The Meraki Community
Brian_Scheele

Here to help

Member since Jan 24, 2020
Kudos given to (user: count)
  • Crocker: 1
  • BrandonS: 1
  • ww (Kind of a big deal): 1
  • PhilipDAth (Kind of a big deal): 2
  • KarstenI (Kind of a big deal): 1

Community Record: 11 Posts, 0 Kudos, 0 Solutions

Badges: First 5 Posts, Lift-Off
Latest Contributions by Brian_Scheele

Re: 403 Forbidden with Update Network Appliance Firewall L3 Firewall Rules

by Brian_Scheele in Developers & APIs
2 weeks ago

I tried going the Curl route, too. But I was running from a 2012 server, and curl is an alias for Invoke-WebRequest, and not curl.exe, so the Curl example with the -L parameter could not be used in my testing. Windows 10 and later you can install WSL and have Curl.exe.

Re: 403 Forbidden with Update Network Appliance Firewall L3 Firewall Rules

by Brian_Scheele in Developers & APIs
2 weeks ago

It turns out that I was using a wrong API key that at least had read-only access. My script pulls the key from an encrypted file that is dependent on the currently logged on user. Somehow the secured file with the associated Windows user had the wrong API key. So, I regenerated the key and recreated the encrypted file, and magically all is well again.

Re: 403 Forbidden with Update Network Appliance Firewall L3 Firewall Rules

by Brian_Scheele in Developers & APIs
2 weeks ago

I tried switching to my node as you suggested, and tried a different test network as a destination. In either case, it did not work. My API key is at least letting me read data. I'll try regenerating the key, or maybe even try a different admin account's API key to see if that makes any difference. I do have a hunch that something has changed with the PUT as the data structure coming out of GET has changed.

403 Forbidden with Update Network Appliance Firewall L3 Firewall Rules

by Brian_Scheele in Developers & APIs
2 weeks ago

I have a script that I have always used to copy the L3 firewall rules from one network to another. This has worked until recently, and the only change I can see is that Security & SD-WAN > Firewall had a bit of an overhaul. I am wondering if this broke the API, or if I just need to change something. I did have to refine how I get the rules a bit as the output changed from getting the rules from a source network.

This is a PowerShell script, however using the Curl template as an example I am using Invoke-RestMethod to PUT the data into Meraki. Recently, this started throwing (403) Forbidden.

What is actually happening with the above code:

#PowerShell:
$header = @{
    "X-Cisco-Meraki-API-Key" = $secured_api_key
    "Content-Type"           = 'application/json'
}
#I have also tried adding "Accept" = 'application/json' to the above $header
$body = @{ rules = $FirewallRules } | ConvertTo-Json
$uri = "https://api.meraki.com/api/v1/networks/L_123456789012345678/appliance/firewall/l3FirewallRules"
$request = Invoke-RestMethod -Method Put -Uri $uri -Headers $header -Body $body
return $request

#This is what is stored in the $body variable from above, with IP addresses modified for use as an example. The format still matches what is in the examples in the Developer Hub.
{
  "rules": [
    {
      "comment": "Deny Guest to Internal VLANS",
      "policy": "deny",
      "protocol": "any",
      "srcPort": "Any",
      "srcCidr": "172.24.25.0/24",
      "destPort": "Any",
      "destCidr": "172.24.24.0/25,172.24.24.128/26,172.24.26.0/23,172.24.25.0/24,172.24.30.0/24,172.24.28.0/23,172.24.24.192/26",
      "syslogEnabled": false
    },
    {
      "comment": "Deny Outside to Internal VLANS except itself",
      "policy": "deny",
      "protocol": "any",
      "srcPort": "Any",
      "srcCidr": "172.24.24.192/26",
      "destPort": "Any",
      "destCidr": "172.24.24.0/25,172.24.24.128/26,172.24.26.0/23,172.24.25.0/24,172.24.30.0/24,172.24.28.0/23",
      "syslogEnabled": false
    }
  ]
}

The account used with the API has full access.

I am wondering if the format of $body needs to change to accommodate changes made to the dashboard, considering that Inbound and Cellular rules have been added. I am sort of at a loss as to what to do to fix this. I am sure I can switch to using CURL from within PowerShell if anyone who wants to take a stab at it has trouble with PowerShell programming and the Invoke-RestMethod way I was doing it. I got really deep in the weeds programming that way before realizing I could have used curl commands all along in PS (and at the time I was new with API programming).
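As an added example that is not the poster's script (nor Meraki's own sample code), here is the same copy done from Windows PowerShell 5.1 so that the two failure modes in this thread are visible before the PUT: the key loaded from the DPAPI-protected file is fingerprinted (never printed), so a log line tells you which key actually got loaded, and the API's own error body is surfaced when a 403 or 400 comes back instead of just the status code. The network IDs, the key-file path and the sample output are assumptions. It also assumes the GET response ends with the API's trailing "Default rule" entry, which is filtered out because the PUT body must not include it, and it passes through only the documented rule fields so that any extra fields the GET now returns are not echoed back.

```powershell
# Added example (not the poster's script): copy L3 firewall rules between two
# MX networks, reading the API key from a DPAPI-protected file and logging a
# fingerprint of the loaded key before anything is written.
# Assumed placeholders: the two network IDs and the key-file path.

$ErrorActionPreference = 'Stop'
$BaseUri    = 'https://api.meraki.com/api/v1'
$SrcNetwork = 'L_123456789012345678'   # assumed source network ID
$DstNetwork = 'L_876543210987654321'   # assumed destination network ID
$KeyFile    = "$env:USERPROFILE\meraki-api-key.xml"

# One-time setup, run as the same Windows user that will run the script:
#   Read-Host -AsSecureString 'Meraki API key' | Export-Clixml $KeyFile
# Export-Clixml protects the SecureString with DPAPI, so only this user on this
# machine can decrypt it; a file saved under another account holds its own key.

function Get-ApiKey {
    param([string]$Path)
    $secure = Import-Clixml -Path $Path
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Short SHA-256 fingerprint: lets a log line say which key was used without
# printing the key. Compare it with the fingerprint of the key you generated
# in Dashboard (computed the same way) when a call is unexpectedly read-only.
function Get-KeyFingerprint {
    param([string]$Key)
    $sha = [Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Key))
        ([BitConverter]::ToString($hash) -replace '-', '').Substring(0, 12).ToLower()
    } finally { $sha.Dispose() }
}

# Only the fields the PUT accepts; anything extra the GET starts returning is
# dropped here instead of being echoed back in the body.
function ConvertTo-PutRule {
    param($Rule)
    [ordered]@{
        comment       = $Rule.comment
        policy        = $Rule.policy
        protocol      = $Rule.protocol
        srcPort       = $Rule.srcPort
        srcCidr       = $Rule.srcCidr
        destPort      = $Rule.destPort
        destCidr      = $Rule.destCidr
        syslogEnabled = [bool]$Rule.syslogEnabled
    }
}

$apiKey = Get-ApiKey -Path $KeyFile
Write-Host "Using API key with fingerprint $(Get-KeyFingerprint $apiKey)"

$headers = @{
    'X-Cisco-Meraki-API-Key' = $apiKey
    'Accept'                 = 'application/json'
}

try {
    # GET returns the configured rules plus the trailing default rule (assumed
    # comment "Default rule"), which must not be sent back in the PUT.
    $src   = Invoke-RestMethod -Method Get -Headers $headers `
                 -Uri "$BaseUri/networks/$SrcNetwork/appliance/firewall/l3FirewallRules"
    $rules = @($src.rules | Where-Object { $_.comment -ne 'Default rule' } |
               ForEach-Object { ConvertTo-PutRule $_ })

    $body   = @{ rules = $rules } | ConvertTo-Json -Depth 5
    $result = Invoke-RestMethod -Method Put -Headers $headers -ContentType 'application/json' `
                  -Uri "$BaseUri/networks/$DstNetwork/appliance/firewall/l3FirewallRules" -Body $body
    Write-Host "Wrote $($rules.Count) rule(s) to $DstNetwork"
    $result.rules | Format-Table comment, policy, srcCidr, destCidr
}
catch {
    # A 403/400 from the API carries a JSON body with the reason; show it
    # instead of only the status line.
    $status = $_.Exception.Response.StatusCode.value__
    Write-Error "Meraki API call failed (HTTP $status): $($_.ErrorDetails.Message)"
}
```

The fingerprint line is the check for the root cause found later in this thread: if the file was written while logged on as a different user, or with a key that has since been rotated, the fingerprint will not match the one you expect and you know before the PUT that the wrong key is in play. On the curl point raised above, in Windows PowerShell 5.1 `curl` is an alias for Invoke-WebRequest, so the real binary has to be invoked as `curl.exe`; PowerShell 7 removed that alias.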

Re: Why is the signal strength in the Air Marshal expressed in positive val...

by Brian_Scheele in Wireless LAN
11-03-2021 12:44 PM

That now makes perfect sense - SNR. Thanks!

Why is the signal strength in the Air Marshal expressed in positive values?

by Brian_Scheele in Wireless LAN
11-03-2021 09:55 AM

When I look at "Other SSIDs" in the Air Marshal, all signal strengths are reported as positive values - probably because the unit of measure is dB, and not dBm. So, it is a ratio. A ratio to what? Why would I see 33 dB when I turn on the hotspot on my cell phone, and see -67dBm when reported by my UniFi dashboard?

I was asking on another forum about a neighbor who was showing up with 50+ devices at >90dB signal strength, hosing my own WiFi, and they insisted that it should be a non-issue because that is essentially zero. But, -90dBm would be essentially nothing - not positive 93dB as I see in the dashboard.

Labels: Interference

Re: Policy Objects - Are they global or per-network?

by Brian_Scheele in Security / SD-WAN
06-14-2021 05:14 AM

@cmr wrote:
@Brian_Scheele they are org wide, there is only Organization - Policy Objects. I think the use is more aimed at say access to central servers where multiple networks are traffic to servers x,y and z is allowed, with policy objects you can define the server group once and re-use. Are you managing multiple ASAs on different sites through one console?

Yes and No. I use ASDM, which just has multiple saved connections to multiple ASAs, or SSH, but never to more than one ASA at a time, and there is no central repository of objects. If they have/had a central object repository, it would make life nice, sort of like what Meraki is doing with Policy Objects. It seems like they missed an opportunity here, but it is still helpful.

From what everyone has responded, it seems like I can make it work, but I would just need to be careful not to accidentally give some random vendor, service, etc. access to multiple sites. If Users can talk to Printers in one network, then it is quite likely they can talk to printers in any network, and a group object of Printers covering multiple sites is fine. If a vendor needs access to something in Management, then I get more granular, not just grant access to Management itself, but instead to the exact resources needed.

The more I think of it, this is probably a good way to go the way it is designed. Create my objects, assign them to groups, apply rules, policies, etc. - whatever Meraki has enabled so far - to those groups. Not much different than with an ASA...

Re: Policy Objects - Are they global or per-network?

by Brian_Scheele in Security / SD-WAN
06-11-2021 12:24 PM

Correct, but what I want to know is if I create an object and assign it an IP address or range specific to one network, and want to re-use that name in another network, I cannot use a different IP address or range? The Meraki examples that explain how all this works shows an object name, Support, which is 192.168.1.0/24. Suppose we have support in two buildings with a site-to-site VPN, and the second building also has Support, but with a different subnet. Does that mean if I want to use an object called Support for that other network, I would have to call it Support 2?

I have never managed any ASA firewalls and had an object whose name could not be assigned a different IP address on another ASA. Why would I want my object names to be unique organization-wide? For 50 sites, this will turn into Wireless01, Wireless02, ... WirelessN, and repeat it for every other object I want to create with unique IPs or subnets.

I have not yet flipped the switch on this due to internal policy with betas in a production environment, so I don't have a way to navigate and test. It seems like there should be both Network > Policy Objects and Organization > Policy Objects, and when applying objects to rules, some sort of notation could be displayed so an admin can differentiate them.

Policy Objects - Are they global or per-network?

by Brian_Scheele in Security / SD-WAN
06-11-2021 11:52 AM

I am interested in turning on Policy Objects, but I am wondering if it is even worth it yet for how we are managing our networks. Below is a simple set of firewall rules from a template covering 350 sites. I have another 50 sites that just cannot be part of a template, and I have to use a more lengthy set of rules, all with CIDR notation. I would love to just plug in my VLAN names and other objects using defined names instead. VLAN names, like Management, Users, Wireless, Guests, etc. are going to be the same names at every site, but different IP ranges per network.

Can I have a policy object named "Management" that for Network A that covers 10.0.0.0/24, then another one called "Management" for Network B that covers 10.0.1.0/24, etc.? Or would I be stuck with "Network A Management" and "Network B Management" when I start creating these? I would love to just use the API to dump in firewall settings and not have to manipulate the data before it is uploaded.
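As an added example (not the poster's script and not Meraki's code), this is the other way to keep a single rule set written in VLAN names when the names repeat at every site but the subnets differ: resolve the names against each network's own VLAN table, in the shape returned by GET /networks/{networkId}/appliance/vlans, immediately before the PUT. The VLAN tables and the rule template below are constructed sample data and the network IDs are placeholders. The resolver throws on any name it cannot find, so a typo in a rule never degrades into an "Any" rule.

```powershell
# Added example (not the poster's script): render one name-based rule template
# into per-network CIDR rules from each network's own VLAN list, failing closed
# on a name that does not resolve. All data below is constructed.

$ErrorActionPreference = 'Stop'

# Shape of GET /networks/{networkId}/appliance/vlans (only name and subnet are used).
# Constructed sample: two sites, same VLAN names, different subnets.
$VlansByNetwork = @{
    'L_1001' = @(
        @{ name = 'Management'; subnet = '10.0.0.0/24' },
        @{ name = 'Users';      subnet = '10.0.1.0/24' },
        @{ name = 'Guests';     subnet = '10.0.2.0/24' }
    )
    'L_1002' = @(
        @{ name = 'Management'; subnet = '10.1.0.0/24' },
        @{ name = 'Users';      subnet = '10.1.1.0/24' },
        @{ name = 'Guests';     subnet = '10.1.2.0/24' }
    )
}

# One template, written once, in VLAN names. A literal CIDR or 'Any' passes through.
$RuleTemplate = @(
    @{ comment = 'Deny Guests to Management'; policy = 'deny';  protocol = 'any'
       srcPort = 'Any'; srcCidr = 'Guests'; destPort = 'Any'; destCidr = 'Management,Users'; syslogEnabled = $true },
    @{ comment = 'Allow Users to Management'; policy = 'allow'; protocol = 'tcp'
       srcPort = 'Any'; srcCidr = 'Users';  destPort = '443';  destCidr = 'Management';       syslogEnabled = $false }
)

function Resolve-CidrList {
    param([string]$Names, [hashtable]$Subnets)
    $resolved = foreach ($n in $Names -split ',') {
        $n = $n.Trim()
        if ($n -eq 'Any') { 'Any'; continue }
        if ($n -match '^\d+\.\d+\.\d+\.\d+/\d+$') { $n; continue }   # already a CIDR
        if (-not $Subnets.ContainsKey($n)) {
            # Fail closed: an unknown name must never silently widen the rule.
            throw "No VLAN named '$n' in this network"
        }
        $Subnets[$n]
    }
    $resolved -join ','
}

function Resolve-RuleTemplate {
    param([string]$NetworkId, [array]$Template, [array]$Vlans)
    $subnets = @{}
    foreach ($v in $Vlans) { $subnets[$v.name] = $v.subnet }
    foreach ($r in $Template) {
        [ordered]@{
            comment       = $r.comment
            policy        = $r.policy
            protocol      = $r.protocol
            srcPort       = $r.srcPort
            srcCidr       = Resolve-CidrList $r.srcCidr  $subnets
            destPort      = $r.destPort
            destCidr      = Resolve-CidrList $r.destCidr $subnets
            syslogEnabled = [bool]$r.syslogEnabled
        }
    }
}

foreach ($net in $VlansByNetwork.Keys | Sort-Object) {
    $rules = @(Resolve-RuleTemplate -NetworkId $net -Template $RuleTemplate -Vlans $VlansByNetwork[$net])
    # This JSON is the body for PUT .../networks/$net/appliance/firewall/l3FirewallRules
    "== $net"
    @{ rules = $rules } | ConvertTo-Json -Depth 5
}
```

In a live run the constructed $VlansByNetwork table would be replaced by one GET per network, and the emitted JSON is exactly the body the L3 rules PUT expects, so the template stays readable while each site still receives its own subnets. The throw matters more than it looks: a rule whose source or destination silently fell back to a wildcard would be a permit-everything rule pushed to 50 sites at once.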

Re: Combining an appliance/wireless template with a switch-only template

by Brian_Scheele in Dashboard & Administration
01-28-2020 06:03 AM

Thanks for that info. I was suspecting some sort of bug during testing. If not a bug, it would be nice if I could see that a network does not have all elements of its template applied. When I received the "A bound combined network may only contain bound networks" error in testing when I tried adding a switch, I figured that some sort of flag was not being set on networks already on the template when the template was modified.

Combining an appliance/wireless template with a switch-only template

by Brian_Scheele in Dashboard & Administration
01-24-2020 02:05 PM

I have an appliance/wireless template with a lot of networks on it, but none of these required a switch until now. I cannot add a switch unless the template allows it, so I have to manipulate my templates to make this happen. For anyone who has done this, I would like to know how it went for you, if you had any problems, or any gotchas to watch out for. I did identify a couple of issues, which I'll explain at the end.

Suppose I have two templates:

OriginalTemplate
  • Combined template for appliances and wireless devices
  • Contains 250 networks
  • Mostly MX67 and MR33 devices
  • Uses 6 VLANs, which have auto-generated subnets
  • Site-to-site VPN with the datacenter, hub and spoke, no mesh.

NewTemplate
  • Combined template, created new.
  • No networks on this template

I want the OriginalTemplate to begin supporting MS switches. Can't do that without combining templates. So, if I split NewTemplate, I get:
  • NewTemplate - appliance
  • NewTemplate - switch
  • NewTemplate - wireless

Now, I want to combine OriginalTemplate with NewTemplate - switch. I am prompted to create a Network enrollment string. No idea why, what this will do, or if it even matters what I plug in. So I enter something so I can proceed.

Now, I run into my first problem (when doing this in a test environment). When I attempted to add a MS120-24P switch, I received this error: "A bound combined network may only contain bound networks." Someone else in the Meraki community had this problem (but with MV cameras) with the solution to unbind the network from the template, add the device, then rebind to the template. This worked, but I lost all my VLANs and subnets on the unbind, and during the rebind, I received a new set of subnets for the VLANs. Plus, all the DHCP reservations were lost. No big deal as long as I document these first and plan for the downtime if in production so I can re-apply what was lost.

From what I can tell, the above paragraph is the only gotcha to expect. Nothing changed in OriginalTemplate, other than also having a new Switch section. Anyone else have any success/failure they would like to share? If it was only a few networks, I would just go for it. But, I have more than 250 tied to the production template, and I have no desire to have a separate template to manage.
© 2023 Meraki