Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Crocker
Crocker
Getting noticed
Member since Nov 10, 2020
Friday
Community Record
59
Posts
47
Kudos
3
Solutions
Badges
2 weeks ago
I have the same question. Got prompted to test out the new UI this morning and took a look at the Early Access tab in the Organization Menu. Saw that I've got the new summary page enabled, and I know I saw it show up sometime last week but didn't have time to explore it. Now I dunno how to get back to it 😞
... View more
05-18-2022
09:36 AM
This is basically what we ended up doing. We have a handful of SSID's, and each one is tied to a tag. The tags are assigned/unassigned depending on the site needs. It's extra steps for sure, but after the initial setup it's proven to be beyond useful.
... View more
05-12-2022
10:47 PM
I'm not sure if it applies in your scenario, but Microsoft broke device certificate authentication between NPS and Domain controllers with the patches released Tuesday. Specifically, patched domain controllers are failing to map the certificates to the machine accounts.
... View more
04-27-2022
11:59 AM
Excellent, I'll ping support and do some capturing, see what I can see. Wanted to make sure I wasn't missing something obvious!
... View more
04-27-2022
11:35 AM
Yup, there's a SIM plugged into the SIM slot on the MX67C. Not sure what I need to ask support? You mentioned having them enable something in your post but not what. I enabled the Cellular Active Uplink option in the Security & SD-WAN > Configure > SD-WAN & Traffic Shaping options. Is there something else needed? Active-Active AutoVPN is enabled under Security & SD-WAN > Configure > SD-WAN & Traffic Shaping
... View more
04-27-2022
10:41 AM
Need a bit of clarification. Does this feature support active-active AutoVPN? The following blurb from the best practices document above is a bit unclear - unsure if it's talking about an add-on USB 3G/4G modem or the built-in cellular modem: Is dual active AutoVPN available over a 3G or 4G modem? No, 3G or 4G modem cannot be used for this purpose. While the MX supports a range of 3G and 4G modem options, cellular uplinks are currently used only to ensure availability in the event of WAN failure and cannot be used for load balancing in conjunction with an active wired WAN connection or VPN failover scenarios. Asking because I'm having some trouble testing this feature at a remote location, which is using a full-tunnel AutoVPN back to our concentrator(s). Seems like AutoVPN isn't detecting the cellular uplink, or isn't establishing across it.
... View more
04-26-2022
10:04 AM
Excellent, this is the detail I was looking for. Went digging around on the uplink configuration/SD-WAN configuration docs but they don't have much mention of this feature. Was apparently looking at the wrong docs.
... View more
04-26-2022
08:36 AM
Cool! Under the hood, is the built-in cellular interface basically becoming/being treated as WAN2 when the option is toggled on? Curious if this is going to interact with the cellular failover firewall rules at all. I notice I can enable both WAN 2 and Cellular Active Uplink, but Cellular replaces WAN2 as an option in a couple of the SD-WAN drop-downs I looked at (like primary uplink).
... View more
04-26-2022
08:27 AM
Looking to do some testing with this new feature, wondering if anyone else has already done so and if there are any blatant gotchas?
... View more
04-05-2022
10:54 AM
Ditto on shard 426. Also had some issues with the Tools tab not loading for Access Points, but that was back on 4/1. Didn't think much of it at the time.
... View more
On the 2nd switch, I was able to at least get link lights on the front LAN ports after a factory reset. Setting the static IP on my client allowed me to get to the local device management page, so that's good. Ended up carting both switches back to our build room and connecting them straight in to just a run-of-the-mill cable ISP connection, off of our corporate network. Got link lights, DHCP'd addresses, connected right up to the dashboard. Both switches pulled a firmware update and installed it before booting fully, but have behaved as expected afterwords. All good now, thanks for the suggestions!
... View more
Finally received 2 MS120-48P switches that we've been waiting on for a couple months. Attempting to do the pre-configuration (set static IP address on uplink port, etc). Normally we do this using a non-domain laptop connected direct to the management port of the MS. Connect it up, wait for the management page to pop up, and away we go. Simple. Today, on both of these newly-unboxed MS's, I'm seeing odd behavior: When something is connected to the management port, the port may or may not light up briefly, then goes dark When something is connected to any of the front panel ports (1-48), the port may or may not light up briefly, then go dark Multiple laptops exhibit this behavior with both switches Multiple ethernet cables have been tried If we try to skip the 'connect a laptop and configure' step and just connect a front-panel port to an uplink on on our closet switch, one that allows for internet access and DHCP, the port on the MS may or may not light up briefly, then goes dark Tapping the reset button on the front of the switch has 0 impact on the behavior, no change after the switch reboots Holding the reset button on the front of the switch for 10 seconds and forcing a reload also produces no differences in behavior after the switch reboots Just for grins, if I connect two of the MS's switchports together, the link lights come up. Not sure what this tells me, other than that the link lights work Am I missing something super obvious or did I win the lottery and get 2 DOA MS120's? That doesn't seem likely, right?
... View more
02-25-2022
10:10 AM
For the MS - It's looking for an interface in the subnet/VLAN you want to listen for DHCP requests in, and will then relay those requests (using the interface's IP), to the DHCP servers it's configured to relay to.
... View more
02-23-2022
10:38 AM
1 Kudo
You can try the /devices/$serialNum/clients endpoint: https://developer.cisco.com/meraki/api-v1/#!get-device-clients Alternatively, if you want to gather all clients for a given network, you can query the /networks/$id/clients endpoint: https://developer.cisco.com/meraki/api-v1/#!get-network-client
... View more
02-11-2022
01:23 PM
2 Kudos
Thanks for double-checking me. Now to figure out why my per-client limit doesn't appear to be working! Update: I'm an idiot. SpeedBurst was skewing my my tests.
... View more
02-11-2022
12:32 PM
Doing some testing and it appears that they do not, in fact, work for clients connected to mesh AP's...
... View more
02-07-2022
07:58 AM
2 Kudos
I don't believe there's a great way to do this through the dashboard itself. You may want to look at a Netflow configuration. In a nutshell, you'll tell your MX to send Netflow to a specified server/workstation with some Netflow parsing software on it (we use Solarwinds Netflow Traffic Analyzer). The software can then give you a rough breakdown of what traffic is passing through the MX, along with analytics like top talkers, top sources, top destinations, and specific information like throughput to/from a specific website or host.
... View more
02-04-2022
08:17 AM
Yeah, the Policy Objects/Policy Object Groups are a lifesaver for that exact reason. Even though they're marked as a beta feature, I believe several folks are using them successfully. We haven't seen any problems with them either - they behave exactly like you would expect. That said, we do back up the policy objects, policy object groups, and site to site VPN firewall rules daily using API calls...just incase.
... View more
02-04-2022
07:53 AM
Support got back to me, Development confirmed this is a bug they're aware of and actively working on. No timeframe was provided but we can expect it to be fixed at some point.
... View more
02-04-2022
07:48 AM
2 Kudos
It took me a little while to get my head around the behavior of Group Policy Layer 3 Firewall rules. In our case, we migrated from Cisco ISR 4321 + Cisco Catalyst 2960 hardware to MX67/MS120's. In the old setup, the SVI's were defined on the Catalyst and each SVI had an inbound/outbound ACL that had ACE's to only allow the conversations we wanted to allow. We attempted to recreate that with Meraki gear, but with the SVI's defined on the MX67 and the group policies filling in for the ACLs. Note that we also use full-tunnel Site-to-Site VPN between our remotes and our datacenters, which introduces some caveats. In a nutshell: The group policy Layer 3 Firewall rules do not block traffic inbound to a client in the VLAN, only traffic outbound from a client in the VLAN. Say you have a simple policy applied to VLAN 100 (and the subnet associated with that VLAN is 10.10.20.0/24) that permits SSH to 10.10.10.35 and blocks all other traffic. Anything on your network is going to be able to send packets to 10.10.20.0/24 clients (and the clients will receive these packets) using whatever protocol/port they want; However, the group policy will block response traffic that doesn't match the permit. You can verify this with a packet capture either from the MX or on the client itself. While this works to block unwanted conversations, it does not block unwanted packets the way we were used to. We didn't like that packets were getting to clients that shouldn't have been, even if the outbound packets were getting dropped so no real communication occurred. We ended up reworking this to nix the group policy firewall rules entirely, instead using a combination of Layer 3 firewall rules + Site to Site VPN firewall rules.
... View more
02-03-2022
01:07 PM
1 Kudo
We're also semi affected on n426.meraki.com. No errors (yet) but we're getting that behavior where the dashboard doesn't fully load when trying to navigate around - for example, the left-hand nav menu is missing 9/10 times on refresh. Started for us at about 3:00 PM Central.
... View more
02-03-2022
01:04 PM
1 Kudo
Got one opened not long after my post. Support is running some examples up to the Devs, will follow-up if/when they provide more info.
... View more
02-03-2022
08:22 AM
I've noticed the same thing. The change alerts for devices still identify the admin that made the change, but change alerts for MS (at least, for MS120 series which is all we've got) devices do not. Going back through our change alert e-mail history, changes on MS devices identified the admin up till at least 12/14/21. There's a 14-day gap where we didn't make any switch changes, and then the next change alert was on 12/31/21 which does not identify the admin. All change alerts after this point do not identify the admin responsible for the change. Edit: Reviewed the Organization -> Change Log entries, these do still identify the admin responsible, so the information is at least available. Would be nice to have it back in the change alert e-mails though.
... View more
02-01-2022
07:28 AM
3 Kudos
We have a couple remote ATM's that we run with Z3C's. The experience has generally been positive, but every once in awhile (every couple of months, maybe?) a handful of Z3C's or MX67C's will go offline. The devices will not come back online until someone goes on-site power-cycles the things. We do not have the same behavior with Z3's or MX67's using an MG21 for their only uplink. If I were to recommend anything, it would be to avoid using the built-in cellular as the 'primary' connection on these two platforms.
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 363 | 02-01-2022 07:28 AM | |
| 452 | 01-20-2022 02:13 PM | |
| 7584 | 05-21-2021 03:48 PM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 6 | 223 | |
| 6 | 7584 | |
| 5 | 690 | |
| 3 | 363 | |
| 3 | 607 |
