3/31/2023 Meraki z3 opendns updater

Hoping someone with Z3 experience can help:

Problem: Can't reach devices at the end of a site to site tunnel when connected to the office via a Z3 Teleworker.

This MX64 is the only on-prem device, very simple setup, no VLANs. It has Client VPN set up on it and it has one site to site non-Meraki tunnel to a partner company. Users on-site can connect to devices at the other end of the site to site tunnel, and when users VPN directly in to the MX64, they can connect to any local devices and to the devices at the end of the site to site non-Meraki tunnel.

I purchased some Z3 Teleworkers and connected them to the MX64, using the hub and spoke model. Each has its own subnet and is a DHCP server; that's about the only configuration I needed to do to have them successfully connect. Users with the Z3 at home connect perfectly to all on-prem devices BUT they can NOT connect to the device at the end of the site to site non-Meraki tunnel. The partner side's FW site to site tunnel has the new Z3 subnets added to it, as I expected all that would be needed would be to ensure these new Z3 subnets were 'allowed' at the partner company's end.

This section of the article describes the expected traffic flow of DNS traffic from clients after an SSID or group policy has been successfully linked to an Umbrella filtering policy.

1. Meraki intercepts the DNS query and attaches an identifier to identify which Umbrella policy this request should be checked against.
2. Meraki then encrypts the DNS query using DNSCrypt, source NATs the packet to the MR management IP, and redirects it to the appropriate Umbrella endpoint.
3. After arriving at the Umbrella endpoint, the DNS query is decrypted and checked against the appropriate Umbrella policy (based on the attached identifier) to determine if it should be allowed or not.
4. If the request is allowed, Umbrella will return an encrypted DNS response with the appropriate IP. If the request should be blocked, Umbrella will return an encrypted DNS response pointing to the Umbrella block page.
5. The client is sent the requested web page based on the applied policy.

When a Meraki SSID is initially linked, it will inherit the default Umbrella policy, which will be the last policy in Umbrella's ordered list. This shows in the Meraki dashboard as Default Policy (indirectly applied) because the default Umbrella policy was not specifically selected from the Meraki dashboard. If, for example, an admin were to assign a different policy to a network device (read: Meraki group policy or SSID) in the Umbrella dashboard, that change would be reflected in the Meraki dashboard; however, the policy would still show as indirectly applied because it was not applied from the Meraki dashboard.

NOTE: The order that policies are listed in Umbrella is important. This can be viewed by logging into the Umbrella dashboard and navigating to Policies > Policy list. The policy list in Umbrella is read in top-down order, and once a match is found for the device ID, no other policies will be evaluated. Once a policy is assigned to a network device (SSID/group policy) in the Umbrella dashboard, any policies below the one selected for the network device will not be checked against. More information can be found in Cisco Umbrella's Policy Precedence documentation.

When a Meraki group policy is initially linked, it will likewise inherit the default Umbrella policy, which will be the last policy in Umbrella's ordered list.