Hands up all network admins who’ve heard the words “the network’s slow”. We’ve all been there, and in this post, we’re going to take a look at how policies can be used as one approach to fine-tuning your increasingly congested network. First things first: a problem has to be understood before it can be fixed. Fortunately, the Cisco Meraki solution has excellent, comprehensive application-layer visibility into how network bandwidth is being consumed, and it’s also easy to identify the time-sinks — those applications which consume little bandwidth, but plenty of time. Twitter, anyone?
Having identified applications and behavior which could potentially impact overall network experience, it’s time to bring out the tools to begin tuning, and as you’d expect, Cisco Meraki provides a comprehensive toolkit for the job, including:
- Network policies
- Group based
- Access policies
- SSID based
- Device based
Network policies
Sometimes referred to as global policies, these are the rules which apply to all network users, and therefore the ones to use with most care. The MX Security Appliances and MR Wireless Access Points both provide bandwidth limiters, Layer 3 and Layer 7 category-based firewalls, traffic shaping and content filtering. The dashboard controls are super-intuitive, really exemplifying the benefits of a well thought-out user interface.
Group Based
Applying universal rules may not be the most realistic way to police your network. If we take the example of social networking, it may be considered an essential tool for the marketing team, less so for other departments. Rather than a blanket ban, it makes sense to apply custom policies to each group of users. The admin could allow unrestricted access to social media for one team, while shaping traffic elsewhere to ensure business-critical apps aren’t impacted by all those cute cat videos. For educational environments, it’s possible to configure safe web searching and YouTube for Schools within these group policies. Group policies can be applied to clients manually, or the process can be automated by allocating sets of rules to specific LDAP groups.
(Screenshot: LDAP group called ‘Guests’ with the custom policy ‘Guest’ applied to users within that group.)
Access Policies
Access policies deal with the network perimeter, i.e., do we allow a given user onto the network or not? This policy is more common in enterprise environments and can be based on either 802.1X or on a list of approved device MAC addresses. An optional guest VLAN can be provisioned to ensure everyone gets at least some level of network access.
SSID Based
Within the Meraki wireless environment, network admins can apply policies to individual SSIDs. This might be useful if looking to prioritize performance for employees over guest users, for example. Bandwidth limits (per-client or per-SSID on each AP), firewall rules, traffic shaping and content filtering can all be configured separately for each SSID. Oh, and there’s one more thing…
Device Based
Still configured on a per-SSID basis, but useful enough to consider on its own, device-based policies are becoming increasingly useful as the number of devices joining our networks grows. A set of custom rules can be applied to a range of device types, as the screenshot below shows.
(Screenshot: Assign policies automatically based on device type.)
In this way we can ensure that devices officially sanctioned for use on the network can be given preferential treatment over, for example, personally owned devices brought into the workplace.
Putting it all together
What’s really interesting about all this control is just how granular we can get with our policy design with minimal effort. Consider a rule for Android devices which joined our guest network, restricting YouTube bandwidth to 1 Mb/s and blocking all music streaming services. It takes just two minutes to configure. Today’s networks are far more fluid than those a decade ago. Not only is the volume of traffic so much higher, but the variety of applications and devices has expanded significantly. At a headquarters, where bandwidth is abundant, concerns over network performance may be minimal. On a branch site hanging off a DSL connection, however, controls like these can prove enormously helpful. Is your network running like a finely tuned engine?
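To make the layering concrete, here is an added worked example (written for this post, not Meraki’s own code or API) covering both the access-policy section and the “putting it all together” scenario above. It models the four layers in the order they get more specific (network-wide, SSID, LDAP group, device type), admits a client at the perimeter via 802.1X or a MAC allow-list with an optional guest VLAN fallback, and then resolves the effective policy for one client and one application. Every policy name, application label, VLAN number, MAC address and bandwidth figure is a constructed assumption; the merge rule (firewall blocks accumulate across layers, shaping limits are overridden by the most specific layer that sets them) is an illustrative simplification, not a statement of how the dashboard itself orders rules.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed example: a toy model of layered network policy resolution.
# Names, apps, VLANs and limits below are invented for illustration only.

@dataclass(frozen=True)
class Policy:
    name: str
    blocked_apps: frozenset = frozenset()               # L7 denies; accumulate across layers
    bandwidth_kbps: Optional[int] = None                # per-client cap; None = inherit
    app_caps_kbps: dict = field(default_factory=dict)   # per-app shaping; a None value lifts a cap

@dataclass
class Client:
    mac: str
    ssid: str
    device_type: str
    ldap_group: Optional[str] = None
    dot1x_authenticated: bool = False

# --- Access policy (the perimeter): who gets on, and into which VLAN ---
APPROVED_MACS = {"aa:bb:cc:00:00:01"}   # constructed MAC allow-list
CORP_VLAN, GUEST_VLAN = 10, 99

def admit(client: Client, guest_vlan_fallback: bool = True) -> Optional[int]:
    """Return the VLAN the client lands in, or None if it is refused outright."""
    if client.ssid == "Guest":
        return GUEST_VLAN
    if client.dot1x_authenticated or client.mac.lower() in APPROVED_MACS:
        return CORP_VLAN
    return GUEST_VLAN if guest_vlan_fallback else None

# --- Policy layers, least to most specific (all constructed) ---
NETWORK_POLICY = Policy("network-wide", blocked_apps=frozenset({"bittorrent"}),
                        app_caps_kbps={"social": 500})
SSID_POLICIES = {
    "Corp": Policy("ssid-corp", bandwidth_kbps=50_000),
    "Guest": Policy("ssid-guest", bandwidth_kbps=5_000),
}
GROUP_POLICIES = {
    "Marketing": Policy("group-marketing", app_caps_kbps={"social": None}),  # lift the global cap
    "Guests": Policy("Guest", blocked_apps=frozenset({"smb"})),
}
DEVICE_POLICIES = {  # keyed by (SSID, device type)
    ("Guest", "Android"): Policy("guest-android",
                                 blocked_apps=frozenset({"spotify", "pandora"}),
                                 app_caps_kbps={"youtube": 1_000}),
}

def effective_policy(client: Client) -> Policy:
    """Merge the layers that apply to this client into one effective policy."""
    layers = [NETWORK_POLICY,
              SSID_POLICIES.get(client.ssid),
              GROUP_POLICIES.get(client.ldap_group),
              DEVICE_POLICIES.get((client.ssid, client.device_type))]
    blocked, bandwidth, caps, names = set(), None, {}, []
    for layer in filter(None, layers):          # skip layers with no matching policy
        names.append(layer.name)
        blocked |= layer.blocked_apps           # denies only ever accumulate
        if layer.bandwidth_kbps is not None:    # more specific layer overrides the client cap
            bandwidth = layer.bandwidth_kbps
        caps.update(layer.app_caps_kbps)        # more specific layer overrides per-app caps
    return Policy("+".join(names), frozenset(blocked), bandwidth, caps)

def verdict(client: Client, app: str):
    """(vlan, action, limit_kbps): action is refused, blocked, shaped or allowed."""
    vlan = admit(client)
    if vlan is None:
        return (None, "refused", None)
    pol = effective_policy(client)
    if app in pol.blocked_apps:
        return (vlan, "blocked", None)
    limits = [l for l in (pol.app_caps_kbps.get(app), pol.bandwidth_kbps) if l is not None]
    return (vlan, "shaped", min(limits)) if limits else (vlan, "allowed", None)

if __name__ == "__main__":
    android_guest = Client("11:22:33:44:55:66", "Guest", "Android", ldap_group="Guests")
    print(effective_policy(android_guest).name)
    print(verdict(android_guest, "youtube"))   # YouTube held to 1 Mb/s on the guest Android policy
    print(verdict(android_guest, "spotify"))   # music streaming blocked
```

Running it shows the effect the post describes: the Android device on the guest network inherits the network-wide block list and the guest SSID client cap, then picks up the device-type rule that caps YouTube at 1 Mb/s and blocks the music services, while a marketing user on the corporate SSID has the social-media cap lifted by their group policy.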