Meraki

Nash · ‎Feb 20 2020

Finally got a chance to dig in my scripts, and it was this call. This is probably ugly as heck, but my apparent solution from October: for port in switchportsList: switchNum = port['number'] empties = [] for key, value in port.items(): if value == None: empties.append(key) for item in empties: try: port.pop(item) except: print(f"Couldn't pop {item}") putSwitchport(arg_apikey, arg_serial, port, switchNum, shard)

Nash · ‎Feb 20 2020

None is null, yes. That looks like you're trying to use Update Device Switch Port? What happens when you leave the items with value None out? I ran into this with... I forget the call... a while ago. It may have been this one. The GET request returns None options that'll make it unhappy if you include them with a PUT.

Nash · ‎Feb 20 2020

Thank you! That's one of the nicest compliments I've gotten about my code.

Nash · ‎Feb 19 2020

Okay, for Win10, I'm a broken record: Use a script. There's a lot of problems with the Win10 client that you can fix with PowerShell. If you do the following, your users will normally have better behavior: 1. Never save their credential 2. Always connect from rasphone.exe. Easiest is to make them a shortcut. 3. Set Encryption to optional. 'Required' is not supported with PAP, as Meraki uses, and Win10 assumes it needs to change the password protocol to satisfy the 'required' setting. Since we moved to script installs, it's dramatically reduced the number of VPN repeat tickets my helpdesk gets. They also can fix it quite quickly. 3-5 minutes from the time the client gets on the line.

Nash · ‎Feb 19 2020

What OS is he on? For Win10, how are you setting him up? I've got scripts in my sig that make for a better experience. In Windows, you need your users to not save their credentials.

Nash · ‎Feb 19 2020

Devnet devnet devnet devnet devnet devnet devnet Did I mention Devnet? Because Devnet. It's pretty great. I think also the walk-in self-paced labs.

Nash · ‎Feb 19 2020

@BrechtSchamp wrote: Welcome @SamanthaLu . You'll feel right at home. You can even talk knitting with @Nash ! Yarn management is a very important skill for anyone who deals with layer 1 and I'll fite anyone who disagrees. 🙂

Nash · ‎Feb 18 2020

Unless something changes dramatically, I'll be going. (And would be delighted to have lunch one day with forum people.) My company justifies it since we're a VAR. We rotate who goes each year, so this year is my year. Next year would not be, unless 2 other people didn't want to go. For mgmt - what if you got one of the cheaper passes? They record all the breakout sessions anyway. 🙂

Nash · ‎Feb 17 2020

No, not really. That'd be a violation of privacy. What you could do is either a) ask the old MSP for a read-only account so you can grab the config, or b) ask the old MSP to run @PhilipDAth's backup script. Then you can tweak the resulting script so it'll load onto the new equipment you've setup.

Nash · ‎Feb 17 2020

You'll need to be added as an administrator to your client's existing firewall's dashboard, by someone who has administrator access.

Nash · ‎Feb 17 2020

If your people on the road use Windows 10, check out the PowerShell scripts in my signature. They're about half comments, most of them instructions for changing it from all users to single user, but I try to explain what each segment does. We haven't had problems with the MacOS native client in the latest iterations of said OS. >>Me too. We don't allow that. MSP life. I enlisted every possible person in the chain between myself and the client w/ the AS400, and... no dice. I still worry.

Nash · ‎Feb 17 2020

Yes, what's up? Remember that client VPN is on a separate subnet all its own, so you may have to make adjustments to accommodate that. We also have vendors who demand naked telnet access and swear it's secure, which makes me cry.

Nash · ‎Feb 14 2020

Generally speaking, if an endpoint is publicly accessible for the API, you're going to find it in the docs here. If it's not there, then we don't have it yet. Endpoints are added and improved every month, so if you don't see what you want right now, check back. We can also bug people like @DexterLaBora so he can see what end users would like to have. Sorry not sorry, Dexter!

Nash · ‎Feb 13 2020

Mm, no, no, it's not going to. Is your provider on the 4G router doing carrier-grade NAT? If so, I don't think there's any way you're going to get around that. AutoVPN to a vMX could cope, but you've said that's not an option.

Nash · ‎Feb 13 2020

Is it possible to put the 4G router into passthrough/bridge/whatever mode and slap the WAN IP directly on the MX?

Nash · ‎Feb 13 2020

Is the device in front of your MX using 500/4500 for anything? If not, what happens when you setup port forwarding? Alternately, would the vMX100 work for you?

Nash · ‎Feb 13 2020

Hello! I've used your website to provide gross price checks to people, when I was too lazy to go find out our own partner-specific pricing. 🙂 "It's roughly XYZ..."

Nash · ‎Feb 11 2020

@cmr I've been impressed by it at customers who've had Sophos fw. Very easy to use, and the client has a nice traffic light icon that makes it relatively clear if you're connected or not.

Nash · ‎Feb 10 2020

It's always fun when the problem is people and not actually hardware. By which I mean, it's terrible. Given your situation, what would your ideal outcome look like? Perhaps that can guide what you do. What problem were you solving by replacing the Sophos with the Meraki?

Nash · ‎Feb 10 2020

Yeah no, I'm not at all saying that the client VPN's standards are sufficient. I'd also really like more DH groups for third party tunnels. I'm especially frustrated that the higher level offered is not supported by all end points. We've kept ASAs just for AnyConnect at some clients. Not other vendors, because we're a Cisco VAR/MSP and push people to use uh... Cisco/Meraki... gear. 🙂

Nash · ‎Feb 10 2020

So I work at an MSP, and to be blunt? MSPs aren't beyond trying to encourage you to use their preferred technology, simply because it is easier for them. This is especially true on network equipment. You can mitigate many of the Windows issues using PowerShell scripts, using rasphone, and never saving the credential. I've got scripts in my signature that have significantly reduced the amount of time my help desk spends on Meraki client VPN issues. We have fewer tickets over all, and most tickets are now 5-10 minute redeployments of the VPN via script vs. 20-40 minutes of painful troubleshooting. Regarding security, that's a more complicated question. What ciphers/hash/DH combos are the Sophos fw using? Meraki gives theirs here. Support can change it, but the higher level uses a cipher and DH combo that may not be supported by all endpoints. May I ask: What problem are you having that caused this MSP to make that recommendation?

Nash · ‎Feb 10 2020

Oooh do check out BSides. You can find talks recorded on the Youtubes as well, of course. If you're in the DMV area, you might also try to get tickets to SchmooCon, but honestly... Those are a _nightmare_ to get.

Nash · ‎Feb 10 2020

Hello! You sound like a couple of the folks I'm mentoring right now. They're either done with or chugging through a similar Netacad program at a local college, and interested in going fast and breaking things. 😉 Have you hit up any BSides conventions yet? I think they'd be right up your alley if you haven't.

Nash · ‎Feb 7 2020

@PhilipDAth Docs suggest that ideally the pair members should take turns updating. Appliance Network with Two MXs in an HA Configuration When MX appliances configured to operate in High Availability (HA) (either in NAT/routed mode or when operating as one-armed VPN concentrators), the dashboard will automatically take steps to minimize downtime when upgrades are performed to ensure a zero-downtime MX upgrade. This is achieved through the following automated process: The Primary MX downloads firmware The Primary MX stops advertising VRRP The Secondary MX becomes master The Primary MX reboots The Primary MX comes online again The Primary MX starts advertising VRRP again The Primary MX becomes Master Again The Secondary MX downloads firmware (approximately 15 minutes after the original upgrade is scheduled) The Secondary MX stops advertising VRRP The Secondary MX reboots and comes back online

Nash · ‎Feb 7 2020

@LoxPontus wrote: So having VPN network for example 192.168.3.0/24 and LAN network 192.168.2.0/24 is not good? I'm a little confused. Is your VPN "three" and their LAN "two"? If so, no subnet overlap. But your end user's traffic is all going over your tunnel because you've got them on a full tunnel client VPN. You said mail serv is on-prem for your remote users? Full tunnel = they need to use the mail serv's public IP. If your VPN is "two" and their LAN is "two", or three/three, then that's overlap and that's bad.

About Nash

Nash

Nash King

Community Record

Badges