Category Archives: Meraki

A Little PCAP Reader for iOS + Meraki Remote Capture = Handy

I had been pecking away at a problem at a remote site, where phantom ringing was driving staff nuts on their Ring Central VoIP phones. I’ll spare you all the nasty things I want to say about the frailty of Ring Central phones and try to stay on topic… These devices are clients on a Meraki network, which means that you can capture their packets remotely, while doing analysis locally.


It’s a nice feature, as it really helps you to exercise a common network troubleshooting task that traditionally requires you to be within the network environment to carry out. I had left the office, and my Wireshark-equipped workstation behind for the day, but found myself with free time, my iPad, and the phantom ringing problem on my mind.

Hmmm. I wonder if there are any PCAP-related apps for iOS? I doubt it, but what the hell… Let’s take a look and see if there is anything I can break down those remote capture files with… If I had my PC with Wireshark on it I wouldn’t need this… But all I have is my iPad… Let’s see.. 

Whoa- what’s this?

It’s an app for iOS called Telluric, and it reads (to a certain extent) packet capture files. It doesn’t do 802.11 radio header stuff. It doesn’t actually CAPTURE packets. You can’t really do display filtering or fancy stuff like Wireshark can. But it does do a decent job when no other tools are available, provided you have access to remote packet capture and local download (or can have someone send you a pcap file).

Sure, it’s a niche app of limited value. But it helped me find the source of my problem when I had no other real options:


It’s time for a firewall rule. Sorry, Mr. Vicious.

(I do know that there are online resources for dumping and analyzing packet capture files. Don’t ruin the mood.)
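As an added example (not part of the original post, and unrelated to how Telluric works internally): a minimal reader for a downloaded capture that tallies UDP senders per destination port, the kind of view that points to an unexpected outside source hitting a phone. It assumes a classic libpcap file with Ethernet link type and IPv4; the function names, addresses, and UDP port 5060 in the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def udp_talkers(pcap: bytes) -> Counter:
    """Count (src_ip, dst_ip, dst_port) for each IPv4/UDP packet in a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    talkers, off = Counter(), 24              # records follow the 24-byte file header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # truncated, VLAN-tagged or not IPv4
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        if frame[14] >> 4 != 4 or frame[23] != 17 or len(frame) < 14 + ihl + 4:
            continue                          # not UDP, or UDP ports cut off by snaplen
        if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
            continue                          # later IP fragment: carries no UDP header
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        talkers[(src, dst, dport)] += 1
    return talkers

def _frame(src, dst, sport, dport, payload=b"x"):
    """Constructed Ethernet/IPv4/UDP frame for the sample (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return b"\x02" * 12 + b"\x08\x00" + ip + udp + payload

def sample_capture() -> bytes:
    """Constructed capture: 3 packets from one outside host, 1 from another."""
    frames = [_frame("203.0.113.50", "192.168.10.20", 5070, 5060)] * 3
    frames.append(_frame("198.51.100.7", "192.168.10.20", 5060, 5060))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (src, dst, dport), n in udp_talkers(sample_capture()).most_common():
        print(f"{n:4d}  {src} -> {dst}:{dport}/udp")
```

To use it on a real download, pass the file's bytes to `udp_talkers` in place of `sample_capture()`.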


Don’t Forget About Those OTHER Meraki MX Firewall Rules

I’m a long-time user of the Meraki MX security appliance product line. Going way back to the MX-70, I have found tremendous value in what the MX products can do for my far-off sites. (Here’s an old- and I mean old- case study that gets into the early appreciation of the MX line.) I’ve probably set up maybe 65ish total MX devices through the years in multiple states and countries, doing site-to-site VPN, stand-alone, and also some pretty creative configurations. Despite my experience, I was recently reminded that I don’t know it all about a product that I feel extremely comfortable calling myself an expert on.

In one remote site that connects to the main network with site-to-site VPN, an NTP vulnerability was flagged on a couple of audio visual devices. The device vendor was of absolutely no help (go figure), and our security team asked if we could help from the Meraki side. “Oh sure…” says I. “We got a firewall to leverage.”

We needed to kibosh NTP between the remote site and the main network. I pulled up the Firewall page on the MX and set to work. This is an area in the MX I’ve probably manipulated maybe a couple of dozen times, for everything from stopping phantom ringing on 3rd-party hosted IP phones to simple outbound protocol blocks.

L3 Firewall

That image represents like three stages of desperation in getting rules right- as nothing I did worked. I simply could not tame the NTP beast to/from the two hosts, and it was making me feel silly. My first inclination was to blame Meraki- surely this stupid box must have issues! Except it didn’t… about the only thing Meraki could have done is perhaps mention on the L3 Firewall Page that there is a separate firewall rule set on the VPN configuration page for site-to-site rules. That looks like this:

Site-to-Site FW

I had just never done firewall rules for the site-to-site tunnel. I didn’t know after many years! But I did leverage the Meraki “search our documentation” repository to get educated, with this document that explains it. There’s nothing complicated about it, you just have to know where to find it the first time you need to configure rules for the tunnel versus the Internet edge.

And now you know, too.