About PhilipDAth

BS

Thanks Philip. That's a great suggestion. I will go through that link.

PhilipDAth

According to the specs those antennas (in the 2.4Ghz band) throw out a lot of signal "left and right" (blue line) but not much directly down. So most of your RF energy is probably being lost providing coverage in the roof in itself. Note the special install instructions for these antenna that say they must be mounted with the cables towards the ground ("Install the antenna vertically and mount it with the cables pointing towards the ground"). https://www.cisco.com/c/en/us/td/docs/wireless/antenna/installation/guide/ant2544v4m-r.html This is not the correct antenna for you - but contrast this with a sector antenna, and you can see how you can direct most of your RF signal down to the ground. This example is a 2.4Ghz antenna with 11dBi of gain. https://meraki.cisco.com/products/wireless/antennas-power#sector-antenna-11 Is there any way you could put them on poles attached to the roof to lower them? Having antennas 30ft to 60ft above wear the coverage is required burns a lot of the RF signal strength up straight away. Would it be possible to mount some of the antennas to a wall rather than the roof to lower their height? Note with those antennas you would need to keep their current orientation so you would need some kind of bracket to mount them at a right angle to a wall. If the antennas could be kept at the same height you would think the proposed layout would be an improvement. If the height is increased though (such as an 'A' frame roof) then things could be worse. I think I would be tempted to splash out and get a predictive site survey done. If you do, make sure whoever is doing it loads in the heights of everything. The heights will make a big difference to the results in this case.

FloForster

Do you use the agent and MDM integration?

PhilipDAth

There isn't really a user group policy. It is only ever applied to a device. A user logs into device "x" and the group policy gets applied to that device. So the admin would take priority because it would replace any other group policy that was previsouly applied to that device.

Cloggs

Thanks all for your input, I ended up using separate switches for DMZ and LAN, all working nicely.

PhilipDAth

What is SSP?

PhilipDAth

Lets assume we are only talking about IPv4. You can block ARP spoofing. Snooping is a different matter. ARP queries are sent as a broadcast. They go out every port in the VLAN that the host belongs to. This is fundamental to ARP and there is no way to stop this. So if you sit their with a packet sniffer you'll evenually capture enough ARP traffic to build up a list of (MAC,IP Address) combinations. If you *really* want to stop ARP snooping put every port into its own seperate VLAN and use /30 stubs.

jdsilva

And just in case anyone else needs to do this, here's what I did. http://blog.brokennetwork.ca/2019/05/lets-encrypt-for-meraki-webhooks-and.html

PhilipDAth

That is exactly right. I would describe Azure MFA as only "just" capable of such configurations. The debugging is poor to non-existant. There are few configurable options. But it does work.

JeffV2

Hello, My name is Jeff Vigil. I am an Network Admin with the state of NM. I have experience with the Meraki line if Cisco equipment including WAPs and Firewalls. I love the outdoors and I love to fish in the streams and lakes here in NM.

kYutobi

@PhilipDAth 🎉Congratulations!!🎉

cwal21

Welp, the good news is the VPN started magically working again which i believe was after a pending Windows Update finally going through and installed. Bad news, i'm not sure what exactly solved the issue besides that update (You know good ol' Microsoft). I did not try running the Network Reset utility in Win10, I wish I had to see if that may have resolved it, but was afraid to touch deep network settings as I was working remotely with the client a few states away and would have had trouble walking them through getting back online if the solution failed or didn't bring the system back online after the reset. I did give the uninstall-reinstall WAN Mini adapters option a try and it did not work. Thanks again for all of the assistance @Nash. Hopefully Meraki will eventually come out with a dedicated client similar to AnyConnect to help alleviate these Microsoft provided headaches!

NolanHerring

@Philip1 wrote: @NolanHerring Not OP, but that's the behavior I've found in my environment. After enabling mesh the "wrong PSK" bevavior on my MR33 went away. PSK on MR32 worked, on MR33 didn't work while mesh was disabled. Thanks for the feedback @Philip1 That's not good lol. Did you open a support case for that? I've disabled MESHING (for testing) with MR33 and did not run into any issue with being able to connect with the same WPA2-PSK network I had before disabling.

HodyCrouch

You're correct that Meraki needs at least three access points to triangulate client location. You will get more reliable location data within the area defined by your set of access points (technically, within the two-dimensional convex hull defined by your access points). Outside of that area, Meraki tries to determine a location, but the results aren't as good as you'll see inside the area. If you want really good location data, you should think about every possible position on your property. At each point, consider four directional quadrants. You want an access point in 3 out of those 4 quadrants within a range of about 3m to 25m (not the exact numbers, just from memory). You won't get a perfect layout, but this is a way to approximate the quality of your plan from a location accuracy perspective.

RaphaelL

Well that is my issue , the teleworker wasn't home , the only device that was plugged is a Cisco phone 7945. No unsual traffic was detected and it is not a ISP issue in that case. After the reboot it's back to 20ms and probably that this weekend it will climb back to 1000ms and I will have to reboot it. We have a few ( 5-10 on 2000 ) that have this behavior. Really weird. Support didn't find anything unusual on the MX.

kYutobi

@PhilipDAth Congrats. YOU DA MAN!!!

Fakrul

Well it is very random. Drops are very frequent; more than 8-10 times a day. Loose connection between sites. Don't have to do anything. Tunnel comes up again automatically.

Uberseehandel

@federicogalarza wrote: I would like to know what are the best practices which you usually implement in the Meraki world. Thanks! Federico The general rules I adhere to are: Tag all VLANs Set up a Management VLAN Set up an Isolated Guest VLAN (and SSID) Do not use the native LAN Create a faux VLAN for those cases where the configuration GUI requires a VLAN ID (make sure it goes nowhere) Explicitly declare the VLANs a given switch port should pass, avoid the all option on uplinks Make the firewall proscriptive rather than permissive. There are some exceptions for certain network architectures, even so, they are usually very limited in scope. For example, at the moment we have a Meraki network within a third party network. The MX running the Meraki network has its WAN port on a native LAN that is connected to the LAN port of the external facing security appliance which uses PPPoE on its WAN uplink. This enables the dynamic external IP address supplied by the ISP to be passed to the MX and even to the Z3C connected to the MX. It is simpler to set up than it is to write about it.

KMNEP

hi @Coen Appreciate your hard work. But this method is only applicable for browsing. It doesn't block Facebook and Messenger App in mobile phones.

ww

https://meraki.cisco.com/lib/pdf/meraki_datasheet_sfp.pdf

MarcP

@SCC wrote: When it comes to SOPHOS Firewall Rules if i will allow any/any from the Security Camera VLAN. Will that not work ? this will work... Or as Philip said, you can configure the following: Dashboard (top right) -> Help -> Firewall Info Source IP Destination IP Ports Protocol Direction Description Devices using this rule Your network(s) 64.62.142.12/32, 108.161.147.0/24, 199.231.78.0/24, 209.206.48.0/20 7351, 9350 UDP outbound Meraki cloud communication, VPN registry Access points, Cameras, MX Security Appliance, Phones, Switches Your network(s) 64.62.142.2/32, 108.161.147.0/24, 199.231.78.0/24, 209.206.48.0/20 80, 443, 7734, 7752 TCP outbound Backup configuration downloads, Backup firmware downloads, Splash pages, Backup Meraki cloud communication, Throughput tests live tool Access points, Cameras, MX Security Appliance, Phones, Switches Your network(s) Any 123 UDP outbound NTP time synchronization Access points, Cameras, MX Security Appliance, Switches Your network(s) 8.8.8.8/32 53 UDP outbound Uplink connection monitor MX Security Appliance Your network(s) 10.1.220.81/32 1812 UDP inbound 802.1X with customer-hosted RADIUS Access points Your network(s) 8.8.8.8/32, 209.206.48.0/20 ICMP outbound Uplink connection monitor MX Security Appliance

Oskar

To my knowledge for MV lineup and accessories CoO is Taiwan. Easiest is to call a partner/disti. Self service solution is to check Cisco tools. https://community.meraki.com/t5/Dashboard-Administration/How-to-find-the-Country-of-Origin/td-p/25063

PhilipDAth

Which regard to GPS - no. This is completely up to the device. You can ask a device to refresh its location though from the Meraki dashboard.

AjBets

I am also having this same issue. We block very little and yet all email services work with the exception of BT Yahoo.

NABLAyass

Did you find a solution to the issue? I have the same situation, only the Windows computers have disconnections, weak WiFi signal, and show the yellow triangle with the exclamation point. Our Chromebooks and Macs work fine. I have AP MR34 with firmware 25.13. Justin, Meraki Supervisor, mentioned that they are not aware of this issue. Did you have a case number I can provide as a reference to Meraki?

PhilipDAth

Community Record

Badges