The Meraki Community
About MickeyDawson

MickeyDawson

Comes here often

Member since Apr 18, 2018

03-03-2021

Community Record

Posts: 15
Kudos: 0
Solutions: 0

Badges

CMNA
1st Birthday
First 5 Posts

Latest Contributions by MickeyDawson

Re: STATIC ROUTE availability test

by MickeyDawson in Security / SD-WAN
07-15-2018 01:22 PM
Internet ADSL router gateway (VLAN1) (192.168.1.0/24)
MX WAN port (NAT) is on the same VLAN 1 / subnet as the Fortinet WAN port (192.168.1.0/24) NAT Fortinet LAN interface used as MX next hop = VLAN 2, 192.168.2.0/24
Test PC running CMD and Internet on VLAN 44 (172.16.44.0/24) connected to MX LAN port VLAN 44

Mike

Re: STATIC ROUTE availability test

by MickeyDawson in Security / SD-WAN
07-15-2018 02:13 AM
Philip, a good pointer. I tried adding a static to 8.8.8.8/32 via my next hop 192.168.2.1 via LAN 3 port and testing availability to host 8.8.8.8. I then added a 2nd static route to 0.0.0.0/0 via my next hop 192.168.2.1.

I checked that the static route was active via the Fortinet Firewall 192.168.2.1 and it was.

I then failed the WAN on the Fortinet to fail the 8.8.8.8 host test and the default route did not change; it remained active on the Fortinet.

Not giving up but using your logic, I added a 2nd availability test onto the 0.0.0.0/0 static also to ping host 8.8.8.8.

This worked when the 8.8.8.8 host test was associated with the Default static. When I failed the WAN interface on the next hop firewall the route then disappeared.

Now for the interesting bit.

So we have a static default via a 3rd party firewall and have the ability to remove the route if the test ping to 8.8.8.8 fails.

My monitored pings to 8.34.34.34 and 88.221.170.233 both failed when the static default route disappears, however Internet connectivity is maintained by my test PC plugged into MX port 3 on a separate VLAN.

So the failover for Internet connectivity via the MX WAN port instead of the next hop worked 🙂 but the CMD pings stopped. I tried an additional CMD ping to a different destination 208.67.220.220 and that responded via the route MX WAN 1, however the original pings still showed Request Timed Out and again I still have internet connectivity.

So in my mind something is not timing out on the MX ARP around 8.34.34.34 / 88.221.170.233.

I rebooted MX to see if pings would return and they did.

So we're 99% there but I am a little confused what is happening re the original test pings failing. P.S. If I re-enable the WAN port on the Fortinet the Static route becomes active again and the pings return.

Strange. What do we think is going on here? Is it the ARP cache on the MX that's not timing out within my observation window?

####################

Below is a test I have just performed pinging the 3 destinations. The original two that failed and the new destination to OpenDNS. The picture below is what just happened after I disconnected the Fortigate WAN. Notice the OpenDNS ping remains but only the original destinations which were established when the Static route was active fail.

Got to be something in my mind to do with ARP caches 🙂

STATIC ROUTE availability test

by MickeyDawson in Security / SD-WAN
07-13-2018 05:15 AM
Meraki advise: When a route is configured as active while the next hop responds to ping, or active while a host responds to ping, the MX tracks the route. If the MX stops receiving ping responses for a period of time, the route will be removed from the routing table. The route is re-added when responses are received again.

I have a specific requirement where a static route is providing a route via a 2nd L3 device connected to a LAN port. As such next hop testing will not detect if an L3 path failure occurs towards a destination using the static.

Will 'while a host responds' provide route availability and detection for a distant host that sits behind a few hops?

Specifically here I am using the static 0.0.0.0/0 via next hop on a LAN port so as to use a next hop L3 device to route to the Internet. However if that device loses internet connectivity I need the 0.0.0.0/0 static removing to allow a dynamic 0.0.0.0/0 via the MX WAN interface.

Does anyone think this scenario is possible?

Mike

Re: How can I bypass a 3rd Party VPN that is advertising the default route.

by MickeyDawson in Security / SD-WAN
06-25-2018 11:35 AM
I have spoken with our Meraki SE and he thinks that bypassing a Meraki - Meraki VPN is something they do support for SDWAN features but we're not sure if this also works for 3rd parties as well; at least I cannot find a way to do it 🙂 Just wondered if this has ever come up before.

Re: How can I bypass a 3rd Party VPN that is advertising the default route.

by MickeyDawson in Security / SD-WAN
06-16-2018 11:47 AM
Yep, I agree Phil, I think that should work 🙂 and is possibly the cheapest alternative being the cost of maybe a cheap cct.

How can I bypass a 3rd Party VPN that is advertising the default route.

by MickeyDawson in Security / SD-WAN
06-16-2018 03:56 AM
I have a scenario where ALL traffic from the MX is to traverse a VPN to the internet via a centralised cloud security service. The 3rd party VPN advertises the 0.0.0.0/0 so that the VPN is used as the default gateway. It's working fine. However there will be exceptions where some LAN traffic will be required to use the WAN 0.0.0.0/0 to retain the local site's source IP in the UK for web site / VPN authentication purposes and not the VPN 0.0.0.0/0. The MX has the ability to add static routes, however they only apply to LAN interfaces and do not override the 0.0.0.0/0 behavior. I tried adding a static to Google 8.8.8.8/32 and passing it to a LAN port VLAN that was not in the 'use VPN' list, however the traffic got terminated by the MX which returns pings <1ms so it's staying local. I guess I could add a static to a 3rd party device on a VLAN in my attempt to get the traffic to 8.8.8.8 to use a different path to the internet but that means adding additional LAN hardware. Can anyone think how the MX could be configured to route specific traffic via the WAN 0.0.0.0/0 and override the VPN learned 0.0.0.0/0? This is so frustrating as all we need is a static routing capability that works with WAN interfaces and not just LAN so we can override the default path.

Re: MX Warm Spare Issue

by MickeyDawson in Security / SD-WAN
04-26-2018 06:58 AM
Sorry for the previous posts. After reading the article you advised, it's VRRP so local 😉 now I understand. I thought incorrectly it was cloud controlled 🙂

Re: MX Warm Spare Issue

by MickeyDawson in Security / SD-WAN
04-26-2018 06:49 AM
Hi, what scenario would you describe the MX having sub second failover? I would have thought that once it loses connectivity to Meraki there would be a lag between the failover between the existing and the warm standby, as if you had an intermittent problem regards internet connectivity would they both try and become the primary? Maybe incorrectly I thought the failover to warm standby was over a min or two, maybe I am wrong. 🙂

Re: MX Warm Spare Issue

by MickeyDawson in Security / SD-WAN
04-25-2018 04:33 AM
Am I correct in assuming that your MXs are both ACTIVE ACTIVE not Warm spare? Does anyone have any experience of typical Warm Standby failover times?

We have a design that requires the DC to terminate 2 x Internet & 2 x MPLS, however if we terminate 1 INT + 1 MPLS on the Active MX, if that fails the Warm Standby will take x seconds to become active where we lose both INT + MPLS, so in this situation would you have 2 x ACTIVE MX on separate networks and not a warm standby design?

Re: OSPF and VLAN support in new NO NAT MODE

by MickeyDawson in Security / SD-WAN
04-20-2018 08:13 AM
This again is so simple, thank you for the reply. Makes perfect sense.

Re: OSPF and VLAN support in new NO NAT MODE

by MickeyDawson in Security / SD-WAN
04-20-2018 04:36 AM
A colleague has just pointed out the obvious... wood and trees now comes to mind. The below seems to answer the question and negate the need for the MX to perform any dynamic routing.

@MickeyDawson wrote:
> I have a requirement to receive an OSPF default route from an adjacent Fortigate firewall which is the local Internet gateway and WAN1. However for backup purposes we also have a MPLS internet route connected to WAN2. OSPF is configured to prefer the Fortigate as primary and the Fortigate is testing the Internet availability before advertising the default route so if it fails we route to the internet via the WAN2 MPLS.
>
> I read that OSPF is only supported on PASS THRU which means the MX cannot support VLANs so this question is aimed at the NEW NO NAT feature, i.e. will this allow us to have dynamic routing so the above scenario can be adopted.
>
> 🙂

Why not just connect the FG to MPLS routers and INTERNET CE routers via a switched VLAN, the FG can then make the routing decision based on full routing information. The MX in that case just chucks everything at the FG and doesn’t get involved in anything too complex.

Re: OSPF and VLAN support in new NO NAT MODE

by MickeyDawson in Security / SD-WAN
04-20-2018 03:42 AM
I have a requirement to receive an OSPF default route from an adjacent Fortigate firewall which is the local Internet gateway and WAN1. However for backup purposes we also have a MPLS internet route connected to WAN2. OSPF is configured to prefer the Fortigate as primary and the Fortigate is testing the Internet availability before advertising the default route so if it fails we route to the internet via the WAN2 MPLS.

I read that OSPF is only supported on PASS THRU which means the MX cannot support VLANs so this question is aimed at the NEW NO NAT feature, i.e. will this allow us to have dynamic routing so the above scenario can be adopted.

🙂

OSPF and VLAN support in new NO NAT MODE

by MickeyDawson in Security / SD-WAN
04-20-2018 03:38 AM

Re: MX - NO-NAT 15.3 / 15.4

by MickeyDawson in Security / SD-WAN
04-18-2018 11:56 AM
I need this feature in order to pass traffic to a next hop Fortinet Firewall that is transporting the traffic to Zscaler via a primary and backup GRE. Zscaler needs to see the client's source IP, therefore traffic must not be NAT'd. I hope this feature will allow me to pass the traffic to Fortigate and down the GRE to Zscaler.

Meraki integration with Zscaler cloud is a problem requiring additional firewalls that are dual GRE capable. However if the MX supported dual IPSEC with failover that would also solve the problem as long as we could remove the NAT. However so far the MX only supports 1 x IPSEC so I need an additional interface to get the traffic to Zscaler via a tunnel.

Mike