Fady NETDecorators
Australia
Joined 17 Aug 2015
In this channel, I will be posting some of the instructions on how to configure network-related best practices based on real-life scenarios.
Cisco Meraki Cross Domains SD-WAN Design
In this video, you will find a detailed guide on integrating two Meraki SDWAN domains - one located in mainland China and the other global. The integration process involves leveraging the Alibaba Cloud service to bridge communication across their core.
Here is the breakdown of the video:
00:00 - Introduction
01:38 - Creating vMX in Alibaba Cloud
08:14 - Establish Site-to-Site VPN across the domains
11:55 - Building Alibaba Cloud Enterprise Network (CEN)
15:31 - Control the Routing
22:18 - Summary
Feel free to check my blog post about the same design:
netdecorators.com/Meraki-China-and-Global.html
My virtual training can be found here:
training.netdecorators.com
Credits to Freepik:
www.freepik.com/free-video/a-screen-display-of-streaming-binary-numbers-loop_179154
www.freepik.com/free-vector/gradient-highlighted-china-country-map-infographic_10980274.htm
Views: 726
Videos
Meraki Single Sign On with Microsoft AD
15K views, 3 years ago
This video covers the integration part between Meraki Dashboard and Active Directory for enabling Single Sign-On across the two platforms. Here is the official Meraki document: documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Configuring_SAML_SSO_with_ADFS My virtual training: training.netdecorators.com
Meraki External Captive Portal (Github deployment)
3.8K views, 3 years ago
This video is a walkthrough of how to deploy an external Captive Portal with Cisco Meraki. The captive portal will verify the users against a MySQL database and assign a group policy based on their saved membership in the MySQL database. Lastly, a log message will be sent to a Syslog server. I hope you wouldn't mind the music in the background as it helped me while I was coding the project. so, credi...
Meraki to Microsoft Azure - Full Tunnel
17K views, 4 years ago
In this video, you will learn how to build a virtual MX in a Microsoft Azure environment. Then, create a gateway to the internet in Azure by building a virtual Cisco router. Lastly, get all the branches to tunnel their traffic to Azure and exit to the internet. Here is the breakdown of the video: 00:00 - Introduction of the setup 01:02 - Building vMX environment 04:45 - Enable Site-to-Site VPN 05:5...
Meraki Client VPN with DUO MFA
19K views, 4 years ago
This short demo covers how to use Meraki MX for Client VPN (Remote Access) and secure the authentication by using Cisco DUO for 2FA. My virtual training can be found here: training.netdecorators.com
Meraki Captive Portal API
9K views, 6 years ago
This video is a walkthrough of how to build a simple Captive Portal to capture user details (name and e-mail), save them locally on a web server, and then integrate it with Meraki Access Points. In this tutorial we used PHP and HTML. My virtual training: training.netdecorators.com
Meraki AP and Authentication
23K views, 6 years ago
Integrate Meraki to an external RADIUS server and utilize multiple options for user verification. The authentication methods covered in the video: - Mac-based authentication - Traditional Dot1X authentication with username/password - Third-party authentication. My virtual training: training.netdecorators.com
Meraki MX Technical Deep Dive (Module 6) - Popular and New
30K views, 7 years ago
If you want to access this training via a class-like experience, click below: training.netdecorators.com. Topics: Wireless Concentrator; MX in High Availability; Virtual MX (AWS). My virtual training: netdecorators.com
Meraki MX Technical Deep Dive (Module 5) - Dynamic Routing & SD-WAN
42K views, 7 years ago
If you want to access this training via a class-like experience, click below: training.netdecorators.com. Topics: MX as VPN Concentrator; MX and OSPF; SD-WAN. My blog: blog.netdecorators.com
Meraki MX Technical Deep Dive (Module 4) - Gateway
34K views, 7 years ago
If you want to access this training via a class-like experience, click below: training.netdecorators.com. Topics: MX Routing Decisions; Site-to-Site VPN; MPLS to LAN vs WAN; Hybrid Networks Best Practice; MX QoS and Traffic Shaping. My virtual training: netdecorators.com
Meraki MX Technical Deep Dive (Module 3) - UTM
47K views, 7 years ago
If you want to access this training via a class-like experience, click below: training.netdecorators.com. Topics: Firewalling Rules; Content Filtering & IPS/IDS; Port Forwarding and Traffic NATting; Client VPN; Group Policies. My virtual training: netdecorators.com
Meraki MX Technical Deep Dive (Module 2) - MX Quick Start
144K views, 7 years ago
If you want to access this training via a class-like experience, click below: training.netdecorators.com. Topics: Getting MX online; MX LAN & DHCP; MX NAT vs Pass-Through. My virtual training: netdecorators.com
Meraki MX Technical Deep Dive (Module 1) - Introduction
59K views, 7 years ago
If you want to access this training via a class-like experience, click below: training.netdecorators.com. Topics: Introduction to Meraki Gateway Landscape; Introduction to Meraki Cloud Managed Security Solution. My virtual training: netdecorators.com
Meraki AP and RADIUS integration
89K views, 7 years ago
This video covers how to integrate the Meraki platform to a Windows-based RADIUS server and then assign users to different VLANs based on their AD groups. My virtual training: training.netdecorators.com
Hi @Fady, can I set up this lab in Packet Tracer, or are there any other possibilities to get a trial license?
I noticed something: you used public IP addresses when you created your VLANs. My question is this one: in a real scenario you can't use public IP ranges as your VLANs, is that correct?
You are right, in a real-life scenario you would use a private IP range for your LAN; however, you can configure any range for your LAN as long as the subnet won't be routed to the internet.
At 12:15, you say that you "need to add a default route from my LAN pointing to the LAN side of that router", any chance you can explain, I'm a bit lost as to which part of the diagram are you referring to as your LAN?
Valid point. Logic diagram for the traffic from the spoke to the internet via Azure: Spoke --> vMX in Azure --> vMX Azure Route Table --> vRouter Azure LAN route table --> vRouter (NAT) --> vRouter Azure WAN route table --> Azure internet Gateway. So the traffic from the vMX will hit the Azure Route Table. I needed the traffic from the vMX to hit the LAN side of my virtual router. So in order for the traffic to flow from the vMX to the router, we need the Azure route table to direct the traffic towards the IP of the router. At 12:15 I was configuring the Azure route table of the vMX to point all the traffic to the LAN IP address of the virtual router. Please let me know if it's not clear and I will be happy to have a 1:1 and explain it more.
Thanks fady for sharing the amazing videos, the way you explained its great. I am waiting for your MS and MR videos.😊
Thanks mate, any specific topic you interested in?
Does the password need to be the same as the MAC address when we create the user? Our company password policy requires more complex passwords.
Hi Reza, that is only if you want to do MAC-based authentication without user credentials. This option might be good for non-dot1x capable devices. Check my other video that might help to solve your problem: Meraki AP and RADIUS integration
Nice
If your meraki managed application gets deleted in Azure do you have remove the appliance from meraki and then start the process over again?
No, you just need the token either the old one or generate a new one from the Meraki dashboard -vMX and attach it to the new application in Azure.
What about if you have 50 access points? Do you need to add each one of them as a Radius client?
Yes but you can also do range as client if those AP IPs can be summarized.
This video was 7 years ago but solved my problem today. Thank you
That is great to hear.
Great Videos..Thanks Fady
Hello, I have followed your video to setup the clients in NPS and the radius server settings in the Meraki dashboard, but when I test all the access points fail. I can ping the NPS server from the AP and we previously had setup a radius server for our VPN authentication and that works. Any thoughts why the APs are failing?
Just wondering if you added the APs subnet/IPs as clients to your NPS server?
Curious what you are using for the diagram. Seems easier to use than Visio.
Just Power point, nothing fancy :D
Hello! Thanks for the great video! I have a very similar design, but unfortunately Meraki Global can't see the Meraki vMX on Alibaba. We have a Meraki vMX on Alibaba in CN and a Meraki vMX in EU. Between them, we have a channel established by China Telecom with BGP routing inside. I've set up a test VM in the EU vMX subnet (I did the same for Alibaba). I can ping the CN vMX from the test server in EU and vice-versa. I've configured non-Meraki peers on the CN and EU hubs, but they are showing the red status. I'm not sure what IPsec policy I have to use for CN, but Meraki support didn't mention any specific one, only said they must be equal on both sides. I'm stuck in this task; some topics on reddit say AutoVPN is ok to use in CN, some say no, only non-Meraki peer. Any idea what will be the right scenario?
forgot to mention - all resources in EU are built on Azure, and we are using ExpressRoute to connect China Telecom.
Hey, so building a tunnel from outside mainland China to inside is a challenge due to the Chinese firewall, hence I suggested in this video to use the Alibaba core to route the traffic from China to outside. Can I ask why you want to build a non-Meraki VPN?
@FadyNETDecorators Hi, thanks for the reply! Basically we have a channel from China Telecom (MPLS?) which helps us to bypass the Great Firewall. I can ping the vMX in China and EU. I suppose we have two different orgs (China and Global Meraki); this is the reason why non-Meraki peering is the only option. Or am I wrong here? I simply see no options for AutoVPN on the Meraki dashboard.
If you have a private connection between China and global, then you can use routing to advertise your global subnets to China and vice versa. Here is what I mean: - The China MX connects to your MPLS and you configure the local subnets (with all your global IPs) so your Chinese network can route the traffic to them, and of course make sure the return traffic is configured - The Global MX also needs to be connected to the MPLS, with the local subnets configured with all your Chinese routes. We won't use any tunnels to connect both orgs, we will just use routing. You can configure BGP between the MXs in China & global and your MPLS; you just need to make sure that those MXs are in concentrator mode.
Excellent video!! Quick question, though: if my RADIUS is behind my Meraki, and not on the WAN... how can I connect to the RADIUS? It's not working... :(
Is there an option to route the traffic towards the internet directly from the vMX, from the remote MX over full tunnel? If this is not achievable, please help by explaining why not.
It can be achieved now by using NAT feature on the vMX so remote subnets of your MXs can be NAT-ted with vMX IP which is known within your Azure environment.
Worth mentioning the token lasts 1hr once generated so if you have a 2 party config and a delay happens using the token it will expire.
Hello, can Meraki 802.1X with a wildcard certificate be integrated without a CA?
Best video.
Hi.. I know about the max MAC support by this. Can we add more than 1000 MACs? Thanks in advance.
Hi, how did you create the wifi to which the iphone connects?
Hello. Nice write up. Question, where did you get your MX's IP address? Is it the WAN IP? Thanks
Thanks. If you are talking about the DUO cfg file, the IP there is the RADIUS server IP, not the MX. If you want to add the MX as a client to your RADIUS server then the answer is yes, the IP is the WAN IP of the MX.
@FadyNETDecorators Thanks for responding Fady. In the AuthProxy.cfg file, the ad_client host is the RADIUS IP. What about for the radius_IP_1= what should I put?
@graciesager Thanks Gracie, radius_IP_1 would be the MX WAN IP address, sorry I missed that part
@FadyNETDecorators That's what I've been using all along Fady but it keeps timing out. Seems not to be hitting AD at all. Validation is good though. Any ideas? Thanks
@graciesager That is interesting, is it possible to check the routing at least to confirm the traffic is hitting the AD?
Hi, is it mandatory for this configuration to create a Server CA? I think when you set up 802.1X in Meraki it is mandatory to have a CA server
Hey Bmuvi, Dot1x needs a certificate to encrypt the traffic and you should manage a CA to issue and control those certificates, but that has nothing to do with Meraki; it's more the way Dot1x works.
Hi Fady, just seen the video and it's great. After seeing this I was curious to know if a similar scenario works to authenticate Meraki wireless users using Azure AD through a VPN tunnel. Can we achieve this?
Hi Ravi, my colleague Yuji has written a really fantastic blog about the use case of using LDAP directly with the AP using the local Auth feature, please check the blog post here. apicli.com/2021/12/13/meraki-mr-802-1x-with-azure-active-directory/
@FadyNETDecorators I will go through it. Thanks for the quick response.
Gitex2022 Dubai ua-cam.com/video/AdMoXed3DQw/v-deo.html
I am implementing a vMX behind a FW. The question is, I have a DNAT option, so if I take your scenario with Azure FW, does it mean the IP address of the vMX and destination will be the branch office public IP address? I get only the DNAT option in the firewall.
Hi Tariq, one thing to note: Azure might not allow you to DNAT the remote subnets from the branches as they are not defined as an Azure VNET, hence I am having this Cisco virtual router NAT the branch subnets.
Hello, what about not having a user database, and we just want to have a guest data portal to catch information for free WiFi?
Hi Erick, Please check this video that I created sometime back for that use case ua-cam.com/video/LzsNZW-NpP4/v-deo.html
Volume is terrible
Sorry about that
Hi Fady. I have a simple question regarding route leakage and the LAN connection to MPLS. If you are already connecting MPLS to your WAN interface, how can you have a second connection to one of your LAN interfaces? My providers hand off with a single port. I may be totally overlooking something obvious to others... Thanks for the great videos!
Hi Eddie, I wouldn't recommend connecting the MPLS to both the LAN and the WAN of the same MX, but if you want to split your MPLS link into 2, you can use a switch and ask your MPLS provider to at least give you /29. Normally ISP will provide you /30 with a single interface.
love your explanation.
Thanks Aung
This is great. I have an issue where both MXs are showing as Master? How do I fix that? Thanks
That will happen if the MXs lose the heartbeat from the LAN side. Run a packet capture on the LAN and check if the heartbeat messages are received; if so, I would recommend opening a case with Meraki support as you might have faulty hardware.
@FadyNETDecorators Thanks for the quick reply. Is a cable to each MX250 the recommended configuration for heartbeat?
No direct cable is required. You just need the two MXs to share the same LAN; the heartbeat is happening over a multicast address
How can I do this with Azure AD?
Hey Ali, currently there is no native integration between Meraki wireless and Azure AAD. You will still need a RADIUS server to be the man-in-the-middle; something like Cisco ISE or Windows NPS would work.
@FadyNETDecorators Can I do this with a Windows server between Azure AD and Meraki?
@alisanchez3291 You should be able to use Windows NPS as a RADIUS server and connect it to your Azure AD
please have some detailed explanation for MS and MR as well. Thanks
Will do my best, anything specific you feel will be good to address on MS and MR?
This is the best step by step Meraki video I have ever found online. Great job! Just wondering if you have figured out a way to do a captive portal while keep the RADIUS private - away from public Internet?
Thanks, I have built a splash page that validates the credentials against a local database. It's not dot1x, but if you can build the logic, it will work without the need to have the DB public ua-cam.com/video/LtmaSYwjaP4/v-deo.html
Thanks for make me MX engineer
Thanks mate, happy it helped.
@FadyNETDecorators Very much helped
Hi, in your video, could you explain what the API key is and how I can get it?
Yuan, the API key is an admin key you can generate in your dashboard. Here are the steps for you to enable it documentation.meraki.com/General_Administration/Other_Topics/Cisco_Meraki_Dashboard_API#:~:text=test%20API%20calls.%C2%A0-,Enable%C2%A0API%20Access,-For%20access%20to
Hello, I would like to know what Meraki router model you are using
In this video, the MX is an MX250
@FadyNETDecorators Will any Meraki router model be able to implement this? Or do you need the MX router series?
@migy220 You actually don't need a Meraki MX or router for this implementation.
Great video series !! cheers..... do you have one that covers Meraki MS Switches & how the MX & MS devices are manage from a single platform ?
Thanks Ian. I did another training (not as detailed) but it covers MX and MS and you can access it here netdecorators.thinkific.com/courses/meraki-the-platform-of-the-future
Great tutorial. Thanks.
Great presentation. Used to working on physical devices. I see the power of Virtual Networking definitely the future.
Thanks Robert, I am also coming from the same background. I feel the right balance between Physical and virtual appliances is the winner.
Fady, nice video, question how is licensing handled in a vMX?
Hi Glenn, thanks for your kindness. Meraki has different license tiers for vMX (Depends on the size of the deployment). vMX-S / vMX-M / vMX-L (Currently not available in Azure). Below link has the specs to choose which license is suitable for your project. meraki.cisco.com/product-collateral/mx-family-datasheet/?file
I love how you explain the procedures! It was so easy to understand! Although I was hoping if you could do a tutorial on how to use ad accounts as an authentication method for signing in to Meraki APs. By the way please let me subscribe to your channel!😊
Thanks Roseria for your feedback. I will make video for direct LDAP with the AP. Stay tuned :D
Awesome
Hello Fady, I am using a 4G modem directly connected to my MX. Can I still make a client VPN or do I need a static public IP to establish it?
Hey, yes, you can do client VPN over 4G; make sure, if there is no public IP on the MX, to do port forwarding on the 4G modem. Also you can use the DNS of the MX to make it easy when the public IP changes
@FadyNETDecorators I am already getting a general public IP from the 4G modem. Can I make a client VPN with that public IP?
@shehryarsarwar3109 Yes, you should be able to use that public IP. Check the IP on the MX; if it's a private IP then you will need to perform port forwarding on that modem, otherwise it should just work.
How to connect authentication with LDAP? Such as OpenLDAP I mean
Hey Roby, you might need to follow this link documentation.meraki.com/MR/MR_Splash_Page/Configuring_Splash_Page_Authentication_with_an_LDAP_Server
I have this setup with an MX84 as DHCP server and NPS on Win2k19 eval; my NPS granted access but no IP from the DHCP server. Did I miss anything? :(
You might need to check the VLANs between the AP and the MX. If you have a switch in between, you might need to check the native VLANs as well.
@FadyNETDecorators Kewl! Thanks for the reply. My VLAN is just the default VLAN 1; I tried moving the AP (MR76) to a trunk port but still not getting an IP. My switch, by the way, is a Cisco C1000 in between my AP and the MX.
@kewlheadkewlhead4038 Try to have the MX trunk port facing the switch with native VLAN 1. Hope that would work.
@FadyNETDecorators Oops! My switch (C1000) port connected to my MX is on dynamic (desirable/auto); if I change it to trunk (VLAN 1/native) the whole network goes down, the port turns to BLK status
Hi Sir Really how well you explained, appreciate for such nice explanation .
Thanks Rahul
5 Stars
Hi Fady, your recommendation is to use a vASA and not a router for NAT and routing. I assume the same static routes and peering between the vNets applies in this scenario to force ALL traffic to egress from the vMX_RG to the "ASA_RG" via the vASA outside interface? Are there any other caveats to consider when using the vASA instead of the CSR 1000V? Specifically, should I place my VMs in the vMX_RG or in the ASA_RG?
Hi Erie, your assumption is right and the vASA will do the exact same function as the CSR1000V. No caveats out there. vMX_RG is just a name, so you can use it or change it to ASA_RG.