- About Bruce
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Community Record
25
Posts
25
Kudos
3
Solutions
Badges
05-12-2020
07:05 PM
Hi Aamir, If you can't do eBGP peering to the data-centre and use OSPF, then you will just be using the traditional AutoVPN route distribution, which doesn't use BGP (the BGP approach is an option). Have a look here, https://meraki.cisco.com/lib/pdf/meraki_whitepaper_autovpn.pdf, it doesn't go into depth about it, but gives a high-level outline.
... View more
05-12-2020
05:42 AM
2 Kudos
If you have any MX devices in the organisation that need Adv. Sec. licenses then all the devices have to have it. If none of them need it, then you don’t need the Adv. Sec. license. It’s an organisation-wide setting. If you’re using iBGP on the SD-WAN then you should be peering into your data centres with eBGP, not OSPF. If you’re using the ‘traditional’ SD-WAN (i.e. non- BGP) then the Auto-VPN functionality takes care of route distribution through the Meraki cloud, and you’re right, in this scenario the MX will advertise routes to the DC, but not learn from the DC.
... View more
05-11-2020
03:32 AM
It’s not something I’d want to be trying. The warm spare is intended to be relatively close with low latency. You’d be better off looking to see if you can implement a data centre failover solution, see here https://documentation.meraki.com/MX/Deployment_Guides/Datacenter_Redundancy_(DC-DC_Failover)_Deployment_Guide
... View more
05-09-2020
03:54 PM
You need to know whether the ISP is separating the IP addresses on different VLANs, if they are then you need to use VLANs, if they’re not then you won’t. If they are using VLANs then you’ll need a trunk on Port 1 that allows the VLANs that the ISP is providing, then you use access ports to the MXes, one acess port assigned to each VLAN. If the ISP isn’t using VLANs then you just use access ports - the VLAN for those access ports doesn’t matter so long as they are all the same.
... View more
01-13-2019
08:07 PM
@Mosquitar,if, as your post suggests, you are replacing a member of a switch stack rather than a standalone switch then please have a look at this document, Replacing and Cloning Stack Members, as the process is slightly different to a straight Clone and Replace, and if its not done properly you can end up with other issues (key point is making sure the replacement switch is on the same firmware as the stack - check on the device status page - before adding it to the stack).
... View more
01-09-2019
03:43 PM
The Dashboard API provides the Latitude and Longitude of a device, e.g. an AP (obviously based on where you position it), and likewise the Scanning API provides the Latitude and Longitude of an endpoint/client (which is based on correctly aligning your imported floor plans with Google Maps), so you should be able to achieve whatever you require one way or another.
... View more
01-09-2019
02:33 PM
Not something I've done, but ultimately you'll need a RADIUS server that integrates with your Google directory. You could look at Fox Pass or Jump Cloud if you want something cloud based. Or as you said something like freeRADIUS which you'd then need to integrate with your Google directory. If you're doing WPA2-Enterprise then the certificate trust is between the wireless client and the RADIUS server (not the Meraki access point), and potentially also between the RADIUS server and the directory if that connection is secure too.
... View more
01-09-2019
02:11 PM
Just to add to the good advice that everyone has provided below. You might also want to look at using Cisco Identity Services Engine (ISE) if you want to try and block access by device type. It is generally more robust at determining the device type and may serve your purpose well - but that said, it is obviously more $$$, which may not be wanted.
... View more
01-07-2019
04:40 PM
Once you've got your initial status of devices, if you are then looking for alerts on those devices you could look at using Webhooks (https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Webhooks) so that you don't exceed the API rate limit - just depends on what the goal of your solution is.
... View more
01-07-2019
03:11 PM
Just another suggestion to check - which I'm not sure will be relevant or not, but might be worth checking. Does the Connection Request Policy you are hitting also have EAP selected as an Authentication method? If the Connection Request Policy doesn't have EAP specifically selected as an Authentication Method then the type of EAP isn't passed through to the Network Policy, and so this can cause the unknown EAP type error.
... View more
01-02-2019
05:53 PM
So I just re-read your description, are the clients with problems on the SSID that is using the Meraki DHCP? And does the rest of the network use the 192.168.2.0/24 subnet?
... View more
01-02-2019
04:20 PM
When you are using client isolation on the wireless is only allows traffic to the subnet gateway, see Wireless Client Isolation. Therefore if you have everything in one VLAN using the same subnet then the clients in the isolated WLAN can only communicate with the gateway IP address. If you move the isolated WLAN to another subnet then they should be able to communicate with the printers since the traffic will go via the subnet gateway.
... View more
01-02-2019
03:56 PM
2 Kudos
Just to follow this up, if you want to try it again, then you need the trunk between the switch and the access point, as ClaytonMeyer wrote, and then for each SSID you need to configure it to tag the traffic. In the Meraki Dashboard go to Wireless -> Access Control, and under the Addressing and traffic section you need to be in 'Bridge mode', and then set VLAN tagging to 'Use VLAN tagging', and then for the VLAN ID, set All other APs to the VLAN ID for the SSID - so for SSID.1 set the VLAN ID to 100, then change to SSID.2 make the configuration changes again and set the VLAN ID to 200, and so on. If the wired part of the network is correctly configured then this should then tag the traffic from each SSID with the appropriate VLAN tag. Just remember that if the DHCP server isn't on the same VLAN/subnet as the client then you'll also need to configure DHCP forwarding for that VLAN/subnet.
... View more
01-02-2019
03:41 PM
Just to check a couple of things that I've come across in the past... (although admittedly this was on a Windows Server 2012 R2 server). Make sure that the the 'Extensible Authentication Protocol' service on the Windows Server running NPS is not disabled (it should be set to Manual), and make sure that you have registered the NPS server with Active Directory. Both of these can prevent EAP with user credentials working.
... View more
01-02-2019
03:21 PM
2 Kudos
The Meraki DHCP doesn't operate as a full DHCP server per se. It creates the client IP address using a hash of the client's MAC address, and responds with that and a gateway and DNS server of 10.128.128.128 - which is an IP address that the access point responds to. The access point then proxies the DNS requests from the clients to the DNS servers it has configured (i.e. the ones you can see on the main access point summary/dashboard page), so you need to ensure that the access point can reach these DNS servers. By using this approach if the client roams to another access point it will most likely receive the same IP address, and maintain the same gateway and DNS server, so it will be as seamless as is possible without using any of the various roaming technologies/protocols out there.
... View more
10-26-2017
09:20 PM
1 Kudo
As @WadeAlsup eludes to, I wouldn't be using both the wireless from an MX65W appliance and MR devices in the same environment. The MR devices have many more capabilities and you may experience roaming issues, security issues, or more if you have the same SSID configured on the MX65W wireless and the MR devices (and it means you're configuring the wireless in two places too). Best advice is use one or the other not both.
... View more
09-04-2017
12:22 AM
1 Kudo
The Meraki content filtering on the access points is pretty rudimentary and relies on a list of sites maintained by Meraki to prevent access to adult content. However, they do also offer the option to use 'Custom DNS' which would allow you the capability to use a much more full-featured solution such as Cisco Umbrella (previously OpenDNS) to achieve more dynamic control. It's also worth noting that beyond the content filtering the access points also offer capability around firewalling, application based traffic shaping, and user based traffic shaping.
... View more
09-01-2017
01:05 AM
It's definitely still coming 🙂 Keep in contact with your local Meraki team if you want to know more.
... View more
08-21-2017
02:59 PM
2 Kudos
Just be aware that the vMX isn't a full MX appliance virtualised. It's capability is designed for access into the AWS cloud through a head-end VPN termination point. Thus the feature set is heavily focused on VPN and SD-WAN - the firewall functionality isn't there.
... View more
08-20-2017
10:45 PM
7 Kudos
Unfortunately you can't use Cisco AnyConnect with the Meraki MX appliances. I know this is a common request, and hopefully its one that will come about soon, hit that 'Make a Wish' button a bit more. Although Cisco AnyConnect client can create an IPSec tunnel, it only uses IKE v2 for the initial negotiations, whereas the MX appliances only do IKE v1 at the moment - that I believe is the problem.
... View more
08-14-2017
03:25 PM
2 Kudos
I'd agree with @MerakiJockey505 in that I wouldn't be using a Z1 for 10-15 users, its aimed for more around the 5 user mark. Depending on your requirements, whether you need any wired ports at the site, you could do a MX64W or MX65W, or just the MX64 or MX65 with an 'small' external access point, maybe the MR33 - you get more flexibility\capability with the MR series than with the wireless built into the MX/Z devices. The other option if you only need wireless is the MR Teleworker VPN, but I've never used it so I can't vouch for whether it works well or not - others may be able to. As to the bandwidth, that's a bit subjective, it all depends what the staff at the remote site are going to be doing. If they're going to be pulling large amounts of data from the parent site over the VPN then I'd be recommending the larger bandwidth, on the other hand if they're mainly autonomous and occasionally accessing Office 365 for email, for example, then you might get away with the smaller bandwidth.
... View more
08-14-2017
03:07 PM
Other than just getting a list of the clients that were on the network, was there anything more specific you were trying to achieve?
... View more
08-09-2017
02:31 AM
1 Kudo
What @MerakiJockey505 says is completely correct. But if you can't see 'Traffic analytics' under the Network-wide menu you need to switch on the detailed host name gathering. Go to Network-wide then configure, General. You'll see a Traffic analytics drop down, change this to Detailed: collect destination hostnames. Now, give it a little while and you'll start seeing the traffic destinations in the places @MerakiJockey505 describes. Hope this helps.
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 1223 | 01-07-2019 04:40 PM | |
| 2288 | 08-14-2017 03:25 PM | |
| 3042 | 08-09-2017 02:31 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 7 | 18809 | |
| 2 | 643 | |
| 2 | 5291 | |
| 2 | 2667 | |
| 2 | 19856 |
