Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About MarkiP
MarkiP
Getting noticed
Member since Jan 9, 2020
May 1 2021
Community Record
23
Posts
9
Kudos
2
Solutions
Badges
Jan 8 2021
5:11 AM
Keep learning and pass the CCNP Encor exam. Replace our old switches with Meraki kit. And hopefully get outside and see some of the world on the bike 🤞
... View more
Jan 5 2021
12:42 PM
3 Kudos
Scrap that, seems it was L7 firewall rules (geographic) that was blocking this.
... View more
Jan 5 2021
12:14 PM
Morning/evening all, Had a bit of a peculiar scenario today that I would appreciate any input on. Essentially one particular website has been failing to load today (worked fine yesterday). Page tries to load and eventually the browser times it out. Running a pcap on both the client (affects all users at the current site) and the LAN MX interface shows the same story, the TCP SYN request being sent, and a TCP Reset flagged packet received in response, this happens indefinitely. Am also unable to ping that IP which I can elsewhere, and when attempting to SSH get a connection timed out, rather than connection refused as I do elsewhere. Running a capture on the WAN interface however shows a different story, there are only outgoing packets with the SYN bit unset, and the Reset bit set, so in essence we are just sending TCP Reset packets and receive no response. Little bit baffled here, the website is accessible on the same IP from our other offices/home just fine so seems be to be a local issue only, have tried amending the traffic shaping to use a different uplink but no change. It seems that the MX is modifying the TCP SYN's to TCP RST's, but then where the replies are coming from I am not sure, as these do not appear on the WAN interface captures. Ran a capture on the site-to-site interfaces too but nothing. My only possible theory at the moment is that a while back I may have tried to setup a static route to that internet IP via the MX LAN IP when testing something. And whilst it doesn't show under the route table, it may be hanging around in the background somewhere playing havoc. Tried a reboot also but that made no difference. I will raise that with support in the morning, but would appreciate anyone's advice if they have ever come across anything similar before. Many thanks in advance, Mark
... View more
Dec 16 2020
2:58 AM
Just checked and this can also be done the same way if you have a Meraki router/firewall.
... View more
Dec 16 2020
2:56 AM
Hi, If you go to Wireless > Firewall and Traffic Shaping, under the section "Block applications and content categories" you can add a layer 7 firewall rule and specify hostnames to block etc. You can also specify by IP ranges if needed.
... View more
May 22 2020
8:07 AM
I would take the active time with a pinch of salt, have seen other people reporting this is not 100% accurate. An installed app on a mobile or even desktop will still continue to send traffic periodically despite the firewall blocking it.
... View more
May 22 2020
7:46 AM
Judging by the data usage it clearly isn't actually streaming video as you say, perhaps it could be traffic flows that are passing through the switch (DNS and TCP SYN's etc) which the Meraki switch recognises as Netflix, but are then blocked as they hit your firewall. The flows are still present with clients trying to reach Netflix, but are simply passing through the switch then getting terminated. Just my 2 cents on how I see it, someone may be able to confirm for definite.
... View more
May 20 2020
7:19 AM
Thanks for your reply. Would this be configured with a static route under Addressing & VLANs? And for a static route to a public IP range, does it matter which subnet Gateway IP it uses? Also, do you happen to know if traffic that matches those routes and is sent over the VPN from spoke to hub will still conform to the hub site traffic shaping rules, it must use Uplink 2 in our scenario.
... View more
May 20 2020
5:45 AM
Hi all, We have a branch site that is currently set up as a spoke with a default route to our hub main site, as that spoke site needs to send certain traffic to external/public IP addresses which are only accessible via a physical WAN connection at our hub site. Ideally however, we would like to have a split tunnel, whereby traffic to the hub subnets advertised over the Auto-VPN, as well as specific external IP address ranges are sent over the VPN, and all other traffic is sent out to the internet via the spoke site's own WAN link. The aim being to reduce load on the hub site and increase speed at the spoke site when accessing IP ranges that do not require the hub site's WAN connection, whereas currently it is either all or no traffic that can be sent over the VPN. We had resigned ourselves to this fact, however I stumbled across the following (https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/MR_Teleworker_VPN), and it seems that this functionality is available on the MR devices, whereby you can specify the IP ranges & ports to send over the tunnel, with other traffic exiting from the local WAN link. However, it doesn't seem this is possible on the MX/Z series devices? Could someone please confirm if this is the case or if there is any way to achieve what I state above? It does seem somewhat odd that this can be implemented on an access point, but not on a full security appliance. Many thanks, Mark
... View more
Mar 25 2020
3:53 AM
Does the event log (Network-wide > Event Log, filter by All Non-Meraki / Client VPN) throw any light on this?
... View more
Mar 25 2020
1:17 AM
What in particular are you trying to do? Flow preferences are available if you click "Add a preference". Your traffic shaping rules should be further down the page.
... View more
Feb 5 2020
4:06 AM
1 Kudo
Hi Allistair, Was this speed test done on a wireless client? If so, could be any number of issues such as distance from AP, interference etc. Re DHCP-if I understand you correctly, you would want to run DHCP from the MX, you can then manage DHCP (reservations, exclusions fixed assignments etc) from the dashboard. The MX may be NATing traffic also, so you would want to run DHCP from the MX for internal devices.
... View more
Feb 5 2020
2:37 AM
Hi all, Would be interested to know if it is possible to setup a vMX on AWS/Azure as an AutoVPN spoke site? Use case would be to allow all traffic from the virtual machines in AWS/Azure to route to one of our hub sites and then traffic shaping rules are then applied at the hub to route this traffic over selected WAN uplinks. Quick search suggests this probably isn't possible but would be grateful if someone could confirm this. Many thanks, Mark
... View more
Feb 4 2020
6:09 AM
Hi Rsahni, Can the devices print or transfer files between themselves or is there no connectivity whatsoever? I would check they have the correct default gateway also.
... View more
Feb 4 2020
5:54 AM
Having dealt with a similar issue this morning, my first thinking would be are the relevant ports on the correct VLAN(s)?
... View more
Jan 15 2020
7:19 AM
2 Kudos
If you go to SD-WAN & Traffic Shaping, then under Traffic Shaping Rules, click add a new shaping rule. From here you can add a definition, under "Video & Music" XfinityTV is already defined. You can then apply a bandwidth limit for this traffic (this will apply to all clients). I suspect this will be the simplest and easiest way of achieving this.
... View more
Jan 15 2020
3:53 AM
1 Kudo
As Brandon mentioned, I'm pretty sure it's the same thing. I assigned a fixed IP to a device from the Client list the other day and it does show in the list of fixed assignments under Security and SD-WAN > DHCP.
... View more
Jan 14 2020
12:08 AM
Hi Philip, I did take a look at the event logs and there was nothing relevant unfortunately. It appears to be sending the SIP packets over UDP. Thanks for the suggestions-I'll look into them and get onto the support team as well. Much appreciated.
... View more
Jan 13 2020
10:05 AM
Thanks for the response, the MX84 is currently on 14.40, up to date stable release. I shall look into raising a support case.
... View more
Jan 13 2020
7:32 AM
Hi, We are having an issue with some VoIP phones in one of our offices, they periodically fail to register, we can still ping them internally but cannot make calls etc. Forcing them onto a new IP reservation then rebooting fixes this. We have run DHCP from the router, server & set them IP's statically but seemingly makes no difference. On running a few packet captures from the MX84 on the LAN interface, I can see traffic between one of the non-functional phones and the external IP of the VoIP provider, including some outgoing only SIP packets-no responses coming back in. However, on the WAN side capture I cannot see these outgoing SIP packets (nor any incoming) for that internal IP address. On assigning a new IP and rebooting the phone and repeating the captures, SIP packets for that phone are showing on both the WAN and LAN interfaces as expected and the phone works. The phone provider suspects a NAT issue, we have no 1:1 or 1:Many NAT mappings set up. It seems as if the outgoing SIP packets are reaching the router and not being forwarded out over the internet, however the phone can successfully make TCP connections. Also this issue is only periodic, and affects all phones which have to be manually assigned a new IP to get them working again. Leaving me a bit baffled as to what is causing this and why the SIP packets are not exiting the router (or at least why I cannot see them). Any help would be much appreciated on this. Many thanks, Mark
... View more
Jan 9 2020
3:27 AM
My New Year's Network Resolutions are to pass the Network+ exam, get started on the CCNA, as well as getting involved in the helpful community here 🙂
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 2784 | Jan 5 2021 12:42 PM | |
| 3646 | Jan 15 2020 7:19 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 3 | 2784 | |
| 2 | 3646 | |
| 1 | 3668 | |
| 1 | 23083 |
© 2024 Cisco Systems, Inc.
