Community Record: 31 Posts, 12 Kudos, 0 Solutions
4 weeks ago
Is it a VTI or not? I don't see how it would work without the other end being configured as VTI.
Feb 17 2025 11:54 AM
So the documentation for Access Manager was just released and it looks very cool. It supports access control through 802.1X and MAB, while SmartPorts profiles endpoints using OUI and LLDP/CDP. SmartPorts also configures both access and trunk ports. How do these two features interact with each other, and which one takes precedence? Are there any plans to consolidate Access Manager and SmartPorts policies into a unified, shared policy? With ISE, you can manage 802.1X, MAB, profiling, and more all in one centralized location.
Dec 9 2024 12:24 PM
If spokes receive a default route from the SC hubs, does that mean NAT (1:1, 1:many, port forwards) on the spoke stops working when SC is enabled?
Nov 29 2024 4:42 AM (2 Kudos)
I am just trying to fully understand SC and what options there are. The use case here would mostly be to utilize remote access and ZTNA without tunneling everything. It would also be nice to force split tunneling temporarily or in troubleshooting scenarios in case full tunneling broke something. Traffic exclusion is cool for that though 🙂
Nov 27 2024 12:37 PM
Is it possible to do split tunneling so only RFC1918 is tunneled to Secure Connect via Auto VPN? I am guessing it is only possible for hub sites, as spokes will always receive the 0.0.0.0/0 route from the Secure Connect hubs.
Nov 11 2024 9:12 AM
Thank you! So it's basically always S2S rules, and if the traffic goes via the Secure Connect hubs then CDFW rules are checked.
Nov 11 2024 12:23 AM
Hi, I'm trying to understand when the Meraki S2S firewall rules are being used and when the CDFW rules are being used. I think it's a bit blurry now that hubs are supported.

If the only hubs are Secure Connect hubs: Is it only the CDFW rules that are being evaluated, or are the Meraki S2S rules also being evaluated?

If there is an on-prem MX as hub and it has first priority: Is it CDFW or S2S rules that are being evaluated, or both?

If there is an on-prem MX as hub and it has first priority: How does spoke-to-spoke traffic behave? Does it still go via Secure Connect? Is it CDFW or S2S rules that are being evaluated, or both?

Link to the documentation: https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco__Secure_Connect_Now-_Sites/Meraki_SD-WAN_Hub_Integration_with_Secure_Connect
From a performance perspective, yes in theory it's better to prune, but in practice, just allow all and avoid the management overhead.
Dec 6 2023 6:29 AM (2 Kudos)
Yeah, as is you will need to cycle the ports once the site comes back online... It's really not ideal. There is also a risk that you don't notice before the users do, as the AP will be online and connected to the management network even though the port isn't authenticated...
Nov 17 2023 2:04 AM
I wonder if it has anything to do with the DNSCRYPT service not running on the MX. Meraki has a bug where the service stops running, so DNS traffic tunneled to Umbrella stops working. A restart of the MX solves the issue, but it might or might not come back. They don't know why it happens at the moment.
Nov 9 2023 4:04 AM
The only way to deal with silent devices is either configuring the device to use DHCP, or setting the access VLAN to the VLAN the device should be in and making sure that control direction is only out in the access policy. This way the traffic should be able to reach the device, and the return traffic should trigger authentication.
Oct 3 2023 4:19 AM (1 Kudo)
It's not a solution. Where does it go from the L3 switch? It goes back to the MX. Where does it go from the MX? To the L3 switch. Until TTL reaches 0. Meraki needs to add the ability to create static routes towards the WAN. As long as you can't do that, there isn't a good solution.
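The two routing questions above (whether a spoke that only receives 0.0.0.0/0 from the Secure Connect hubs can keep RFC1918 traffic off the tunnel, and the MX/L3-switch ping-pong until TTL hits zero) both come down to longest-prefix matching. The following is an added Python illustration of that logic; it is not code from the posts, from Meraki or from Cisco. The routing tables, the device names (`mx`, `l3switch`, `sc_hub`, `local_internet`) and the addresses are constructed for the example and do not describe what the dashboard actually installs.

```python
import ipaddress

# Each table is a list of (prefix, next_hop). next_hop "local" means the packet is
# delivered on this device; a name not present in the topology (e.g. "wan",
# "sc_hub") means the packet leaves the simulated domain on that uplink/tunnel.
# All tables and addresses below are constructed for this example.

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def lookup(table, dst):
    """Longest-prefix match: the most specific matching prefix wins, so a
    0.0.0.0/0 learned from a hub only catches what nothing else matches."""
    addr = ipaddress.IPv4Address(dst)
    best_net, best_nh = None, None
    for prefix, next_hop in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, next_hop
    return best_nh


# Spoke that only has its connected LAN plus a default learned from the SC hub:
# every non-local destination, RFC1918 or not, is sent to the hub.
SPOKE_DEFAULT_ONLY = [("10.10.0.0/24", "local"), ("0.0.0.0/0", "sc_hub")]

# Hypothetical split table: RFC1918 towards the hub, everything else out locally.
SPOKE_SPLIT = ([("10.10.0.0/24", "local")]
               + [(p, "sc_hub") for p in RFC1918]
               + [("0.0.0.0/0", "local_internet")])


def trace(topology, start, dst, ttl=64):
    """Forward a packet device by device until it is delivered, has no route,
    leaves the domain, or the TTL is exhausted. Returns (outcome, where, hops)."""
    device, hops = start, 0
    while ttl > 0:
        next_hop = lookup(topology[device], dst)
        if next_hop is None:
            return ("no_route", device, hops)
        if next_hop == "local":
            return ("delivered", device, hops)
        if next_hop not in topology:
            return ("forwarded_out", next_hop, hops)
        ttl -= 1          # every forwarding hop decrements TTL
        hops += 1
        device = next_hop
    return ("ttl_expired", device, hops)


# MX with a static route for 10.20.0.0/16 towards the L3 switch; the switch only
# owns 10.20.1.0/24 and defaults back to the MX. Anything else inside 10.20.0.0/16
# bounces between the two until TTL reaches zero.
LOOP_TOPOLOGY = {
    "mx": [("192.168.1.0/24", "local"), ("10.20.0.0/16", "l3switch"), ("0.0.0.0/0", "wan")],
    "l3switch": [("10.20.1.0/24", "local"), ("0.0.0.0/0", "mx")],
}


if __name__ == "__main__":
    for dst in ("10.10.0.5", "10.99.0.1", "8.8.8.8"):
        print(dst, "default-only ->", lookup(SPOKE_DEFAULT_ONLY, dst),
              "| split ->", lookup(SPOKE_SPLIT, dst))
    print(trace(LOOP_TOPOLOGY, "mx", "10.20.1.7"))   # delivered on the switch
    print(trace(LOOP_TOPOLOGY, "mx", "10.20.5.5"))   # ttl_expired after 64 hops
```

Running it shows the two points side by side: with only a default from the hub, 10.99.0.1 and 8.8.8.8 both go to `sc_hub`, whereas the split table sends only the RFC1918 destination there; and a destination covered by the MX static route but not by any connected subnet on the switch loops 64 times before the TTL runs out, which is the behaviour the later post describes.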
Sep 21 2023 4:13 AM (1 Kudo)
Any ETA on this? Getting a bit tired of having to do maintenance windows for minor changes 😉
Aug 23 2023 1:25 AM
Great information! My only experience so far with Secure Connect is the dCloud lab, so it's nice to get some feedback from the real world. Number 1 should definitely be an exception by default. Regarding number 2: what do you mean by it isn't supported? What is preventing you from using the Umbrella hubs as exit hub on the hub in the DC? And why can't traffic from spokes to the DC go directly and not via Umbrella? The fact that you can't do local breakout based on domains and wildcard domains is a big problem. That being said, when you go down this path it is expected to put in quite some work on bypassing Umbrella completely or doing selective decryption for different destinations/applications. That's the same for all vendors.
Aug 15 2023 2:12 AM (1 Kudo)
Meraki also uses a public IP in the NAS field when APs and switches probe the RADIUS server to see if it is alive. Meraki also uses public IPs for BGP router IDs when enabling BGP, and for the APs when they are in mesh. It's really strange to see these public IPs show up in seemingly random places.
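For the NAS-IP-Address observation above, the practical check is to look at what the RADIUS server actually receives rather than what the dashboard shows. The following is an added Python example, not code from the post or from Meraki: it frames and parses RADIUS packets per RFC 2865 (a 20-byte header followed by type/length/value attributes) and flags requests whose NAS-IP-Address falls outside the management ranges you expect your APs and switches to use. The sample packets, the NAS identifiers `ms225-1` and `mr46-2`, the expected range and the addresses are constructed for the example; the authenticator is a zero placeholder because the check does not need it.

```python
import struct
import ipaddress

# RFC 2865 framing: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes...
# Attribute: Type(1) Length(1, includes the two header bytes) Value.
HEADER_LEN = 20
NAS_IP_ADDRESS = 4       # attribute type 4, carries a 4-byte IPv4 address
NAS_IDENTIFIER = 32
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              12: "Status-Server"}   # Status-Server (RFC 5997) is the standard liveness probe
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_radius(code, ident, attrs, authenticator=bytes(16)):
    """Assemble a packet from (type, value_bytes) pairs. The zero authenticator is a
    placeholder; real requests carry a random/MD5 authenticator not needed here."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def parse_radius(pkt):
    """Return (code, identifier, [(type, value_bytes), ...]); raise ValueError on a
    truncated header or an attribute whose length runs past the packet."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("length field inconsistent with packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, bytes(pkt[pos + 2:pos + attr_len])))
        pos += attr_len
    return code, ident, attrs


def nas_ip(attrs):
    """The NAS-IP-Address the client claims for itself, or None if absent/malformed."""
    for attr_type, value in attrs:
        if attr_type == NAS_IP_ADDRESS and len(value) == 4:
            return ipaddress.IPv4Address(value)
    return None


def audit_nas_ip(pkt, expected_nets):
    """Classify a request by where its NAS-IP-Address sits relative to the
    management ranges you expect; RFC1918 membership is checked explicitly."""
    _code, _ident, attrs = parse_radius(pkt)
    ip = nas_ip(attrs)
    if ip is None:
        return "missing"
    if any(ip in ipaddress.IPv4Network(n) for n in expected_nets):
        return "expected"
    return "unexpected_private" if any(ip in n for n in RFC1918) else "unexpected_public"


# Constructed sample requests (not captures): one from an expected management
# address, one claiming a public NAS-IP-Address as the post describes.
EXPECTED_NETS = ["10.0.0.0/8"]
PROBE_OK = build_radius(1, 7, [(1, b"meraki-probe"), (NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),
                               (NAS_IDENTIFIER, b"ms225-1")])
PROBE_PUBLIC = build_radius(1, 8, [(1, b"meraki-probe"), (NAS_IP_ADDRESS, bytes([203, 0, 113, 10])),
                                   (NAS_IDENTIFIER, b"mr46-2")])

if __name__ == "__main__":
    for pkt in (PROBE_OK, PROBE_PUBLIC):
        code, ident, attrs = parse_radius(pkt)
        print(CODE_NAMES.get(code, code), ident, nas_ip(attrs), audit_nas_ip(pkt, EXPECTED_NETS))
```

The same `audit_nas_ip` check can be run over packets pulled from a capture on the RADIUS server's UDP/1812 socket; the bounds checks in `parse_radius` matter there, since a length byte that overruns the packet is exactly the kind of input a parser on that socket must reject rather than read past.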
Jun 26 2023 6:34 AM (2 Kudos)
Hi Gary. This documentation states you can set the Umbrella "MX" as an exit hub. Is this not possible when doing Secure Connect? I thought it was essentially the same. https://documentation.meraki.com/MX/Meraki_Umbrella_SDWAN_Connector/Deployment_Guide Why does the vMX need to be in routed mode?
Jun 6 2023 6:11 AM
I am asking about management and deployment of Secure Client, which is part of Secure Connect. This is the documentation from the Meraki page, but it leaves out some details. https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco__Secure_Connect_Now_Remote_Access What I am curious about is whether the Secure Client used for Secure Connect can (or shouldn't) be managed/deployed via SecureX / XDR. Is there anything special about the installation file generated by Meraki and Umbrella, or is it just the normal installer with a profile that can be used with any type of deployment? When I read the documentation it sounds like I am able to deploy the Secure Client XML whatever way I want. I find it hard to only talk about Meraki when talking about Secure Connect, when it seems to be a combination of Meraki, Umbrella and Secure Client.
Jun 6 2023 5:57 AM
I don't think that is related. The document describes SSO for the Meraki and Umbrella dashboard.
Jun 6 2023 3:07 AM
Will it be possible to deploy and manage the Cisco+ Secure Connect Secure Client via SecureX / XDR? Is there anything special in the Secure Client installation file generated from the Secure Connect / Umbrella dashboard, or can it be deployed by uploading the profile to SecureX / XDR and then generating the installation file there? Is there any disadvantage?
May 24 2023 10:39 AM
In the PVT today they mentioned a list of hidden features which support can enable. One of them was disabling peering between hubs. If you are receiving the same routes in both DCs, it is recommended to enable this feature to avoid asymmetric routing.
May 15 2023 4:53 AM
@Ryan_Pascoe Thanks, that makes a lot more sense. That also means the MS390 is a beast with Meraki GP compared to a C9300 with dACL, but I guess that's the advantage of using an access list that exists locally on the switch.
May 14 2023 2:05 PM
200 ACEs across the switch?! Does that mean if I make a GP that allows DNS, DHCP, blocks RFC1918 and allows anything else, that would be 5 ACEs, and I would only be able to apply it on 40 ports?