Archive for January, 2012

Meraki’s resilient out-of-band cloud management

We recently had a great discussion with the networking gurus from wireless field day about our cloud managed architecture, and how it works under the covers. There was a lot of interest in our out-of-band cloud management: which parts of the network require connectivity to Meraki’s cloud, how customer networks are affected during a WAN failure, and what engineering advancements went into our design. We thought we’d recap the conversation for all of our customers:

At a 10,000 foot level, communication between your network and Meraki’s cloud is for management and configuration data, so if your connection to the cloud is interrupted, your network continues to function and end users won’t notice a difference. All of the features that affect data flow continue uninterrupted. For example:

  • Users stay authenticated
  • New users can authenticate
  • Firewall policies continue to be enforced
  • Data encryption/decryption is maintained
  • Layer 7 traffic shaping rules continue to be enforced
  • Wireless mesh routing operates with full functionality
  • Users can roam between wireless APs
  • VPN tunnels (site to site, teleworker, and client VPN) continue to operate
  • RF features like Dynamic Frequency Selection (DFS) continue
  • Performance remains at 100%

How does Meraki’s out-of-band cloud management work? This functionality would not have been possible 10 years ago, but thanks to Moore’s Law and clever engineers at Meraki, we’ve packed enough computing power and memory on every wireless access point, Ethernet switch, and security appliance to do all of the required packet processing internally, without any back-and-forth communication with the cloud. The packet processing software is also very tight, optimized to run efficiently on Meraki devices (similar to how engineers at Apple and Google write advanced applications for iOS and Android devices.) For some features, such as wireless mesh routing, the Meraki devices even communicate between one another on your local network (bypassing the cloud) in order to configure and optimize.

The traffic separation looks something like this:

Meraki runs multiple datacenters around the world, and every customer network is served by at least three independent datacenters. So if a natural disaster were to take out a datacenter that served your network, we’d simply fail over to another datacenter in a different part of the world. All of the configuration data, historical logs, etc. are mirrored in near-real time (at most 60-second lag, typically much less), so in these unlikely events, everything is the way you left it.

Of course, if you lose connectivity to Meraki’s cloud (say because your ISP has an outage), you will temporarily be unable to access reports or make config changes. But if your network is anything like ours, if your WAN link goes down, you’re in fire-fighting mode, not tweaking your wireless config.

As an aside, if you’re looking for a cost-effective way to improve your WAN availability, check out our MX security appliances – they’ve got built-in WAN link balancing and failover, so you can run 2 WAN connections into your network (e.g. cable + DSL, and even 3G) and the MX will balance traffic between them. If one goes down it’ll simply move all traffic to the healthy connection. Turns out this approach can save cost too…

If you do suffer a WAN outage, there are a small hand-full of end-user facing features on our wireless products that are affected if your connection to the cloud is lost. These are all convenience features, most of which you don’t get with a traditional wireless LAN. If you like the convenience and can tolerate limited functionality in the rare event of a WAN outage, enjoy them! If you’d prefer that there is zero end-user impact if your WAN connection is interrupted, don’t enable them (and use the alternatives listed below instead.) Features that are impacted by WAN failures include:

  • Native Active Directory/LDAP integration (without RADIUS)
    This is a handy feature that allows users to authenticate against your AD/LDAP server without running RADIUS. This is super-easy to configure, and is a feature that isn’t available with traditional solutions.This feature does require connectivity to the cloud, so if you want to integrate with AD or LDAP but not require cloud connectivity, simply use a traditional RADIUS configuration:

Fault Tolerant AD/LDAP Authentication using RADIUS

  • Meraki-hosted splash pages and captive portal
    Meraki hosts snazzy, mobile-friendly, and customizable splash pages that wireless users can click through (or sign on from) before accessing your network. Since these are hosted on Meraki’s servers, they are super-easy to deploy, without any additional infrastructure in your environment. Since they’re hosted by Meraki, they require WAN connectivity to function, but you can control how new user authentication will be handled in the event that you lose WAN connectivity:

    Controlling Splash Page Behavior in Disconnected Environment

  • Built-in anti-virus scan (aka NAC)
    While Meraki’s LAN-isolation firewall always ensures that untrusted clients cannot spread viruses or compromise your LAN, Meraki offers an extra layer of protection by optionally scanning clients for antivirus software before allowing them onto the network. If a client isn’t protected, they are placed in a quarantine, from which they can download AV software but can’t access any other parts of the network. This feature is unique to Meraki – no other wireless systems, cloud-managed or otherwise, offer it. We find that for many customers, a full-blown, dedicated NAC system is overkill (lots of configuration complexity, 5-6 figure price tag) but Meraki’s built-in solution offers 1-click peace of mind. If you run Meraki’s NAC and lose WAN connectivity, you can choose how the network will behave: allow clients on without a scan, or block clients until WAN connectivity is restored. Clients already on the network will be unaffected, and other access control features remain in place (firewall rules, identity-based group policies, etc.) Most of our customers didn’t run NAC at all before they deployed Meraki, so rare interruptions aren’t a major issue. But if antivirus scans during WAN outages are mission-critical, we recommend a dedicated NAC appliance (also be sure to host a downloadable antivirus package behind the firewall, since users won’t be able to go out onto the network if they fail the scan.)
  • Meraki-hosted RADIUS server
    Most enterprise (and even SMB) environments already have a RADIUS server – Microsoft Active Directory, LDAP, FreeRADIUS etc. The vast majority of our customers who use RADIUS authentication (i.e. 802.1x) authenticate against their own server, so that they have one central user database for email, calendaring, wireless LAN authentication, etc. However, Meraki also offers a cloud-hosted RADIUS server for lightweight use. This requires connectivity to Meraki, so if access during a WAN outage is mission-critical, those user accounts should reside on your internal directory server.

There’s a lot of detail about what is affected by loss of connectivity, but in the scheme of Meraki’s features, this is a short list. Our customers find in practice that Meraki’s out of band management significantly improves the reliability and resilience of their networks, combining the centralized management of controller-based systems with the fault-tolerance of a distributed architecture. If you’re already a customer, how has Meraki’s out-of-band architecture benefited your network? What else would you like to know about how Meraki works under the covers? Let us know!

It’s Almost Time for Wireless Field Day 2

We’re really excited to take part in this year’s Wireless Field Day by hosting a session at Meraki’s San Francisco headquarters on Thursday, January 26 at 4PM Pacific Time. We’re looking forward to a lively and interactive session with some of the thought leaders of the wireless networking industry. Most importantly, we can’t wait to meet the delegates that were selected for this year’s Wireless Field Day:

The delegates who are coming:

Daniel Cybulskie @SimplyWifi

Stephen Foskett @SFoskett

Wireless Field Day’s organizer, from Gestalt IT

There are several ways you can join in online. Follow @TechFieldDay and @meraki for updates, and use the hashtag #WFD2 to participate on Twitter. We’ll also be showing the live video stream of the event right here on the blog. We look forward to meeting everyone, both in person and online!

Posted in Company Blog | Comments Off on It’s Almost Time for Wireless Field Day 2

Introducing 100% Cloud Managed Switching & Security

Less than three weeks into the new year, we’re incredibly excited to kick off 2012 with two major new product introductions:

Together with our award-winning cloud managed wireless LAN, these products enable enterprises to deploy 100% cloud managed networks, adding visibility and control while eliminating the cost and complexity of traditional solutions.

Meraki MS Cloud Managed Switches

Meraki MS Cloud Managed Switches

Meraki MS Cloud Managed Switches

We’re now bringing the ease of use, visibility, and control that made Meraki famous to the edge of the wired network. MS switches are centrally managed through the Meraki dashboard and include an industry-first technology called Virtual Stacking. This enables centralized management of up to thousands of ports regardless of the locations of the switches or the scale of deployment. Of course, the MS switches also support traditional stacking.

In addition to the excellent management tools and ease of use, we’ve built the switches from the ground up to support the high performance needs of the network edge. The switches feature a non-blocking Gigabit switching fabric, PoE available on all ports of the PoE models, and the MS42/MS42P support 10 Gb uplink for stacking and high speed core connectivity.

The Meraki MS Cloud Managed Switches are available in four models:

  • MS22, MS22P: 24-port GbE switch with power over Ethernet (MS22P)
  • MS42, MS42P: 48-port GbE switch with power over Ethernet (MS42P)

Learn more about the industry’s first cloud managed switches on our website.

Meraki MX Cloud Managed Security Appliances

Meraki MX Cloud Managed Security Appliances

Meraki MX Cloud Managed Security Appliances

As if an entirely new line of cloud managed switches wasn’t enough, we’re also expanding our line of MX Cloud Managed Security Appliances by adding WAN optimization and five new hardware models.

MX Security Appliances are now available in six models that scale from branches to campus and datacenter environments:

  • MX60: Security appliances for small branch deployments
  • MX80, MX90: 1U appliances for mid-sized branches
  • MX400, MX600: Campus and datacenter-class appliances scaling to over ten thousands users, with 10 GbE connectivity and high availability features

WAN optimization

We’ve also added WAN optimization to the MX, allowing network administrators to dramatically reduce branch bandwidth consumption and accelerate application performance. Using a variety of technologies, intra-site bandwidth can be reduced by up to 99%. Applications such as Windows file sharing (CIFS), FTP, HTTP, and generic TCP-based applications can be accelerated up to 209X over un-optimized connections.

WAN optimization is configured and enabled with a single click in the dashboard, and it’s included at no additional charge in the MX Enterprise and Advanced Security licenses.

Cloud management for all parts of the network

Finally, it’s here: cloud managed networking for all parts of the network. Using Meraki wireless LAN, Gigabit switching and security appliances, it’s now possible to have unified, single pane-of-glass visibility and control of the entire cloud managed network.

Posted in Company Blog | Comments Off on Introducing 100% Cloud Managed Switching & Security

A Look at Mobile Devices in the Workplace

Is your organization seeing a dramatic increase in the number of iPads and mobile devices being brought to the office?  That’s what happened at Taft, Stettinius, and Hollister LLP.  Brian Clayton, the Director of Information Systems, had to respond – and in his article “More WiFi, Less Hardware,” featured in the newest issue of Peer to Peer, a publication by the International Legal Technology Association (ILTA), he describes how he transformed his law firm’s wireless network with Meraki’s cloud-managed solution.

In response to more “bring your own device” initiatives and the growing demand for mobility, Clayton explains:

  • How Taft maintains security for the important information passing over the wireless network
  • The need for scalability, ensuring that the wireless network can grow with the company and its increasing WiFi demand
  • The seamless integration of the personal, private, and public cloud experiences in the workplace

Read Clayton’s article to see how Meraki can support mobile devices at your company.

Find ILTA’s current publication of Peer to Peer at: