Nov 23 2024
4:11 AM
@PhilipDAth Much appreciated! I have been used to building most of my VPN connectivity around DAP, so this was a huge problem when we started to move towards Meraki. At the moment I still stay with my old ASAs as VPN concentrators for only this feature. Hopefully when Meraki enables the SAML Group Policy thing it will start working!
Nov 5 2024
1:53 PM
Oh okay, good to know. I still see both ip_flow and firewall. I tried to fiddle a bit more and here are my findings: When I disable Flows, I do not see any syslog from my L3, S2S or even ip_flows. When I enable Flows, I see ip_flows and vpn_firewall. Finally, when I enable both Flows and syslog on the L3 firewall, I see firewall, ip_flows and vpn_firewall. So here is my conclusion: when using both Flows and syslog under L3, I get more details whenever a rule is hit compared to only running with Flows enabled, but basically I see double information with the ip_flow and firewall entries. When it comes to syslog on S2S, I see that when I am only running with Flows enabled, I do not see any 'deny', only traffic that is permitted. If I enable syslog, I start to see 'deny' when they hit the rule. Thank you Raph!
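As an added example, not code from this thread or from Meraki: the Python below ingests syslog lines shaped like the ip_flow / firewall / vpn_firewall / urls events the findings above describe, tags each event as a local L3 hit or a site-to-site VPN hit, counts a flow once even when an ip_flow_start and a firewall line report the same 5-tuple (the "double information" observed above), pulls out the denies, and tallies bytes per event type so you can see what the syslog stream costs on the tunnel. The sample lines are constructed to resemble the Meraki format (timestamp, device name, event type, key=value fields, optional "pattern: allow|deny"); the exact field names and the type-to-path mapping are assumptions, so adjust them against lines from your own MX.

```python
"""Parse Meraki-style MX syslog lines and separate local-L3 hits from
site-to-site VPN hits, so a SIEM can count each rule hit once instead of twice."""
import re
from collections import Counter

# Constructed sample lines shaped like Meraki MX syslog events. Field names
# are assumptions drawn from the event types discussed in the thread, not a
# capture from a live MX.
SAMPLE_LOG = """\
1730800001.120 MX95-branch ip_flow_start src=10.20.5.17 dst=8.8.8.8 protocol=udp sport=51122 dport=53 translated_src_ip=203.0.113.10 translated_port=51122
1730800001.121 MX95-branch firewall src=10.20.5.17 dst=8.8.8.8 mac=00:11:22:33:44:55 protocol=udp sport=51122 dport=53 pattern: allow all
1730800002.300 MX95-branch vpn_firewall src=10.20.5.17 dst=10.30.0.25 protocol=tcp sport=49211 dport=445 pattern: deny all
1730800002.450 MX95-branch vpn_firewall src=10.20.5.40 dst=10.30.0.10 protocol=tcp sport=49500 dport=443 pattern: allow all
1730800003.000 MX95-branch urls src=10.20.5.17:49300 dst=93.184.216.34:443 mac=00:11:22:33:44:55 request: GET https://example.com/
1730800009.900 MX95-branch ip_flow_end src=10.20.5.17 dst=8.8.8.8 protocol=udp sport=51122 dport=53 translated_src_ip=203.0.113.10 translated_port=51122
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<device>\S+)\s+(?P<etype>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"\b(\w+)=(\S+)")
VERDICT_RE = re.compile(r"pattern:\s*(allow|deny)\b")

# Which path an event type describes (assumption matching the thread's reading:
# ip_flow*/flows/firewall are handled locally by the MX L3 firewall,
# vpn_firewall is traffic sent over the site-to-site tunnel).
PATH_BY_TYPE = {
    "ip_flow_start": "local", "ip_flow_end": "local", "flows": "local",
    "firewall": "local", "vpn_firewall": "vpn",
}
FLOW_TYPES = ("ip_flow_start", "firewall", "flows", "vpn_firewall")
FLOW_FIELDS = ("src", "dst", "protocol", "sport", "dport")


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": float(m["ts"]), "device": m["device"], "type": m["etype"],
          "path": PATH_BY_TYPE.get(m["etype"])}
    ev.update(KV_RE.findall(m["rest"]))          # src=, dst=, protocol=, ...
    v = VERDICT_RE.search(m["rest"])
    ev["verdict"] = v.group(1) if v else None     # "allow", "deny" or None
    return ev


def flow_key(ev):
    return tuple(ev.get(f) for f in FLOW_FIELDS)


def summarize(text, window=2.0):
    """Count events per type, count each 5-tuple once per path within `window`
    seconds (so ip_flow_start + firewall for the same flow is one hit), collect
    denies, and tally bytes per type."""
    events, bytes_by_type = [], Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            events.append(ev)
            bytes_by_type[ev["type"]] += len(line.encode())
    by_type = Counter(ev["type"] for ev in events)
    seen = {}                      # (path, 5-tuple) -> timestamp of first sighting
    unique_flows, denied = 0, []
    for ev in events:
        if ev["type"] in FLOW_TYPES:
            k = (ev["path"], flow_key(ev))
            first = seen.get(k)
            if first is None or ev["ts"] - first > window:
                seen[k] = ev["ts"]
                unique_flows += 1
        if ev["verdict"] == "deny":
            denied.append(ev)
    return {"by_type": by_type, "bytes_by_type": bytes_by_type,
            "unique_flows": unique_flows, "denied": denied}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("events per type:", dict(result["by_type"]))
    print("bytes per type:", dict(result["bytes_by_type"]))
    print("unique flows:", result["unique_flows"])
    for d in result["denied"]:
        print("DENY", d["path"], d["src"], "->", d["dst"], d["protocol"], d["dport"])
```

Feed it the output of a syslog collector (or a "trail" capture) and the bytes-per-type tally shows directly which event class dominates the volume you send across the tunnel; if the local ip_flow and firewall lines are the bulk and carry the same 5-tuples, keeping only one of the two streams is the obvious place to cut.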
Nov 5 2024
12:15 PM
I just tried to remove "Flows" under General, and even though I still have some L3 rules with syslog enabled, I do not see anything other than "urls" in the trail log now. I have to enable "Flows" to see ip_flow, vpn_firewall and firewall entries. In general: is ip_flow traffic handled "locally" in the MX L3 firewall? Is firewall traffic handled "locally" in the MX L3 firewall? Is vpn_firewall traffic sent over the VPN tunnel?
Nov 5 2024
10:49 AM
Hi, I have a quick question regarding Syslog behavior, particularly with L3 rules and Site-to-Site VPN. We've set up our Syslog server with Flows configured, and everything has been running smoothly. However, after integrating a SIEM/SOC solution that needs to receive logs, I enabled Syslog with Flows. This caused instability and significant packet loss to the branch (MX95) where Syslog was enabled. When I disabled Flows, connectivity returned to normal. I suspect there may be too much traffic over the VPN tunnel, but I’d like to clarify what the Syslog option on a rule actually does. Even when I uncheck it, I still see a lot of logs on my Syslog server when doing a "trail". Will I still receive all logs if this option is unchecked, or what is its specific purpose? I’ve read the documentation but still find it confusing. Could someone explain it in simpler terms? Thanks!
Hey, I was wondering if it is possible to change which switch will serve the role of Master (Active)? For now I have followed the guide on how to set up a stack and it seems like I have done it correctly :). https://documentation.meraki.com/MS/Stacking/Switch_Stacks As you can see below, the 4th switch now serves the role of Active (I believe that means master?). Is it somehow possible to change that to the first one, or is this just how it is, being set by the lowest MAC address? What does this actually mean for my configuration, as I haven't been able to locate the tech docs explaining what the different role types actually do? Or is this basically the same as a Master in Cisco Classic?
As promised, here is the answer from Support: This type of behaviour is expected when using port profiles and templates; please refer to the following documentation, which states this behaviour: https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Port_Profiles#:~:text=The%20configurations%20from%20Port%20profiles,and%20it%20is%20expected%20behavior As highlighted in the blue box, this is expected, and I was advised to use the Feedback option from the Dashboard, which I did. Maybe we will see some changes one day :). Thanks everyone!
Hi Ryan_Miles. Exactly - I hope that it will be changed, or at least that there will be a feature/setting where you can toggle it on or off. I would rather know what my current setting is, not what it was.
Alright! Thanks for a quick response. I have submitted a ticket with the above information. I will post when I have an answer.
Hi all, I'm currently setting up new Meraki MS130-48X switches for the first time and was looking at the ability to use Port Profiles. So far I have been able to create the different Port Profiles as either Trunk or Access ports with the desired VLAN(s). As shown below, you can see that one of the profiles is set up as an Access port (VLAN 105). But when I head over to my switch and want to configure a set of ports that should be members of that Port Profile, it shows my type as "Trunk". Could it just be the UI not updating correctly, or have I done something wrong? Here is a picture of how the port settings are set: Thank you...
Labels: Interfaces, Layer 2
Nov 21 2023
6:42 AM
Hi all, I have been trying to lock down our servers so they are not able to reach the Internet. Most servers are allowed to retrieve signature updates from our protection suite, and that works very well. All servers are also pointing towards our WSUS. But here is my problem: I need my WSUS server to be able to reach Windows Update via the Internet, but I just can't get it working. Is there anyone in here who has it working and could point to / show the config of how you got it working? What addresses did you allow in your L3 firewall, and do I perhaps need more in the L7 rules or content filtering? Please help - thank you.
Oct 12 2023
12:05 PM
So basically you get more stacking power, and then there is something about the maximum routing clients. Is that really it? Are the MS250 and MS350 running on the same hardware as the C9200L?
Oct 12 2023
12:03 PM
I'm sorry, I don't know how I can ask in a better way. I was just curious whether the bandwidth got divided if x amount were stacked, or something like that. But overall it seems that they are pretty equivalent. Thank you for your help and suggestion :).
Oct 12 2023
11:19 AM
Hey, thanks for the link, but it says physical + virtual on both when I look at stacking capabilities? Nevertheless, am I right that the C9200L stacking bandwidth is 80 Gbps, like the MS250, while the MS350 is 160 Gbps?
Oct 12 2023
11:01 AM
Hi all, I am about to purchase new switches for one of my offices, and I was initially offered some C9200L units, which I have running in some other offices. Meanwhile we started to migrate to Meraki, both firewalls and also wireless. So I thought I would give a Meraki switch a try, but I don't want to make any "downgrades" compared to the C9200L, which has been rock solid and performed very well. I was mainly looking at the MS250 model, to get the layer 3 feature (compared to the MS220), which would be needed in some cases. But then I also started to look at the MS350 model. Now I'm confused: which model would you prefer, and why? Does the MS350 have the same horsepower as the MS250, or is there a difference in how much it can switch internally, stack speed, etc.? What about features, are they exactly the same as well? Thank you 🙂
Mar 24 2023
4:46 AM
Ouch, you might be right :(. Wonder if this is a thing that will be worked on or just not supported.
Mar 24 2023
4:44 AM
But is Okta also able to use RSA tokens / SMS tokens / grid cards and so on?
Mar 23 2023
1:51 AM
Hey, yes, I have tried with 30 seconds and also 60 seconds, but no difference. I'm sure it must be me doing something wrong, but I just can't figure out what it is; neither could the Entrust technician 🙂
Mar 22 2023
8:40 AM
Yes, but looking at the integration, it looks like this is being done in the cloud, and the integration with my RADIUS servers and policies will then no longer be in place? But if I move ahead with the SAML integration, how do I then get SAML displayed on my MX? Under "AnyConnect" I can only see the following authentication types: RADIUS, Meraki Cloud Authentication and Active Directory. My appliance is running firmware: up to date, current version MX 17.10.4. Am I missing something in the steps somewhere?
Mar 22 2023
2:35 AM
Hi, I'm stuck and I don't know if my configuration is wrong or if this is just a limitation of how the interaction between RADIUS/Meraki/AnyConnect works at the moment. Currently I have my old Cisco ASA 5500 series firewall set up, with AnyConnect using DAP profiles and multifactor authentication (Entrust) running on a RADIUS server. It works perfectly and is easy to use. But my firewalls are getting old, and we have decided to move on and have chosen Meraki as our new platform. So far so good. I got AnyConnect up and running with my RADIUS server, and I can filter the logins by which group a user is a member of (from the AD) and then throw that back to the Meraki, so I make sure the right "Group Policy" is deployed (almost like DAP). The problem starts when I introduce my "Entrust" solution, which is our multifactor, running as a piece of software on the RADIUS server. The setup is exactly the same as when it runs with the ASA, but when I try to log in, the authentication prompt tells me "Login failed." after I have typed in my user credentials. But what really happens behind the scenes is that the username and password were validated successfully, and now the AnyConnect client waits for the "Challenge/Response". If I then type in the OTP received (text message), AnyConnect will tell me that "You have successfully connected to client VPN". To me it looks like AnyConnect and Meraki are having some issues doing the "Challenge/Response" part, which works fine on the ASA. Same configuration on the NPS, more or less. I've been in contact with Entrust, who ran through the logs, and everything seems to be right on their end. It sees the RADIUS authentication, it then fires the Challenge/Response where I receive the text message, and finally it accepts the response and verification is successful. Do any of you have a similar setup, or perhaps know if this is a limitation of how AnyConnect is working on Meraki as of now? Thank you.
Labels: Client VPN, Other
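The two-leg exchange the post above describes (password accepted, then an OTP requested via RADIUS Access-Challenge) is shown below as an added example in Python, written for this page and not code from Meraki, Cisco or Entrust. It builds real RFC 2865 packets from the standard library (User-Password obfuscation, Response Authenticator verification, the State attribute that ties the second Access-Request to the challenge) and runs them against a toy in-process server standing in for NPS plus an MFA plugin. The server, user store and `client_login` helper are assumptions made for the example; `handles_challenge=False` models a client that treats Access-Challenge as a failed login, which is the symptom the post reports.

```python
"""Minimal RADIUS (RFC 2865) password + OTP exchange using Access-Challenge,
standard library only: Access-Request (password) -> Access-Challenge (State,
Reply-Message) -> Access-Request (OTP + same State) -> Access-Accept."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24   # attribute types


def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(encoded, secret, authenticator):
    """Inverse of encode_user_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """TLV encoding: type (1 byte), length including header (1 byte), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, i = [], 20
    while i < length:
        t, l = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return code, ident, data[4:20], attrs


def build_request(ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(data, request_auth, secret):
    expected = hashlib.md5(data[:4] + request_auth + data[20:] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])


class ToyMfaRadiusServer:
    """Hypothetical NPS-plus-MFA-style server (assumption for this example): checks
    the password, replies Access-Challenge with a State, then expects the OTP in a
    second Access-Request carrying that State."""

    def __init__(self, secret, users):       # users: {name: (password, otp)}
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, data):
        code, ident, req_auth, attrs = parse_packet(data)
        a = dict(attrs)
        user = a.get(USER_NAME, b"")
        pw = decode_user_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        if STATE not in a:                   # first leg: password check
            if user not in self.users or not hmac.compare_digest(self.users[user][0], pw):
                return build_response(ACCESS_REJECT, ident, req_auth, [], self.secret)
            state = os.urandom(16)
            self.pending[state] = user       # State binds the OTP leg to this session
            return build_response(ACCESS_CHALLENGE, ident, req_auth,
                                  [(STATE, state), (REPLY_MESSAGE, b"Enter OTP")], self.secret)
        if self.pending.pop(a[STATE], None) == user and hmac.compare_digest(self.users[user][1], pw):
            return build_response(ACCESS_ACCEPT, ident, req_auth, [], self.secret)
        return build_response(ACCESS_REJECT, ident, req_auth, [], self.secret)


def client_login(server, secret, user, password, otp, handles_challenge=True):
    """Run the client side and return the final RADIUS code. handles_challenge=False
    models a client that treats Access-Challenge as a failed login."""
    req_auth = os.urandom(16)
    resp = server.handle(build_request(1, req_auth, [
        (USER_NAME, user), (USER_PASSWORD, encode_user_password(password, secret, req_auth))]))
    if not verify_response(resp, req_auth, secret):
        return ACCESS_REJECT
    code, _, _, attrs = parse_packet(resp)
    if code != ACCESS_CHALLENGE:
        return code
    if not handles_challenge:
        return ACCESS_REJECT                 # surfaces to the user as "Login failed."
    state = dict(attrs)[STATE]               # echo State unchanged in the OTP leg
    req_auth = os.urandom(16)
    resp = server.handle(build_request(2, req_auth, [
        (USER_NAME, user), (USER_PASSWORD, encode_user_password(otp, secret, req_auth)),
        (STATE, state)]))
    if not verify_response(resp, req_auth, secret):
        return ACCESS_REJECT
    return parse_packet(resp)[0]
```

Running the two client variants against the same server makes the failure mode concrete: the server accepts the password and sends Access-Challenge in both cases, and only the client that echoes State with the OTP ever sees Access-Accept. When debugging a real deployment, capture the RADIUS traffic at the NPS and check that the second Access-Request carries the State value from the challenge; if the VPN concentrator never sends that second request, the problem is on the client/gateway side, not in the MFA plugin.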
Mar 2 2023
5:37 AM
I believe the reason is that I have been used to working with the ASA firewalls, where most of these rules defined whether you wanted to go to another network locally or whether you tried to reach another network via your IPsec tunnels. That's basically it. So now I just have to think differently and accept the fact that it is "split". If you ask me in one month, when I have created, changed and deleted rules, then I might say it makes a lot of sense 🙂
Mar 2 2023
5:17 AM
And now I clicked accept on the wrong post here. Can I change that :)?
Mar 2 2023
5:16 AM
Thanks for the documentation. I went through some of it, but it still doesn't make 100% sense. It is probably just a matter of getting used to it, coming from another appliance :).