It’s never fun when your network suddenly stops working, especially when the problem turns out to be more subtle than those configuration changes you just saved. Even worse: your network seems to be smoothly humming along, but you’ve been compromised unknowingly. What could cause such catastrophic behavior? Rogue DHCP servers on your network.
DHCP is one of those Layer 2 protocols you never notice until it crashes or misbehaves. But, while DHCP may often be treated like the proverbial ugly stepchild, neglecting DHCP security comes with significant risk. After all, DHCP provides clients connecting to your network with IP addresses and configuration parameters such as subnet mask, default gateway, and DNS server information.
If these parameters become corrupted, the smooth flow of network traffic can abruptly halt. Worse, if a setting such as the default gateway is maliciously defined, network security is immediately jeopardized but you may not immediately notice. This makes detecting rogue DHCP servers paramount, especially given the ease with which they can be deployed.
Meraki’s switches operate at the same TCP/IP layer as the DHCP protocol and record which devices are sending DHCP server traffic. You can easily see if a non-authorized device is replying to DHCP requests from connecting clients.
View a list of all network devices replying to DHCP requests for the last month.
The image above shows that a device named Godzilla is replying to DHCP requests made by several clients on Meraki’s network. You can see Godzilla’s MAC address, as well as the VLANs and subnets it is servicing DHCP requests for. To get a more detailed view of any particular reply, you can click view packet:
View individual replies to client DHCP requests and learn what IP parameters may be corrupted.
This view provides the details of a DHCP server reply, including the IP address being offered to the connecting client and additional parameters such as lease time, subnet mask, default gateway, and DNS server information.
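To make those reply details concrete, here is an added example (not Meraki's code or any project's) that decodes a DHCP server reply into the parameters shown in that view and flags the reply when its server identifier is not on an assumed allow-list; the addresses and the sample OFFER are constructed.

```python
# Added example (not Meraki's code): decode a DHCP server reply (OFFER/ACK)
# and flag it when the replying server is not on the authorized list.
import struct
from ipaddress import IPv4Address

AUTHORIZED_SERVERS = {"10.0.0.1"}   # assumed allow-list of legitimate DHCP servers
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field

def parse_dhcp_reply(pkt: bytes) -> dict:
    """Extract the client-visible parameters from a BOOTP/DHCP reply."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if pkt[0] != 2:                  # op=2 is BOOTREPLY, i.e. server -> client
        raise ValueError("not a server reply")
    result = {"offered_ip": str(IPv4Address(pkt[16:20])), "dns": []}  # yiaddr
    i = 240
    while i < len(pkt):
        tag = pkt[i]
        if tag == 0:                 # pad option: one byte, no length field
            i += 1
            continue
        if tag == 255:               # end option
            break
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        i += 2 + length
        if tag == 1:
            result["subnet_mask"] = str(IPv4Address(value))
        elif tag == 3:               # router list: first entry is the default gateway
            result["gateway"] = str(IPv4Address(value[:4]))
        elif tag == 6:
            result["dns"] = [str(IPv4Address(value[j:j + 4])) for j in range(0, length, 4)]
        elif tag == 51:
            result["lease_seconds"] = struct.unpack("!I", value)[0]
        elif tag == 53:
            result["msg_type"] = {2: "OFFER", 5: "ACK"}.get(value[0], value[0])
        elif tag == 54:              # server identifier: which server answered
            result["server_id"] = str(IPv4Address(value))
    return result

def is_rogue(reply: dict) -> bool:
    """A reply from any server not on the allow-list is treated as rogue."""
    return reply.get("server_id") not in AUTHORIZED_SERVERS

def build_sample_offer(server_ip: str, gateway: str, dns: str) -> bytes:
    """Constructed DHCPOFFER so the example runs offline; not a real capture."""
    hdr = bytearray(236)
    hdr[0] = 2                                          # BOOTREPLY
    hdr[16:20] = IPv4Address("10.0.0.50").packed        # yiaddr: offered address
    opts = (b"\x35\x01\x02"                             # message type: OFFER
            + b"\x36\x04" + IPv4Address(server_ip).packed   # server identifier
            + b"\x33\x04" + struct.pack("!I", 86400)        # lease time (seconds)
            + b"\x01\x04" + IPv4Address("255.255.255.0").packed
            + b"\x03\x04" + IPv4Address(gateway).packed
            + b"\x06\x04" + IPv4Address(dns).packed
            + b"\xff")
    return bytes(hdr) + MAGIC_COOKIE + opts
```

Feeding `build_sample_offer("10.0.0.99", "10.0.0.99", "10.0.0.1")` to `parse_dhcp_reply` models a Godzilla-style server handing itself out as the default gateway, and `is_rogue` flags it because 10.0.0.99 is not on the allow-list.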
If Godzilla were not an authorized DHCP server, we could easily contain it. Simply search for Godzilla’s MAC address in the Monitor > Clients page to determine which switch and port it is connected to. Click into the connected switch and drill down to the individual port.
Port-level view of Godzilla, giving more details about the device.
Click “Edit configuration” and disable the port servicing Godzilla. This immediately disconnects the device from your LAN.
Port configuration settings allow you to disable a port and make several other useful changes
Detecting and disabling a rogue DHCP server is as simple as that. With the immediate threat contained, you can now track down the physical location of the rogue device. Re-enabling the port is as simple as repeating the steps above and selecting “enabled” in the port configuration menu.
Recent updates have made this DHCP server visibility possible at the switch level, so stay tuned for more posts detailing new features!
Over the past few years, we’ve seen an increasing trend toward using mobile devices in classrooms. As a key learning platform, this implementation of technology is positioned to have a significant effect on the future of the K-12 environment. In an effort to prepare districts for deployments, we hosted two special webinars: in the first, Eric Curts from North Canton City Schools shared tips on optimizing your district’s network, while the second covered strategies for iOS deployment models and device management, restrictions, and more.
Providing Secure BYOD at North Canton City Schools
Eric Curts, Technology Director at North Canton City Schools, joined us to share how he is using the Meraki solution to support BYOD, as well as school-issued tablets and desktops across 7 schools. By using custom L3/L7 firewall rules, L7 traffic shaping, and device policies, he created a secure network ensuring safe browsing and bandwidth prioritization for educational applications.
See how easy it is for Eric to manage his network on the fly and support a growing mobile device initiative.
The Ultimate Guide to iOS Deployments for K-12
When preparing your school’s network to handle iOS device deployments, you have options! We’ve created a great deployment guide outlining strategies and tips for successfully supporting and managing content on these devices, including supervising devices, managing restrictions, deploying apps, and more.
Whether student-owned or school-owned, check out the Solutions Guide for detailed information and ownership models and look for upcoming webinars where we’ll take a deep dive into deployments.
I spent some time (1) poking around, looking for what chipset it used for WiFi, to see if it was the Broadcom BCM 4335 that some reports had indicated. Unfortunately, the only Broadcom chip photographed was a 4752 which is used for GPS. There’s also a Qualcomm “ESC6270” but I think that’s a version of the Gobi QSC6270 3G modem. So, the search continues for the first chipset vendor to ship 802.11ac on a mainstream phone… (2)
(1) Ok, way too much time.
(2) Anyone who wants to send me my very own HTC One or SGS 4 so I can perform my own teardown – well, go ahead.
As IT Director of Drs. Goodman & Partridge, OB/GYN, Matthias Goodman manages the network for the practice’s 15 locations across Arizona. Earlier this week, Matthias joined us for his first webinar to explain how he deployed Meraki wireless to upgrade outdated APs and quickly expanded to Meraki security appliances and switches. Using Meraki’s comprehensive single pane of glass networking solution, Matthias and his lean IT staff are able to manage the rapidly growing OB/GYN practice even as it brings several new offices online this year alone.
With Meraki, Matthias is able to support the practice’s demanding EMR application, sustain reliable connections for offices with connectivity issues, and provide secure guest WiFi with scheduled SSID availability.
Watch the video to find out more about how Meraki helps Matthias keep up with Drs. Goodman & Partridge’s rapid growth.
Mobile apps are changing the way we work, play, and literally how we get around. San Francisco-based Uber has been in the news lately because of how they’re using mobile technology to transform the transportation and logistics industry.
At Meraki, now part of Cisco, we’re happy to be at the forefront of how mobile is transforming businesses with solutions like Meraki Systems Manager that enables Mobile Application Management (MAM).
As Uber has expanded into 30 markets across North America, Europe, and most recently Asia, they’ve adopted Meraki Systems Manager to support their UberDriver mobile app, which powers their business and dispatches ride requests to their drivers.
As mobile applications become an integral part of business operations, more and more businesses are deploying custom, internal apps not distributed through traditional public app stores. Systems Manager’s Enterprise Apps feature enables businesses to securely deploy their proprietary apps to their fleet of mobile devices using our cloud-based device and application management platform.
The Enterprise Apps feature allows an administrator to host their own app and simply provide a URL to it, or to securely upload it to Meraki’s servers for deployment to their mobile devices. The feature also includes options to selectively remove the app from the device and to prevent backing up app data to an unauthorized iTunes account.
“Every Uber partner has an iPhone in each of their cars. Keeping track of which partner had which phone and dealing with lost or stolen devices used to be a time-consuming manual process,” says Bryan Stitt, Uber’s Infrastructure Engineer. “With Meraki SM, Uber can remotely manage and monitor all of our devices with just a few taps.”
Android users need not worry: Systems Manager also provides the ability to deploy custom Android apps that are not in the Google Play or Amazon Kindle store using the Backpack feature in Systems Manager. Android application packages can be pushed out via Backpack and subsequently installed on the device.
We’re excited to see companies like Uber—who also use Meraki’s wireless products—using mobile technology to rethink and transform mature markets like transportation.
If you are an organization looking to deploy your own Apple iOS or Android Enterprise Apps, get on board with Meraki’s Systems Manager: it’s 100% free and takes some of the hassle out of going mobile in your business.
Last week, we had several great webinars highlighting Meraki products in action. From Retail to K-12 to Healthcare, we showed how you can use granular analytics to improve business, leverage your switches to do more for you, and gain six-figure cost savings with wireless and security appliances.
Enabling the Next Generation Retail Experience with Dynamic Analytics
Deep visibility into the users, devices, and applications on your network gives you insight into not only who is accessing your business’ network, but how they’re using it. We showed you some of the innovative ways you can create a smarter shopping experience by using your network to turn potential clients into loyal, repeat customers and improve customer experience.
Check out the video to learn how to increase conversion rates, drive store visits with targeted offers to mobile devices, increase foot traffic, integrate network sign-on with your CRM, and much more.
Your School’s Switch Should Do More Than Just Switch
Keep your school’s network ahead of the curve by making your switches work harder for you. In this webinar, we worked through many common problems that K-12 IT teams face daily and showed how simple they were to troubleshoot with Meraki’s intuitive cloud-managed switches.
Find out how you can easily monitor the use of your network, manage settings on the fly, and spend more time on what’s really important.
A Case Study: ABHOW’s Path to Six-Figure Savings
Chris Franks, Corporate Network Manager at American Baptist Homes of the West, shared his experiences easily managing a distributed network of 43 senior living communities across 4 states, supporting 5,000+ residents. With Meraki wireless APs and security appliances, Chris has created a more efficient and scalable network thanks to features like Layer 7 traffic analysis, site-to-site VPN, and WAN optimization.
See how simple it is for Chris to gain complete control over his network while he saves hundreds of thousands of dollars by replacing MPLS and using Meraki devices.
Meraki’s Systems Manager teams have been hard at work, and we’ve been delighted to receive your feature requests from the built-in “make a wish” button at the bottom of every page in the Meraki dashboard. I’m happy to share a handful of new features we’ve recently rolled out in Systems Manager: enrollment restrictions, HTTP global proxy, granular profile installation, and additional privacy settings.
Enrollment restrictions allow you to set the IP ranges from which a device may enroll into Systems Manager. This restriction only applies during the enrollment phase, and, once enrolled, the device can receive monitoring and management commands while connected to any network.
Enrollment of devices that are connected to a Meraki network can be streamlined through automatic discovery and enrollment into Systems Manager, but a simple checkbox prevents devices from enrolling without a code.
Device enrollment restrictions
HTTP global proxy
Proxies force HTTP traffic through a particular server, which makes them popular solutions in schools and healthcare providers to ensure CIPA or HIPAA compliance as well as in corporate environments that filter web content. You can now configure the proxy in Systems Manager either manually or by using an automatic .pac URL, and you can push those settings to your supervised iOS devices.
Global proxy configuration
Granular profile installation
Profiles let you create different policies for different groups of devices. For example, the profile below is only applied to devices that have the “marketing” and “ipad” tags.
Granular profile deployment
The device details page now shows a detailed report of the profiles installed, checks the device’s compliance state, determines if a device is supervised, and enables granular debugging and controls.
Device profile details
In BYOD environments, IT must carefully balance device security with employee privacy. Our new privacy settings allow you to disable location or SSID tracking on a per-profile basis. Since profiles can be applied selectively to devices, Systems Manager now allows tracking of some devices but not other, more sensitive ones. IT departments can manage BYOD or corporate-owned devices while still protecting end-user privacy.
All of these features are currently live in the Meraki dashboard. If you don’t have an account already, you can sign up for free online.
Meraki has been revolutionizing the way we think about switches. Our switches can do way more than just switch, and now have even more enhanced security and power saving features. Two of these are Wake-on-LAN and port scheduling. Customers are able to realize huge power savings, security, and manageability benefits with these new additions to the product line.
Time-based SSIDs have been on Meraki wireless products for a while now, and this feature has now made its way to our switch products. Time-based ports allow us to disable ports at certain times, and even create multiple port schedules for different use cases. Below we have created an “energy savings mode” which enables ports from 8am to 5pm and disables them at all other times.
Once a port schedule is created, we can apply it to one or many switch ports just as we have done below. We even have templates for commonly used schedules such as 8 to 5 on weekdays only.
Port schedules provide several benefits, such as power savings. Some customers use time-based ports to disable PoE ports powering APs or VoIP phones. This is an easy way of turning off these devices when they aren’t required during non-business hours. Another benefit is enhanced network security. We are able to disable ports during times when they are most susceptible to a physical security attack. This prevents malicious users from connecting devices to open switch ports.
Another power saving feature is Wake-on-LAN, which allows you to power up sleeping or powered-down devices. Operation is pretty simple. The Meraki switch sends a magic packet (yes, that is the official term) containing the MAC address and VLAN of the target device. End devices configured for Wake-on-LAN listen for the magic packet even in low-power mode. When the magic packet is received, the effect is the same as pressing the power button. From there, you can access resources on the remote device.
Wake-on-LAN allows IT admins to be more flexible while reducing network operating costs. Instead of keeping every device powered up for the off chance it might be needed, we have the freedom to put devices into power saving states, with the confidence that they can still be accessed if needed.
Wake-on-LAN also greatly simplifies manageability of network resources. Without this feature, IT administrators would have to physically be on site to access sleeping devices. Wake-on-LAN allows administrators the flexibility to wake up a device from any location by utilizing the Meraki cloud platform.
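The magic packet format described above is simple enough to show in full. As an added example (not Meraki's code or any project's), the block below builds one and recognises one inside a captured payload, the same check a Wake-on-LAN-capable NIC performs; the MAC addresses are constructed.

```python
# Added example (not Meraki's code): build a Wake-on-LAN magic packet and
# recognise one in a captured payload. Format: 6 bytes of 0xFF (the "sync
# stream") followed by the target MAC address repeated 16 times.
import re
from typing import Optional

SYNC = b"\xff" * 6
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")

def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; reject anything else."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", mac))

def build_magic_packet(mac: str) -> bytes:
    """Payload the switch broadcasts on the target's VLAN to wake `mac`."""
    return SYNC + mac_to_bytes(mac) * 16

def find_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if `payload` carries a well-formed magic packet.

    A WoL-capable NIC scans the whole frame, so the sync stream may sit
    behind other bytes; all 16 copies of the MAC must match exactly, and
    the broadcast address is not a valid target."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 6 + 16 * 6]
        mac = body[:6]
        if len(body) == 96 and body == mac * 16 and mac != SYNC:
            return mac.hex(":")
        start = payload.find(SYNC, start + 1)
    return None

def wol_targets(frames) -> list:
    """Audit helper: the MACs a batch of captured payloads (constructed in
    the caller) would wake. Anything unexpected in this list is worth a look,
    since a magic packet carries no authentication of its own."""
    return [m for m in (find_magic_packet(f) for f in frames) if m]
```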
Port scheduling and Wake-on-LAN features will begin rolling out to customers in the next few weeks so stay tuned. Check out our other new switch features like traffic analytics and DHCP visibility to find out more.
We keep finding ways to simplify our customers’ network infrastructures, and our engineers have really outdone themselves on the Meraki Auto VPN solution. In a nutshell, VPNs authenticate and establish trust between peers in order to share data securely over an insecure connection. That being said, not all VPNs are created equal. I’d like to point out a few highlights of what makes the Meraki Auto VPN solution extra special when compared with a traditional VPN implementation.
Meraki’s Auto VPN operates like a regular IPsec VPN, but with one major difference. All MXs in the VPN are communicating with the Meraki cloud platform, which allows the sites to more easily coordinate and establish a VPN tunnel. The cloud platform already knows everything about the network configuration: private IP address, local subnets, WAN IP addresses, etc. Our initial VPN setup is greatly simplified with Meraki now that the Meraki cloud is playing middleman.
Auto VPN Setup
To set up site-to-site VPN, simply select split tunnel or full tunnel. Split tunnel sends only intranet traffic over the VPN, while all Internet traffic goes directly to its destination.
Split tunnel configuration needs just a single click, and local subnets are automatically populated and distributed to the rest of the network.
If you want all traffic, including Internet traffic, to traverse the VPN, then select full tunnel. For a full tunnel, you choose which firewall to use as the “full tunnel concentrator”. In the example below, the MX at headquarters acts as the concentrator, so all traffic goes through our HQ site before heading to its final destination.
Your local networks are automatically imported and you can choose which subnets you would like to advertise across the VPN tunnel, and that’s pretty much it. So, what’s next after our VPN is up and running?
Self-healing Auto VPN
There are a variety of events that, under normal circumstances, would require our network admins to re-configure the VPN, but thankfully, the Auto VPN keeps our network up and running on its own. A change in the public IP address would put a normal VPN into a tailspin. For example, an interruption in your WAN connection could cause your network to fail over to a secondary connection or 3G or 4G connection. The secondary connection would have its own public IP address and break the VPN tunnel. Instead, Auto VPN is able to communicate the IP address change to all VPN peers, and the VPN tunnels are automatically re-established.
A change in your local network subnets or a change of a rolling encryption key would also normally result in some intervention by a network admin. The Meraki Auto VPN mitigates these network interruptions by keeping both sides of the VPN up to date on their neighbor’s status. Any change on one end would require a redo of the VPN configuration because both sides must match, but with the Meraki cloud helping out, both sides automatically get updated when there are changes.
Something unique to the Meraki Auto VPN is that it is a mesh by default. This means that when you add another site, a site-to-site VPN is created between that peer and every other site. You don’t need to go back and configure the route to the new peer at all of the existing peers. Below, we can check out the remote VPN participants on the Meraki Corp network, which are automatically imported when we turn on VPN.
Easily monitor VPN status and find sites via the integrated map.
This type of configuration has a few advantages. It is extremely reliable, because all of our peers can still communicate if the main site goes down. A mesh configuration also offers reduced latency for sensitive applications like VoIP, because each spoke can talk to the other spokes directly.
We hope you like these auto VPN features as much as we do and we are looking forward to hearing your feedback when you try it on your own network. Check out how a couple of our customers (Vector Media and Essex Property Trust) are using the Meraki MX for VPN already.