cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
  • About Brian_Scheele

Re: Policy Objects - Are they global or per-network?

by in Security / SD-WAN
‎06-14-2021 05:14 AM
‎06-14-2021 05:14 AM
  @cmr wrote: @Brian_Scheele they are org wide, there is only Organization - Policy Objects.  I think the use is more aimed at say access to central servers where multiple networks are traffic to servers x,y and z is allowed, with policy objects you can define the server group once and re-use.   Are you managing multiple ASAs on different sites through one console? Yes and No.  I use ASDM, which just has multiple saved connections to multiple ASAs, or SSH, but never to more than one ASA at a time, and there is no central repository of objects.  If they have/had a central object repository, it would make life nice, sort of like what Meraki is doing with Policy Objects.  It seems like they missed an opportunity here, but it is still helpful.    From what everyone has responded, it seems like I can make it work, but I would just need to be careful not to accidentally give some random vendor, service, etc. access to multiple sites.  If Users can talk to Printers in one network, then it is quite likely then can talk to printers in any network, and a group object of Printers covering multiple sites is fine.  If a vendor needs access to something in Management, then I get more granular, not just grant access to Management itself, but instead to the exact resources needed.   The more I think of it, this probably a good way to go the way it is designed.  Create my objects, assign them to groups, apply rules, policies, etc. - whatever Meraki has enabled so far - to those groups. Not much different than with an ASA... ... View more

Re: Policy Objects - Are they global or per-network?

by in Security / SD-WAN
‎06-11-2021 12:24 PM
‎06-11-2021 12:24 PM
Correct, but what I want to know is if I create an object and assign it an IP address or range specific to one network, and want to re-use that name in another network, I cannot use a different IP address or range?   The Meraki examples that explain how all this works shows an object name, Support, which is 192.168.1.0/24.  Suppose we have support in two buildings with a site-to-site VPN, and the second building also has Support, but with a different subnet.  Does that mean if I want to use an object called Support for that other network, I would have to call it Support 2?     I have never managed any ASA firewalls and had an object whose name could not be assigned a different IP address on another ASA.  Why would I want my object names to be unique organization-wide?  For 50 sites, this will turn into Wireless01, Wireless02, ... WirelessN, and repeat it for every other object I want to create with unique IPs or subnets.     I have not yet flipped the switch on this due to internal policy with betas in a production environment, so I don't have a way to navigate and test.   It seems like there should be both Network > Policy Objects and Organization > Policy Objects, and when applying objects to rules, some sort of notation could be displayed so an admin can differentiate them. ... View more

Policy Objects - Are they global or per-network?

by in Security / SD-WAN
‎06-11-2021 11:52 AM
‎06-11-2021 11:52 AM
I am interested in turning on Policy Objects, but I am wondering if it is even worth it yet for how we are managing our networks.  Below is a simple set of firewall rules from a template covering 350 sites.  I have another 50 sites that just cannot be part of a template, and I have to use a more lengthy set of rules, all with CIDR notation.  I would love to just plug in my VLAN names and other objects using defined names instead.  VLAN names, like Management, Users, Wireless, Guests, etc. are going to be the same names at every site, but different IP ranges per network.   Can I have a policy object named "Management" that for Network A that covers 10.0.0.0/24, then another one called "Management" for Network B that covers 10.0.1.0/24, etc.?  Or would I be stuck with "Network A Management" and "Network B Management" when I start creating these?  I would love to just use the API to dump in firewall settings and not have to manipulate the data before it is uploaded.     ... View more

Re: Combining an appliance/wireless template with a switch-only template

by in Dashboard & Administration
‎01-28-2020 06:03 AM
‎01-28-2020 06:03 AM
Thanks for that info.  I was suspecting some sort of bug during testing.  If not a bug, it would be nice if I could see that a network does not have all elements of its template applied.  When I received the " A bound combined network may only contain bound networks" error in testing when I tried adding a switch, I figured that some sort of flag was not being set on networks already on the template when the template was modified. ... View more

Combining an appliance/wireless template with a switch-only template

by in Dashboard & Administration
‎01-24-2020 02:05 PM
‎01-24-2020 02:05 PM
I have an appliance/wireless template with a lot of networks on it, but none of these required a switch until now.  I cannot add a switch unless the template allows it, so I have to manipulate my templates to make this happen.   For anyone who has done this, I would like to know how it went for you, if you had any problems, or any gotcha's to watch out for.   I did identify a couple of issues, which I'll explain at the end.   Suppose I have two templates: OriginalTemplate Combined template for appliances and wireless devices Contains 250 networks Mostly MX67 and MR33 devices Uses 6 VLANs, which have auto-generated subnets Site-to-site VPN with the datacenter, hub and spoke, no mesh. NewTemplate Combined template, created new. No networks on this template   I want the OriginalTemplate to begin supporting MS switches.  Can't do that without combining templates. So, if I split NewTemplate, I get: NewTemplate - appliance NewTemplate - switch NewTemplate - wireless   Now, I want to combine OriginalTemplate with New-Template - switch.   I am prompted to create a  Network enrollment string.  No idea why, what this will do, or if it even matters what I plug in.  So I enter something so I can proceed.   Now, I run into my first problem (when doing this in a test environment).  When I attempted to add a MS120-24P switch, I received this error: "A bound combined network may only contain bound networks."  Someone else in the Meraki community had this problem (but with MV cameras) with the solution to unbind the network from the template, add the device, then rebind to the template.  This worked, but I lost all my VLANs and subnets on the unbind, and during the rebind, I received a new set of subnets for the VLANs.  Plus, all the DHCP reservations were lost.  No big deal as long as I document these first and plan for the downtime if in production so I can re-apply what was lost.   From what I can tell, the above paragraph is the only gotcha to expect.  Nothing changed in OriginalTemplate, other than also having a new Switch section.   Anyone else have any success/failure they would like to share?   If it was only a few networks, I would just go for it.  But, I have more than 250 tied to the production template, and I have no desire to have a separate template to manage. ... View more
© 2021 Meraki