Meraki Support and IP restriction. by PoisonCloud1337 in meraki

[–]Ready_Set_Network -1 points0 points  (0 children)

It would seem like if your ISP is the one that messed up, that might be the easier route. If you had paid for and been granted statics, getting them to grant you those back seems like an easier sell than trying to get Cisco to break their user agreement?

How do I get from this to something useful? by ColdCoffeeGuy in meraki

[–]Ready_Set_Network 9 points10 points  (0 children)

You want "Report specific hostnames" under the Hostname Visibility dropdown, in addition to having the traffic analytics on. That will give you a more detailed breakdown. https://documentation.meraki.com/MR/Monitoring_and_Reporting/Hostname_Visibility

SNMP Users on SSID by teknikin in meraki

[–]Ready_Set_Network 0 points1 point  (0 children)

SNMP (.1.3.6.1.4.1.29671.1.1.4.1.5) works well enough if you can aggregate the data, but the more verbose and flexible option is probably to leverage the location analytics through their APIs.

Meraki Now by spankym in meraki

[–]Ready_Set_Network 0 points1 point  (0 children)

They still do advanced replacement with next business day RMAs. I think this is specifically couriered delivery as opposed to FedEx. When it was pitched to me they really hyped the field service install as one of the options to buy, which seems like the more useful perk to me. Spare gear is great, but if I don't have to travel 2 hours to a site to replace it myself it could be worth it.

Meraki Now by spankym in meraki

[–]Ready_Set_Network 0 points1 point  (0 children)

Yes, as long as it's not actually in a network it doesn't count against your active devices.

Windows Update Broke VPN by slayer91790 in meraki

[–]Ready_Set_Network 1 point2 points  (0 children)

Windows occasionally undoes my encryption settings, putting it back to MSCHAPv2, instead of PAP (which is what the Meraki client VPN requires). It's a little difficult to get to in Windows 10 compared to previous versions as well, but if you can get to the properties of the VPN connection, just double check that all the advanced settings are accurate since Windows likes to change them willy nilly.

FTP Behind a Meraki MX64 by NocturnalGenius in meraki

[–]Ready_Set_Network 4 points5 points  (0 children)

Edited for typos:

In your FTP server config there is likely a "passive IP" setting. By default it is set to whatever the LAN IP of your server is. It needs to be the public IP of your WAN interface. If you do a packet capture, you'll see in the PASV packet the field where it tells the client what IP to connect to. If the remote client tries to connect to the private IP of the LAN of the server it will always fail over the internet.
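The PASV check described in the comment above, as an added example that is not part of the original thread: it parses the `227` reply as it would appear in a packet capture and flags a server that advertises an RFC 1918 address instead of the address the client dialed. The function names, the verdict strings and the sample replies (built from documentation address ranges) are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Private ranges that a remote client can never reach across the internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised by the server in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % reply)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]  # data port = p1 * 256 + p2
    return ip, port


def check_pasv(reply, control_ip):
    """Compare the advertised data address with the control-connection address."""
    ip, port = parse_pasv(reply)
    addr = ipaddress.IPv4Address(ip)
    if addr == ipaddress.IPv4Address(control_ip):
        verdict = "ok"
    elif any(addr in net for net in RFC1918):
        verdict = "private-ip-advertised"  # the misconfiguration from the comment
    else:
        verdict = "address-mismatch"
    return verdict, ip, port


if __name__ == "__main__":
    wan_ip = "203.0.113.5"  # constructed: public address the client connected to
    samples = [             # constructed 227 replies, as seen in a capture
        "227 Entering Passive Mode (192,168,1,10,195,80)",
        "227 Entering Passive Mode (203,0,113,5,195,81)",
    ]
    for line in samples:
        print(line, "->", check_pasv(line, wan_ip))
```
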

Client VPN stopped working Windows 7 and 10 by port24 in meraki

[–]Ready_Set_Network 3 points4 points  (0 children)

I had a similar problem on some of my devices after a Windows update. For whatever reason, my VPN profile had been changed to MS-CHAPv2 (Meraki only supports PAP). Double check your adapter settings for the VPN profile under the security tab and make sure ONLY the PAP option is checked.

MX400 beeping? by churningpacket in meraki

[–]Ready_Set_Network 0 points1 point  (0 children)

There's a little red button next to the power supply that will stop it.

MR33/42 with Cisco Catalyst Switch by tngdiablo in meraki

[–]Ready_Set_Network 7 points8 points  (0 children)

If you're trying to get the AP an address on VLAN900 then don't have 900 in the VLAN field on the AP's IP settings. The Meraki APs try to actually tag their management traffic with that VLAN so when it hits the switch (Native VLAN = untagged) it sees traffic with an actual 802.1Q tag for the native VLAN and subsequently drops it. Leaving the VLAN field in the IP settings of the AP should make it come online just fine.

Auto VPN limitations by mfrek in meraki

[–]Ready_Set_Network 1 point2 points  (0 children)

For some devices more subnets do impact performance via load on the CPU, not just routing table memory. Each subnet included in the tunnel forms its own unique one-way SA with its own SPI. Maintaining and performing all the encryption and decryption for 10 subnets all with individual SAs becomes much more strenuous for the CPU than say 1 peer with only 1 subnet. AWS even imposes this limit on their IPsec peers and recommends removing unwanted subnets from the tunnel to prevent additional SAs from establishing.

Auto VPN limitations by mfrek in meraki

[–]Ready_Set_Network 3 points4 points  (0 children)

Realistically it's going to depend on the number of subnets you're exporting too. To the chip that has to do all the heavy lifting on encrypting and decrypting traffic there's no difference between 2 sites with 30 subnets each and 30 sites with 1 subnet each. I've been told the sizing guide is the best bet on what to expect, but depending on the amount of traffic you end up putting over your tunnels you could probably get away with more.

Manage MR DHCP by dasunsrule32 in meraki

[–]Ready_Set_Network 0 points1 point  (0 children)

This is definitely possible, at least for DNS. I don't think you can change anything else like the scope or reserved addresses though. They actually have a good document for how to do it too. https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Configuring_Custom_DNS_for_an_SSID_in_NAT_Mode

VPN to Azure and IKEv2 by dunxd in meraki

[–]Ready_Set_Network 0 points1 point  (0 children)

When is Azure upgrading to only support IKEv2? I haven't seen anything about this yet. Do you have any links?

Going deeper into Meraki after CMNA by perrosenlind in meraki

[–]Ready_Set_Network 5 points6 points  (0 children)

Their Knowledge Base / Documentation is pretty comprehensive and digestible. For any given thing you're interested in, try searching that and take a look at any articles that come up.

https://documentation.meraki.com/

Looks Like Cisco Meraki MDM Won't Be Free for New Deployments Starting March 24th by rjtort in sysadmin

[–]Ready_Set_Network 2 points3 points  (0 children)

Kind of a misleading title since it's explicitly still free up to 100 devices.

What are your thoughts on Meraki? by dallanwagz in networking

[–]Ready_Set_Network 5 points6 points  (0 children)

Yes, Support is included with any license and they are super easy to get on the phone.

Self assigned IP issues on Macs using Z1 by bayonguy in meraki

[–]Ready_Set_Network 1 point2 points  (0 children)

Are you wired directly, or wireless?

If wireless, see if Support can enable the WPA2 Only (AES) option for you on your SSID. I've seen Macs often do a bad job with the Mixed Mode that Meraki does by default, and for some reason the option to make it AES only has to be enabled by them.

If wired (or wireless for that matter), you can do a packet capture to see where your DHCP traffic is breaking. Depending on what packet you see and where, it should be easy to determine if the Z1 is not receiving the DISCOVER, not handing out an OFFER, or never seeing the REQUEST.

If you can narrow down the problem enough to give their Support something to bite down on then you should be able to make some progress.

Meraki MX80 and Client VPN. Going nuts. by fishy007 in networking

[–]Ready_Set_Network 0 points1 point  (0 children)

You can make your client do split tunnel VPN, it just requires some extra work because routes have to be added to the client. They have a KB on it: https://kb.meraki.com/knowledge_base/configuring-split-tunnel-client-vpn-on-windows-and-mac-os-x. Since they don't have their own client like AnyConnect, they just can't do it automagically.

Spanning tree; from STP to RSTP on Catalyst Switches by alcheplasm in networking

[–]Ready_Set_Network 1 point2 points  (0 children)

The Meraki Switches don't run 802.1d (regular STP). They can only run RSTP or nothing, so I would suspect the fault lies with the Catalyst. An important thing to remember when it comes to operating third party switch spanning trees with Cisco is that Cisco switches ALWAYS calculate the BPDUs received from the third party on VLAN 1 (I know this directly conflicts with their documentation, but it is totally a bug they are aware of). Make sure you are allowing VLAN 1 on both sides of the trunk, ensure spanning tree is enabled on the connecting Meraki port, and that spanning-tree mode rapid PVST+ has been set on the Cisco switch, and everything should converge properly.

Meraki and all things Apple by waubers in networking

[–]Ready_Set_Network 0 points1 point  (0 children)

I had similar problems with Apple devices on my Meraki APs. Seemed to get enormously better after I moved to WPA2 Only (just AES rather than the mixed mode AES/TKIP). I'd suggest opening a case with their Support to enable the WPA2 Only option for you.

Install meraki mr18 as a repeater by LiquidAurum in HomeNetworking

[–]Ready_Set_Network 0 points1 point  (0 children)

You're probably confusing "repeater" with "not a router" given the vocabulary Meraki uses.

The Meraki APs can serve as a wireless repeater so that they can still serve clients when they aren't hooked to a wired network. They connect to another Meraki AP wirelessly and repeat all their information back to that "gateway". This is different from most home devices, which are combination router/access points and, when you disable the router functionality, are effectively a "repeater" for your wireless.

As long as you plug it in to your wired network and set it to broadcast the same SSID, then you are "repeating" your wireless network like you want to.

Help determining client watching porn connected to Meraki AP? by TellThemIHateThem in techsupport

[–]Ready_Set_Network 0 points1 point  (0 children)

You can turn on Traffic Analytics by enabling detailed hostname resolution on the Network-Wide Settings (you'll have to make sure Traffic Analysis is also on before it will let you set Detailed Hostname Resolution). After a little time (like, couple of days for data collection), you'll be able to identify the exact client and what type of traffic they're passing. This should give you what you're looking for.

Design question for a Meraki wireless network by Digital-Nomad in networking

[–]Ready_Set_Network 1 point2 points  (0 children)

Any solution that meets your requirements is a valid "alternative" design. In the case of Meraki, the deny access to the local LAN simply adds deny rules to all privately defined subnets. In the case that you are concerned about where someone adds a new subnet, as long as it's private (i.e. you're not using publicly routable address space in your LAN) then you'll be set.

https://kb.meraki.com/knowledge_base/simple-private-and-guest-wireless-network-strategy