Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About Brian_Scheele
Brian_Scheele
Here to help
Member since Jan 24, 2020
Jan 22 2024
Community Record
16
Posts
2
Kudos
1
Solution
Badges
Jan 22 2024
5:25 AM
I ended up taking WAN2 offline on the MX84 at the site. The alerts were coming from both sides of the site to site VPN connection - office and both datacenters. Turning off alerts at the office to instead use 3rd party software would not solve receiving alerts from the datacenters, unless we also went third-party with those, too. The ideal solution would be for Meraki to provide some granularity in the details provided in the reports. Instead, the path from inside to the Internet is: MX84 Port 1 > Comcast Modem < > Cradlepoint Modem (cellular) Thanks everyone for the suggestions! Zabbix will probably be something we end up using, but we can decide later if it also makes sense as a solution that includes WAN2 plugged into the Cradlepoint.
... View more
Jan 19 2024
8:21 AM
I'll have to give a serious look into Zabbix. Not sure I can sell it as the solution, but I can see this being useful for some other things, and as a replacement for something we currently pay for that monitors servers and the non-Meraki hardware we have in place. Quick fix is probably just going to be to move the patch cable connecting WAN2 to cellular to be cellular to copper modem.
... View more
Jan 19 2024
7:57 AM
I would have to turn off my alerts to use something 3rd party to alert for WAN1 and VPN connectivity. That probably would not be the best idea - we have over 300 sites monitored and only a handful that make use of WAN2 for cellular backup. If we did disable the alerts from the Meraki side, we would want our SEIM to provide the alerts in its place, provided the SEIM can differentiate between WAN1 and WAN2, and have some way for the datacenter side to know it was just a backup connection going down. Seems the best fix would be if Meraki just added more detail in the email alerts.
... View more
Jan 19 2024
7:52 AM
On one side of the VPN connection, we have our datacenters. That needs to be monitored and alerted.
... View more
Jan 19 2024
6:51 AM
2 Kudos
Many of our offices use Comcast copper for primary Internet connectivity and use their Connection Pro, which is a cellular backup modem. WAN1 from the MX plugs into the coper modem, WAN2 into the cellular backup. We do not have connectivity between the two modems, otherwise we would have no visibility to failover events. One of our sites barely has a strong enough 4G signal - about 10 Mbps with low jitter, but connectivity apparently drops several times per day, long enough to cause the site-to-site VPN connection to go down. It would be nice if Meraki could at least include the public IP addresses involved in the connection, or the WAN port, or both, so that Outlook inbox rules can be created to ignore some of these alerts. I only care if the connection goes down if it happens while I am in a failover. I could for this one particular network just not use WAN2 and have the copper modem connected to the cellular modem like Comcast suggests. The only way we would know of a failover event is if someone at the remote office complains about bandwidth or maybe there is another alert about a site-to-site route change. Or, if someone has a better idea, I would be open to some suggestions. I doubt there is some magic setting that just keeps the tunnel open when a connection is down for several minutes. DNS has to happen across the tunnel, so even if I could turn off the VPN for WAN2, it would not be too helpful.
... View more
Jan 24 2023
6:16 AM
I tried going the Curl route, too. But I was running from a 2012 server, and curl is an alias for Invoke-WebRequest, and not curl.exe, so the Curl example with the -L parameter could not be used in my testing. Windows 10 and later you can install WSL and have Curl.exe.
... View more
Jan 24 2023
6:14 AM
It turns out that I was using a wrong API key that at least had read-only access. My script pulls the key from an encrypted file that is dependent on the currently logged on user. Somehow the secured file with the associated Windows user had the wrong API key. So, I regenerated the key and recreated the encrypted file, and magically all is well again.
... View more
Jan 24 2023
5:25 AM
I tried switching to my node as you suggested, and tried a different test network as a destination. In either case, it did not work. My API key is at least letting me read data. I'll try regenerating the key, or maybe even try a different admin account's API key to see if that makes any difference. I do have a hunch that something has changed with the PUT as the data structure coming out of GET has changed.
... View more
Jan 23 2023
1:48 PM
I have a script that I have always used to copy the L3 firewall rules from one network to another. This has worked until recently, and the only change I can see is that Security & SD-WAN > Firewall had a bit of an overhaul. I am wondering if this broke the API, or if I just need to change something. I did have to refine how I get the rules a bit as the output changed from getting the rules from a source network. This is a PowerShell script, however using the Curl template as an example I am using Invoke-RestMethod to PUT the data into Meraki. Recently, this started throwing (403) Forbidden. What is actually happening with the above code: #PowerShell:
$header = @{"X-Cisco-Meraki-API-Key" = $secured_api_key
"Content-Type" = 'application/json'}
#I have also tried adding "Accept" = 'application/json' to the above $header
$body = @{ rules = $FirewallRules } | ConvertTo-Json
$uri = https://api.meraki.com/api/v1/networks/L_123456789012345678/appliance/firewall/l3FirewallRules
$request = Invoke-RestMethod -Method Put -Uri $uri -Headers $header -Body $body
return $request #This is what is stored in the $body variable from above, with IP addresses modified for use as an example. The format still matches what is in the examples in the Developer Hub.
{
"rules": [
{
"comment": "Deny Guest to Internal VLANS",
"policy": "deny",
"protocol": "any",
"srcPort": "Any",
"srcCidr": "172.24.25.0/24",
"destPort": "Any",
"destCidr": "172.24.24.0/25,172.24.24.128/26,172.24.26.0/23,172.24.25.0/24,172.24.30.0/24,172.24.28.0/23,172.24.24.192/26",
"syslogEnabled": false
},
{
"comment": "Deny Outside to Internal VLANS except itself",
"policy": "deny",
"protocol": "any",
"srcPort": "Any",
"srcCidr": "172.24.24.192/26",
"destPort": "Any",
"destCidr": "172.24.24.0/25,172.24.24.128/26,172.24.26.0/23,172.24.25.0/24,172.24.30.0/24,172.24.28.0/23",
"syslogEnabled": false
}
]
} The account used with the API has full access. I am wondering if the format of $body needs to change to accommodate changes made to the dashboard, considering that Inbound and Cellular rules have been added. I am sort of at a loss of what to do to fix this. I am sure I can switch to using CURL from within PowerShell if anyone who wants to take a stab at it has trouble with PowerShell programming and the Invoke-RestMethod way I was doing it. I got really deep in the weeds programming that way before realizing I could have used curl commands all along in PS (and at the time I was new with API programming).
... View more
Nov 3 2021
12:44 PM
That now makes perfect sense - SNR. Thanks!
... View more
Nov 3 2021
9:55 AM
When I look at "Other SSIDs" in the Air Marshal, all signal strengths are reported as positive values - probably because the unit of measure is dB, and not dBm. So, it is a ratio. A ratio to what? Why would I see 33 dB when I turn on the hotspot on my cell phone, and see -67dBm when reported by my UniFi dashboard? I was asking on another forum about a neighbor who was showing up with 50+ devices at >90dB signal strength, hosing my own WiFi, and they insisted that it should be a non-issue because that is essentially zero. But, -90dBm would be essentially nothing - not positive 93dB as I see in the dashboard.
... View more
Labels:
- Labels:
-
Interference
Jun 14 2021
5:14 AM
@cmr wrote: @Brian_Scheele they are org wide, there is only Organization - Policy Objects. I think the use is more aimed at say access to central servers where multiple networks are traffic to servers x,y and z is allowed, with policy objects you can define the server group once and re-use. Are you managing multiple ASAs on different sites through one console? Yes and No. I use ASDM, which just has multiple saved connections to multiple ASAs, or SSH, but never to more than one ASA at a time, and there is no central repository of objects. If they have/had a central object repository, it would make life nice, sort of like what Meraki is doing with Policy Objects. It seems like they missed an opportunity here, but it is still helpful. From what everyone has responded, it seems like I can make it work, but I would just need to be careful not to accidentally give some random vendor, service, etc. access to multiple sites. If Users can talk to Printers in one network, then it is quite likely then can talk to printers in any network, and a group object of Printers covering multiple sites is fine. If a vendor needs access to something in Management, then I get more granular, not just grant access to Management itself, but instead to the exact resources needed. The more I think of it, this probably a good way to go the way it is designed. Create my objects, assign them to groups, apply rules, policies, etc. - whatever Meraki has enabled so far - to those groups. Not much different than with an ASA...
... View more
Jun 11 2021
12:24 PM
Correct, but what I want to know is if I create an object and assign it an IP address or range specific to one network, and want to re-use that name in another network, I cannot use a different IP address or range? The Meraki examples that explain how all this works shows an object name, Support, which is 192.168.1.0/24. Suppose we have support in two buildings with a site-to-site VPN, and the second building also has Support, but with a different subnet. Does that mean if I want to use an object called Support for that other network, I would have to call it Support 2? I have never managed any ASA firewalls and had an object whose name could not be assigned a different IP address on another ASA. Why would I want my object names to be unique organization-wide? For 50 sites, this will turn into Wireless01, Wireless02, ... WirelessN, and repeat it for every other object I want to create with unique IPs or subnets. I have not yet flipped the switch on this due to internal policy with betas in a production environment, so I don't have a way to navigate and test. It seems like there should be both Network > Policy Objects and Organization > Policy Objects, and when applying objects to rules, some sort of notation could be displayed so an admin can differentiate them.
... View more
Jun 11 2021
11:52 AM
I am interested in turning on Policy Objects, but I am wondering if it is even worth it yet for how we are managing our networks. Below is a simple set of firewall rules from a template covering 350 sites. I have another 50 sites that just cannot be part of a template, and I have to use a more lengthy set of rules, all with CIDR notation. I would love to just plug in my VLAN names and other objects using defined names instead. VLAN names, like Management, Users, Wireless, Guests, etc. are going to be the same names at every site, but different IP ranges per network. Can I have a policy object named "Management" that for Network A that covers 10.0.0.0/24, then another one called "Management" for Network B that covers 10.0.1.0/24, etc.? Or would I be stuck with "Network A Management" and "Network B Management" when I start creating these? I would love to just use the API to dump in firewall settings and not have to manipulate the data before it is uploaded.
... View more
Jan 28 2020
6:03 AM
Thanks for that info. I was suspecting some sort of bug during testing. If not a bug, it would be nice if I could see that a network does not have all elements of its template applied. When I received the "A bound combined network may only contain bound networks" error in testing when I tried adding a switch, I figured that some sort of flag was not being set on networks already on the template when the template was modified.
... View more
Jan 24 2020
2:05 PM
I have an appliance/wireless template with a lot of networks on it, but none of these required a switch until now. I cannot add a switch unless the template allows it, so I have to manipulate my templates to make this happen. For anyone who has done this, I would like to know how it went for you, if you had any problems, or any gotcha's to watch out for. I did identify a couple of issues, which I'll explain at the end. Suppose I have two templates: OriginalTemplate Combined template for appliances and wireless devices Contains 250 networks Mostly MX67 and MR33 devices Uses 6 VLANs, which have auto-generated subnets Site-to-site VPN with the datacenter, hub and spoke, no mesh. NewTemplate Combined template, created new. No networks on this template I want the OriginalTemplate to begin supporting MS switches. Can't do that without combining templates. So, if I split NewTemplate, I get: NewTemplate - appliance NewTemplate - switch NewTemplate - wireless Now, I want to combine OriginalTemplate with New-Template - switch. I am prompted to create a Network enrollment string. No idea why, what this will do, or if it even matters what I plug in. So I enter something so I can proceed. Now, I run into my first problem (when doing this in a test environment). When I attempted to add a MS120-24P switch, I received this error: "A bound combined network may only contain bound networks." Someone else in the Meraki community had this problem (but with MV cameras) with the solution to unbind the network from the template, add the device, then rebind to the template. This worked, but I lost all my VLANs and subnets on the unbind, and during the rebind, I received a new set of subnets for the VLANs. Plus, all the DHCP reservations were lost. No big deal as long as I document these first and plan for the downtime if in production so I can re-apply what was lost. From what I can tell, the above paragraph is the only gotcha to expect. Nothing changed in OriginalTemplate, other than also having a new Switch section. Anyone else have any success/failure they would like to share? If it was only a few networks, I would just go for it. But, I have more than 250 tied to the production template, and I have no desire to have a separate template to manage.
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 519 | Jan 22 2024 5:25 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 829 |
© 2024 Cisco Systems, Inc.
