Meraki

Mloraditch

I can't quite say anything more, but that was February and what I heard was much more recent but still not official.

Mloraditch

The latest guidance I've received is expect a tiered per seat license. Advanced licenses would not be required but may help with the cost. Regardless anything pre-release like this, only your Partner/Cisco AM will be able to provide any firm info (if they even can)

Mloraditch

Have you tried a factory reset on the problem switch? Upgrading to 18.1? I don't see any specific bugs fixed, but it could be worth a shot. It also just may need an RMA. Have you contacted support yet?

Mloraditch

This is the API command to do this: https://developer.cisco.com/meraki/api-v1/claim-network-devices/

Mloraditch

Yes only MXs do CF. Have you verified the events occur on the dashboard side? If they aren't there, they will not be in the API either. Perhaps someone adjusted the content filtering settings.

Mloraditch

I understand you think it's technical, but the only technical part is when you link the Dashboard to the EA and then you link your smart account(s) to the EA and then your individual products to your smart account. The licenses within the agreement have to be structured correctly for it to work the way you want. My understanding based on all the partner training I've been at and read, is that's possible. It's hard for anyone here to answer your questions specifically because we have no visibility into your specific agreement and EAs have MANY MANY options for structuring/skus/etc. This is why I suggest getting with your Cisco account team.

Mloraditch

I suspect they have the dashboard linked to the Cisco Parts database that CCW-R uses and vMX100s are not in there because they aren't hardware and weren't sold with individual serials. I suspect they never will be, although I'm sure the engineers could hardcode something so they show up.

Mloraditch

The voice vlan field enables CDP/LLDP to send that vlan number to a properly enabled device and it will put itself on that vlan. Those devices will be IP phones or ATAs usually. The errors you are experiencing sound like the phones are not handling the info properly. Suffice it to say there are some unique situations with various vendors where the CDP/LLDP info may not work right for a variety of reasons. Sometimes you have to enabled cdp/lldp on the phones, sometimes they use dhcp options for vlans, sometimes old dhcp options may interfere. Based on what you are posting both vlans work in and of themselves so that leads to me to think something is up with the phones. Can you tell us what manufacturer/model of ip phones you are using and with what type of pbx?

Mloraditch

Shared 149 and 97 in North America both have it working

Mloraditch

MS switches run completely different software than IOS Based. The tool @alemabrahao listed does not cover this type of code. I think I have occasionally seen Meraki listed on Cisco CVE announcements when it might originate from open source code that many platforms share. Regardless this vulnerability doesn't affect MS code as published.

Mloraditch

https://documentation.meraki.com/MS/Cloud_Management_with_IOS_XE/Cloud-Management_IOS_XE_Overview/Cloud_Configuration%3A_Release_Versions_and_Highlights Support for this module was added as part of 17.18 which is in beta. I don't see any caveats listed beyond that.

Mloraditch

Enterprise agreements allow for a lot of changes as long as the overall value doesn't change. This is something you need to discuss with your Cisco Account Team and Partner as only they can speak to your exact contract. I suspect what you want will be possible as management mode flexibility is a key tenant of the current licensing practices for EN SKUs.

Mloraditch

That is the correct license for that model. While you have to assign a subscription to a network, you don't have to assign it to a device so I suspect an issue you need to contact support for. Based on your screenshots, you appear to have things set correctly. Also, this may be a translation issue, but "L" licenses are only for 48 ports. You would need an "M" level license for a 24 port. There is not a feature where you can borrow a higher tier license for a lower product with Meraki.

Mloraditch

There is not a built in alert for this. You can always give feedback so it gets added to the official consideration list: https://documentation.meraki.com/General_Administration/Other_Topics/Give_your_feedback_(previously_Make_a_Wish)

Mloraditch

Can you or someone check the 365 logs, they might be more elucidating? Are you able to test with any other smtp relays or services?

Mloraditch

This indicates the AP is factory reset and not joined to a network. If it is joined in the dashboard to a network, then it is not online properly. You can join that ssid and go to the local status page to try to get an idea of why: https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#MR_Series_(includes_Catalyst_Meraki-Managed_mode_wireless_series) Could be general ip connectivity, could be dns. The AP could also be broken. You can try factory resetting it locally as well. If you Meraki switching, support can packet capture on the uplink port and see if they see a good or bad set of traffic. FYI, If it is dead, as an outdoor model, it only has 1 year of warranty for replacement, so if it shipped further back you'd have to buy a replacement if dead, but you can reuse the license.

Mloraditch

I understand your frustration. Make sure you have submitted feedback: https://documentation.meraki.com/General_Administration/Other_Topics/Give_your_feedback_(previously_Make_a_Wish) and you can also reach out to your Cisco AM.

Mloraditch

Just a few fixes: New feature highlights Group Policy ACL on MS130 & MS150 Maximum MAC support in MAC Allowlists 802.1x limited access mode with pre-auth GPACL Local Status Page connectivity diagnostics enhancements Layer 2 multicast live tool Traffic Mirroring: RSPAN & VLAN Based SPAN Fixed issues General fixed issues Fixed a bug that sometimes caused switches in stack configurations to fail to remove older entries from the MAC forwarding table Ms150 fixed issues Fixed a bug that sometimes caused MS150s to experience transmission errors and lose connectivity until they were rebooted Ms425 fixed issues Resolved an issue that caused clients authenticating via 802.1X with an access policy using hybrid authentication to not correctly log their RADIUS sessions Fixed an issue that caused some switches in stack configurations to experience high CPU utilization in multicast scenarios that sometimes resulted in network instability Known issues General known issues MS130 and MS150 switches may not properly display IPv6 RA packets in dashboard packet captures MS130 and MS150 switches may incorrectly remove or update SGT tags when no policy or VLAN mapping is defined. Until a firmware fix is available, correct SGT tags can be preserved by defining a policy for the SGT group in Adaptive Policies, and binding the SGT group to a VLAN using VLAN profiles. In rare circumstances switches may experience uplink instability when IPv6 link-local addresses are enabled. If this issue is encountered it can be resolved by enabling IPv6 RA Guard to block ICMPv6 neighbor discovery messages. Some switches may encounter an error, "incompatible configuration for attributes: allowed_vlans" when attempting to aggregate ports regardless of allowed VLANs configured in Dashboard Ms120 known issues Switches may fail to provide PoE power to legacy access points (always present) Cable tests may report incorrect cable lengths Ms150 known issues Wireless clients may lose connectivity when roaming between access points connected to different members of the same switch stack Ms225 known issues MS225 switches may infrequently stop forwarding client traffic until the switch is rebooted Ms350x known issues Switches may experience an unexpected reboot (present since MS 15) Ms355 known issues Switches in stack configuration may experience some ports failing to reconnect after a firmware upgrade Ms410 known issues Some MS410 switches may encounter alerts for fan failures that will eventually self-resolve Ms425 known issues In rare circumstances MS425 switches may encounter a software crash that results in a reboot

Mloraditch

There is a move to make major versions numbers match the years, some product teams are doing it, some are not. Oddly The security BU is not, but I guess since Meraki goes in the Networking BU which is, they are doing it despite this being as security product.

Mloraditch

So you are trying to allow access to teamviewer? If so you want to review the documentation on FQDN rules: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#FQDN_Support I suspect teamviewer may use a bunch of different hosts and servers and the way the MX does DNS snooping it may not be catching everything needed. Have you tried calling support? Since they can see your config, it should be fairly simple to troubleshoot with them and narrow down what the issue is.

Mloraditch

What exactly are you trying to do? Block teamviewer.com, allow it? and if allow it, what are you overriding, a more restrictive firewall rule? content filtering??

Mloraditch

I'm going to answer what I can: Q1) This completely depends on your environment. I can tell you a VMX doing nothing (i.e. freshly deployed before any traffic is sent to it) is de minimis, but in a live environment, this is entirely related to what you have in azure, if you are using the vMX just for site to site traffic or if you are using it as full firewall as well. Q2) You can upgrade your license from S to M to L, XL has been discontinued. You would have to redeploy the VMX to do this, but the config would be saved in the dashboard. Its functionally equivalent to swapping MX models in a network. Q3) I've never had to tune anything and the documents you link are referring to 3rd party vpn setups not native Meraki SD-WAN. My environments are pretty simple so others may have some thoughts. Q4) I'm not aware of any Cisco Safe guide for Meraki. Q5) As far as multiple Azure Subscriptions I would always use vnet peering inside Azure to link Subs. It's going to be cheaper than using an appliance. Now you could have more complex security requirements and at that point you need to identify your needs vis-a-vis the available solutions. Regarding logging, you have the same logs you do for any meraki in the dashboard. I've never needed to refer to any azure logging beyond deployment errors and those were usually fat fingers, but others may be aware of something else. Given the depth and breadth of your questions, I do strongly suggest working with your Meraki SE/Partner and discussing details of your actual environment. It sounds like you could have quite a complex setup and we can mostly answer in generalities.

Mloraditch

Thanks for sharing this! This image was created before the 9200s and 9200Ls were available, still in beta support at the moment, but they would slide in somewhere between the MS150s and 9300Ls. Depending on your planning timeframe, may want to look at them as well. OP, No matter what I would not be buying new MS225s at this point in time. Newer switches have mGig and uPoE which are critical for Wifi6e, 7, and beyond. I'd definitely talk to your Meraki AM/SE.

Mloraditch

The second API (get organization devices) will get you the chassis macs. I don't know anything about a BSSID repeating itself. I'd have to guess it should be impossible barring some sort of bug or hack but I don't actually know if any RFCs or similar address that.

Mloraditch

Yes the mac listed there is the primary mac of the device.

About Mloraditch

Mloraditch

Matthew Loraditch

Community Record

Badges