Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About NetworkingGuy
About NetworkingGuy
NetworkingGuy
Here to help
Member since Dec 13, 2017
Jun 13 2018
Community Record
17
Posts
6
Kudos
0
Solutions
Badges
May 15 2018
6:18 AM
That's about what I was thinking. Thanks for the confirmation @NinoBrugioni.
... View more
May 14 2018
1:50 PM
Yeah, I'm seeing that. I have some content filters in place now and was looking into AD filters for the future. I was going to add a few more things to it and noticed Skype. I can't block that as its a critical business function. I'm fairly certain the server is horribly misconfigured and no QoS or Bandwidth Policy was put in place; nor proper links or whatever for sites. If Meraki can buy me time to redo all of that that's the goal. My concern is Skype seems to note what it has available in terms of bandwidth so will it see my rate limit when I put that on or will it only see the whole link like it does now? This would be a problem if for whatever reason Skype tried to shove 100 Mbps down a 10 Mbps limit. Supposedly if you set it up right it does its own thing ensuring its features are optimal on limited circuits. I see no reason though why without a limit I have like 80 Mbps in Skype on a 100 Mbps circuit. We don't even have 50 Skype clients at any location.
... View more
May 14 2018
1:15 PM
It seems I'm trying to solve a Skype or hosting issue rather than a bandwidth issue. Our network uses Skype for Business and I believe the server to be setup incorrectly not managing any users bandwidth. From what I can tell this has caused some of our users to use more than 12 GB a day which seems like a lot and it is filling up or circuits. My initial thought was just rate limit Skype traffic using the Traffic Shaping Tools but I was not certain if that would work. Has anyone been in a similar situation where they ended up successfully using Meraki to manage Skype traffic?
... View more
Apr 26 2018
10:27 AM
1 Kudo
I stack 2 MS225s or MS350s at most of my sites. I use a physical stack. When stacked, you only need 1 uplink to reach the cloud but if you have 1 per switch it would then be redundant. If each switch had an uplink, it stays redundant. All the switches in a stack act like one switch. So you can LAG ports from different switches together or clone configurations from switch members to another member. There is a section for stacking switches under your Network, then Switch, then Switch Stacks. I was not able to find anything about a master. However, from what I can tell, the 1st switch is the master. So, boot it first. Should it fail over, the other becomes the master. I have 1 ISP into one switch and another ISP into the other switch so to me the master does not matter as much. I have been told that there are a limit to the amount of switches you can have in a single stack. I've been told 8 switches but I'd have to Google around to confirm.
... View more
Apr 26 2018
8:57 AM
If that is not the Interface name for the port then you need to refresh your topology.
... View more
Apr 26 2018
7:57 AM
@MRCUR Thanks. I'll be testing this out now for sure. Regular AD is not so nice.
... View more
Apr 25 2018
4:30 PM
2 Kudos
Cisco Meraki MS120 switches provide Layer 2 access switching and doesn't have any Layer 3 access. That is, you can setup VLANs and a default gateway for the switch but you can't setup OSPF, BGP, etc. You would need an MS225+ for Layer 3 routing protocols. It sounds like you need help with your network setup. Can you provide us a diagram of your network? It would help us help you out. The routing and DHCP section is where you setup VLANs on the Meraki switches. When you make a network you will need the following: -A default gateway. -DHCP or manually set Static IPs. -DNS because its hard to remember 50 IPs but easier to remember 50 names. Before you really dive into that you need to identify what VLANs you have to setup and you should probably setup the general settings first. That is, on your MX84. Make sure your MX84 is setup so that you have a management VLAN (I call it NOC VLAN), and your other VLANs that you are going to consolidate. Under the MX84's menu go to Security Appliance > Address and VLANs. It is here that you will set the Default Gateways for your VLANs and the VLAN's ID. Going with defaults VLAN 1 would be the default VLAN and what I would call the NOC VLAN. I suggest setting it to something else as VLAN 1 is the default for every network so it might conflict with what you have now and its also not secure to use the default VLAN for anything. Here is an example of a VLAN: Creating the VLANs is not enough. You have to check your port settings as well. So, on the same page scroll down. Port 1 or 2 should be setup to use your ISP. Lets say its port 1 and they use DHCP so just plug in your ISP. Now, port 3 is your link to your MS120s. I made 2 VLANs - NOC and Guest to show you how to setup the interface. This will allow the VLANs I need for management and my users to get from the MX firewall to the MS120s. You could set the Native VLAN to be the NOC if you want but I do not for other setup reasons beyond the scope of your question. You will have different VLAN IDs than me and more VLANs. Just add as many as you want like mine. You could say to use ALL but the issue with that is DMZ networks would get on the LAN if you make them. Before you leave, do DHCP. Do you need DHCP for the VLANs you created? Then, before going to the MS120 go to DHCP and setup your DHCP. Meraki devices come with DHCP enabled for the NOC subnet so you are going to want to turn DHCP on for at least the NOC subnet so subsequent switches you connect at least get an IP. The default firewall configuration should deny all incoming by default and allow all outgoing. So your users can do everything and nothing can hurt them. For now, that's fine. Enable the Hub setting in Site to Site VPN if you need it to reach other sites. After that, you should have configured your firewall to at least work with your MS120 switch(s). You'll want to make sure that after you plug up your MS120 into Port 3 of the firewall. Set the port up like the below: This will at least allow you to connect to the firewall and accept any VLAN you allowed on the firewall. If you didn't follow my configuration exactly at set a Native VLAn then make sure to adjust accordingly. Now, this allows the VLANs on the MS120 and the rest of the LAN but the MS120 wont know what to do with them until you till it. That is what the Routing and DHCP section is for. The Routing and DHCP section will help you set some of this up. So, add the same VLANs to the MS120 that you added to the MX firewall. The MX firewall is your VLAN's default gateway so you just need to use a free IP on the firewall for the VLANs you setup. If the NOC is VLAN 100 like mine then you are going to want to adjust your LAN IP to DHCP from the NOC VLAN and under Network Wide > General ensure the Management VLAN is correct. After that, you can add more switches but you'll have to ensure you use the same steps above so that the VLANs are created on all switches and the firewalls. The links between switches can be native VLAN NOC and allow ALL vlans. The security we did for the firewall will keep unwanted VLANs out allowing an easier setup for the LAN. If security is a concern though then just tag the uplink interfaces with all user VLANs (not DMZ) and native NOC. Do you have more Cisco gear in there? If you are new to Meraki one thing to keep in mind about meshing multi-vendor gear with Meraki it to pay attention to STP. Older Cisco gear might be configured with PVST and Meraki supports RSPT. This will cause a conflict if you do not pay attention to STP. Hope that helps.
... View more
Apr 25 2018
3:51 PM
I skimmed so I apologize if I missed a diagram of your network. Why not just move your gateway and segment? We use MX100s at the head of our network and MS425s or MS350s on the LAN side for routing our VLANs out the MX. Our ISPs are in WAN VLANs. I allow them to connect to their VLAN on 1 port and our FW interface on another. The downstream link to our LAN does not include this WAN VLAN. 2 ISPs - 2 WAN VLANs. If you do this, then HA and VRRP and what not work but it keeps public networks out of the LAN. Our NOC Network is the native VLAN I use for management of our Meraki network gear. Its gateway is on the MX. Our Guest network default gateway resides on the MX100s we have (2 for HA and VRRP) in its own VLAN. Our user networks default gateway resides on the MS425s or MS350s. I setup a simple route on the MS425s or MS350s 0.0.0.0/0 to MX NOC IP. When users need an AP I set all the SSIDs to be assigned to a VLAN and then I tag that VLAN on their interfaces with native VLAN as my NOC. Like this, our LAN subnets can ICMP each other without issue and ping stuff in the Guest network. The Guest can't reach the LAN though unless I allow it. Since its for guests I don't care. I use Google DNS for them and that's it. That way you don't have to add as many Firewall rules.
... View more
Apr 25 2018
3:22 PM
@MRCUR Interesting. I think that the ASA does something similar and I ended up using an NPS server to get the ASA VPN going. Did you do something similar or are you talking about some FreeRADIUS? I now feel like a fool for not thinking more about Radius as a method for authentication here. I'll be messing around with this more tomorrow for sure as I need a more streamlined way than what I'm doing now. =P And, NPS is much better.
... View more
Apr 25 2018
3:15 PM
1 Kudo
I we use VRRP so our VIP has a DNS name and I provided our users with directions. We tied our AD to the VPN so all the users already know the login name and password. Out of 50 users only 5 couldn't follow directions. You can also automate it via a GPO or Powershell. Something like the below: $ServerAddress = "vpn.domain.com"
$ConnectionName = "Corp VPN"
$PresharedKey = "MakeALongKey"
Add-VpnConnection -Name "$ConnectionName" -ServerAddress "$ServerAddress" -TunnelType L2tp -AllUserConnection -L2tpPsk "$PresharedKey" -AuthenticationMethod Pap -Force The one thing to keep in mind about using AD for VPN Authentication is that there is no restriction or way to restrict who has a VPN account. So if you have a user called breakroom with password breakroompassword that is instantly a VPN account. To avert this you might want to look into some Group Filters with AD. Like here. This is technically intended for Wifi but can be used to filter groups accordingly. You can also use the Meraki Cloud as the login method if you do not mind VPN users having a 2nd username/password just for VPN. I personally hope that Meraki makes the VPN similar to the ASA as that is by far the best VPN I've used in 14 years. I know that Meraki is working on it. I ask all the time.
... View more
Apr 25 2018
2:36 PM
1 Kudo
The way that Microsoft does Azure pricing (or really any of their pricing) always has some odd caveat that makes you take a minute and think about it. We ran into similar issues having a variety of subscriptions and needing a vMX100 at Azure. I ended up configuring the firewall more than 1 time but it did work in the pay as you go and I believe we are now under a CSP, or have a CSP, and still use the vMX100. It did not work initially. One of the two methods did not work and I had to contact and Microsoft for them to do something on the back end. After that it was smooth. The other times it went down were because of a mistake (one time) and the reliability of Azure. You also have to pay attention to the area you are doing stuff in (for example: East != East2). One of the times our VM went down was, I assume, a configuration change. It was not by me but maybe someone on our Apps team or MS and it rendered the VM useless. Not really sure what happened. If I had to guess - storage disconnect via a network disconnect. Can't run without legs. A rebuild sync'd everything rather fast though. Rebuild is faster than restore. The last time I went down was updates. I've noticed a lot of my issues were fixed when I ran beta on all other Meraki gear. I was not aware that the vMX100 doesn't like updates and Azure. I would imagine AWS is just fine. Therefore, another tip for you is do not update the VM as even though updates are pending they are not supported past 12.26 currently. This is, of course, just for Azure. This will eventually change I'm sure but as far as I know 12.26 is the max version you should use and be running on for the smoothest ride. Edit: Thinking about our configuration I also wanted to mention that you can't really set the WAN IP on it and it is whatever Azure gives you. I think it changes so if you add the site as a hub to your mesh Client VPN from another site or use the Dynamic DNS or something. However, I haven't tried that as our VPN runs from another branch. I also used 1 /24 for private networks but all of the networking I can do from Azure I do from Azure and use minimal settings on the vMX100. Its nothing against Meraki - its really Azure. I hope something helps you here. This can be done but no matter what man, it will feel a little hackish as Azure in general feels hackish (IMO). The vMX100 is solid - Azure is not. Edit 2: Also, make sure you are following this: https://documentation.meraki.com/MX-Z/Installation_Guides/vMX100_Setup_Guide_for_Microsoft_Azure Do the Azure part first. It should be a template. Note my tips from above. The subnet should be the one you want from Azure and it should also go under the Firewall part once the VM is up. Try one subnet and defaults before you go crazy. You also have to Mesh for the full effects. The token is created in your Meraki Dashboard allowing the Azure Hypervisor to createa VM that shows a Virtual Appliance in Azure on your Meraki Dashboard. When you make certain changes you need API access from Azure to the Dashboard and that key is a secure way to do just that.
... View more
Dec 14 2017
7:36 PM
1 Kudo
Its the software but there isn't a release for it yet. I was told today it would take 3-4 weeks to have it made. It must be pretty bad. It looked like BPDU traffic which is why I thought it was STP but its actually a different kind of broadcast and it isn't operating right. Meraki said that they would need time to fix it but because they can't meet my deadline for my installs they are going to give me MS225s as a replacement. That's amazing. Very satisfied.
... View more
Dec 14 2017
7:38 AM
If the MS425's are stacked then how are you using vrrp? The firewalls use VRRP I have a VIP setup for each ISP and 2 ISPs for redundancy. Essentially if a MS425 goes out or a Fireall goes out or an ISP goes out I still run. Ok. So I am not alone in this. I did check the trunks and set them all to Native VLAN Management, Trunk All. I am running 9.30 so maybe an upgrade would help. That's something I can test in a lab. I'm afraid to plug this stuff back in.
... View more
Dec 13 2017
10:34 PM
I'm at a loss here and I could really use some guidance or at least know if others are experiencing what I am with the MS120 switch series. My STP settings were preconfigured before I added any devices to my Meraki Network. This is a 100% Meraki Network. Our network consists of two MX100s connected to a MS425 stack in our MDF. MS425 Switch 1 - Port 1 - ISP1 MS425 Switch 1 - Port 2 - MX100 Firewall 1 Port 1 (Internet 1) MS425 Switch 1 - Port 3 - MX100 Firewall 2 Port 1 (Internet 1) MS425 Switch 1 - Port 6 - MX100 Firewall 1 Port 4 Downlink Tagged for All VLANs except ISP1/ISP2 MS425 Switch 2 - Port 1 - ISP 2 MS425 Switch 2 - Port 2 - MX100 Firewall 1 Port 2 (Internet 2) MS425 Switch 2 - Port 3 - MX100 Firewall 2 Port 2 (Internet 2) MS425 Switch 2 - Port 6 - MX100 Firewall 2 Port 4 Downlink Tagged for All VLANs except ISP1/ISP2 I use VRRP and HA. My MS425s have a single Multi-Mode or Single-Mode SFP link (Native Management VLAN and Tagged for All VLANs) to our IDF switches Two of these switches are MS225s that are in the same rack as the gear above using 10G black cables - I forget the name). MS425 Switch 1 and MS425 Switch 2 Port 11 are Aggregates to MS225 SW 1 Port 49, 50. MS425 Switch 1 and MS425 Switch 2 Port 12 are Aggregates to MS225 SW 2 Port 49, 50. Right now the MS425s have just one server on them that is Linux based and used a software Bro for its uplinks. I see no issues with this as its not a true LACP and my logs are blank in terms of errors. We will later connect more stuff to it but for now, that's all it has. As I stated above, the additional SFP ports on the MS425s are used for our IDFs located throughout the building. Each port goes to a different IDF. One cable (SM or MM) to each IDF. It was distance from the MDF that determined the cable media. Each IDF is an MS120 either 24 or 48 Port LP switch for phones, MR74s, workstations and printers. For the sake of troubleshooting though, I disabled all ports except the uplinks. I will note though that before I dive into the issue more I did enable BPDU Guard on all access ports and RSTP was enabled on all interfaces. There are 3 instances where I didn't have enough fiber run in the building and needed more capacity. In two of those instances: MDF MS425 ------> IDF MS120 ----> IDF MS120 These MS120s are in the same IDF. The last instance: MDF MS425 ------> IDF MS120 ----> IDF MS120 | IDF MS120 Not sure if the spacing will come out right when I hit Post but essentially one IDF in this case with an MS120 has a Fiber link on port 52 to the MDF MS425 stack and Port 1 and Port 2 are Native Management All Trunk Ports to an MS120 (One switch each port). Again, I ran out of fiber. The issue we faced seemed to be related to RSTP and proper delegation of the root. I've set the root under Switch > Settings as my MS425 stack and all switches show the MS425 stack as the root (set to 0). For one, it didn't seem to block any BPDUs when you have BPDU Guard enabled on untagged ports. If I created a loop it wouldn't block it. I thought that was odd. Root Guard just took down IDF switches. I tested Root Guard on instances where like above where an MS120 has an uplink to the MS425 stack but 1 or 2 downlinks to another MS120. I'd try root guard on the downlinks. With 30 switches and 4 undeployed the network, at random a MS120 would request to be the root despite the root being set as my MS425 stack - set to 0 and the switch itself recognizing this under its Monitor page. You can see from each switch the root was in fact the MS425 stack as well. Not just the one making the request. When this happened, all switches would broadcast that they wanted to be the root. See example below: Dec 9 13:59:21 Port STP change Port 1 root→designated Dec 9 13:59:20 Port STP change Port 1 designated→root Dec 9 13:59:19 Port STP change Port 52 root→designated Dec 9 13:40:06 Port STP change Port 52 designated→root Dec 9 13:40:05 Port STP change Port 52 root→designated Dec 9 13:39:50 Port STP change Port 52 designated→root Dec 9 13:39:50 Port STP change Port 1 root→designated Dec 9 13:39:50 Port STP change Port 1 designated→root Dec 9 13:39:49 Port STP change This log output would be for every uplink to the MDF or downlink to another IDF. So if there was one fiber connecting an IDF to the MDF that would be the only port flapping but if it were an MDF connected to an IDF with 1 or 2 other IDFs daisy chained to the IDF with the uplink even those ports would flap too. I thought it was propagating from a particular IDF that had a direct fiber to the MS425 stack but also connected to 1 or 2 other IDF switches. So, I tried to use root guard on the other downlinks. Even with root guard enabled on the other IDF switches (not the uplink to the MS425 stack) the network would all flap their uplink port. That didn't make a difference. After trying to figure out why this was going on like I said above I shut every port down to ensure there wasn't an actual loop. That is, for example, Port 1-24 Disabled and 1 Fiber Uplink enabled. In the cases where IDFs were connected to 1-2 other MS120s I left those ports up. I enabled 1 interface on a switch and connected a laptop to it. I would drop 30+ packets trying to ping my default gateway on my MS425 stack before I got a successful ping. Gear showed green on the dashboard. The network was unusable. After about 20 hours of troubleshooting and 12 of that on the phone with various levels of Mearki support and zero luck getting us up I removed everything but the MX100 firewalls and replaced it with Cisco Catalyst gear that's about 7 years old. Network ran without an issue. Clean logs, flawless. My MDF ran fine prior to adding all the IDF switches - the MS120s. I have not yet deployed the MR74s but I am aware of the lovely way they go into repeater mode and so I haven't connected them yet. The issue was not with our MDF which consists of MS425 Stack, 2 MX100 firewalls and 2 MS225 switches. The issue is with the MS120 series and it seems like a hardware bug. I am having our consultant come by this weekend to help me pull all the gear into a lab and test again. My fear is when this got really bad it would knock out the firewall's connection to both ISPs and you cannot view the dashboard at all. No dashboard, no logs, no support no nothing. I have gear sitting around for 22 sites like this and I'm honestly terrified to connect any of it. I deployed 4 other locations. 2 are 100% Meraki and the other 2 are a mix of Meraki and Cisco Catalyst. I was going to make them all 100% Meraki but stopped when I discovered this lovely experience over the weekend. The topology, whether its 100% Meraki or not doesn't matter. Adding the MS120s to my Cisco networks that are 1/2 deployed crashed in a similar fashion. I forgot to mention that when they do "crash" the gear takes up all the IPs in the Management network trying to connect over and over so then you start loosing DHCP IPs in other VLANs because when one pool runs out it just goes to another. I'm not really sure what to do now. It all seems like a hardware bug. I can't see any source code so I'm not really sure though but if I remember reading online Meraki doesn't use typical VRP routing, I can't find a cost option anywhere and you can't really set any other STP settings. Just RSTP and if disabled STP kicks in automatically. After hours on the phone, email, and calls I still haven't got an answer. What scares me is if I didn't have other gear to connect I'd still be down and the gear that I have is like 7-10 years old. A gamble for as large as a company this is. Very scary stuff. Has anyone had this experience and this much trouble? Here is a rough diagram (not perfect but pretty spot on):
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 11020 | |
| 1 | 7941 | |
| 1 | 11189 | |
| 1 | 13151 | |
| 1 | 7075 |
© 2024 Cisco Systems, Inc.
