Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About swifty
Community Record
33
Posts
3
Kudos
0
Solutions
Badges
05-13-2021
02:37 AM
Hi Philip Thanks for the reply. After discussion w our Meraki SE, it was explained the one-armed vMX has the public IP as the 'outside' and the internal Azure NIC as the 'inside' interfaces - and rules can be applied much like any other firewall i.e. looking at the perspective of inbound & outbound. As we are replacing an incumbent Juniper firewall, which has ingress & egress policies we are replicating those. The customer is security conscious of their Azure environment and wants to control ingress to it, and control access out form it (presumably being used as an attack plane into the rest of their SD-WAN environment.) My comment was really around the template missing the inbound section, whereas when you don't bind the network to a template you can specify inbound and outbound rules. Ian 😀
... View more
05-12-2021
07:38 AM
Hi yes we have deployed in Azure. 2 things; i. Unable to browse to the public IP ii. There isn't the option to specify an external src IP in the 'Security Appliance services' section in firewall Oddly enough if you bind the network to a template you can specify the IPs that can access the ' Web (local status & configuration)' page. Have you tried this yourself ?
... View more
05-12-2021
04:47 AM
I've got a few vMXs I want to apply the same - inbound & outbound - f-w rules to. 💡 I'll use templates. The usual vMX Firewall configuration page, has Inbound and Outbound rules sections. The template once bound to a vMX network, only has outbound rules. Can anyone explain this ? I'm also thinking of using mfw.py for the API from https://www.ifm.net.nz/cookbooks/mfw.html Obviously the rules I send via .csv will be directional i.e. src. or dest. will live 'inside [Azure]' or 'outside [SD-WAN]'. If I add rules that are inbound will they; a) Get added to the inbound section b) Get ignored ? Ian
... View more
05-12-2021
02:05 AM
Hello Deploying vMX. Thinking about external access inbound, I thought of allowing a static IP in for access to the local status page, in much the same way as a physical MX. But there is no Network > General settings page where you would set credentials. Can anyone confirm that you can't browse in like a hardware MX ?
... View more
05-04-2021
04:26 AM
I have the same q. Any lurkers ? My reqt is pretty similar - have built 100+ sites (network envy of >400 😉 ) individually, but want to edit URL filtering directly, either in one go or probably by using a small number of templates applied in groups, to handle a staged implementation. Yes, we can use the API, but a GUI method is even more widely available.
... View more
03-16-2021
07:07 AM
Brave man - bleeding edge ! ;-] I guess you know too, I did a 'upgrade now' and it says scheduled for 6 or 7m time, if you go and reschedule and do another 'upgrade now' it claims to start it immediately saving the wait.
... View more
03-15-2021
12:52 PM
1 Kudo
@cmr Thanks again. 👍 All went fine, customer reports no users reported any disruption to service. Not that I think they would have noticed anyway.
... View more
03-15-2021
10:44 AM
Hi All I have just come off the phone to Meraki TAC. The failover is not stateful. So TCP resets all round, but device available achieved by failover and fallback. Ian
... View more
03-15-2021
07:55 AM
Is an MX HA pair stateful ?? Same thing here, users asking for impact statement. According to the doc referenced elsewhere https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practices_for_Meraki_Firmware#Appliance_Network_with_Two_MXs_in_an_HA_Configuration " the dashboard will automatically take steps to minimize downtime when upgrades are performed to ensure a zero-downtime MX upgrade " Will a tcp state table be copied across or will tcp connections be reset ? My understanding ref @cmr 's comment, SIP phones - once call setup has taken place - will be keeping the call going between endpoints and unless the call flow, or one of the endpoints, is via the device being upgraded there is no impact. If the SIP server is via the device in q, I can see a hit, but I would have thought it would be very quick if 'zero downtime' is the reality.
... View more
03-15-2021
07:21 AM
Hi MerakiDave It would be great to get clarity on this. Am upgrading a pair of MX450s tonight and the customer is not going to want to hear there's a 50min delay, like @cmr . Also clarity on the timings. I know the scheduler drop-down only allows it on the hour, but other posts here suggest these get pushed back at 20m intervals, or is that coincidence and it's random, as it's a cloud based service and has to service lots of folk, and depends on load at any given time ?
... View more
01-28-2021
09:52 AM
hi Is this documented anywhere ? I had assumed that would be the process but cannot find it in Meraki documentation.
... View more
11-03-2020
09:35 AM
We share your pain ! In our instance we decided to get the carrier to strip VLAN tagging on the cct, rather than go with beta code. But if you like living dangerously there is a fix starting in 15.37 https://community.meraki.com/t5/Security-SD-WAN/New-15-37-firmware-fixes-MX250-450-WAN-VLAN-issue/m-p/99714 ** N.B. ** Security appliance firmware versions MX 15.37 changelog IMPORTANT NOTICE This is a beta version for the next major MX release. Due to this, we recommend taking additional caution before upgrading production appliances. Where applicable, MX 14 releases will provide a more stable upgrade alternative. 😱 😁 💣
... View more
09-17-2020
04:45 AM
I've had it confirmed by TAC that you have to enable a DHCP server on the vlan, not just able to get it to act as a DHCP/BOOTP relay. So we can; a) Act as an ip helper / dhcp-relay and NOT a BOOTP forwarder, or b) Act as a DHCP server (i.e. not a dhcp relay), and act as a BOOTP forwarder Seems a bit contradictory; a) Forward DHCP multicasts as unicasts, and DO NOT Forward BOOTP multicasts as unicasts; or b) Forward BOOTP multicasts as unicasts, and DO NOT Forward DHCP multicasts as unicasts
... View more
09-07-2020
01:57 AM
Update, we are told (Meraki TAC) this relates to a VLAN tag on the WAN configuration. Apparently an old issue seen strips the VLAN tag from the port config. We are seeing this. When you first connect a unit to the WAN and it connects to the dashboard, then tries to download firmware, if you look at the Uplink config in the dashboard, the dashboard has stripped the VLAN tag from the link. We have been told to add this to the dashboard before the next reload/download happens and it should go fine. What appears to be happening is the VLAN tag gets stripped, the MX can no longer see the dashboard and it recovers itself by rolling back.
... View more
08-27-2020
10:00 AM
not the REST API but the Dashboard API https://nxxx.meraki.com/api/v0/organizations/organizationid/devices/
... View more
08-27-2020
03:10 AM
Joel - can I DM you for the Meraki case # please ? We have what appears to be a similar issue, and when I asked Meraki tech support if it was related to this post they couldn't say as I didn't give the ticket no. for him to compare with. The behaviour we see is the dashboard tells us the units are on 14.42 but Meraki tech say this has failed and they are actually on 12.24, and the dashboard actually is reporting the 'desired' not the running version. The units go offline for 8-10mins roughly every 2.5hrs. My understanding is that they never achieve their initial image download from the dashboard so try continuously rather than using the default schedule (weekly?)
... View more
07-16-2020
01:47 AM
Hi PhilipDAth I'm not sure I follow the suggestion above. The boot options only appear when the Meraki vlan is set to 'Run a DHCP' server. So you can't specify 'Relay DHCP to another server', and bootp options i.e. ip helper and bootp forwarding appear to be mutually exclusive in the dashboard DHCP, Vlan definition page.
... View more
07-15-2020
01:27 AM
The article relates to ports you need to open up for Merkai device to Dashboard comms. The article has a table, and a .csv version. The info differs - which one to believe ? e.g. no .csv entry for tcp/udp 3478,5020-1,7011 .csv no udp ephemeral ports .csv, no tcp 443,30001 'camera streaming proxy' Obviously i can attempt and see what works, but I'd prefer to have an 'official' guide.
... View more
06-24-2020
08:00 AM
1 Kudo
Has anyone got experience of using Bulk Network Creation to create MX networks. The guide https://documentation.meraki.com/zGeneral_Administration/Templates_and_Config_Sync/Using_the_Bulk_Network_Creation_Tool is very thin, and another post suggests consulting the 'Bulking Up' article which has even less detail @NolanHerring https://community.meraki.com/t5/Dashboard-Administration/Bulk-network-creation-issues/m-p/60707 I appreciate it's probably not practical to expect to be able to build the uplink and gateway IPs because you have to manually configure the MX to talk to the dashboard in the 1st instance, but I'd like to create all the L3 subnets for each location as the MX will be the L3 gateway at each site. The format will be largely repeatable at each location, and it will save a lot of clicking if I can do a bulk import.
... View more
06-24-2020
07:46 AM
@bford1 That's a real pain for you. Did you get much joy in the end. I too am on the same path. I realise that you cannot import combined networks, so I want to start with the MX's, then maybe bind a pre-defined template, depending if that works or not. Did you have your serial numbers pre-defined per location ?
... View more
06-24-2020
01:25 AM
1 Kudo
Split tunnel. There is a NAT set up for the return traffic, but I don't see that would necessarily dictate the outbound traffic. i.e. there is a hide-mode NAT (port-forwarding) set up for this internal host when egressing the WAN2 uplink of the MX. So going out that would hide the internal src IP behind the MX WAN 2, but would that make the traffic go that way itself, I don' think so. Anyway thanks for your input and I have learnt something. I have got rid of the SD-WAN, VPN traffic, Uplink Selection Policy, and used a Uplink selection, Flow preference, Internet traffic rule instead. Thanks for your interest. But no stats unfortunately, other than to look at the WAN usage in the Appliance status page :[
... View more
06-23-2020
11:04 AM
Hi Yes i was - now you have explained the sections I am surprised it was behaving like it was. My VPN traffic , Uplink selection policy had WAN2 as the preferred uplink option (with mandatory failover) AND the traffic filters Windows Ofice365, and a custom expression tcp from an inside host to any host, external port number. So a very crude kind of policy routing, i.e. "if it comes from here" AND "the destination port is X", THEN use uplink WAN2.
... View more
06-23-2020
07:48 AM
HI jdsilva That's a really useful explanation. I get what you are saying - my Uplink Selection is set to WAN1 with load-balancing Off. In fact I was successfully using the SD-WAN, VPN traffic, Uplink selection policy to send particular traffic down WAN2. (otherwise with WAN1 as the primary uplink, WAN2 would never get a look in)
... View more
06-23-2020
01:54 AM
Hi @jds Thx. That's clear altho slightly disappointing on the stats. front. Just to clarify it's not an Internet Flow Preference in the SD-WAN UPlink section, but a (confusingly named section) SD-WAN policies, 'VPN traffic', Uplink selection policy. When speceified filters are met, Prefer WAN 2, Fail over if Uplink down Rgds, Ian
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 1 | 454 | |
| 1 | 512 | |
| 1 | 1248 |
