Archive for May, 2014

Startup Kit Spotlight: Simple Energy

We chose Simple Energy, located in Boulder, Colorado, to receive a Meraki Startup Kit because of the amazing energy that their application showed. After applying for a Meraki Startup Kit, CEO and Founder Yoav Lurie wanted to share some of their culture and enthusiasm, showcased in their YouTube video.

Simple Energy motivates their customers to save energy in a fun way.

Simple Energy is a startup that uses social game mechanics to change how people save energy and how utilities engage customers. They make saving energy “fun, social, and rewarding.”

Given that simplicity is also one of the cornerstones of Cisco Meraki technology, we were pleased to hear that the Meraki Startup Kit installation and deployment process went smoothly. CTO Jim Turpin says,

“I was actually able to install it without anyone noticing on a Friday afternoon in about 15 minutes. It took longer to get it out of the boxes and rack it than it did to configure.”

Cisco Meraki hardware successfully mounted on the rafters of the Simple Energy office.

DevOps Engineer Blake Corbitt gives the Meraki Startup Kit two thumbs up.

Since incorporating Cisco Meraki into the network, Turpin’s day-to-day experience has improved. “I get to spend my time working on our product infrastructure and not making sure that everyone’s wireless works. Since installing the gear, our wireless throughput has doubled and I haven’t had a single complaint about wireless connectivity.”


Happy employees using the wireless with zero complaints.

“Things with the new gear are awesome. I love this stuff. It’s rock solid reliable and it just works,” Turpin tells us.

A view of the Flatirons from the Simple Energy deck, now conveniently outfitted with solid WiFi access.

We couldn’t have said it better ourselves. Check back or subscribe to our blog for more Startup Kit spotlights.

From site survey to flawless wireless connectivity

One of the most important elements in any wireless network is the site survey. Without a thorough survey to determine proper placement of access points, even the most comprehensive network setup could leave users experiencing poor wireless performance. But wireless configuration doesn’t end with the site survey or even soon after – it is an ongoing process as environments evolve. This post will review the Cisco Meraki tools available to help streamline wireless network operation, starting with the site survey and continuing through the life of the network.

Site Survey

The goal of a site survey is to find the best location for access points to provide peak coverage for your environment. During the process, the optimal channel and power levels for each access point are also determined. There are a plethora of tools available for conducting an initial manual site survey, and a Meraki access point can be used with any of them. Even without Internet connectivity, a Cisco Meraki AP can be used in conjunction with any site survey tool to determine optimal AP placement. All you need is a Cisco Meraki AP, a PoE injector, and a gateway device such as a laptop or an MX security appliance. This knowledge base article describes the process step by step.

I did a quick tour of the Cisco Meraki office using Ekahau Heatmapper. The image below shows some of the results. By selecting an AP identified in Heatmapper, I can see the received signal strength ranging from very high (green), to poor (red), to no signal at all (white).

Heatmapper

Throughout the site survey process, a handy tool to be aware of is the signal strength indicator native to every Meraki AP. From any client device with a web browser, navigate to my.meraki.com to get real-time signal strength and channel utilization data. The image below shows that the received signal strength for this mobile device is 33 dB, along with the channel utilization at 2.4 GHz and 5 GHz.


Placing APs on a Map

Finally, once proper AP placement is determined, the Cisco Meraki dashboard has an integrated maps function which will bring the site survey data to life. Simply import a floor plan, or place access points directly on the Google map. Under the Wireless > Maps & floor plans tab, just drag the AP to its proper location. Here is how.


Manual Channel Assignment

Now that the APs are placed on the map in dashboard, it is easy to assign the channels and power levels determined during the site survey. For manual channel assignment, navigate to the Wireless > Radio Settings page in dashboard. Select the newly placed APs, and configure the channel and power settings in the right-hand column. Notice that when an AP is selected for configuration, APs operating on the same channel are highlighted to help you keep channel overlap to a minimum.


Auto RF

Manual channel assignment not for you? Cisco Meraki also has a built-in feature called Auto RF to automatically optimize the channel and power level for any environment. Instead of manually assigning the radio settings, leave the settings at auto. The Cisco Meraki MR18, MR26, and MR34 have a dedicated built-in radio just for optimizing their radio settings. Each AP monitors the RF environment for interference sources and high channel utilization, adapting in real time to changes in the environment.

Site surveys are crucial, but as network administrators know, they are just the beginning of wireless network management. Cisco Meraki has the tools required to keep a network operating at its best, even after the site survey is complete. For more information, check out these blog posts on getting a network up and running and taking advantage of some of the advanced RF features.

Posted in Company Blog | Comments Off on From site survey to flawless wireless connectivity

Bringing it all together

As part of last autumn’s significant expansion of our cloud-managed switching portfolio, we introduced a pair of aggregation layer switches to complement our hugely successful access layer lineup. This special category of switches delivers 3 primary benefits:

  • Network scaling

  • Performance with High Availability

  • Application visibility for the access switches they aggregate

Network Scaling

Traditional switch architecture breaks down into layers. The access (sometimes referred to as ‘edge’) layer provides direct connectivity to user devices like desktop computers, or Power-over-Ethernet devices like wireless APs and IP phones. Core routers (or routing switches) typically act as the demarcation point between a LAN and the outside world, connecting to the Internet or to private WAN circuits via a security appliance.


In a small network, the core router may provide sufficient connectivity on its own for directly connecting the access layer switches. However, as an organization grows it may run into issues with port capacity, particularly if using structured fiber to interconnect wiring closets. In other words, there may simply not be enough fiber ports on the core router to terminate all the incoming connections.

Enter the aggregation layer switch (sometimes referred to as a distribution layer switch). Meraki aggregation switches are equipped with either 24 or 48 SFP+ fiber interface ports, enabling networks to scale significantly. Using their Layer 3 capabilities it’s also possible to implement large networks using multiple subnets to avoid creating overly large broadcast domains.

Performance with High Availability

Unsurprisingly, concentrating the data from as many as 48 access layer switches through an aggregation switch demands plentiful resources. The Meraki 420 series switches deliver, with almost 1 Tbps of throughput, and, as with all Meraki switches, up to 4 ports can be aggregated to provide 40 Gb/s of connectivity between any pair.

This level of performance takes the Meraki 420 series into data center territory, and the SFP+ switch ports can accept a range of interface types, including ‘Direct Attach’, a short reach copper interface which runs at up to 10Gb/s. The dashboard will show the interface type connected to each port, together with its raw performance potential which is useful information for remote management. Here’s an example:


Whether used for network aggregation or in a data center, such a mission critical switch demands high availability features. The 420 series supports the Rapid Spanning Tree protocol for loop prevention, and is equipped with redundant, hot swappable power supplies and fans (also covered by the comprehensive warranty included in the product license). Speaking of power supplies, we recently enhanced the dashboard switch summary screen to include details of power supply status:


Further High Availability enhancements are in the works as we continue to enhance the product, so stay tuned to the blog for more updates.

Application visibility and control for all connected access switches

As with all networking equipment in our portfolio, the aggregation switches include Meraki’s legendary application visibility and control (AVC). Not every organization is able to start afresh with a network built entirely on our technology, so where there is an existing estate of non-Meraki access layer switches passing traffic to the aggregation layer, standards interoperability enables our switches to provide AVC for the connected clients.

When writing this post, we decided to ask one of our customers how the MS420 aggregation switch is working out for them. Vector Media is based in New York City, with offices around the US and Canada, and specializes in ‘out-of-home’ media advertising. They added the 420 to their Cisco Meraki network soon after its launch, and here’s what their CTO had to say about it:

“The MS420 is a beast! As a growing company, scaling is very important to us. The MS420’s raw switching power has allowed us to expand our network at a rate far faster than I ever imagined. It removed a massive bottleneck in our network – with lots of room to spare!”

Here’s Vector Media’s 420, working hard in their wiring closet (at the top in this photo, together with a Meraki Security Appliance and a couple of 48 port access layer switches):


If your network is ready for an aggregation layer, don’t forget we offer free trials of all our equipment, including shipping and support, so there’s no reason not to take one of these powerful switches for a spin.

 

Posted in Company Blog | Comments Off on Bringing it all together

Got ISE?

Over the past few quarters the Cisco Meraki team has expanded every product line, launched a mobile app that lets customers manage their networks remotely, and also spent time working on new platform integrations to support an ever growing customer base. While many customers run 100% cloud-managed Meraki networks, it is common for customers with existing Cisco deployments at their headquarters to implement Cisco Meraki in their branches. In order to further support this growing customer base, we have added capabilities to make these deployments even more seamless. One of the ways we are doing this is by providing interoperability with Cisco Identity Services Engine (ISE). ISE defines how users gain access to a network, along with a wealth of other functions. This post highlights Cisco Meraki compatibility with ISE, which allows for easier network-wide management.


For customers currently using ISE in their traditional Cisco deployments, there is a clear path to deploy Cisco Meraki devices without increased cost or management complexity. ISE compatibility with Cisco Meraki allows administrators to define a single user access policy across on-premise and cloud-managed networks instead of keeping track of multiple databases. This is especially important for enterprise customers with thousands of users. Cisco Meraki devices can be deployed in parallel to other Cisco equipment, like Catalyst and Nexus switches, and all devices will look to ISE for access policies. The network below shows on-premise devices at HQ, and cloud-managed devices in the branches, with network management unified through ISE.

The Meraki MR, MS, and MX product lines support authentication, authorization, and accounting (AAA) against ISE. Cisco Meraki devices can be added as network devices in ISE, as shown below, and then configured in line with network-wide access policies.


We are excited about how this integration streamlines network-wide management, and will continue to develop new integration points with ISE as customer needs evolve. For more information on ISE compatibility, check out this Cisco guide for configuring ISE with Cisco Meraki wireless, switching, and security appliances.

Resource Roadmap

Our resource base has continued to grow around the evolving needs of our customers. Whether you are looking for technical support, background about the company, specific product information, customer use cases, or something else, we will do our best to help you find exactly what you need. Take a look at the following guide to our available help tools, and follow the road to Meraki mastery.

Resource list:

Website

Webinars

Documentation

Knowledge Base

Support

Systems Manager Support Community

Website

The Cisco Meraki website is a fantastic place to start enhancing your networking experience. Here you can:

  • Read customer deployment stories from users in a variety of industries

  • Compare model features and prices in all product lines

  • Learn about the unique technologies at work behind our cloud-based solution

  • Download informational product data sheets

  • Get pricing estimates and a free quote with our online cost calculator

  • Contact our free trial/sales/support teams

A handy cost-calculator is just one of the many resources featured on our website

 

Webinars

Webinars are an engaging way to learn about Meraki directly from our product specialists. These live presentations cover a wide range of topics, including product introductions, explorations of new features, and customer-hosted sessions. Head over to:

  • See the full list of webinar topics, dates, and times

  • Register for any webinars that look interesting

  • Watch recordings of past presentations

  • Find your unique meeting link if you have already registered

  • Ask questions of our presenters during any live webinar

  • Get a free access point, just for tuning in!

Watch past presentations instantly from your computer

Documentation

An organized collection of detailed information about all of our products, Meraki Documentation is a virtual library in which you’ll be sure to find some useful tips. Check it out to explore:

  • Clear explanations about all of our products and dashboard features

  • White papers and data sheets for every Cisco Meraki product

  • How-to video tutorials

  • Quick start overviews to help set up your network

  • Installation guides for every product

  • Licensing information

  • FAQs


One of our video tutorials on how to configure Layer 3 on a Cisco Meraki switch

Knowledge Base

Search the knowledge base for answers to any and all questions you have about our products. Find step-by-step guides on how to configure products and dashboard settings, as well as helpful troubleshooting techniques for common user issues. A few popular articles, written by members of our Support team, include:

Simply type in your question, and our built-in search engine will do the rest

Support

Our rapidly expanding Support team is made up of over 70 in-house network engineers dedicated to providing top quality customer service. From Support, you can expect:

  • Experts in enterprise networking and wireless design to answer your questions

  • A team armed with years of valuable experience, education, and training

  • Access to 24/7 global support

  • Close in-house collaboration with the engineers who build our products, providing an unbeatable supply of knowledge and experience

By phone, email, or dashboard submission – you can count on us to crack your case!

 

Systems Manager Support Community

A truly interactive option for any and all Systems Manager inquiries, find answers to your Meraki MDM questions here. You will be able to:

  • Search for commonly asked questions

  • Start a new discussion about a topic that interests you

  • Share how you are using Systems Manager in your own environment

  • Get feedback and answers from both product specialists and fellow end users

See what people are talking about, and even begin your own discussion in this community portal

This armory of resources at your fingertips 24/7 can help lead to a full understanding and complete control of your Cisco Meraki network. As always, if you have a feature request or support need that is not listed, we encourage you to “Make a wish” at the bottom of any page in dashboard. Our engineering and development teams look at these suggestions frequently, and take the voices of our customers into the highest consideration when rolling out new features and updates. The sky’s the limit!

From unboxing to configuring settings, all under one roof

With its sleek packaging and clean lines, receiving Cisco Meraki gear in the mail can be exciting and thrilling — one thing it doesn’t have to be is daunting.

In fact, we sat a friend, not a Meraki employee, down with nothing more than this guide, a laptop, and a Cisco Meraki access point to see how long it would take someone with little to no networking experience to fully set up their own wireless network. The result? A simple wireless network, set up in 30 minutes. See for yourself…

GETTING STARTED

Creating a Cisco Meraki dashboard

Before opening the box or plugging in the device, you’ll need to create your own Meraki dashboard account at dashboard.meraki.com by selecting Create an account and filling out some basic information. The Cisco Meraki dashboard is not an appliance, but a cloud-based service providing unified management of all Cisco Meraki devices, constantly monitoring, optimizing, and reporting on your network.

New dashboard

Adding devices to dashboard

The next screen gives the option to add devices by providing the device’s serial number or the order number. If you have multiple devices, entering the purchase order number will populate the dashboard with all the devices in that order. If you already have a dashboard account or have advanced past this prompt, you can also add devices by navigating to Configure > Add devices, clicking Claim, and again entering either the serial number or the order number.

Claim APs

BASIC CONFIGURATIONS

Now that the devices have been added to the dashboard, it’s time to make a few initial configurations. These will ensure proper communication from your access point to the Internet and the Cisco Meraki cloud, provide admin access to authorized users, and allow effective management and reporting capabilities.

Obtaining an IP address

Sometimes it’s necessary to make changes to the AP’s addressing in order to connect to the Internet. When connected to a Meraki AP, or directly downstream from one, my.meraki.com provides local configuration for Cisco Meraki access points. Here admins can perform basic troubleshooting and set static IP addresses for uplink interfaces (it’s also possible to set a static IP address from dashboard if needed).

my.meraki static IP

Cisco Meraki APs are set up to use DHCP out of the box. By clicking into an AP from the Monitor > Access points page, IP address information is available and can be changed by clicking Set IP address.

Set IP Address

Opening firewall ports for dashboard access

The next step is to ensure that the proper protocols and ports are permitted on the firewall side to allow secure communication to the dashboard. If a firewall or gateway exists in the data path between Cisco Meraki devices and the cloud-managed dashboard, communication will be hampered until these configuration changes are made.

Adding admins for role-based dashboard access

It’s typical that more than one person will serve as a network admin and will therefore need access to all or certain parts of dashboard. There are various levels of dashboard access to choose from and by navigating to Configure > Network-wide settings, it’s simple to add new admins under the Network administration section, customizing what they can control and view. A further scroll down on the same page, to the Network alerts section, provides the option to send various alerts to all admins or just certain ones.

Admin Adds

PLUG AND PLAY

With the basic setup completed in dashboard, it’s now time to unbox, plug in, and start using that new AP.

Booting up the AP

Included in the box is mounting hardware for installing the AP in an optimal location. However, before mounting it high on a wall, it needs to be plugged in so that it can download the dashboard settings configured above. This simply entails plugging a CAT5 Ethernet cable into the AP’s uplink connector. If powering the device via a PoE enabled switch port or PoE injector, that’s all there is to it. Otherwise an AC adapter will be needed.

Once plugged in, the AP will automatically attempt to connect to the dashboard to download its configurations and run a self-diagnostic. During this time, the LED light on the device will provide a colorful light show, ultimately settling on solid green or solid blue light (depending on whether clients are associated) if connected properly.

Adding APs to the map or a floor plan

While it’s simple to keep track of one AP, placing the device(s) on a map in dashboard provides quick, high-level information on the health of the networks and of all the devices in your organization.

There are two different ways to visualize your deployed APs. The first is through the integrated Google Maps feature: APs can either be dragged and dropped onto the map (navigate to Monitor > Maps & floor plans and select Place APs on map), or placed by entering the location’s address (navigate to Monitor > Access points, select the AP, and click Edit configuration).

Dashboard Overview

The second way is by uploading a custom map or floor plan that allows a more customized monitoring experience. This is done quickly by navigating to Monitor > Maps & floor plans and selecting Edit floor plans. Clicking the + that appears prompts the upload of a floor plan file whose position will be overlaid on the map and can then be adjusted to fit the physical location. Adding APs to the floor plan is done by selecting Place APs on map and dropping on the location.

Floorplan view

Tagging and renaming APs

APs can also be tagged by location or even renamed depending on needs. This is done on the Monitor > Access points page. Tags are useful for grouping by building, broadcasted SSIDs, or floor. Simply select any number of devices and choose the Tag drop down menu. APs can either be assigned using existing tags or can be assigned a newly created tag. By clicking into an AP from the same page and selecting Edit configuration, the AP can be renamed for easier management or reporting.

ESTABLISHING WIRELESS SETTINGS

Once a wireless network is up and running, it may be desirable to implement additional custom configuration settings to meet your evolving needs. Creating SSIDs with authentication requirements, establishing firewall and traffic shaping rules, and allowing discovery of devices like Apple TVs are just some of the settings that can be implemented quickly and at any time!

Creating SSIDs

It’s possible to configure up to 15 SSIDs per network. The Configure > SSIDs page provides overview information, the ability to enable SSIDs, and renaming options. To enforce association requirements for each SSID, click Access control on this page or go to Configure > Access control. Simply select from the available options: open, pre-shared key, MAC-based, or WPA2-Enterprise.

Association requirements

Active Directory authentication

Another association option is to authenticate using an external Active Directory server through a splash page. This is useful for preventing network access unless the provided sign-on credentials match those stored on the AD server. On the same Access control page, choose Sign-on with and select my Active Directory server under the Splash pages section. In the newly populated Active Directory servers section on the page, click Add a server and add the IP address of the AD domain controller and relevant admin credentials. It is also possible to use Active Directory as the RADIUS server in the WPA2-Enterprise setting.

AD Server

Firewall & traffic shaping rules by SSID

Now that authorized clients have access to the wireless, establishing firewall and traffic shaping rules by SSID will permit, deny, or limit each client’s use of network resources. The top section of the Configure > Firewall & traffic shaping page is dedicated to Layer 3 and Layer 7 firewall rules. Here, an admin can set rules that are evaluated from the top down against every request sent by a wireless user; the first rule to match is applied. Simply enter the appropriate information in the Layer 3 section or choose the application type in the Layer 7 section.

Firewall MR

The second section of this page allows the admin to set traffic shaping rules that limit per-client bandwidth usage or can limit/open usage by application. Choose Shape traffic on this SSID under the Shape traffic section, then click Create a new rule. In the Definition section click Add + and choose the application groups or specific applications to affect, then set the Per-client bandwidth limit for those selected applications. Admins can establish numerous Layer 7 traffic shaping rules on each SSID.
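Because the Layer 3 rules above are applied first-match, rule order decides the outcome. The following is an added example, not Meraki code: it models the top-down evaluation for a constructed per-SSID policy and flags rules that can never fire because an earlier rule already covers them. The default action when nothing matches, the rule fields, and the sample addresses are assumptions of this model.

```python
"""First-match Layer 3 firewall evaluation with shadowed-rule detection.

Added example, not code from Cisco Meraki or the dashboard. Rule fields,
the default-allow behaviour and the sample flows are constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]          # inclusive (low, high)
ANY_PORTS: PortRange = (0, 65535)    # "any" port


@dataclass(frozen=True)
class Rule:
    policy: str          # "allow" or "deny"
    protocol: str        # "any", "tcp", "udp" or "icmp"
    destination: str     # destination CIDR, "0.0.0.0/0" for any
    ports: PortRange     # destination port range
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    protocol: str
    dst_ip: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow falls inside the rule's protocol, destination and ports."""
    proto_ok = rule.protocol == "any" or rule.protocol == flow.protocol
    net_ok = ip_address(flow.dst_ip) in ip_network(rule.destination)
    port_ok = rule.ports[0] <= flow.dst_port <= rule.ports[1]
    return proto_ok and net_ok and port_ok


def evaluate(rules: List[Rule], flow: Flow, default: str = "allow") -> Tuple[str, Optional[int]]:
    """Walk the rules top-down; the first match decides.

    Returns (policy, index); index is None when no rule matched and the
    assumed default applied.
    """
    for i, rule in enumerate(rules):
        if rule_matches(rule, flow):
            return rule.policy, i
    return default, None


def _covers(earlier: Rule, later: Rule) -> bool:
    """True when every flow the later rule could match is already caught earlier."""
    proto_ok = earlier.protocol == "any" or earlier.protocol == later.protocol
    net_ok = ip_network(later.destination).subnet_of(ip_network(earlier.destination))
    ports_ok = earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]
    return proto_ok and net_ok and ports_ok


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule fully covers them."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i], rules[j]) for i in range(j))]


# Constructed sample policy: allow clients to reach only the LAN DNS resolver,
# deny the rest of the wired LAN, then allow everything else (the Internet).
SAMPLE_RULES = [
    Rule("allow", "udp", "10.0.0.53/32", (53, 53), "LAN DNS resolver"),
    Rule("deny", "any", "10.0.0.0/8", ANY_PORTS, "no other wired LAN access"),
    Rule("allow", "any", "0.0.0.0/0", ANY_PORTS, "Internet"),
]

# The same rules with the catch-all allow moved to the top: the deny is now dead.
MISORDERED_RULES = [SAMPLE_RULES[2], SAMPLE_RULES[0], SAMPLE_RULES[1]]

if __name__ == "__main__":
    for rules in (SAMPLE_RULES, MISORDERED_RULES):
        print(evaluate(rules, Flow("tcp", "10.1.2.3", 445)), "shadowed:", shadowed_rules(rules))
```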

Enabling Bonjour forwarding for Apple TVs

Often other wireless devices, like Apple TVs, need access to the wireless network. Bonjour is used for automatic discovery of Apple TVs on IP networks and, if on another subnet, needs to be permitted in dashboard. Cisco Meraki uses Bonjour forwarding to allow Bonjour advertisements to be forwarded between subnets. To enable, navigate to Configure > Access control and scroll to the Bonjour forwarding field under Addressing and traffic. Choose Enable Bonjour forwarding and select Add a Bonjour forwarding rule to specify a particular service that the forwarding will be limited to, e.g. Apple TVs.

Bonjour forwarding

DON’T FORGET…

While this blog post covered the basics of getting your Cisco Meraki wireless network up and running, customization is by no means limited to just these topics. Explore your dashboard, browse the Knowledge Base, check out our Product Documentation, or explore meraki.cisco.com for even more information and features.

Posted in Company Blog | Comments Off on From unboxing to configuring settings, all under one roof

#CLUS

It seems fitting that the company which took its name from the city should come home to San Francisco for its premier event, Cisco Live.

Since joining the Cisco family, the Meraki team has been part of Cisco Live events around the world, including London, Orlando, Milan and Melbourne, so we’re naturally very excited to have the show rolling into our own home town.


For those of you lucky enough to be travelling to San Francisco for the event, we look forward to welcoming you and showing you how cloud networking can help you run a finely tuned, multi-site network with ease. We’ll have staff from our Product Management, Engineering, Sales and Marketing teams attending throughout the event, so whatever’s on your mind, there’ll be someone who can help. You’ll find us in the World of Solutions and around the venue wearing black polos emblazoned with our logo.

We’ll do our best to help everyone who can’t attend feel connected to what’s going on through our usual social channels. Look for the hashtag #CLUS on Twitter and Google+.

 

The critical security tool you may be overlooking

When we think of perimeter security, we often conjure thoughts of stateful firewalls and hard core intrusion prevention systems — two features all Cisco Meraki MX security appliances offer. Content filtering, on the other hand, is often relegated to the more parental role of keeping adult material and spam off the network. But if this is how you make use of the features provided in Meraki’s security appliances, you are missing a golden opportunity to harden security across all your sites.

Meraki provides content filtering on its MXs through a partnership with Webroot BrightCloud, a market leader in cloud-based content filtering. This partnership enables Meraki to provide URL analysis and blocking based on content categories that are kept up-to-date by Webroot (there is no URL lookup file to download and maintain). When running Meraki content filtering in Full list mode, URLs are analyzed via cloud lookup—so no website ever goes unclassified.


Choose from over 70 categories of content to block site-wide or granularly, through group-based policies.

 

Thus, with no manual effort, the Meraki MX can ensure malicious websites (along with any infection vector they host) are blocked—keeping the network secure.

 

Applying filtering policies

 

You have a choice when deploying MX content filtering policies: set site-wide filtering rules or apply policies granularly, to specific users, devices, or groups. Site-wide protection is set by navigating to Configure > Content filtering in the Meraki dashboard, and then choosing the categories you wish to block. You can whitelist or filter specific websites and domains to fine tune control.

 


Enabling content filtering site-wide with the Meraki MX.

 

What if you want to enforce basic site-wide filtering (or none at all), and enforce different levels of content filtering for individual groups of users or devices? For example, what if you want teachers and staff to have less restrictive content blocking than students?

To set granular restrictions, navigate to Configure > Group policies, and create or select a group policy you wish to modify. In the section labeled “Security appliance only,” you have the option to append to, or override, any site-wide content filtering rules.

 


Enforcing additional content filtering restrictions via group policy.

 

Once your policy is saved, you can then apply it to users or devices.  For example, the MX integrates seamlessly with Active Directory servers, making it easy to link policies to specific groups of users:


Applying “Guest” and “Contractors” group policies to AD groups in the Meraki dashboard.
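To make the append/override distinction concrete, here is an added example (not Meraki code) that resolves the effective content-filtering policy for a client from the site-wide rules and a group policy, then decides allow or block for a URL. The category table stands in for the Webroot BrightCloud lookup, the domains and the school scenario are constructed, and the precedence used (whitelist, then blacklist, then category) is an assumption of this model rather than documented MX behaviour.

```python
"""Effective MX content-filtering policy: site-wide rules plus group policy.

Added example, not Meraki code. CATEGORY_LOOKUP is a constructed stand-in
for the cloud category classification; precedence between whitelist,
blacklist and category blocks is an assumption of this model.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the cloud lookup (domain -> content category).
CATEGORY_LOOKUP: Dict[str, str] = {
    "malware-drop.test": "malware",
    "chess.example": "games",
    "eduplay.example": "games",
    "news.example": "news",
    "video.example": "streaming",
}


@dataclass(frozen=True)
class FilterPolicy:
    blocked_categories: FrozenSet[str] = frozenset()
    blocked_domains: FrozenSet[str] = frozenset()   # blacklist entries
    allowed_domains: FrozenSet[str] = frozenset()   # whitelist entries


@dataclass(frozen=True)
class GroupPolicy:
    mode: str              # "append" adds to site rules, "override" replaces them
    policy: FilterPolicy


def classify(host: str) -> str:
    """Longest-suffix lookup so a subdomain inherits its parent domain's category."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_LOOKUP:
            return CATEGORY_LOOKUP[candidate]
    return "uncategorized"


def effective_policy(site: FilterPolicy, group: Optional[GroupPolicy]) -> FilterPolicy:
    """No group policy: site rules apply. 'append' unions; 'override' replaces."""
    if group is None:
        return site
    if group.mode == "override":
        # Note: an override also drops the site-wide whitelist in this model.
        return group.policy
    if group.mode == "append":
        return FilterPolicy(
            site.blocked_categories | group.policy.blocked_categories,
            site.blocked_domains | group.policy.blocked_domains,
            site.allowed_domains | group.policy.allowed_domains,
        )
    raise ValueError(f"unknown group policy mode: {group.mode}")


def _domain_listed(host: str, entries: FrozenSet[str]) -> bool:
    """A list entry matches the domain itself and any of its subdomains."""
    host = host.lower()
    return any(host == e or host.endswith("." + e) for e in entries)


def decide(policy: FilterPolicy, url: str) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for a URL under an effective policy."""
    host = urlsplit(url).hostname or ""
    if _domain_listed(host, policy.allowed_domains):
        return "allow", "whitelisted domain"
    if _domain_listed(host, policy.blocked_domains):
        return "block", "blacklisted domain"
    category = classify(host)
    if category in policy.blocked_categories:
        return "block", f"category {category}"
    return "allow", f"category {category} not blocked"


# Constructed school scenario from the post: students get extra categories
# appended to the site-wide rules, staff get a lighter policy that overrides them.
SITE_POLICY = FilterPolicy(
    blocked_categories=frozenset({"malware", "adult"}),
    allowed_domains=frozenset({"eduplay.example"}),
)
STUDENT_POLICY = GroupPolicy("append", FilterPolicy(
    blocked_categories=frozenset({"games", "streaming"})))
STAFF_POLICY = GroupPolicy("override", FilterPolicy(
    blocked_categories=frozenset({"malware"})))

if __name__ == "__main__":
    for name, group in (("student", STUDENT_POLICY), ("staff", STAFF_POLICY)):
        print(name, decide(effective_policy(SITE_POLICY, group), "http://chess.example/play"))
```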

 

In sum: content filtering is a significant source of network security, and like any other tool, is most effective when up-to-date and applied with precision. The Meraki MX’s content filtering easily overcomes both of these challenges, and we encourage you to use it when securing your network infrastructure.

Posted in Company Blog | Comments Off on The critical security tool you may be overlooking

Let the right one in

With IT networks forming the central nervous system of any organization, managing an estate of wireless access points, switches, and security appliances brings with it plenty of responsibility. Recognizing this, the Meraki team has developed multiple access levels for its dashboard, ensuring just the right amount of visibility and control for every job function. In today’s blog post we’ll look at these access levels and how they can be mapped to different job functions.

Maintaining a complex, dispersed network efficiently demands the very best management tools. The intuitive Meraki dashboard provides valuable information to IT managers and service providers who carry the responsibility of maintaining healthy IT ecosystems, tracking performance and use over time. The interface provides a wealth of data in an easily digestible form. Here’s an ideal example – a snippet from a typical monthly summary report:

[Screenshot: snippet from a typical monthly summary report]

It’s inevitable that as networks grow, the associated monitoring and control becomes too much for one individual. In larger organizations, particularly those distributed across multiple locations, the functions of configuring, monitoring and supporting data networks often fall to different individuals or teams – sometimes replicated by function at each location. Other Meraki customers choose to have their networks managed by a service provider with staff dedicated to managing select customer networks in some form of Network Operations Center (NOC). Providing granular access for so many organizational scenarios demands well thought-out tools.

Before looking at the specifics, this is a good opportunity to review the Meraki definitions of an Organization and a Network, the basic structural entities used in the dashboard. When a new customer logs in for the first time, the first step will be to create an Organization. This is the top level entity or container, below which networks are created. A ‘Network’ is a container for either a single security appliance or a logical grouping of wireless APs or switches sharing the same configuration settings. Here’s a visual representation with a couple of example structures:

[Diagram: example Organization and Network structures]

In many cases only a single organization will be required, but for large enterprises comprising multiple divisions it may be desirable to break these into separate organizations with their own admin rights. Managed Service Providers (MSPs) can also use this approach to separate out the various customer networks they take care of, or use separate networks under a single organization, as depicted above.

Once the structure is in place it’s time to establish access privileges.

Organization Admin

At the top of the tree sits one or more organization admins, who are given comprehensive access to all dashboard sections, views and configuration tools, together with a complete list of the organization’s networks (where a regular network admin would see only those networks to which they’ve been given access). Here’s an example showing the organization admin view, including the network list, for the Meraki Corp organization:

[Screenshot: organization admin view for the Meraki Corp organization]

A complete list of categories is viewable on the left – including ‘Organization’, which only these top level administrators will see. The organization menu includes the ‘Administrators’ item where other admins can be created and promoted, as can be seen in this graphic:

[Screenshot: Organization > Administrators page]

There are several useful tools included only in the organization menu, including Location Analytics (which can span multiple networks), Security Reporting of intrusion events and the all-important ability to create new networks. The organization admin role also has the privileges to be able to set up other organization admins, with either full (read-write) or read-only access, and network admins, whose view is restricted to only those networks to which they’ve been awarded access.

Network Admin

Using network admins provides more flexibility, with a couple of additional role types. Network level admins are selected by organization admins, either manually from a list, or automatically based on tags (an approach we detailed in a previous blog post) and are given one of four levels of access on a per-network basis, as shown in this snippet:

[Screenshot: per-network access levels for a network admin]

Full

A user with full privileges enjoys comprehensive monitoring and configuration capabilities for the networks to which they’ve been provided access, making this the best fit for a delegated site admin.

Read-only

Read-only users get the same comprehensive view, which also includes the Overview page showing all networks to which they have access, albeit without the ability to save changes. This option is ideal for junior network admins who do not yet have full responsibility for the networks they work on. It’s also a sensible choice for dashboard demonstrations, which a service provider may like to use to promote their capabilities. Finally, this view is perfect in a NOC environment.

Monitor-only

This restricted view provides a limited read-only Monitor menu, perfect for a manager who merely needs to keep an eye on real-time and trending network use. Note the menu options on the left here compared to what we saw above:

[Screenshot: Monitor-only menu, shown with a customized MSP logo]

By the way, this screen capture snippet also shows a customized logo in place of the standard Cisco Meraki one. The dashboard provides MSPs the ability to upload a company logo which would appear when the managed customer logs on to their dashboard account, whatever the level of access provided by the MSP.

Guest Ambassador

A minimal interface designed for front desk staff to set up guest user access to the network, which we covered in another blog post.

Finally, back at the end of last year we introduced port management roles on our switch line, which enable organization admins to delegate control of individual switch port settings using the same tagging approach we touched on earlier.

Providing granular levels of control greatly assists managers of large and growing networks, both within organizations and – in the case of service providers – between multiple managed organizations. The dashboard makes it easy to establish appropriate levels of access so that junior staff can’t accidentally get out of their depth, or revoke access if, for example, it needs to be suddenly terminated for a departing employee.

We’ve focused our efforts on making the complex task of role based access as intuitive as possible, so that when an admin is working in a specific section of the dashboard, on logical groupings of devices and locations they’re familiar with, it all just makes sense. Do these options cover the way you break down roles and responsibilities in your own organization? Remember, we always love to hear suggestions for enhancements via our Make a Wish box.
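The organization/network hierarchy and the access levels described in this post amount to a small role-based access model, and it is worth seeing the least-privilege checks written out. The following is an added example for this post, not the dashboard’s own code: it models an organization that contains networks, organization admins with full or read-only access, and network admins granted one of the four levels either on named networks or by network tag, plus the revocation step mentioned above. The action names, the mapping of each level to a set of actions, and the sample organization are constructed assumptions based on the role descriptions in the post.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Optional


class OrgRole(Enum):
    FULL = "full"
    READ_ONLY = "read-only"


class NetRole(Enum):
    FULL = "full"
    READ_ONLY = "read-only"
    MONITOR_ONLY = "monitor-only"
    GUEST_AMBASSADOR = "guest-ambassador"


# Assumed mapping of each network-level role to the per-network actions it
# permits, derived from the post's descriptions: read-only gets the full view
# but cannot save, monitor-only gets only the Monitor menu, and the guest
# ambassador only creates guest users.
NET_ROLE_ACTIONS = {
    NetRole.FULL: {"monitor", "view_config", "configure", "manage_guests"},
    NetRole.READ_ONLY: {"monitor", "view_config"},
    NetRole.MONITOR_ONLY: {"monitor"},
    NetRole.GUEST_AMBASSADOR: {"manage_guests"},
}
# Items on the Organization menu, visible only to organization admins.
ORG_ACTIONS = {"create_network", "manage_admins"}


@dataclass
class Network:
    name: str
    tags: frozenset = frozenset()


@dataclass
class Grant:
    """One per-network access grant: by explicit network name or by tag."""
    role: NetRole
    networks: frozenset = frozenset()
    tags: frozenset = frozenset()

    def covers(self, net: Network) -> bool:
        return net.name in self.networks or bool(self.tags & net.tags)


@dataclass
class Organization:
    name: str
    networks: Dict[str, Network] = field(default_factory=dict)
    org_admins: Dict[str, OrgRole] = field(default_factory=dict)
    net_admins: Dict[str, List[Grant]] = field(default_factory=dict)

    def add_network(self, name: str, tags: Iterable[str] = ()) -> None:
        self.networks[name] = Network(name, frozenset(tags))

    def grant_org_admin(self, email: str, role: OrgRole) -> None:
        self.org_admins[email] = role

    def grant_network_admin(self, email: str, role: NetRole,
                            networks: Iterable[str] = (), tags: Iterable[str] = ()) -> None:
        self.net_admins.setdefault(email, []).append(
            Grant(role, frozenset(networks), frozenset(tags)))

    def revoke(self, email: str) -> None:
        """Remove every privilege an account holds, e.g. for a departing employee."""
        self.org_admins.pop(email, None)
        self.net_admins.pop(email, None)

    def visible_networks(self, email: str) -> List[str]:
        """Org admins see every network; network admins only those their grants cover."""
        if email in self.org_admins:
            return sorted(self.networks)
        grants = self.net_admins.get(email, [])
        return sorted(n for n, net in self.networks.items()
                      if any(g.covers(net) for g in grants))

    def allowed(self, email: str, action: str, network: Optional[str] = None) -> bool:
        if action in ORG_ACTIONS:                      # Organization menu: full org admins only
            return self.org_admins.get(email) is OrgRole.FULL
        if network not in self.networks:
            return False
        net = self.networks[network]
        org_role = self.org_admins.get(email)
        if org_role is OrgRole.FULL:
            return True
        if org_role is OrgRole.READ_ONLY:
            return action in NET_ROLE_ACTIONS[NetRole.READ_ONLY]
        actions = set()                                # union of all grants covering this network
        for g in self.net_admins.get(email, []):
            if g.covers(net):
                actions |= NET_ROLE_ACTIONS[g.role]
        return action in actions


def build_demo_org() -> Organization:
    """Constructed sample organization mirroring the scenarios in the post."""
    org = Organization("Meraki Corp")
    org.add_network("HQ", tags={"campus"})
    org.add_network("Boulder", tags={"branch"})
    org.add_network("Denver", tags={"branch"})
    org.grant_org_admin("alice@example.com", OrgRole.FULL)                             # organization admin
    org.grant_network_admin("bob@example.com", NetRole.FULL, networks={"Boulder"})     # delegated site admin
    org.grant_network_admin("carol@example.com", NetRole.MONITOR_ONLY, tags={"branch"})  # manager, via tag
    org.grant_network_admin("dave@example.com", NetRole.GUEST_AMBASSADOR, networks={"HQ"})  # front desk
    return org
```

The tag-based grant is what lets a new branch network picked up by `carol@example.com` automatically, simply by tagging it "branch", without touching her account; conversely `revoke` is a single call that closes every path an account had, which is the property you want when offboarding.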

Posted in Company Blog | Comments Off on Let the right one in

Securely enroll devices with Active Directory

The Cisco Meraki team has made enrolling devices in Systems Manager easier than ever. There are a variety of ways to get devices set up with the mobile device management platform: Apple Device Enrollment Program, Systems Manager Sentry, and individual device enrollment just to name a few.

But it is important to make sure device enrollment can be controlled. Systems Manager allows administrators to integrate Active Directory with the enrollment process in order to keep tabs on exactly who is enrolling. Below is the enrollment screen users reach by visiting m.meraki.com from their mobile device.

[Screenshot: Systems Manager enrollment page at m.meraki.com]

By integrating enrollment with Active Directory, users are prompted to enter their credentials and only then proceed to set up their devices.

[Screenshot: Active Directory credential prompt during enrollment]

Setting up enrollment with Active Directory integration is simple. Navigate to the Configure > General tab in Systems Manager to configure user authentication settings. Choose Active Directory from the drop-down menu. From there, select the Active Directory gateway, which is used to relay AD queries to the LAN. When choosing the MX security appliance as the gateway, select a gateway network, and Systems Manager will automatically set up the MX in that network for authentication.

[Screenshot: user authentication settings under Configure > General]

Alternatively, any Mac or PC running the Systems Manager agent can be used as the Active Directory Gateway. Simply enter the AD server information for your network. Then, select any Mac or PC on your Systems Manager network to act as the Gateway Machine.

[Screenshot: selecting a Mac or PC running the Systems Manager agent as the Active Directory gateway]

Securing the enrollment process is just one of the ways Systems Manager is making mobile device management easier for administrators. Check out these other resources on how to set up Systems Manager from scratch, or enroll devices using Apple’s Device Enrollment Program.

Posted in Company Blog | Comments Off on Securely enroll devices with Active Directory