The Meraki Community
Pugmiester

Building a reputation

Member since May 9, 2018

Wednesday
Kudos from
User Count
AmitP 1
DSCP_jpk 1
PhilipDAth (Kind of a big deal) 2
CptnCrnch (Kind of a big deal) 2
RB___ 1
Kudos given to
User Count
GiacomoS (Meraki Employee) 1
PhilE (Meraki Employee) 1
JoshNansoz (Meraki Employee) 1
pratikvyas (Meraki Employee) 1
UCcert (Kind of a big deal) 1

Community Record

87 Posts
23 Kudos
6 Solutions

Badges

CMNO
1st Birthday
50 Posts
First 5 Posts
First 10 Kudos
5+ Solutions
Topics Pugmiester has Participated In

Re: Meraki MX Firewall with FQDN

by Kind of a big deal PhilipDAth in Security / SD-WAN
02-28-2022 01:32 PM
You could deploy the Umbrella virtual appliances on-premise if you would like to keep the same functionality. But it doesn't sound like you really have an issue. You can just use Umbrella for enforcement and tracking of the users, rather than the MX.

Re: vMX and Azure VNET peering

by Mohit_Chauhan in Security / SD-WAN
02-01-2022 07:31 PM
Few clarifications on your point Phil,

1. are you suggesting we can use the same existing subnet where servers are hosted so when the vMX comes up online, it will pick up one of the ip range from the same pool? In my case, I have only one /24 subnet available in the server vnet beside the server subnet. However, I am planning to use that for the VPN users, will this be OK?

2. The other alternative was, can I use /25 as the subnet for the vMX. So far when I have tried it's giving me "conflict error" on Azure in building up the VM for this vMX. I have logged a case with Azure on that and waiting for the feedback.

Thanks in advance.

Mo

Re: MX BGP routes are just magic

by Pugmiester in Security / SD-WAN
08-04-2021 07:41 AM
Hi ww,

That was my assumption and have logged a ticket before we risk swamping our smaller MX's. I can see some BGP route summarisation in the DC team's future.

Re: Meraki in Russia?

by n00b in Full-Stack & Network-Wide
05-15-2021 01:07 PM
Cisco partners are hiring Meraki reps in Moscow, so you can probably expect the sales to begin in the next few months. Here's the link to job listing https://hh.ru/vacancy/44334276

Re: Azure Vmx peering

by Pugmiester in Security / SD-WAN
03-17-2021 01:42 AM
No problem. It's usually me asking for help so it makes a change when I spot a question I might be able to answer before the experts beat me to it 🙂

"layer 8", I love that

Re: Activating BGP without configuring a peer yet

by Pugmiester in Security / SD-WAN
02-25-2021 03:40 AM
1 Kudo
Hi all, just to confirm if anyone runs across this question in the future.

Yes, you can switch the Auto-VPN to using BGP without having to immediately configure any external BGP peers. The Auto-VPN reconfigures itself and although Meraki support suggested there may be some outage time while that happened, with our 25 site mesh we didn't even drop a packet as far as I could tell.

Re: Activating BGP to peer with a third party data centre

by Kind of a big deal cmr in Security / SD-WAN
01-12-2021 08:19 AM
1 Kudo
@Pugmiester I think @m841 is correct, we are running 15.41 and on a VPN concentrator we can simply choose to enable BGP and see the following settings (to be edited to match what you need):

Re: Meraki integration with AWS Tranist Gateway

by Vittoriusly in Security / SD-WAN
11-16-2020 01:54 AM
I would like to implement something like that. I found this AWS document https://aws.amazon.com/blogs/apn/exploring-architectures-with-cisco-sd-wan-and-aws-transit-gateway/ Maybe it could be useful. Best.

Re: vMX 100 in Azure working as a hub but failing to pass traffic between o...

by Pugmiester in Security / SD-WAN
09-29-2020 07:18 AM
I've had this on the back burner for a couple of weeks for one reason or another but am back at it today. Something I've noticed, and I don't remember seeing before, is that the vMX seems to be performing NAT on the traffic that is passing between the subscriptions.

A quick recap, our network in Azure looks a little like this - Sub A > Sub B < Sub C. A and C are VNET peered to B and each have a local route table for our SD-WAN subnets associated pointing to the LAN IP of the vMX in Sub B. Sub B hosts the vMX and is happily talking to our SD-WAN. It's also passing traffic from any client across the SD-WAN through Sub B and onto servers in Sub A or Sub C with no issues at all. Our problem lies in getting traffic between Sub A and Sub C.

What I noticed today is that although I can ping from A to C, the packet capture on the vMX as well as the destination server (tcpdump) shows it being NAT'd and the source showing as the vMX LAN IP instead of the source server. The source server gets a reply so on the face of it connectivity seems to be working but if I hop up the stack with an HTTP connection, the same NAT appears to happen on the vMX and I even see a reply to the vMX LAN IP but then the vMX seems to have no idea what to do with it and the traffic never reaches the initial source machine.

I didn't think a vMX in one armed concentrator mode (that's the only choice you get with a vMX in Azure) was supposed to perform NAT at all. It's really confusing.

Re: Non-Meraki VPN network reachability

by Pugmiester in Security / SD-WAN
07-08-2020 03:04 AM
2 Kudos
One option you could look at, is using a secondary MX at your hub site (Main-MX location) to manage the ASA VPN link. That way, you can add a static route onto the Main-MX pointing to the VPN MX and that will allow you to publish the remote ASA subnets into SD-WAN. There's a great example walk through of this by Aaron Willette https://www.willette.works/merging-meraki-vpns/

We use this approach to bring in a couple of third party locations that need to reach services on site but are not part of our Meraki deployment.

Re: Third party VPN with redundant connectivity to SD-WAN

by Pugmiester in Security / SD-WAN
07-06-2020 07:44 AM
Thanks Philip, will take a look. I'm sure I'm just overthinking the problem. The eventual plan, once Meraki figure out the legal minefield, is to hook them up with a HA pair of MX's like every other site we have in EMEA but for the foreseeable future we cannot legally deploy any Meraki hardware to the country at all so we're stuck with whatever we can legally purchase in country, hoping it can support a reasonable security level, and try to connect that back to civilisation as best we can.

Re: AWS vMX has lost all site-to-site VPN link

by Pugmiester in Security / SD-WAN
06-16-2020 01:22 AM
2 Kudos
I thought I would add one final update for anyone stumbling across this post in the future. There's a Meraki support document for the SD-WAN that clearly lists the ports needed for connections to both the dashboard and Auto-VPN peers. Somehow, all of my Googling never brought me to this page so I'm including the details plus the link below for future reference.

Ports used to contact the VPN registry:
Source UDP port range 32768-61000
Destination UDP port 9350

Ports used for IPsec tunneling:
Source UDP port range 32768-61000
Destination UDP port range 32768-61000

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN

Re: vMX reliability in Azure / AWS

by JimmyPhelan in Security / SD-WAN
04-22-2020 01:21 PM
1 Kudo
I had never really looked at or considered a HA vMX setup. It's a VPN Concentrator when you boil it down. Same reason we don't bother backing up the VM in Azure. It is actually easier and quicker to just redeploy it and let the config come back down!

Now the problem with the above is a lack of automation. It can mean downtime.

Something that would be really awesome is a monitoring method that would trigger a redeployment of the vMX through powershell scripts.

I have a good few vMX in the wild, and I have not had a blip on them. I wish they did more, but then, why would you buy an ASAv or CSR1000 for twice the price...

Re: Revealing the Meraki Community All-Stars!

by GeorgeFrendl in Community Announcements
04-22-2020 01:55 AM
Nice!

Re: Cannot get a vMX alive in AWS

by Pugmiester in Security / SD-WAN
04-09-2020 01:42 AM
Ironically, the setup we did in Azure to test came up almost straight away. Untangling the right options and getting things in the right NSG to start with is more of a challenge there and as you can't change the vMX appliance once it's deployed it meant we had to tear it down and rebuild it again but once we had that done it was up and running.

Re: Does disabling all SSID's on an AP turn off the WiFi antennas completel...

by Meraki Employee MerakiDave in Wireless LAN
02-26-2020 09:41 PM
3 Kudos
No, disabling the SSIDs (even all of them) does not actually shut down the radios. You can also disable the hidden meshing SSID as mentioned earlier, but there too it will not shut down the radios. Note that on the Radio Settings page, you can turn off the 2.4GHz radio completely. But the 5GHz radio minimum is 1dBm. So if 5GHz, sounds like you would need to shut down every-other AP by disabling PoE on the respective switch ports, would probably be easiest & fastest.

However, if you're finding that there's way too much overlap and the APs are all tuning themselves down to only 2dB, and you have a high density deployment, sounds like 500+ devices in the same room, then the best way to deal with that is directionality. That is, in a HD deployment the primary design priority is spectrum re-use, and the best way to achieve that is with directional antennas. Pretty standard for auditorium and lecture hall or exhibit floor type of deployments.

If that's not an option and you'll have to use the APs you have on hand, then you'll need to keep fine tuning to find the sweet spot. Be sure to try using 20MHz channels on 5GHz, go with 12 or 18Mbps minimum bit rates, and only after you've done all the standard fine tuning, you can then also play with RX-SOP, but only do that like 1 or 2dB at a time, then re-test. Leave time between each tweak, and run Update Auto Channels, and give that time to run. There are built-in delays by design to prevent an unnecessary ripple effect of channel/power changes across the network, so run it overnight for example.

Also, if you're not using meshing, then disable it. If that option is not visible on the Network Wide > General page, call Support and ask them to enable that option in your Dashboard.

I'll assume you opened a Meraki support ticket earlier, and they did a scrub of your current config with the model of AP and the firmware it's running, just to rule out any known issues?

You might also try toggling the Client Balancing setting on/off, and possibly band steering on/off which has on occasion caused some strange disconnect issues, but there too, it's a function of AP model/chipset, firmware version, and client device make/model/drivers. Will take a bit of trial and error to really narrow that down, but Support can assist.

Re: Multiple MX's in different networks but the same organisation on the sa...

by Kind of a big deal BlakeRichardson in Security / SD-WAN
11-18-2019 10:58 AM
@Pugmiester we run exactly what you are wanting multiple MX on the same ISP subnet with different LANS.

Re: Bypass URL filtering for a single client IP address

by Kind of a big deal PhilipDAth in Security / SD-WAN
11-11-2019 05:32 PM
The built-in "whitelist" policy can also be applied to a client to bypass all restrictions.

Re: Time for a survey — and another chance to snag swag!

by RJordan-CCS in Community Announcements
10-23-2019 03:09 PM
Done. The magnet sculpture would look smashing next to my collection of hard drive magnets...

Re: Retrieving the LDAP list from AD is intermittent at best.

by Pugmiester in Security / SD-WAN
09-09-2019 01:38 AM
Hi @PhilipDAth, I'll ask our server team to double check but there was nothing that jumped out last time. We do have the Symantec AV client installed on all of the DC's, all running the same policy but some happily respond and others don't, but not consistently. MX1 might get a response from DC1 but MX2 doesn't. I'm not 100% certain how to confirm the certificates but if one MX works and another doesn't, I would have thought the certificate was OK. I'm just finding it difficult to find a pattern to be able to poke something with a stick.

Re: NAT from the DMZ onto the LAN

by Pugmiester in Security / SD-WAN
08-01-2019 12:39 AM
1 Kudo
That's the conclusion I was getting to as well. The good news is, we don't have to rip out the Checkpoint to get the MX's live so for a little extra breathing space I can leave the setup as it is initially so we can work out a solution with a little more breathing time.

Re: MX Limitation

by Hussam-Bay in Security / SD-WAN
07-12-2019 01:17 AM
Also you can't configure IPSec vpn between two MX if the WAN ports have private IPs. The MX will not negotiate IPSec unless the port has internet connection, the port status will show failure until it gets internet connection. Hence, if you have two sites connected via MPLS then you can't have VPN between them since the WAN ports don't have internet connection.

Re: Support for more than 2 WAN subnets on the WAN side

by hockeydude in Security / SD-WAN
06-17-2019 02:56 PM
Gateway for MX is IP of upstream router. 1:1 NAT Philip is talking about is for servers/workstations on LAN communicating to internet using upstream router's subnets. So... Pretend MX 10.0.0.2 talks to upstream router 10.0.0.1. Server on LAN has IP 192.168.0.100 which NATs to 10.0.0.100. From there setup rule on upstream router to NAT 10.0.0.100 to whatever subnet is available on WAN. Depending on your public IP block, you can give outbound an explicit IP which would be different from default gateway.

Re: [CONTEST CLOSED] Wi-Fi 6: tell us your hopes and dreams!

by Community Manager MeredithW in Community Announcements
06-03-2019 03:34 PM
5 Kudos
Congratulations to our contest winners, @Franzman and @nbentsendk! 👏 👏 👏 🎉

Re: Best practice to install remote MX's in HA

by Pugmiester in Security / SD-WAN
06-03-2019 04:53 AM
Thanks @PhilipDAth, not a bad idea at all, especially if there's not a big difference in cost to begin with.
My Accepted Solutions
Subject | Board | Views | Posted
Re: Azure Vmx peering | Security / SD-WAN | 869 | 03-16-2021 09:38 AM
Re: Activating BGP without configuring a peer yet | Security / SD-WAN | 793 | 02-25-2021 03:40 AM
Re: AWS vMX has lost all site-to-site VPN link | Security / SD-WAN | 1042 | 06-16-2020 01:22 AM
Re: Dashboard Page Unavailable | Dashboard & Administration | 2266 | 11-13-2018 07:35 AM
Re: Hot standby MX64 LAN side failure not working as expected | Security / SD-WAN | 3424 | 10-31-2018 07:05 AM
Re: New MX firewalls seem to be affecting other routers on the LAN | Security / SD-WAN | 2442 | 07-06-2018 05:23 AM
My Top Kudoed Posts
Subject | Board | Kudos | Views
Re: Azure Vmx peering | Security / SD-WAN | 2 | 869
Re: Non-Meraki VPN network reachability | Security / SD-WAN | 2 | 936
Re: AWS vMX has lost all site-to-site VPN link | Security / SD-WAN | 2 | 1042
Re: Does disabling all SSID's on an AP turn off the WiFi antennas completel... | Wireless LAN | 2 | 2421
Re: Revealing the Meraki Community All-Stars! | Community Announcements | 2 | 10369
© 2022 Meraki