The Meraki Community
Bruce

Kind of a big deal

Member since Aug 8, 2017

01-31-2023
Kudos from
User Count
Samarraie 1
scytales 1
whistleblower 6
ajhe 1
MartinSeitz 1
Kudos given to
User Count
PaulMcG 2
Inderdeep (Kind of a big deal) 2
PhilipDAth (Kind of a big deal) 75
DarrenOC 16
Russ_B 2

Community Record

1132 Posts
1246 Kudos
159 Solutions

Badges

CMNA
Meraki FIT Level One
Meraki FIT Level Two
Meraki Master
Community All-Star 2022
Community All-Star 2021
Latest Contributions by Bruce

Re: Meraki alternatives for Cisco Antenna's

by Bruce in Wireless LAN
01-14-2023 06:12 PM
1 Kudo
There’s no exact replacements, and the actual model numbers will vary depending on the Meraki access point you’re using. Assuming you are planning to use an MR46E then…

AIR-ANT2524DW-R => MA-ANT-3-B6
Just as you concluded, they are dipoles with an articulated joint.

AIR-ANT2566P4W-R => MA-ANT-3-E6
The Azimuth/Horizontal half power beam width is about half on the Meraki antenna compared with the Cisco one, so you may need some coverage re-work depending on the existing AP placement. It may be that the C6/D6 (Omni panel) models are a better replacement if the Cisco antennas are ceiling mounted radiating downward.

AIR-ANT2566D4M-R => MA-ANT-3-E6
These will be pretty much the same. The F6 has a narrower beam width (about half that of the E6), so stay with the E6 for the closest match.

AIR-ANT2535SDW-R => I think MA-ANT-3-A6
Spot on, these are non-articulated dipoles.

Hope this helps.

Re: Opportunistic Wireless Encryption (OWE) Dual Guest networks

by Bruce in Wireless LAN
01-14-2023 02:21 PM
3 Kudos
Clients have to support OWE to make use of it. I haven’t implemented OWE yet, but I’m wondering whether what you’re seeing is Meraki presenting you with both an OWE enabled SSID (the one with a lock), and an open SSID (the one without the lock). This would allow clients that don’t support OWE to still connect to your guest network. If this is the case, then to remove the SSID with the ‘lock’, you’ll need to revert to using an Open SSID. I’m sure things will change when there is more support and adoption of WPA3/OWE.

Re: Block mac-address in SSID

by Bruce in Wireless LAN
01-11-2023 12:14 PM
Yep, with the randomised MAC addresses that are used by virtually every OS now, this is hard to implement. You have to flip it on its head and ensure you are only permitting the devices you want to access your network, and block everything else.

Re: Random IPsec/Arp issue?

by Bruce in Security / SD-WAN
01-09-2023 01:00 PM
5 Kudos
Assuming these are all /24 subnets then the 192.168.20.99 device shouldn’t be ARPing for 192.168.100.253, it should be ARPing for the gateway address. I’d get the subnet mask and default gateway configuration on 192.168.20.99 checked.

Re: lost IP addresses

by Bruce in Security / SD-WAN
01-09-2023 12:51 PM
4 Kudos
What addressing mode are you using on the wireless SSID? Sounds like you might be using NAT mode, which means all traffic from the SSID will be NATed to the access point’s IP address. You’ll want to move to bridge mode so that the IP address doesn’t get modified.

Re: Meraki MX multiple /29 Public Blocks

by Bruce in Security / SD-WAN
01-09-2023 12:45 PM
4 Kudos
Yes, this should work fine. Note that the PAT that the MX performs will always use the address assigned to the WAN interface. The addresses in the additional /29 can be used to 1:1 NAT, or 1:many NAT configured through the Dashboard.

Re: Loosing connectivity in the network after creating a new VLAN

by Bruce in Switching
01-04-2023 11:39 PM
2 Kudos
What are the IP subnets on the other VLANs you have? I’m wondering if you are accidentally overlapping VLANs. Normally the Meraki Dashboard stops this or warns about it, but maybe somehow it’s not detecting the overlap.

Re: Limiting client VPN connections by their IP address

by Bruce in Security / SD-WAN
06-17-2022 03:30 PM
2 Kudos
What do you mean by filter client VPN connections by IP address? Are you trying to restrict the IP addresses that can connect to the MX? In which case, how are you going to determine the IP addresses since they’re likely to be dynamic at the remote end?

If you mean filter what they can access within your network then you can use Group Policy, depending on whether you’re using L2TP or AnyConnect will determine how well this can be implemented (AnyConnect offers the better solution).

Re: Any connect-vpn

by Bruce in Security / SD-WAN
05-31-2022 05:07 AM
2 Kudos
I don’t believe you can do this directly with AnyConnect. What you’ll need to do is RADIUS authentication which returns a Filter-ID parameter that the MX then uses to apply a Meraki Group Policy to the user. Have a look in here under the Group Policy section, https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance.

The other option is once the device is connected to the VPN, find it in the client list on the Dashboard and manually apply a Group Policy to it.

Re: MR76 with MA-ANT-23 in a warehouse

by Bruce in Wireless LAN
05-30-2022 05:43 AM
4 Kudos
The MR76 has 4x antenna connectors. One pair for 2.4GHz and the other pair for 5GHz. One MA-ANT-23 connects to both the 2.4GHz connectors. If you’re not going to use the 5GHz radio then you need to properly cap them and make sure the radio is turned off. Personally I’d set up the 5GHz antenna too, that frequency is less congested and provides better performance, and if you don’t use it now you may in the future (and it’s easier to set it up once rather than revisit APs 10m in the air).

With regards to will the signal reach 30m down an aisle, that depends on how the antenna is positioned relative to the aisle and how it is angled. You can get an idea from the antenna data sheet, https://meraki.cisco.com/lib/pdf/meraki_datasheet_antenna_2GHz_sector_11dBi.pdf, but performing a real world test with an AP and an antenna is the only way to be sure you get the experience you require.

Re: Any connect-vpn

by Bruce in Security / SD-WAN
05-29-2022 02:11 AM
4 Kudos
Yes, the subnet that you’re using for remote access VPN (either AnyConnect or L2TP) only needs to be configured on the AnyConnect or L2TP page, you don’t need it configured on the “Addressing & VLAN” page.

Re: MS Group Policy

by Bruce in Switching
05-13-2022 03:27 PM
1 Kudo
I believe it’s one of those ‘depends’ answers.

If the rules in the policies are 40 rules with Layer 4 ports then I’d say no, as the minute any GP ACL is applied you’ve exceeded the switch capacity. If you have fewer Layer 4 rules, say 15 per GP, then so long as all the clients connected to the switch only use two GP ACLs then you should be fine.

The question really is, what’s the definition of a Layer 4 rule? Is it any rule, or just one that specifies a specific Layer 4 port? And that I think is the real question….

Re: Meraki MX Route traffic though Down Peer

by Bruce in Security / SD-WAN
05-13-2022 02:46 PM
The MX makes an uplink decision based on the status of the uplinks (i.e. up/down) and the status and performance of the VPN tunnels if you’ve configured SD-WAN routing in your environment.

The choice of the Auto VPN peer to send traffic to is purely based on IP address, and each site has different IP addressing, so if a particular site is unreachable (e.g. the VPN is down) then traffic destined for IP addresses at that site will go nowhere unless another site is also advertising the same IP addresses (which can be done using static routes via a non-Auto VPN path between sites, or if you’re using VPN concentrators as a head-end).

So, if you’re expecting traffic to failover to another peer, then make sure that other peer is advertising the same IP addresses as the primary peer.

Re: Z3 Questions (For 'reverse' printing over a VPN)

by Bruce in Security / SD-WAN
05-13-2022 02:21 PM
2 Kudos
In answer to your questions:
1. Yes, you are missing something.
2. No, you don’t need a static IP address for the Z3, Auto VPN takes care of that.

Regarding the IP addressing, the printer will need an IP address for the subnet in the secondary office. Without knowing how your secondary office is currently configured it’s hard to say how best to add the Z3 in. Generally though the approach would be: internet connection terminates on Z3, make sure the LAN addressing on VLAN1 at the secondary office is different to the primary office, enable the primary office MX64 as an Auto VPN hub and add the primary office VLAN to the VPN, enable the Z3 as an Auto VPN spoke, select the MX64 as the hub (don’t select default route) and add the secondary office VLAN to the VPN. Now connect the printer to the Z3 at the secondary office, and also the PC (you no longer need to use the client VPN at the secondary office). And if all that works then the primary and secondary offices should be able to ‘talk’ to each other, and so you should be able to print from anywhere on your LAN to any printer at either office.

Re: Enabling Cert-based Authentication for Mobile Phones

by Bruce in Wireless LAN
05-05-2022 01:10 AM
5 Kudos
If you don’t want to go full MDM, and you’re happy for your users to do some self-enrolment then you can look at using Meraki Trusted Access, https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Trusted_Access_for_Secure_Wireless_Connectivity.

It still requires a systems manager license per device, but might not put such a heavy burden as managing the full MDM.

Re: Geo Block IP Lookup Tool

by Bruce in Security / SD-WAN
05-02-2022 05:12 AM
2 Kudos
From my understanding (which may be out of date now), Meraki use MaxMind for their Geo IP database. You can use tools on their site (the demo portal) to test the location of up to 25 addresses a day.

I was always of the understanding that the Geo-blocking only works in the upstream (outbound) direction. So if you have traffic coming from a blocked country it will potentially hit the servers (firewall rules permitting), but any return traffic will be dropped. This prevents any TCP connections from establishing, but does mean you potentially see traffic from ‘blocked’ countries hitting your servers - e.g. TCP SYNs, UDP and ICMP traffic. You’d need to check this to be sure though.

Re: MAC is flapping between two MX's

by Bruce in Security / SD-WAN
05-02-2022 03:29 AM
Not sure what your setup looks like, but make sure you only have one link from the switch to each of the MXs, and make sure there is no link directly between the MXs. Double check all your cables too, and make sure they are good.

Re: Lock down Z3 site 2 site

by Bruce in Security / SD-WAN
04-19-2022 02:05 PM
2 Kudos
No, there is no way to block which IP address the Z3 can establish its tunnel from - that is the ease of the Meraki solution, you don’t need a static IP address. You’ll have to lock the Z3 on the LAN side so that if it is moved somewhere else it is useless unless the right credentials are used on the LAN side - e.g. look at using 802.1x on both wired and wireless.

Obviously, if you know the device has moved you can shut down the VPN tunnel manually. Using this principle you could write a script to monitor the WAN IP address of the Z3 using the API, and if it changes then drop the VPN. (Although I don’t think there is an API endpoint to drop the VPN, but you can remove the subnet from the site-to-site VPN which should have the same effect).

Re: DHCP Release events

by Bruce in Wireless LAN
04-19-2022 01:47 PM
2 Kudos
I very much doubt this is going to provide you what you want. When a machine connects to the network it requests an IP address, and you may through a lookup or another system be able to identify exactly who that machine belongs to. However, very few machines will release an IP address ‘cleanly’, most just go out of range and the lease on the server eventually expires, so you have no idea when a machine actually left.

If you want to go down an automated attendance path then you might be better off using a location based system, either using the Meraki location APIs to determine which machines are onsite, or using another application (e.g. who’s on location) that can interface with the GPS locator in a device.

Re: Greetings everyone !

by Bruce in Introduce Yourself!
04-02-2022 02:30 PM
@RaphaelL Well done on the 250 posts, and glad you’re enjoying the Meraki experience.

Re: MX-68 CW Antenna Pattern

by Bruce in Wireless LAN
03-28-2022 11:52 PM
I would recommend that you set up your device and do a wireless survey of the site to see if it provides the coverage you desire. The coverage from the MX-W devices is okay, but not as great as the MRs. The MX-W devices are only Wifi5, and you can’t really move the MX to the ‘ideal position to achieve the best coverage’, more often you are stuck with where the WAN service is delivered and other Ethernet cables connect to the MX. If you’re only talking a handful of users and the site is unlikely to grow then the MX-W may be the go, but I’d seriously consider a non-W MX with an MR, and a small PoE switch if you need it (or the MX68 which has two PoE ports).

Re: Meraki Local DNS Android issues

by Bruce in Wireless LAN
03-24-2022 11:47 PM
1 Kudo
When you are running an SSID in NAT mode all the clients on the wireless side will be using a DNS server of 10.128.128.128. The AP just acts as a forwarder and forwards those requests to the custom DNS servers that you have defined if the hostnames are not already cached. See here https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/DNS_and_NAT_Mode.

What I suspect you are seeing is a browser (e.g. Firefox, Chrome) using DNS over HTTPS (DoH) to server IP addresses defined in Chrome - essentially bypassing the normal DNS mechanism, and your filtering solution. Have a Google of ‘Chrome DoH’ for some more information. Unfortunately this is a difficult one to prevent if it’s on devices you don’t manage.

Re: Fresh into IT

by Bruce in Introduce Yourself!
03-24-2022 11:28 PM
Python and Meraki go well together, it’s great for automation. There’s heaps of people here who can lend a hand if you run into any issues.

Re: Greetings

by Bruce in Introduce Yourself!
03-24-2022 11:26 PM
Welcome @SkiComputer, and the niceness extends well beyond the APs, it’s all pretty much great.

Re: MX-68 CW Antenna Pattern

by Bruce in Wireless LAN
03-24-2022 01:03 AM
I’ve never seen a radiation pattern for the MX-W devices. My assumption has always been that it is roughly spherical to the extent that it really matters - but I may be completely wrong. What are you trying to do that you need to know this?
My Accepted Solutions
Subject Views Posted

Re: Meraki alternatives for Cisco Antenna's

Wireless LAN
398 01-14-2023 06:12 PM

Re: Opportunistic Wireless Encryption (OWE) Dual Guest networks

Wireless LAN
1179 01-14-2023 02:21 PM

Re: Random IPsec/Arp issue?

Security / SD-WAN
427 01-09-2023 01:00 PM

Re: MR76 with MA-ANT-23 in a warehouse

Wireless LAN
760 05-30-2022 05:43 AM

Re: Dashboard SSO with SAML and Azure AD - Consumer URL broken?

Dashboard & Administration
2907 03-22-2022 02:42 AM

Re: Site-to-site VPN firewall

Security / SD-WAN
1171 03-08-2022 07:17 PM

Re: I want to reach other subnet . I forgot the routing rules

Security / SD-WAN
888 03-07-2022 12:22 PM

Re: Soft failure test / Internet traffic failover much slower than VPN traf...

Security / SD-WAN
808 10-24-2021 12:20 AM

Re: Site-to-Site VPN over MPLS

Security / SD-WAN
856 10-08-2021 12:47 AM

Re: MS220-8P switch and support contract

Switching
1547 10-04-2021 05:03 PM
My Top Kudoed Posts
Subject Kudos Views

Re: MX64 Can use dashboard, but "username" rejected for direct configuratio...

Security / SD-WAN
11 1520

Re: MT10 temperature in Celsius instead of Fahrenheit

Sensors
9 2653

Re: Antenna selection for MR76. ANT-25 vs. ANT-27?

Wireless LAN
7 2303

Re: vMX License - Small, Medium or Large

Cloud Security / SD-WAN
7 4211

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

Security / SD-WAN
7 34386