhilipDAth

Check the Security event log. Make sure IPS is not firing. Or try turning IPS/AMP off for 24 hours and see if the problem changes.

PhilipDAth

If you go "Organisation/Configuration Templates" it will tell you the number of bound networks. Subtract this number from 512 and you are done.

PhilipDAth

Is everything in the same VLAN (aka is there a single subnet)? What is doing DHCP? Any chance you have two devices doing DHCP (Windows server and MX) by accident? If the MX is doing DHCP it will need to give out the IP address of the Windows DC as the DNS server. It should also give out the domain name being used by AD.

PhilipDAth

I wont answer your questions directly as I see there is already quite a bit of feedback. Each MX needs to have a unique IP on at least one of its WAN interfaces You don't have to have both WAN interfaces of both MX connected. Connecting just WAN1 on the spare MX is sufficient. If you are not using "Virtual IP" (maybe you are only using the MX for AutoVPN mode) the two WAN interfaces don't even have to be connected to the same WAN circuit. They could be using completely different ISPs. But this config is not so common. When adding the warm spare you would "normally" configure the IP for its WAN interface via the local status page and not the dashboard. It is possible to do it via the dashboard but there are a lot more caveats.

PhilipDAth

> If you add a specific IP route on the HQ MX that points to the next hop on the internet link Good thought @cmr but you can not add a static route via a WAN interface - only a VLAN interface. However you are going in the correct direction. @MarkT this is not easy to do in Meraki land. What you basically have to do is have two MX at the HQ (or an MX and another firewall). One MX runs in VPN concentrator mode, and is what all your AutoVPN connections terminate on, and it sits behind the next MX/firewall. The other MX (or firewall) provides the actual connection to the Internet. Now we use @cmr 's idea. The VPN concentrator will allow the static route to now be added pointing to the other firewall (which is also its default route). You can then publish this static route into AutoVPN.

PhilipDAth

MAC addresses you add as clients don't show up until the client has connected, and then you have to display the list of clients for the time period the client would have been connected in. Within the scope of the question you have asked, @kYutobi has given an excellent answer. Basically create a layer 3 firewall rule blocking all traffic, and then create a group policy and attach it to each individual client that overrides the firewall rules allowing the traffic for that one client. HOWEVER, this is not a modern way of doing things. You should really consider using something like WPA2-Enterprise mode or at a minimum WPA2-PSK (with this last option being very simple to implement). You could also consider using the "Trusted Access" feature of Systems Manager (although this does require you to buy Systems Manager licences). This uses certificate based authentication - but frees you from having to manage the certificates. https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Trusted_Access_for_Secure_Wireless_Connectivity "Trusted Access" is still a little "green" at the moment. Apple support is good. Android and Windows 10 support is weak to poor - but give it maybe another 3 months and that should be sorted out.

PhilipDAth

This PDF contains the list of all compatible SFP/SFP+. https://meraki.cisco.com/lib/pdf/meraki_datasheet_sfp.pdf If you want 10Gbe SFP+ copper check out the TwinAx cables: MA-CBL-TA-1M MA-CBL-TA-3M If you just want plain Gigabit then: MA-SFP-1GB-TX

PhilipDAth

I'm not familiar with the Live Demo, but I would not be surprised if connections into the environment are limited. Did you know you can get free trial equipment? If you are not happy for the kit you just contact Meraki and they also pay for the shipping back. There are also a small number of webinars you can attend where Meraki will give you a free device (such as an AP) to keep. https://meraki.cisco.com/lp/free-demo

PhilipDAth

It is also possible that the Eve-NG software also allows you to limit where you can access it from.

PhilipDAth

I use a function like this: def get_org_id(meraki,orgName): result = meraki.organizations.get_organizations() for row in result: if row['name'] == orgName: return row['id'] raise ValueError('The organization name does not exist')

PhilipDAth

You can use a single NIC configured for 802.1q trunking. I haven't used Hyper-V in a long time, but basically you end up assigning the VMs to the VLANs. This would connect to a trunk port on the MX65. The other option is to use a NIC for each VLAN, which goes to access ports on the MX65 configured for the appropriate VLAN.

PhilipDAth

If they don't come back I would give the VMX a reboot.

PhilipDAth

A small number of carriers have started going with IPv6 as native transport. These often can not tunnel client VPN connections that use IPSec. Are you using the same carried for your fixed and mobile hot spot? If so, what is that carrier? Another possibility is that your carrier is filtering out traffic.

PhilipDAth

> Not seeing the option to update to 15.x You should be able to select it under Organization/Firmware Upgrades.

PhilipDAth

> So, how do I get around this ARP Issue you spoke of in a previous post? It was resolved in a firmware issue long ago. It should not have popped back up again. Another less likely possibility; I worked on an issue like this a couple of years ago and it turned out the ISP was getting low on IP address space and rotated their IP address pool too frequently. So when a new customer reset their router it got an IP address that another customer was already using - knocking that existing customer off. If the customer reset their router they got a new IP which got them back online - but knocking another customer offline. You could test this improbable case by plugging in some other brand of router, or even just leaving your notebook plugged directly into the ISP circuit for a prolonged period of time. If the issue keeps happening - it may be your ISP with the issue.

PhilipDAth

> Can anyone just use the api-mp? Yes.

PhilipDAth

This really smells like the old WAN ARP issue. If you aren't using 15.x, try jumping to that.

PhilipDAth

There is a new beta API service called "Mega Proxy" that does not use redirects. You can try it out using api-mp.meraki.com instead of api.meraki.com.

PhilipDAth

Are you using DHCP, PPPoE or a static IP for the ISP circuit?

PhilipDAth

This documents the firmware release process. https://documentation.meraki.com/zGeneral_Administration/Firmware_Upgrades/Meraki_Firmware_Release_Process In short it can not get promoted to stable until 10% to 20% of all the active deployed devices have been upgraded to it first.

PhilipDAth

Community Record

Badges