Apr 27 2021 4:02 AM
That's what I thought. I was kinda hoping I was wrong, but back to the drawing board.
Apr 27 2021 3:22 AM
Hi all, can someone help me wrap my head around this please? We're looking to implement a firewall rule that would permit traffic to specific destinations while continuing to block everything else. The challenge is that the destinations are cloud services, so they tend to contain many changing IP addresses. Looking at the details in the document below, it suggests it's possible, but only if the MX sees the DNS request to match it up with the client connection. https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings What's not clear is whether that DNS request must come from the client itself, rather than from an onsite DNS server that the client is talking to. Am I right in thinking this only works if the client machine is making the request to, for example, Google DNS 8.8.8.8, so that the MX sees those requests and can match them directly back to the client IP that is then asking to get to sitexyz.com?
Mar 17 2021 1:42 AM
No problem. It's usually me asking for help, so it makes a change when I spot a question I might be able to answer before the experts beat me to it 🙂 "Layer 8", I love that.
Mar 16 2021 9:38 AM
2 Kudos
We have a similar setup with a single Azure subscription hosting a vMX with other subscriptions peered in. Apologies if I'm already talking about things you've done, but we had 2 things we didn't spot when we started to move traffic over to this setup:
1. Do you have a route table in VNET 2 pointing to the LAN IP of the vMX in VNET 1? Azure takes care of getting traffic between the VNETs, but the route table gets traffic to anything outside Azure.
2. Did you add the VNET 2 subnet as a local subnet on the vMX?
Feb 25 2021 3:40 AM
1 Kudo
Hi all, just to confirm if anyone runs across this question in the future. Yes, you can switch the Auto-VPN to using BGP without having to immediately configure any external BGP peers. The Auto-VPN reconfigures itself and although Meraki support suggested there may be some outage time while that happened, with our 25 site mesh we didn't even drop a packet as far as I could tell.
Feb 11 2021 2:56 AM
Hi, we've already spoken to Meraki support and they have activated the BGP options for us, so we have the BGP settings available in the dashboard. We are planning to activate BGP on the dashboard so that the Auto-VPN can update for iBGP, but at this time we do not have any eBGP peers available; the data centre team are still working on them. It's not clear from the documentation if we have to enable BGP on the dashboard and at the same time make the peer connection to the data centre routers, but we are hoping that is not the case. We are hoping to just activate the iBGP options, let the Auto-VPN update and re-stabilise, and then at a later date add the peer to the DC router.
Feb 10 2021 3:56 AM
Hi all, we're working to deploy a couple of MXs into regional data centres and will be using BGP to peer into the Auto-VPN. We've agreed an internal AS number to assign to the Meraki side, but we don't have all of the data centre parts of the system in place yet. Are we able to still activate the BGP settings in the Auto-VPN so we can get the Meraki side of things updated to BGP and stable again (I understand the Auto-VPN will have to reconfigure itself internally) before we have to add in any BGP peers? I'm assuming we can; it's just not clear from the documentation.
Aug 30 2020 1:02 AM
Thanks @PhilipDAth, that's what I was hoping.
Aug 28 2020 6:14 AM
Hi @PhilipDAth, we've just hit a roadblock trying to peer a couple of third-party managed subscriptions to an existing subscription created especially for the purpose of being a hub running a vMX. The "experts" doing the work have just told us the setup they have built won't work and we have to build something they "think" is called a transit gateway. I'm more than a little frustrated after weeks of me Googling the answers for their "experts". But I digress. Would I be right in thinking that you can still deploy a vMX into a transit gateway account to be able to peer with the rest of our SD-WAN?
Jul 8 2020 3:04 AM
2 Kudos
One option you could look at is using a secondary MX at your hub site (Main-MX location) to manage the ASA VPN link. That way, you can add a static route onto the Main-MX pointing to the VPN MX, and that will allow you to publish the remote ASA subnets into SD-WAN. There's a great example walk-through of this by Aaron Willette: https://www.willette.works/merging-meraki-vpns/ We use this approach to bring in a couple of third-party locations that need to reach services on site but are not part of our Meraki deployment.
Jul 6 2020 6:31 AM
It was the Azure side of things that I managed to get confused so just removing the vMX and redeploying worked for me.
Jun 16 2020 1:22 AM
2 Kudos
I thought I would add one final update for anyone stumbling across this post in the future. There's a Meraki support document for the SD-WAN that clearly lists the ports needed for connections to both the dashboard and Auto-VPN peers. Somehow, all of my Googling never brought me to this page, so I'm including the details plus the link below for future reference.
Ports used to contact the VPN registry: source UDP port range 32768-61000, destination UDP port 9350.
Ports used for IPsec tunneling: source UDP port range 32768-61000, destination UDP port range 32768-61000.
https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN
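As an added example (not from the post or from Meraki), the following Python check compares a set of security-group rules, modelled with hypothetical Rule and Flow types, against the Auto-VPN UDP flows the post lists; the sample rules are constructed to mirror the earlier AWS posts, where outbound is open but inbound lacks the IPsec range.

```python
# Added example, not from the post or from Meraki. Rule and Flow are
# hypothetical models of security-group entries; the flows are the UDP
# ports the post quotes from the Auto-VPN document.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    proto: str       # "udp", "tcp" or "all"
    port_from: int
    port_to: int

@dataclass(frozen=True)
class Flow:
    name: str
    direction: str
    proto: str
    port_from: int
    port_to: int

# From the post: UDP 9350 to the VPN registry (outbound), and UDP
# 32768-61000 in both directions for the IPsec tunnels between peers.
AUTO_VPN_FLOWS = (
    Flow("vpn-registry", "out", "udp", 9350, 9350),
    Flow("ipsec-out", "out", "udp", 32768, 61000),
    Flow("ipsec-in", "in", "udp", 32768, 61000),
)

def covers(rule: Rule, flow: Flow) -> bool:
    """True when one rule permits the whole port range of the flow."""
    return (rule.direction == flow.direction
            and rule.proto in ("all", flow.proto)
            and rule.port_from <= flow.port_from
            and rule.port_to >= flow.port_to)

def uncovered(rules, flows=AUTO_VPN_FLOWS):
    """Names of flows that no single rule permits in full."""
    return [f.name for f in flows if not any(covers(r, f) for r in rules)]

# Constructed sample: the default allow-all outbound rule plus the
# temporary inbound TCP 80 rule mentioned in the April post, and nothing
# inbound for the IPsec range.
SAMPLE_RULES = (
    Rule("out", "all", 0, 65535),
    Rule("in", "tcp", 80, 80),
)

if __name__ == "__main__":
    print("missing:", uncovered(SAMPLE_RULES))   # missing: ['ipsec-in']
```

A rule that only partly overlaps a required range (for example inbound UDP 40000-61000) is reported as not covering it, which is the kind of gap that keeps a tunnel from re-establishing.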
Jun 12 2020 3:28 AM
Hi @PhilipDAth, thanks for the sanity check. I'm still confused how it's ever worked without the allowed inbound traffic but I'm working on a change plan for the AWS guys to open up the inbound firewall rules.
Jun 10 2020 2:11 AM
Hi all, we've had a vMX up and running in AWS since the middle of April, but somewhere around the early hours of June 6th it dropped all of the SD-WAN links. It's not in PROD yet, so we didn't pick up a monitoring alert. Anyway, we still have dashboard access, and neither a vMX nor an AWS instance restart has shaken it back into life, but something hit me while I'm trying to figure out what's going on. The AWS Security Group is built from the dashboard-recommended firewall rules for the site as recommended in the AWS vMX setup guide, including all the usual suspects for dashboard access, you know, all the funky UDP ports and the like, but that gives you none of the ports I would have thought were needed for IPsec (4500, 500, etc.). I kinda assumed the dashboard did uber magic, and the fact it was working made me suspect that was the case, but maybe the initial setup had fewer rules on the SG and the connections were up before it closed off the doors. I know this is something that should make sense, but I'm way down on my coffee supply this morning. Should we have more outbound/inbound rules in place for the IPsec links that the SD-WAN needs to operate?
Apr 9 2020 1:42 AM
Ironically, the setup we did in Azure to test came up almost straight away. Untangling the right options and getting things in the right NSG to start with is more of a challenge there and as you can't change the vMX appliance once it's deployed it meant we had to tear it down and rebuild it again but once we had that done it was up and running.
Apr 8 2020 12:27 AM
1 Kudo
Hi @JamesC_AB, it seems you were spot on. The update from Meraki overnight was that they changed something in the back-end of the dashboard and now it's all working without any changes on this end, despite them being sure it was a firewall issue on our side. Anyway, we're up and running. Thanks all for the suggestions.
Apr 1 2020 8:19 AM
Hi all, I must be missing something here because it just can't be this hard. The EC2 instance is up and running (using the Meraki setup guide - https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Amazon_AWS) and using the "customer data" from the authentication token. We can reach the appliance's public IP (we have a rule allowing port 80 inbound temporarily to troubleshoot) and it confirms internet access but no connection to the dashboard over port 7734. However, AWS flows confirm it's sending and receiving data from the dashboard over port 80 and port 7734 but it just will not phone home and show up in the dashboard at all. What have I missed?
Dec 11 2019 2:08 AM
We're up and running, but not without having to tear down the initial installation and start from scratch. That was rather convoluted as well, but eventually I managed to unpick it and remove all of the newly created resource groups and the vMX. I had to create a new dedicated subnet in our primary resource group and VNET to be able to attach the vMX LAN interface to, which then made it available on the list when building the new vMX. The other subnet I was trying to connect to initially has been configured as the Azure gateway subnet, which seems to exclude it from the selection list. Yeah, I don't know anywhere near enough about Azure to fully understand how all the widgets hang together. It seems overly complicated coming from a physical hardware world, but I think it makes enough sense to me now to be able to reproduce this in production when we need to.
Dec 5 2019 2:22 AM
I've just run up against the same issue deploying a vMX. The process never made sense beforehand (I'm in no way any sort of Azure expert), so I just presumed it was my physical-world thinking, but I don't recall having any options at all to select a subnet/VNET outside the vMX's new resource group. In theory, peering the VNETs should be trivial, but I'm hitting a permissions error that we can't make sense of, so I've bounced it back to our Meraki sales contact to see if they can help unravel what's happening.
Nov 18 2019 6:54 AM
1 Kudo
OK, that's really strange. The internet connection troubleshooting sent me down a particular path, and I remembered that many years ago the subnet we had from our ISP was split into two halves, with one half being NAT'd on our old Checkpoint firewall and the second half of the subnet routed through the Checkpoint. No idea how; I never saw the config. However, switching to 3 IP addresses in the original lower half of the range has the MXs happy again. It's bizarre, as there are services using the upper half without issues. But anyway, we are up and running.
Nov 18 2019 6:29 AM
Thanks for confirming. That's what I was hoping. I'll run through the connection check docs to confirm what I can see. We do have some 1:1 NAT on the HA pair for some locally hosted services, but I've confirmed there are no overlapping addresses. The 2 IPs (will be a third for HA once I get basic comms working) are free of any other configuration and I don't think we have ever used them.
Nov 18 2019 3:40 AM
Hi all, before I go completely bonkers, can I run a question by you all to see if I'm in fact trying something impossible? We have an existing MX HA setup on site that's happily running and providing SD-WAN links to an expanding number of our offices, but we are looking to move some third-party IPsec VPN links over to our Meraki infrastructure as well. To help separate out the traffic from our SD-WAN (we don't need everyone to know about the links; they are for single local services), we're following this article: https://www.willette.works/merging-meraki-vpns/. It makes sense and I've got most of the infrastructure up and running, with the exception of the primary WAN link. I'm trying to use 3 additional IPs from our available public subnet, but the IPsec MXs seem to not want to use them and keep falling back to WAN2. They are part of the same public subnet assigned to interfaces on the HA MXs and I'm half thinking this is the cause. I'm not seeing any errors, but they just don't seem to want to use the primary WAN connection. There's a mention in the article about needing a separate organisation for the VPN link to avoid any VPN subnet overlaps, but the impression I got from this was avoiding overlaps between the third-party subnet and a subnet on the SD-WAN; it's not clear. Can anyone confirm if this should be possible, or am I going to have to look at a separate organisation?
Nov 11 2019 3:46 AM
Thanks, I knew there would be a way to do it but I've not had enough coffee yet this morning 🙂
Nov 11 2019 1:40 AM
Hi all, a question popped up in our team meeting this morning that I hadn't considered. If a website is dropped into a category by BrightCloud that a local MX happens to block (Parked Domains, for example), is there a safe way to allow a management IP address to bypass the URL category list and get unrestricted internet access to be able to confirm the type of site? I'm assuming it's not obvious from the URL or the user's description. We could of course connect out of band to check it, or simply whitelist the URL on the MX, but that releases it for all users, so I'm kinda hoping there may be a more elegant and controlled option we could consider. Thanks, Martin
Oct 23 2019 12:44 AM
1 Kudo
That's my name in the bag for some swag.