Hirez
Feb 3, 2003

Weber scored 49 points?

:allears: :allears: :allears:
e: 420 bad snype everyday

heh man, for some reason today meraki decided to think all of google's poo poo was in Hong Kong so I had to manually whitelist it in their stupid L7 gui thing I was bitching about last page... (luckily since it was impacting so many people, we got like 10 people to do it so it took like 30mins but still 5 hours before meraki decided to put something up)



https://community.meraki.com/t5/Security-SD-WAN/Google-com-incorrectly-Geolocated/td-p/129810

also shows how terrible their layer7 filtering stuff is; ie. no logging at all even with syslog, had to packet capture and for some reason only maxmind (meraki's geo2ip vendor or whatever) was showing all this google stuff in Hong Kong



also their temp-fix was their engineer just saying to whitelist hong kong til they figure out whats going on :cool:



e: oh they just fixed it and lol gently caress them :>

We have worked with our GEO IP vendor and identified a root cause for this issue. Meraki Engineering has pushed a fix to remediate the issue. The fix will apply based on the configured list update interval settings which can be configured under SD-WAN > SD-WAN & traffic shaping.

For a more immediate update, users can change their current content rules to a full list or top sites, wait for a configuration update, and revert the changes back to the previously configured setting. These settings can be found under SD-WAN > Content filtering.

Hirez fucked around with this message at 18:52 on Sep 24, 2021


Thanks Ants
May 21, 2004

#essereFerrari


Honestly for what you're doing it sounds like Meraki isn't the way to go. I use it a fair bit for the auto VPN feature between companies split over multiple locations who want to blend different types of connectivity, but I have static routes out to other boxes (TNSR, MikroTik) when I need to have complicated VPN setups and things like that.

Aware
Nov 18, 2003
Anyone deploying Versa? So far liking it a lot.

uhhhhahhhhohahhh
Oct 9, 2012
There's a lot of stuff with Meraki that annoys me. Not being able to push dACL/Group Policy via ISE to any MX appliance. WiFi on MX appliances not supporting RADIUS accounting. Security Group tagging only working on like 1 switch and 2 AP models. All seems very arbitrary.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

And rebooting a Meraki switch takes loving forever to come back up.

Hirez
Feb 3, 2003


GreenNight posted:

And rebooting a Meraki switch takes loving forever to come back up.

but it has rainbow colours you get to tell the meraki tech about while it boots up for 10 minutes... :unsmith:

e: also changing really isn't an option, our "partner company" is like a franchise of animal/dental clinics, that basically has them at every site and they're not replacing those...


but they're also dumb and decided to test out the L7 filtering without telling anyone really, and only allowing :911: & :: (because why would anyone need to access anything else)... then came all the google, office, akamai, cloudflare, etc etc requests to/from like ireland/netherlands and every day is a new website that some clinic just HAS to access and it only works on their phone :argh:

Hirez fucked around with this message at 04:43 on Sep 25, 2021

Pile Of Garbage
May 28, 2007



Meraki sounds pretty garbage. Just get a FortiGate, problem solved.

Impotence
Nov 8, 2010
Lipstick Apathy

Hirez posted:

e: 420 bad snype everyday

heh man, for some reason today meraki decided to think all of google's poo poo was in Hong Kong so I had to manually whitelist it in their stupid L7 gui thing I was bitching about last page... (luckily since it was impacting so many people, we got like 10 people to do it so it took like 30mins but still 5 hours before meraki decided to put something up)


To be totally fair, the same google ip can be anycasted to both US and HK, so i'm not really sure how you would want to deal with geoip. I see palo altos frequently drop all traffic destined toward the US when told to block china, because they think alibabacloud los angeles/san jose = china

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

What's the best way to view the configuration of a specific port? Right now I do a show run and just scroll down to it.

Filthy Lucre
Feb 27, 2006
show run interface <whatever>

show run int gig0/1, for example

You can also pipe the input to look for specific things or begin at a certain line

'show run | b interface' would start the show run at the first instance of 'interface' in the config (case sensitive)
'show run | i interface' would show only the lines containing 'interface', also case sensitive

Filthy Lucre fucked around with this message at 17:04 on Oct 1, 2021

uhhhhahhhhohahhh
Oct 9, 2012

Bob Morales posted:

What's the best way to view the configuration of a specific port? Right now I do a show run and just scroll down to it.

If it's Cisco you can just add the interface to the show run command:


code:

show run interface Gig 0/1

Thanks Ants
May 21, 2004



<:smuggo:> You look at the config in your config management platform </:smuggo:>

GreenNight
Feb 19, 2006

Just click on the port in the meraki portal!

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Also you didn't specify which config, running or startup. Go Cisco.

(Junos 4 lyfe)

Bob Morales
Aug 18, 2006



uhhhhahhhhohahhh posted:

If it's Cisco you can just add the interface to the show run command:


code:
show run interface Gig 0/1

gratzi

ate shit on live tv
Feb 15, 2004

by Azathoth

Thanks Ants posted:

<:smuggo:> You look at the config in your config management platform </:smuggo:>

God no. I'm imagining some kind of java gui applet that only runs on IE6 and takes at least 10 clicks with loading screens to get any information.

Bob Morales
Aug 18, 2006



I set up 802.1x on a new 4500 at our other location in conjunction with Windows NPS. Port authorization and VLAN assignment worked fine.

Preferred methods for non-AD device authentication? Setting up users with MAC addresses as the username and password didn't work because of the domain password policy.

falz
Jan 29, 2005

As in an LDAP server that's not Microsoft AD?

OpenLDAP certainly is a thing that functions, it's usually a bit harder to administer users unless you can find a good web UI. I'd used one in the past but don't fully remember its name.

It was fine to tie in to freeradius + freebsd server auth tho.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
If it's managed devices you could just do certificate auth

Thanks Ants
May 21, 2004



Have you looked at ClearPass?

Edit: Oh, you mean you want a way of authenticating devices that aren't in AD? What type of devices are they - can they just sit on a guest network and not be authenticated and have no access to resources other than the internet?

Thanks Ants fucked around with this message at 20:43 on Oct 10, 2021

Bob Morales
Aug 18, 2006



Thanks Ants posted:

Have you looked at ClearPass?

Edit: Oh, you mean you want a way of authenticating devices that aren't in AD? What type of devices are they - can they just sit on a guest network and not be authenticated and have no access to resources other than the internet?

Yes, non-AD devices

Printers, CNC machines, random poo poo like a postage meter, video camera, time clocks, access points whatever

gooby pls
May 18, 2012



Look into doing SCEP on your certificate authority if you have one:

https://techcommunity.microsoft.com...ers/ba-p/397821

Would allow non domain resources to request a cert which could be used for .1x auth.

Bob Morales
Aug 18, 2006



gooby pls posted:

Look into doing SCEP on your certificate authority if you have one:

https://techcommunity.microsoft.com...ers/ba-p/397821

Would allow non domain resources to request a cert which could be used for .1x auth.

They don't have that set up. Is there a better way to do this? I'm not sure why the guy wants to do this so bad. I would just shut off the ports not being used. Not like people are moving stuff around anyway

gooby pls
May 18, 2012



Is there a compliance reason? 99% of my ISE projects are for clients requiring things like centralized TACACS or port security to check off their PCI audit.

Spinning up a CA for a domain is pretty trivial if you want to go the eap-tls route with cert auth.

Alternatively, most NACs will do MAB (MAC address bypass) but you’d have to compile and maintain a list of MAC addresses for allowed devices.

Bob Morales
Aug 18, 2006



I'll have to see if it's part of CMMC

We have a Forescout at this location that I have to set up

Partycat
Oct 25, 2004

Stacked radius to fallback to something supporting MAB and enrollment on the backend ?
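The switch-side half of what gooby pls and Partycat are describing (802.1X first, MAB as the fallback for devices that can't speak EAP), written out for a Catalyst running classic IOS authentication-manager syntax like the 4500 in the question. This is an added example, not configuration from anyone in the thread; the server address, shared secret, VLAN numbers and port numbers are placeholders. One caveat worth knowing before trying it against NPS: MAB makes the switch send the MAC address as both username and password (Service-Type Call-Check, PAP by default), so NPS still needs an account per MAC that gets past the domain password policy, which is exactly the wall hit above. The usual fix is a fine-grained password policy (PSO) scoped to the group holding those accounts; EAP-TLS with certificates issued over SCEP sidesteps it entirely.

```cisco
! Added example, not from any post in this thread. Catalyst IOS classic
! authentication-manager syntax (as on a 4500). Every address, VLAN, key
! and port number below is an assumed placeholder.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! RADIUS server = the existing Windows NPS (address and key assumed)
radius server NPS-1
 address ipv4 10.10.0.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
dot1x system-auth-control
!
! Edge port for a non-AD device (printer, time clock, camera):
! try 802.1X first, fall back to MAB if the device never answers EAP.
interface GigabitEthernet1/1
 description edge port - 802.1X with MAB fallback
 switchport mode access
 switchport access vlan 20
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode single-host
 ! device that fails both methods lands in a restricted VLAN, not nowhere
 authentication event fail action authorize vlan 999
 ! NPS unreachable: new sessions go to the critical VLAN instead of hanging
 authentication event server dead action authorize vlan 999
 authentication event server alive action reinitialize
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! tx-period 5 with the default max-reauth-req 2 means MAB fallback
 ! starts after ~15 s instead of the default ~90 s
 dot1x timeout tx-period 5
 spanning-tree portfast
!
! Unused ports: shut down and parked in a dead VLAN, the cheaper control
! Bob Morales mentioned, which needs no RADIUS at all.
interface range GigabitEthernet1/40 - 48
 switchport mode access
 switchport access vlan 998
 shutdown
```

The `authentication order` / `authentication priority` pair is what makes this "stacked": the port offers EAP, and only after the EAP timeouts expire does it send the MAB request, so a device that can do 802.1X is never silently downgraded to a MAC lookup. The critical-VLAN line is the part people skip and then regret when the RADIUS server is down and every printer in the building drops offline.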

Slickdrac
Oct 5, 2007

Not allowed to have nice things

Aware posted:

Anyone deploying Versa? So far liking it a lot.

If you got a trip report you're willing/able to share I'd love to hear it. We're looking at either them or Aruba as a replacement for our Cisco GetVPN mesh, and maybe as firewall replacement as well. They look pretty similar on the WAN front, but on firewall looks like Versa runs with a standard central device ACL vs Aruba doing zone base pain

Aware
Nov 18, 2003
Seems very capable so far but very geared towards ISP/Telco/MSP space. Very complicated deployment but ticks what feels like every box, if you can work out how to get a configuration deployed. We're in PoC phase for some customers and replacing leased lines with it where it makes sense.

GreenNight
Feb 19, 2006

quote:

The new firmware includes support for the following features:
- Critical/failed auth VLAN support for MS120/125/210/225/250/350/355/425/450 series switches
- Syslog support for MS390 series switches
- MS390 boot time reduction
- SNMP support for MS390 series switches
- RADIUS accounting support for MS390 series switches
- QoS support for MS390 series switches
- CoA support for MS390 series switches
- Adaptive policy support for MS390 series switches
- Alternate Management Interface support for MS210/MS225/MS250/MS350/MS355/MS410/MS425/MS450 series switches
- SecureConnect support for MS210/MS225/MS250/MS350/MS355/MS410/MS425/MS450 series switches
- STP anomaly detection events for non-MS390 series switches
- Multiple performance & stability improvements. More detailed information can be seen in the firmware changelog on dashboard.

Yessssss

uhhhhahhhhohahhh
Oct 9, 2012
Where's RADIUS Accounting on MX devices tho... and sending dACL name via ISE.

GreenNight
Feb 19, 2006

loving Meraki. So we have a stack of 8 Meraki switches that keep losing connectivity to their cloud. They still pass client traffic but they all show offline, so I can't configure switch ports or anything. I opened a case and this is their response.

quote:

Thank you for contacting Cisco Meraki Support!

Yes, currently there is a known issue with MS390s losing connectivity from the cloud and showing as offline but still maintaining no client traffic impact on the network.
Our development team is aware of the issue.

Once we receive any updates, I'll be sure to follow up!

What the gently caress, really? Do you expect me to reboot a stack of 8 switches every other week? God drat.

Thanks Ants
May 21, 2004



The 390s seem like they were panicked about not having anything properly high end and tried to make a 9300 do the job. I never hear anything good about them.

Bob Morales
Aug 18, 2006



GreenNight posted:

loving Meraki. So we have a stack of 8 Meraki switches that keep losing connectivity to their cloud. They still pass client traffic but they all show offline, so I can't configure switch ports or anything. I opened a case and this is their response.

What the gently caress, really? Do you expect me to reboot a stack of 8 switches every other week? God drat.

lol

Well that's better than not getting an answer and then hearing about it from another user on the Meraki forums

Aware
Nov 18, 2003
If you got meraki in your network I feel bad for you son, I got 99 problems but meraki ain't one.

GreenNight
Feb 19, 2006

About 100 Meraki APs
About 70 Meraki security cameras.
About 50 Meraki switches with another dozen on order cause reasons.
4 Meraki SD-WAN appliances.

Good times.

ate shit on live tv
Feb 15, 2004


GreenNight posted:

loving Meraki. So we have a stack of 8 Meraki switches that keep losing connectivity to their cloud. They still pass client traffic but they all show offline, so I can't configure switch ports or anything. I opened a case and this is their response.

What the gently caress, really? Do you expect me to reboot a stack of 8 switches every other week? God drat.

And what have we learned about shared control planes?

GreenNight
Feb 19, 2006

I guess I ruffled a few feathers. I have a meeting with our Meraki rep, his boss, and some director concerning our switch issues later today.

uhhhhahhhhohahhh
Oct 9, 2012
Am I a huge dumbass for wanting to use iBGP as an IGP inside two data centres with eBGP between them? It's like 6 devices total.

falz
Jan 29, 2005


uhhhhahhhhohahhh posted:

Am I a huge dumbass for wanting to use iBGP as an IGP inside two data centres with eBGP between them? It's like 6 devices total.

Yes, don't do that.

Just use ospf and area 0 (not proprietary eigrp), optionally something bgp related between datacenters depending on your design.

If you need ibgp, run it between loopback interfaces not physical interfaces, this is where your actual igp helps.


uhhhhahhhhohahhh
Oct 9, 2012

falz posted:

Yes, don't do that.

Just use ospf and area 0 (not proprietary eigrp), optionally something bgp related between datacenters depending on your design.

If you need ibgp, run it between loopback interfaces not physical interfaces, this is where your actual igp helps.

Does next-hop-self work with loopbacks and remove the need for another igp?

We have two ExpressRoute providers with private peering, one at each DC. We're going to have to use BGP anyway because we're using Azure vWAN and I want to use eBGP with our providers and AS Path Prepend the subnets that aren't local to each DC so that the return traffic from Azure picks the right ExpressRoute but we also get failover across our P2P links between DCs if we lose our ER provider at one of them.

So I guess I'm trying to avoid having to do OSPF <-> BGP redistribution in two places.
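The design falz is recommending, reduced to the two DC edge routers in the ExpressRoute scenario above, as an added example that is not from anyone in the thread. OSPF area 0 carries only the loopbacks and the inter-DC P2P link; iBGP runs loopback-to-loopback with `next-hop-self`; eBGP faces each ExpressRoute provider with the other DC's prefix AS-path prepended. Every ASN, prefix and address is an assumed placeholder (RFC 5737 ranges for the peering links, private ASNs for the providers). The point it illustrates: `next-hop-self` does work with loopbacks, but it does not remove the need for an IGP, because the loopback the next hop is rewritten to still has to be reachable by something, and OSPF is that something. What it does remove is any OSPF-to-BGP redistribution: OSPF never sees the Azure or DC prefixes, only the /32s and the link.

```cisco
! Added example, not from any post in the thread. Two Cisco IOS routers,
! one per DC. Every ASN, prefix and address is an assumed placeholder.
! ===== DC1-RTR =====
hostname DC1-RTR
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface GigabitEthernet0/0
 description P2P link to DC2-RTR
 ip address 10.254.0.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet0/1
 description ExpressRoute private peering, provider A (not in OSPF)
 ip address 192.0.2.1 255.255.255.252
!
! OSPF carries only loopbacks and the P2P link: that is the whole IGP job.
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface GigabitEthernet0/0
!
! DC1 summary (assumed) pinned to Null0 so the network statement has a RIB route
ip route 10.1.0.0 255.255.0.0 Null0 250
!
ip prefix-list DC1-LOCAL seq 10 permit 10.1.0.0/16
ip prefix-list DC2-REMOTE seq 10 permit 10.2.0.0/16
!
! Toward provider A: DC1 prefix as-is, DC2 prefix prepended so Azure return
! traffic prefers DC2's own ExpressRoute while it is up.
route-map ER-A-OUT permit 10
 match ip address prefix-list DC1-LOCAL
route-map ER-A-OUT permit 20
 match ip address prefix-list DC2-REMOTE
 set as-path prepend 65010 65010 65010
!
router bgp 65010
 bgp router-id 10.255.0.1
 network 10.1.0.0 mask 255.255.0.0
 ! iBGP to DC2 between loopbacks; OSPF makes 10.255.0.2 reachable
 neighbor 10.255.0.2 remote-as 65010
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 next-hop-self
 ! eBGP to ExpressRoute provider A (ASN assumed)
 neighbor 192.0.2.2 remote-as 64601
 neighbor 192.0.2.2 route-map ER-A-OUT out
!
! ===== DC2-RTR: mirror image =====
hostname DC2-RTR
!
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface GigabitEthernet0/0
 description P2P link to DC1-RTR
 ip address 10.254.0.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet0/1
 description ExpressRoute private peering, provider B (not in OSPF)
 ip address 198.51.100.1 255.255.255.252
!
router ospf 1
 router-id 10.255.0.2
 passive-interface default
 no passive-interface GigabitEthernet0/0
!
ip route 10.2.0.0 255.255.0.0 Null0 250
!
ip prefix-list DC2-LOCAL seq 10 permit 10.2.0.0/16
ip prefix-list DC1-REMOTE seq 10 permit 10.1.0.0/16
!
route-map ER-B-OUT permit 10
 match ip address prefix-list DC2-LOCAL
route-map ER-B-OUT permit 20
 match ip address prefix-list DC1-REMOTE
 set as-path prepend 65010 65010 65010
!
router bgp 65010
 bgp router-id 10.255.0.2
 network 10.2.0.0 mask 255.255.0.0
 neighbor 10.255.0.1 remote-as 65010
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 next-hop-self
 neighbor 198.51.100.2 remote-as 64602
 neighbor 198.51.100.2 route-map ER-B-OUT out
```

Failure walk-through: if DC2 loses provider B, Azure only hears DC1's prepended announcement of 10.2.0.0/16 and sends return traffic to DC1, which forwards it over the P2P link because the iBGP route's next hop is 10.255.0.2 and OSPF resolves that. Outbound, DC2 still has the Azure prefixes learned from DC1 over iBGP with next hop 10.255.0.1, again resolved by OSPF. With six devices rather than two, either full-mesh the iBGP sessions or make one router per DC a route reflector; the loopback-plus-OSPF pattern stays the same.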
