Community Record
1029 Posts, 1060 Kudos, 70 Solutions
Sep 10 2020
12:47 PM
@GreenMan wrote: Do you have a specific reason for running 15 (beta) firmware? Unless you're needing something specific that's only in the beta firmware, running with Stable or Stable RC will likely be more reliable. If there is a particular feature you're trying, it wouldn't be HTTPS Inspection, would it? https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/HTTPS_Inspection

I too would be curious if you've enabled HTTPS Inspection. That's going to eat all the resources you've got and then some, compared to performance without it enabled.
Jul 20 2020
6:37 PM
1 Kudo
"SOMETHING HAS CHANGED" was my first thought when the page loaded, honestly. I'm glad it was on purpose! It looks nice.
Jul 20 2020
6:23 AM
@Johan_Oosterwaa wrote: Yes you can 😉 As I have done this many times

In that case, are you sure your JSON is well-formed? Also, are VLANs enabled on your network? I feel like I ran into mystery failures on non-templated MX networks, and the ultimate problem was that VLANs were not enabled. No enabled VLANs, no access to the VLAN calls. Might have changed though.
Jul 20 2020
6:18 AM
@Edgar-VO wrote: I am pretty sure you cannot change the IP addresses when a site is bound to a template.... Therefore you need to unbind, but then you lose a lot of details of the site,... Also wondering why you make your own definitions within python, simply use the meraki API and not use your own requests REST API calls and life is much easier.

"Easier" is a matter of opinion. I use Python and the requests module because I use the requests module with REST APIs from multiple vendors, and it's a standard method. SDKs all have their own quirks.
Jul 18 2020
3:20 PM
1 Kudo
I strongly recommend Philip's generator. Otherwise, you can use a PowerShell script in Win10 to add the routes you need. I've got a (no longer maintained but valid) script in my signature line that you can steal commands from.
Jul 18 2020
3:18 PM
Has this firewall ever connected successfully? Such as when connected to your existing network, which presumably has a valid uplink, as opposed to the ISP modem directly? If it's connected before: Have you called your ISP? I'd set the WAN1 uplink back to what the config should be, with everything set auto-auto. Does the ISP see traffic coming from your firewall's mac address?
Jul 18 2020
3:11 PM
So your MX are all bound to a template that includes the vlan setup, but you want to override that part of the template? Pretty sure you can't:

https://documentation.meraki.com/zGeneral_Administration/Templates_and_Config_Sync/Managing_Multiple_Networks_with_Configuration_Templates#MX_-_Template_VLAN_IP_Address_Range_Allocations
https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MX_Security_and_SD-WAN/MX_Templates_Best_Practices

Specifically: "If unique is chosen, each network bound to the template will get a unique subnet based on the configured options. The MX does not support local VLAN overrides on templates."

So you're getting a 400 Bad Request response because you're asking it to do something that you're not allowed to do, b/c the network is using a template that includes vlan setup.

By the way, I strongly encourage you to look into the available exceptions for the requests module instead of passing all errors the way you are. Unless you are deliberately passing a generic error and aren't concerned about why an attempt at a particular request failed.
Jul 10 2020
5:18 PM
6 Kudos
Congratulations! Glad to see you both join the club. You've been everywhere.
Jul 8 2020
7:35 AM
100% bait and switch title! 🙂 But a clever solution to trying to integrate a new friend. I hope your buns decide to be chill with each other and can romp around your home together soon.
Jul 5 2020
10:04 AM
@bxdobs wrote: Please Disregard my previous posting ... tried another machine which had exactly the same results with W10 Pro 64b Turns out in this case the 691 error was CORRECT ... there may be an issue with the Meraki Dashboard used from the latest Firefox browser ... I explicitly CHANGED the PW for the VPN User to something simple as a temporary test ... this temporary password apparently wasn't accepted by the dashboard ... don't recollect seeing any error message when I pressed the change button so will take a closer look at this as a possible issue Anyway I have now put back the original PW and reset all users ... all working now

I've caught myself before by thinking I've hit save when I haven't, when the save button is all the way at the bottom of the web page. I feel your pain.
Jun 30 2020
2:13 PM
2 Kudos
On the dangers of IoT and fish front. If you can, I'd put those cameras on a separate subnet with some firewall rules, in addition to patching the heck out of em.
Jun 30 2020
9:41 AM
3 Kudos
I mean you'll have to read the (heckin) manual for part of this, because that's how we API, but: You want to know number of devices that have associated to the wireless network in a given span of time? I use Python so this is going to be Python-y.

If you need to know on a per AP basis, you could:
1. Pull a list of APs (Pull on a per org or per network basis; check model[0:2] in Python to see if it's an MR)
2. Pull a list of clients per AP
3. Drop it in a spreadsheet using something like openpyxl

If you need it on a per-network basis:
1. Pull network clients
2. Check the SSID field for a value OTHER THAN null
3. Drop list of clients into a spreadsheet using something like openpyxl.

Then just run this as a cronjob someplace, or do it on demand via CLI or a Flask app, and there you go. If you have a bunch of networks, get fancy, make a table of contents, and do one tab per network in openpyxl.

I need to refactor it badly, but I've got an example here that I threw together for a per org device inventory.

Caveat: I use kludges because I run into networks with a bunch of APs that aren't placed on a map and I am unable to place on a map accurately, so heatmap is not... so useful for me. You don't want to be me, maybe.
Jun 25 2020
6:34 AM
2 Kudos
Turn off "Send All Traffic" with the slider button? You can verify traffic routing properly by using something like the iNetTools app, which gives you a proper traceroute, or just comparing a google search for "whats my ip" before and after you connect to the VPN.
Jun 18 2020
5:11 PM
@Mick_R wrote: Thank you for answering, do you mean no Meraki will do what I need?

That is correct. No Meraki firewall will do VPN NAT on a standard IPSEC tunnel. ('Third party tunnels' in Meraki slang.)
Just adding another voice agreeing that what you actually want is the scanning API. "Where are the people and when" is a really common question to ask, which is why Meraki made the scanning API.
Jun 11 2020
1:29 PM
4 Kudos
I'm excited to see who the new folks are! So many people are making great contributions.
Jun 8 2020
3:30 PM
2 Kudos
Try @PhilipDAth's PowerShell script generator. Once you've got the script put together, you'll need to re-install the VPN on your end user's computer(s) using the script.
Jun 8 2020
1:06 PM
1 Kudo
You can find out if a specific org's admins have 2FA enabled, but I don't know of an endpoint to check if the org requires 2FA. I went looking recently.
Jun 8 2020
9:05 AM
1 Kudo
@webfrank wrote: Hi, you can use a third party application to perform a full organization/network backup/restore. Disclaimer, I work for V-App.io which has a Cloud Network Backup application specific for this task

It's not correct to state that you can perform a "full" restore, based on the limited endpoints we've got. (Not a criticism of the API team - they add stuff constantly, and it takes time to build/test!) If you've got L3 routing going on via Meraki switches, you've got to recreate that manually. OSPF? Manual. Client VPN on the MX? Manual. Users on your MX? Manual recreation.
Jun 2 2020
6:59 AM
It's a bit of a strange implementation. I once saw it completely baffle a room full of folks who'd been doing OSPF for years, so please don't feel bad for not catching it.
May 29 2020
10:15 AM
Do you have nmap or PowerShell available on premises? What happens if you try the appropriate ports on nmap or via PowerShell at test-netconnection -comp "IP address" -port 80 -info detailed? Change -port to whatever number you're using. What happens with traceroute? What kind of WAN link do they have? Does their ISP device have a firewall on it? Can you access those sites if you connect a device directly to their WAN uplink, such as your laptop w/ a nice software firewall turned on? Just some thoughts while you work with support.
May 29 2020
9:30 AM
Okay, just recapping:
1. No content filtering enabled.
2. No ACL blocking those IPs.
3. nslookup/dig internally resolve to the same IPs that you see elsewhere
4. You've rebooted the device

Have you called support on this one yet?
May 29 2020
6:49 AM
Ooh, glad you got it, but yeah. Never trust your ISP DNS unless you've absolutely got to for some reason. Hint: Haven't met a reason yet.
My Accepted Solutions
Views | Posted |
---|---|
5233 | Jun 30 2020 9:41 AM |
13091 | Jun 25 2020 6:34 AM |
2122 | Jun 8 2020 3:30 PM |
4647 | Jun 4 2020 6:56 AM |
4324 | May 26 2020 8:26 AM |
2065 | May 18 2020 9:10 AM |
3988 | Apr 3 2020 11:18 AM |
8682 | Mar 26 2020 2:05 PM |
4626 | Mar 23 2020 5:59 PM |
13478 | Mar 19 2020 7:27 AM |
My Top Kudoed Posts
Kudos | Views |
---|---|
7 | 20397 |
7 | 11196 |
6 | 7965 |
6 | 48132 |
6 | 6892 |