Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Crocker
Crocker
Here to help
Member since Nov 10, 2020
a week ago
Community Record
12
Posts
7
Kudos
0
Solutions
Badges
2 weeks ago
I've got several group policies that are intended to act as an equivalent to Cisco ACL's, assigned to specific VLANS. For example, a policy governing what is/isn't allowed out of the management VLAN at a given site. The rules appear to work as intended. Is there any way to enable logging to see what traffic the group policy firewall is blocking?
... View more
2 weeks ago
I'm sure this isn't the case, but I wanted to check. Do you have any static routes configured on any of your hubs?
... View more
3 weeks ago
2 Kudos
Throwing in my 2 cents here. We use a mix of MX67C and Z3C appliances at several small satellite sites spread across the state, running entirely over their internal cellular. We also have several MX67/Z3 (no internal cell) appliances as well. This works well most of the time; However, we do occasionally have issues where a handful of sites (usually within a small geographical range of eachother) will go offline early in the morning. They will not recover automatically, but we can send somebody out to reboot them and everything comes back to life. My pet theory (which I need to check against a Meraki resource) is that the built-in cellular on both models has a limited # of retry attempts when it loses its signal. After so many attempts (or after so long without a ping from a cell tower), they just give up and don't try again until they're rebooted. We do not experience this problem at sites that have an MX67/Z3 + MG21 setup.
... View more
03-21-2021
03:20 PM
2 Kudos
All went according to plan, discounting some weirdness with the MX250 not being able to check-in with the dashboard for ~2 hours. Almost seems too easy!
... View more
03-20-2021
07:53 AM
2 Kudos
Thanks for passing that along. The MX250 did eventually come up about 2 hours after my post, automagically...
... View more
03-19-2021
11:34 PM
1 Kudo
Just got off the phone with support, was in the middle of attempting to swap an MX84 for an MX250 (our AutoVPN hub). Everything went smoothly until it came time for the MX250 to check in with the dashboard. Gave it probably half an hour to check in, it never did. Verified I can ping it from our internal network, verified the switchport it's connected to is seeing a bit of traffic in/out. Verified arp entries, etc. Support tried a couple things like removing the MX250 from the hub network, adding it back. They verified that they can see it talking to the dashboard, and the dashboard talking back. Dug around a little, turns out there's a known bug right now preventing new devices from checking in with the dashboard. Anyone else heard about this? Edit: a few more details
... View more
03-18-2021
03:37 PM
Thanks for the review and the notes! Doing this tomorrow night, will post back if I end up deviating from the plan.
... View more
03-13-2021
09:02 AM
Wanted to make sure I'm not oversimplifying a task, any feedback is appreciated. We have two MX84's, in disparate datacenters, both operating in one-armed concentrator setup. The MX84 in datacenter A advertises more specific routes to devices located in datacenter A, and the MX84 in datacenter B advertises more specific routes for devices located in datacenter B. Datacenter A and Datacenter B are connected via a 10gbps backhaul. Both hubs have their own individual 'networks' in the Meraki dashboard. I've got replacement MX250's for both of the MX84's. The plan (per datacenter) is as follows: 1. Hardcode the MX250 to use the same IP address as its respective MX84 2. Rack the MX250, connect to a switchport in the core that is in a SHUT status but otherwise mirrors the switchport configuration for the MX84 3. Remove the more specific routes from the AutoVPN configuration so AutoVPN traffic can freely fail between the MX's (traversing the backhaul to get from Datacenter B to Datacenter A while MX84-A is offline) 4. SHUT the switchport on the MX84 5. Remove the MX84 from the "Datacenter X Concentrator" Meraki network in the dashboard 6. NO SHUT the switchport for the MX250. Verify it comes up and can talk to the dashboard 7. Add the MX250 to the "Datacenter X Concentrator" Meraki network in the dashboard 8. Verify AutoVPN connections establish with the MX250, then re-apply the more specific routes removed in step 3 Thoughts?
... View more
03-13-2021
08:39 AM
Adding in my agreement here. We're in the process of migrating from a fully Cisco environment to Meraki devices at our satellites. While the Meraki equipment does satisfy most of the performance/security requirements at the satellites, they've been kind of a nightmare for any sort of monitoring or reporting. Whether it's SNMP values requiring quite a bit more brain work to interpret, trying to set up alerting that is useful without being too spammy (via the Dashboard or third party tools), to trying to get a 'big picture' view of ~150 satellite locations, it's been a real struggle.
... View more
11-26-2020
01:19 PM
Any chance the 'Private Addresses' setting is toggled on, on the devices in question? That could stop the GP from applying to the device.
... View more
11-26-2020
08:00 AM
Support confirmed that the cellular failover rules will not work for Active/Active AutoVPN traffic, which is kind of a bummer. I've experimented with the SD-WAN policies as well, and they too seem to not work properly. As a test, at one of my sites I put together a very simple rule: Prefer WAN 1, failover if uplink down - 10.##.##.##/32 to Any, Any to 10.##.##.##/32 However, when I run a packet capture on the S2S over Internet1 and S2S over Internet2 interfaces, I see the traffic to/from the specified IP crossing both interfaces. I've notified support of this, and they have verified that the rule appears to be set up properly. The question is whether or not SD-WAN policies affect Active/Active AutoVPN traffic... I'll follow-up once I have an official answer.
... View more
11-10-2020
12:11 PM
Wanted to check in and see what others have done/experienced. In short, I have a location with the following setup: MX67C with WAN1 connected to a hardline ISP, WAN2 connected to an MG21 using an AT&T SIM It is a full-tunnel spoke in a larger AutoVPN deployment Active-Active AutoVPN is enabled We have a simple SD-WAN policy defined that ships our traffic across whichever Uplink is 'best for VOIP traffic' The setup appears to be mostly working as expected; However, we do end up sending quite a bit of heavy data across the cell connection at times - one example is our Microsoft SCCM software/update deployments. I'm not seeing any way to specify that defined traffic (to/from an IP&Port) should only ever traverse WAN1 and never WAN2. We worked with support a few weeks ago, and they changed a hidden setting that should have forced the Cellular Failover Firewall Rules to act on WAN2 instead of the built-in (inactive) cellular interface on the MX67C; However, through testing I've found that this doesn't appear to work at all. I'm still chasing that up with support, but wanted to check in here with the community and get your thoughts.
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 89 | |
| 2 | 93 | |
| 2 | 164 | |
| 1 | 196 |
