Meraki

Brash

I don't have any specific knowledge around LogicMonitor. Based on your comments I'm guessing you've seen this Reddit thread but in case your haven't. https://www.reddit.com/r/meraki/comments/twppv8/comment/iku5i3c/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

Brash

Most likely, this is due to the way the MX implements FQDN's in L3 firewall rules. FQDN-based L3 firewall rules are implemented based on snooping DNS traffic. When a client device attempts to access a web resource, the MX will track the DNS requests and response to learn the IP of the web resource returned to the client device. https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support Essentially, the DNS lookup and response for the website must pass through the MX unencrypted for the MX to snoop it and be able to match for later traffic. If the MX does not receive a DNS lookup, it does not apply the rule. The MX will also periodically time out the FQDN to IP mapping (I'm not sure what this timer is) so if the client has a longer cache, or simply uses the IP only, the MX may stop enforcing the rule.

Brash

Good point! I had thought about this but wasn't sure if it was worth the extra management overhead for patching and licensing. That said, it is definitely cleaner from an AutoVPN point of view. Additional admin access isn't currently a requirement, but I can see a few ways in which that may shift in the coming year or so. I'll mull it over a bit more, but I think this might be the way to go. 👍

Brash

Ah I forgot about that doc. Cool. I'm not a huge fan of hidden backend configurations but it's good that the option is there.

Brash

I've got a bit of a weird design challenge that I figured I'd get some other's opinions and also ask some clarifications. I'm Managing a network of ~30 sites all corporate networks. All of these sites connect back to the DC using a Hub/Spoke model. 7 of these sites now need to have a side-by-side public network for some public access services. These also need to connect back to a server that manages and maintains these public services. I've proposed the following design. The public MX's would be in separate networks and create a separate hub-spoke AutoVPN to the corporate. Whilst the switch is logically in the corporate network, it will have both public and private traffic separated by VLANs. The VLAN gateways are on the respective MX's A couple of things to note here: Security and separation of public and private networks is the primary concern Eg. Technically these networks can be converged to a single MX and AutoVPN, but a single fat fingering of a firewall rule can bring it all crumbling down Money isn't a big concern - Having two MX's with licenses for each of these 7 sites is fine from a financial perspective The corporate MX's have Umbrella integration with SIG Tunnels - The separation as above prevents public traffic from having corporate Umbrella policies applied My main question is: If I'm not mistaken, the public hub will create a tunnel with the private hub. I've heard there is a way to disable this in the backend. Has anyone had experience with this?

Brash

Congratulations all, and especially to the fresh faces joining the club 🙂

Brash

Weird. Shard 280 working fine for me

Brash

In order to renew, you'll need to renew all licenses. To just extend your Co-Term date, you'll need to purchase and apply an additional new license.

Brash

Agreed with what @ww mentioned. Check that the SonicWall aggregation is configured to use LACP. Otherwise the Meraki switch won't be able to negotiate the port-channel.

Brash

Can't comment on the first part of your questions as I don't widely use L7 firewall rules. As for the second part, you can apply L7 firewall rules to specific clients by using Group Policies. You can then assign the group policy to the VLAN (which will apply it to all clients on that VLAN), or manually assign it to specific clients.

Brash

^ 100% Most of the time this is from devices roaming between different WAP's

Brash

For me, it's the ability to use port ranges and lists in ACL's and Group Policies.

Brash · ‎Jan 9 2025

The client will show connected even if they're not authenticated. That's because connection to the SSID is not the same as authentication through the splash page. If you have all of the appropriate settings set to block, the client should be able to connect to the SSID but not be able to reach anything until authenticating through the splash page.

Brash · ‎Jan 9 2025

"Not Authorized" means that the user hasn't clicked through the splash page. Check your settings to verify whether you've got it set to block all traffic until the splash page is acknowledged. Here is a community post with a screenshot for reference Client status is "Not authorized", but the connection is established to acc... - The Meraki Community

Brash · ‎Jan 9 2025

I got round to doing my ECMS last year. A small goal to kick but good to finally do it. This year I'm hoping to do at least one of the following: - Get CompTIA Security+ certified - Get more into automation, especially around ansible and/or puppet - Cleanup my homelab which has become a bit of a mess (both physically and virtually)

Brash · ‎Jan 8 2025

Great job everyone! There really were some standout contributions this month.

Brash · ‎Jan 8 2025

I'm with @DarrenOC on this one. 😆 I'd be hard pressed to get my company to fly me halfway across the globe for a conference.

Brash · ‎Jan 7 2025

@PhilipDAth is spot on. If you have only known standardized devices across the business that support WPA3, you'll probably be fine. But as soon as you have non standardized devices such as guest devices, IOT devices, or if different areas of your business buy devices without IT consultation, you'll likely have issues.

Brash · ‎Jan 7 2025

I've not validated but you might be able to use this API. {{baseUrl}}/organizations/{organizationId}/appliance/uplink/statuses You can add filters such as device tags and serial numbers to the API call. Get Organization Appliance Uplink Statuses - Meraki Dashboard API v1 - Cisco Meraki Developer Hub

Brash · ‎Dec 29 2024

No, you cannot add an MS and a Catalyst switch to the same physical stack Only like-models can be stacked. For example, MS350-48 and MS350-24X can be stacked, but MS250-48 cannot be stacked with a MS350-48. The only exception is that MS210 and MS225 models can be members of the same stack. https://documentation.meraki.com/MS/Stacking/Switch_Stacks#Configuring_a_Physical_Switch_Stack

Brash · ‎Dec 29 2024

Hmmm can't recall. I just checked they had the same voltage and polarity and swapped them in along with the replacement MX

Brash · ‎Dec 28 2024

Support confirmed the issue on 2 MX75's and sent RMA's. Aside from the replacement device, they also came with smaller power transformers. I haven't had any further random reboots on them since then.

Brash · ‎Dec 28 2024

Nothing I can find other than what appears to be a publicly posted slide from 2024 GSX with a few bits and pieces. 60W UPOE 5G mgig ports 4x 10G SFP Uplinks Layer 2+ stacking Planned release Q3 2025

Brash · ‎Dec 20 2024

A couple of simple things to help isolate the problem: - If you ping from the VPN client and capture on the MX 'DMZ' interface, do you see the ping requests? If you do, do you see ping replies from the jace? You could also do captures along the path to the Jace. - Can you verify the jace has the correct IP gateway configured? - Are you able to do ping tests from the Jace?

Brash · ‎Dec 20 2024

You'll need to access the local device status page to determine where the issue lies. It will tell you the status of your MX and it's reachability to the internet and to the Meraki dashboard https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page

About Brash

Brash

Community Record

Badges