About PhilipDAth

PhilipDAth

It should be something more like: esponse = dashboard.mx_l3_firewall.updateNetworkL3FirewallRules(def_network,rules=payload)

PhilipDAth

If you need logs in detail you need to use something like syslog and either setup your own syslog server (the free ones on Ubuntu are great) or use a commercial syslog server. https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration

PhilipDAth

> Was not sure if Umbrella would help with the SSL that the MX does not handle? Umbrella can do this as long as you are prepared to load its root certificate into the trusted root CA store on every single one of your devices that will be using it.

PhilipDAth

Does the customer have an existing firewall they want to keep - or are they happy to replace it with the MX?

PhilipDAth

kwargs just means you use named parameters. For example, the updateNetworkDevice call (which also uses kwargs) might look like: dashboard.devices.updateNetworkDevice(netId,serial,lat=lat,lng=long)

PhilipDAth

Try going: Network-Wide/Clients/<click on the client>/ Click on "Show Details" under the pie chart on the far right hand side.

PhilipDAth

> Hi PhilipDAth, here is a diagram of how things are currently connected and how we are trying to set up the secondary path.. The two sites are not layer 2 adjacent, so that limits the options. You'll need to run both MX's active/active and use BGP between them and the network core at each site.

PhilipDAth

> Or should I make a wish and ask Meraki to add support for Machine Groups under NPS to add it as a condition to confirm any PC connecting via VPN is an authorized AD joined device? It is not an issue on the Meraki side. The Microsoft VPN client (L2TP over IPSec) uses PAP for authentication, and does not pass the name of the machine where the authentication is happening. You need Microsoft to change their client to send this information.

PhilipDAth

Yep, borked. MV firmware 4.2 produces this message. { ts: 1582602223666, counts: { '': 1 } } MV firmware 4.1 produces this message. { ts: 1582602599696, counts: { person: 1 } }

PhilipDAth

On MV firmware 4.1 on an MV12 I get people detection events via MQTT. On MV firmware 4.2 on an MV12 I get no people detection events via MQTT. The release notes do say: " Resolved an issue where too many snapshot API calls could cause camera instability" But the fix is that you don't get detection events to request a snapshot. 😀 Anyone else observed this?

PhilipDAth

GPUs are listed as a requirement as well ... https://documentation.meraki.com/MV/Advanced_Configuration/Hardware_Guidelines_for_MV_Video_Wall_Workstations#16_Video_Tile_Video_Wall_Requirements

PhilipDAth

> Also, I'll let the MV team comment on the GPU requirements, but remember that even if a camera's view on a video wall is <540 lines, it will automatically shift to adaptive bitrate streaming and only require 400Kbps, even if you have the camera set for 1080p or 4MP. I have tried using 12 camera video walls on a high spec i7 workstation with cameras configured for 1080p - and it was terrible. I've been using Nvidia P1000 GPUs, and they have been great (apart from Nvidia driver bugs - but touch wood, the latest driver released this month seems to have everything working nicely).

PhilipDAth

I have some questions about the new 4k cameras - mostly because I am spec'ing up some solutions and I would like them to work. Perhaps @Saralyn or @GeorgeB like like to add some info. Are the GPU requirements likely to be the same for the 4k cameras with video walls, or will I need to use a GPU twice as powerful (or some other multiplier) than I am used to using? The MV12 has a 4k picture element but outputs processed 1080p. Is people (and vehicle) detection performed on the raw (4k) or processed image (1080)? When using the snapshot API with the 4k cameras will I get a much higher quality image back than the 1080 cameras? I don't understand the maths. A 4k camera output seems to me like it should have 4 times as many pixel elements as a 1080 camera. How come the quality is only twice as good?

PhilipDAth

> APs have a static IP There is no requirement for this. I've never had an issue with iOS devices using WPA2-Enterprise mode.

PhilipDAth

17,000 ft^2 is about 1600 m^2. 24,500 ft^2 is about 2300 m^2. I like to have an AP for every 500 m^2 or so. So I would start looking around: 1600 / 500 = 3 APs 2300 / 500 = 5 APs So maybe budget for 20% more APs so you have something to fill in any problem coverage issues.

PhilipDAth

Lets say you have a DC. You plug WAN1 of each MX into the DC's Internet connection (this is usually an HA Internet connection). I normally get a cheap domestic Internet circuit via a different carrier, and plug the two WAN2 interfaces into that. Often you have a layer 3 switch. You plug the inside of each MX into that switch. You add L3 routes on the switch for the branches via the MX cluster.

PhilipDAth

You are correct.

PhilipDAth

> would that change things a bit for my risk profile and how to approach this It's hard to say for a product that is not released. We are expecting the AnyConnect support to be IKEv2 only (rather than TLS). More than likely it wont support AnyConnect's rich array of features. I would say you are going to end up using something like Duo.

PhilipDAth

> is just for the purpose of Meraki Cloud management? Yes, kind of.

PhilipDAth

This is the main reason I deploy hubs in NAT mode. It allows you to plug in dual circuits AND use SD-WAN. VPN concentrator mode makes this impossible. You would use the second hub in warm spare mode.

PhilipDAth

>S o can you help confirm that , we cannot do different netmask in template ? 100% correct.

PhilipDAth

> showing as "Connecting...." but doesn't connec Create a shortcut to rasphone.exe on the users desktop. It works everytime. > would rely on zero trus You have no choice but to go to MFA, such as Duo. You are on the right direction. Based on your risk profile, you should install Duo onto the actual workstations as well for "Windows Logon", so they need MFA to log into the computers. https://duo.com/docs/rdp > from @Nash and his excellent script. Her.

PhilipDAth

When you have ticked the "default route" option what you are saying is it must go via AutoVPN. You wont be able to achieve failover doing it that way. Perhaps you need to consider making the hub more redundant.

PhilipDAth

They all have to have the same subnet. What you have at the moment sounds like a nightmare. Perhaps you can re-IP each site as you cut them over?

PhilipDAth

With 200 branches you wont have any issues. This is the sizing guide. https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf

PhilipDAth

Community Record

Badges