RomanMD

Building a reputation

Member since Apr 14, 2020

3 weeks ago
Groups
  • API Early Access Group (554)
  • Cloud Monitoring for Catalyst - Early Availability Group (50)
  • Meraki Network Lounge (49)

Kudos from (User: Count)
  • EJN: 2
  • Chris_Skees (Meraki Employee): 1
  • AmyReyes (Community Manager): 2
  • alemabrahao (Kind of a big deal): 1
  • MeredithW (Community Manager): 2

Kudos given to (User: Count)
  • cmr (Kind of a big deal): 1
  • CptnCrnch (Kind of a big deal): 1
  • Brash (Kind of a big deal): 1
  • ww (Kind of a big deal): 3
  • DarrenOC: 4

Community Record

129
Posts
116
Kudos
15
Solutions

Badges

ECMS1
ECMS2
Everybody Wins
Year 5 - Solver Award
5th Birthday
100 Posts
Latest Contributions by RomanMD

Re: Share your IT horror stories! Win a treat!

by RomanMD in Community Announcements
10-21-2022 12:57 PM
3 Kudos
Once upon a time, there were network devices which had CLI interface ... 😬 The people administrating them were called Network admins... then a Merakle happened and all those admins left without a job 🤣

Re: How to check NTP setting/Status of MX (Audit requirement)

by RomanMD in Security / SD-WAN
10-06-2022 03:32 AM
2 Kudos
I only know the following regarding NTP. So, MX will use public NTP to sync time and is heavily dependent on it. If the MX will not be able to reach any NTP server it uses, it will reboot (don't ask me how I know this). So, I am not sure how you can perform audit stuff but what I want to say is that as long as the MX is working then it reaches NTP and most probably is synced. I also don't know why would you really need it - since all events in Dashboard will most probably use cloud time instead of device time.

Roman

Re: Recognizing September's Members of the Month

by RomanMD in Community Announcements
10-06-2022 12:40 AM
4 Kudos
Much appreciated! Thanks! Although this is not a competition but just a community where people are helping each other, it is nice to see some recognition for the effort.

Thanks
Roman

Re: Meraki AnyConnect + ADFS OnPrem SAML authentication guide

by RomanMD in Security / SD-WAN
09-14-2022 01:49 PM
In a hell of an enterprise this is not easily doable. That's the long term goal, but not for the near future.

Re: MFA w/ Client VPN

by RomanMD in Security / SD-WAN
09-14-2022 05:54 AM
2 Kudos
It depends on which Client VPN you are talking about - IPsec VPN or AnyConnect? Meraki doesn't support it natively, but it is possible to integrate with 3rd party authentication solution which will provide another factor auth. (https://documentation.meraki.com/General_Administration/Other_Topics/Two-Factor_Authentication)

Meraki AnyConnect + ADFS OnPrem SAML authentication guide

by RomanMD in Security / SD-WAN
09-14-2022 05:38 AM
8 Kudos
Hi everyone,

recently I had the need to configure Meraki AnyConnect for a proof-of-concept project and I ran into some merakian issues. So, this post is meant to help others if they encounter the same problems.

Let's start with the requirements: The main requirement was that users should authenticate with SAML, so that we can leverage 2FA. However, our SAML IdP is on-prem Active Directory Federation Services.

The problem: Meraki does not have any specific guide on how to configure the SAML Authentication with ADFS. 👎 I went ahead and asked my ADFS team to configure the IdP as close as possible to what was described in the guide for Azure AD SAML configuration. However, this did not work properly. 😢 The user was prompted with the Authentication window to enter the username, password and the OTP, but then AnyConnect client returned some errors🤬:

I did not know why it wasn't working, because I have no access 😤 to our ADFS environment. According to the AnyConnect troubleshooting guide and the error from Event log - it said to contact Meraki support, therefore I decided to engage Meraki support 🫡.

After a few ping-pongs 😴 with the support, I was very "surprised" 🤨 to hear that ADFS is not supported as Identity provider for AnyConnect. This was the message from development team which was relayed by the support engineer to me. But it was just another nonsense 🖕 from Meraki guys, since the ADFS or Azure AD would both use SAML 2.0 SSO which, by the way, the Meraki documentation says it is supported.

I've decided not to rely on support anymore and go forward with my own testing 🥸 💪 . I spun up my own AD + ADFS Lab environment and figured out settings

Btw: it was piece of cake to make it work. 🫢🥳 So, here we go: For this tutorial we will assume the network dynamic DNS is your-network-name.dynamic-m.com, however, for a production environment a custom DNS is recommended.

In the Meraki AnyConnect setting we have to configure the following:
1. Upload ADFS Metadata XML file.
2. Configure the AnyConnect server URL: this is basically the network Hostname. You should add the port at the end, if you're not using port 443 for AnyConnect.

This is all that has to be configured in the Dashboard. 🤪

The next part is to configure a new Relying Party trust on ADFS as follows: (only significant settings will be shown)

The Claims should be configured as follows:

These are the basic settings that should be configured for the authentication to work. All other settings are either default or according to your needs. 🙃 Keep in mind, Meraki does not check any ADFS claim in order to allow or deny access, therefore if one has the need to only allow a set of users based on AD Security Group, this should be configured on ADFS side.

Hopefully, Meraki will put up a nicer guide on how to configure the AnyConnect SAML authentication with ADFS 🤞 😈 .
Labels: Client VPN, Other

Re: VPN between MX in China & MX outside China

by RomanMD in Security / SD-WAN
09-14-2022 04:17 AM
Because the MXes in China and the one in Azure are in different organizations, you are totally right - Non-Meraki VPN would be the solution. This is working fine, it is just some considerations that you need to have in mind.
1. The non-meraki VPN will use standard VPN ports 500 and 4500. Those might be blocked by Chinese provider or Great Firewall.
2. Using AutoVPN should bypass the Great Firewall, because of the high ports which are usually not blocked.
3. Any of those solutions might break the law.

Re: SpeedTest via API

by RomanMD in Developers & APIs
09-06-2022 05:30 AM
Hi, while this makes sense as a request, Meraki says not to rely on the Dashboard Speed test, since it is there just for having some idea, not for really getting correct figures. This task has to be accomplished by installing a test-point in the network which will do this. That way you not only test the Internet line itself, but also the devices in between... Cisco has this feature with Thousand Eyes and there are rumours that Thousand Eyes will have a "Meraki" version...

On the other hand, read here: https://community.meraki.com/t5/API-Early-Access-Discussions/SpeedTest-Endpoint-not-working-as-expected/m-p/147120#M535

Re: ATT and Site 2 Site Issues Started this AM

by RomanMD in Security / SD-WAN
08-13-2022 06:02 AM
Most of the time you talk to providers and they say the problem is not on their side. I see the need of more troubleshooting... I would do a trace to see how many providers are involved and would check what MTU is allowed end-to-end... the first step. I would also do a packet capture on both ends and see if I receive the packets from remote device...

Re: Syslog URL Logs with Usernames

by RomanMD in Security / SD-WAN
08-12-2022 01:43 PM
1 Kudo
Where would the MX know the user? If the MX is not the one to authenticate the user...

Re: AnyConnect Clients can't access Non-Meraki peer Site to Site hosts

by RomanMD in Security / SD-WAN
08-11-2022 07:47 AM
Now that you said "encryption domain" I recall having a problem, and the problem was the way the subnets were defined in the encryption domain. I had to define the subnets as they were configured, and not supernet them. Maybe you have changed the configuration here...

Re: AnyConnect Clients can't access Non-Meraki peer Site to Site hosts

by RomanMD in Security / SD-WAN
08-11-2022 06:43 AM
1 Kudo
https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior

Re: Way to setup a static route for one IP address

by RomanMD in Security / SD-WAN
08-10-2022 01:20 PM
2 Kudos
In the routing, the most specific route takes precedence, so you can have a route:
10.10.10.0/24 next-hop 10.9.9.1 -> route for the subnet
10.10.10.5/32 next-hop 10.9.9.2 -> route for the host

Re: AnyConnect Clients can't access Non-Meraki peer Site to Site hosts

by RomanMD in Security / SD-WAN
08-10-2022 01:04 PM
It is not supported. The first recommendation applies. For instance, if your MX is participating with other MX in AutoVPN and with Fortinet in IPSec, the devices behind IPsec tunnel can't talk to devices behind AutoVPN tunnel. What you report here, is very much similar to what I've described, therefore I would assume this is the reason, but I would open a case to confirm it. This is why I pretty much like to have dedicated hardware for different services....

Re: Auto VPN Problem | Not Connecting to VMx

by RomanMD in Security / SD-WAN
08-04-2022 01:49 AM
The tunnel will stay disconnected until there is traffic on the tunnel. Can you generate some traffic with a ping and see if the tunnel goes up?

Re: Cloud Monitoring for Catalyst - Tips for Success!

by RomanMD in Switching
07-28-2022 10:30 AM
2 Kudos
No, not on my side. But observed different behavior with the App. It seems that from time to time they have app updates even though the newly downloaded app says it is the same version.

Re: Is it possible to send Event Messages to the Meraki Dashboard from IoT ...

by RomanMD in Developers & APIs
07-14-2022 11:07 AM
2 Kudos
Meraki Dashboard is meant to manage and monitor Meraki devices not other 3rd party devices, regardless of what kind of information your IoT device will send. I don't expect such integration in the future either, at least not for non Cisco devices.

Re: How to find out which local IP band is being used by all networks?

by RomanMD in Switching
07-14-2022 07:07 AM
1 Kudo
Name the networks accordingly and you will find the networks at a glance in dashboard. If you have multiple organizations/networks you need to have a well established naming concept.

Re: How to find out which local IP band is being used by all networks?

by RomanMD in Switching
07-14-2022 07:06 AM
1 Kudo
Well, when you go to University it is supposed that you already know the alphabet. This is true also about the Meraki - when you embrace a cloud solution like Meraki, you like the fact that you can click in a nice dashboard but then when you scale, you find out that it does not work and also the old way of making excel templates also doesn't work, and you can only use APIs. And you must be ready to use the APIs.

The script is in Python and uses the meraki library. I am sure if you'll search in the community you'll find some video guides of how to get started with Python, and then Meraki APIs. I've posted a xx$ worth script, if you want to make use of it.. feel free.

Re: How to find out which local IP band is being used by all networks?

by RomanMD in Switching
07-14-2022 06:40 AM
1 Kudo
Because I thought that it might be useful for me in the future. I might have some misses here and there, or not very efficient, but if you're like me and have 40 organizations.. then...

    import os

    import meraki

    # Read the API key from the environment instead of hard-coding it in the script.
    x_cisco_meraki_api_key = os.environ["MERAKI_DASHBOARD_API_KEY"]

    dashboard = meraki.DashboardAPI(x_cisco_meraki_api_key, suppress_logging=True)
    organizations = dashboard.organizations.getOrganizations()

    SWITCH = True     # Set to True if you want to display the VLANs from MS
    APPLIANCE = True  # Set to True if you want to display the VLANs from MX

    # CSV header
    print("Organization,Network,Type,Subnet,Vlan name,Vlan ID")

    for org in organizations:
        networks = dashboard.organizations.getOrganizationNetworks(organizationId=org["id"])
        devices = dashboard.organizations.getOrganizationDevices(
            organizationId=org["id"], productTypes=["appliance", "switch"])

        for network in networks:
            if "appliance" in network["productTypes"] and APPLIANCE:
                # An MX network has either a single LAN or VLANs enabled; the call
                # for the mode that is not in use returns an API error, which is skipped.
                try:
                    singleVlan = dashboard.appliance.getNetworkApplianceSingleLan(networkId=network["id"])
                    print(f"{org['name']},{network['name']},MX,{singleVlan['subnet']},,1")
                except meraki.APIError:
                    pass
                try:
                    vlans = dashboard.appliance.getNetworkApplianceVlans(networkId=network["id"])
                    for vlan in vlans:
                        print(f"{org['name']},{network['name']},MX,{vlan['subnet']},{vlan['name']},{vlan['id']}")
                except meraki.APIError:
                    pass

            if "switch" in network["productTypes"] and SWITCH:
                switchStacks = dashboard.switch.getNetworkSwitchStacks(networkId=network["id"])
                switches = [switch for switch in devices
                            if switch["productType"] == "switch" and switch["networkId"] == network["id"]]

                for stack in switchStacks:
                    # Stack members are reported through the stack, so drop them from
                    # the list of standalone switches (popping while iterating skipped entries).
                    switches = [switch for switch in switches if switch["serial"] not in stack["serials"]]
                    stackVlans = dashboard.switch.getNetworkSwitchStackRoutingInterfaces(
                        networkId=network["id"], switchStackId=stack["id"])
                    for stackVlan in stackVlans:
                        print(f"{org['name']},{network['name']},MS-stack,{stackVlan['subnet']},{stackVlan['name']},{stackVlan['vlanId']}")

                for switch in switches:
                    switchVlans = dashboard.switch.getDeviceSwitchRoutingInterfaces(serial=switch["serial"])
                    for switchVlan in switchVlans:
                        print(f"{org['name']},{network['name']},MS-nonstack,{switchVlan['subnet']},{switchVlan['name']},{switchVlan['vlanId']}")

Re: How to find out which local IP band is being used by all networks?

by RomanMD in Switching
07-12-2022 11:19 PM
1 Kudo
IP band? Or IP subnet? Are you looking for the IP subnet on the WAN interface or the IP subnets configured as L3 on the MXes (Addresses and VLANs) or maybe on L3 switches? If it is one of the above, the information can be easily extracted by leveraging APIs.

Re: Issue with MX250 connected to Internet through Layer 3 MS250

by RomanMD in Security / SD-WAN
07-01-2022 03:31 AM
Any static routes configured on the switch which might send the traffic to other destination instead of to the ISP? Maybe the traffic is going via your internal network where you have an inline proxy/fw that decrypts the traffic?

On the other hand, I can confirm that there was a problem with MX250 which could not connect to the dashboard. This could be solved only after updating the MX to the latest version using copper SFP instead of 1GB FO SFP.

Re: Obtain device serial numbers using Meraki CLI?

by RomanMD in New to Meraki
07-01-2022 01:11 AM
2 Kudos
Meraki switches are meant to be managed from the cloud. What you are referring to, most probably is the meraki-cli python module that emulates a kind of CLI interface. But that module is making use of Meraki API - and there is no api endpoint for your request. However, your request is easily done with a script and you will not have to copy/paste anything.

Re: Meraki Cloud Management on old Cisco Catalyst 9K models plans?

by RomanMD in Wireless LAN
06-30-2022 11:42 PM
Hi @DarrenOC. Of course I have, but wanted to cross-check him! 🤣

Meraki Cloud Management on old Cisco Catalyst 9K models plans?

by RomanMD in Wireless LAN
06-30-2022 02:33 PM
Hi,

we all know about the new AP models released by Cisco/Meraki which support dual persona, so we can choose to have them WLC managed or Meraki Cloud managed. But those are new models and more expensive. Does somebody have any information - is there any plan to support Meraki Cloud Management on old Cisco 9k APs? C9115, C9120, C9130?

Thanks
Labels: Other
My Accepted Solutions
Subject | Board | Views | Posted
  • Re: Cloud Monitoring for Catalyst dashboard join troubleshooting | Cloud Monitoring for Catalyst Discussions | 2505 | 06-24-2022 05:57 AM
  • Re: SNMP Issue | Dashboard & Administration | 684 | 06-22-2022 12:21 AM
  • Re: What if a device with a Per-Deveice License is broken? | New to Meraki | 325 | 06-22-2022 12:02 AM
  • Re: AnyConnect SAML w/Azure AD Enterprise application question | Security / SD-WAN | 380 | 06-15-2022 07:31 AM
  • Re: Authorization for "Administered Orgs deep link" | Developers & APIs | 2427 | 08-24-2021 03:32 AM
  • Re: Advanced License | Dashboard & Administration | 1399 | 07-30-2021 01:24 PM
  • Re: Local Status Page Password | Security / SD-WAN | 1255 | 07-15-2021 12:44 PM
  • Re: SAML SSO - user/email address removal | Dashboard & Administration | 2075 | 07-13-2021 10:30 AM
  • Re: DHCP option for TFTP server | Wireless LAN | 2713 | 07-01-2021 08:04 AM
  • Re: Remove Device from Network and Enable Warmspare in an Action Batch | Developers & APIs | 612 | 06-18-2021 02:53 AM
My Top Kudoed Posts
Subject | Board | Kudos | Views
  • Meraki AnyConnect + ADFS OnPrem SAML authentication guide | Security / SD-WAN | 8 | 457
  • Re: Load balancing question | Security / SD-WAN | 6 | 1123
  • Re: What if a device with a Per-Deveice License is broken? | New to Meraki | 5 | 325
  • Re: Recognizing September's Members of the Month | Community Announcements | 4 | 404
  • Re: Local Status Page Password | Security / SD-WAN | 4 | 1255
© 2023 Meraki