Archive for September, 2014

Meraki Mobile App: Introducing V2

The Cisco Meraki team is thrilled to introduce version 2 of the Meraki dashboard mobile app. It’s packed with new features and available now from the Google Play and Apple iTunes app stores.

Rich, detailed visibility

Rich visibility into users, devices, and applications is key to understanding network behavior and making informed policy decisions. The mobile app now includes Layer 7 application visibility and automatically reports applications—and categories—that consume bandwidth on your network. Identifying bandwidth–hungry apps like YouTube and Skype, as well as recreational ones like Facebook and sports websites, is intuitive and easy. This visibility reveals trends of an entire network and is also available for any specific client, identifying the network behavior of top bandwidth consumers.

Application Visibility

Application Visibility

 

Do more on the go

IT admins often have to authorize users onto their guest wireless network, a necessary but time–consuming task. The app now supports guest authorization, meaning admins don’t even have to go back to their desks to approve and onboard users onto the guest network.

img_0037

Onboarding a guest is as easy as navigating to the guest SSID and approving users as needed, so it’s not necessary to open the Meraki dashboard on your laptop to authorize guests. The user list can be sorted, allowing easy identification of authorized and unauthorized guests through the app.

CMX Analytics

CMX Analytics give insight into the aggregate behavior of users and visitors in an environment, measuring data such as visitor capture rate, loyalty, and visit frequency. This data helps IT and operations teams optimize their business to attract more passersby and convert them into paying customers. A new view shows summarized CMX analytics, letting administrators quickly measure the trends and performance of any location in an organization. Find summarized CMX metrics and the link to CMX details from the Summary tab.

CMX Analytics

Enhanced for mobile

The team has been constantly adding richer, more detailed visibility into Meraki network devices and has re-designed the device details view into a tabbed interface. This makes it easier to find the most important information about a switch or access point. Troubleshooting tools have a new, dedicated tab, making it easier to remotely track down network or client issues.

IMG_0022

As always, send us feedback and enhancement requests using the make-a-wish feature, found in the “More” tab.

Posted in Company Blog | Comments Off on Meraki Mobile App: Introducing V2

Shellshock Bash Bug: Meraki is not affected

As many of you are now aware, a widespread vulnerability known as Shellshock found in the Bash shell—a piece of software running on millions of computers (including most servers and computers running the Mac OS X and Linux operating systems)—has been making headlines.

It’s a nasty bug, and it’s been lurking in the Bash code for years. It’s on par with the Heartbleed vulnerability in terms of potential seriousness and the sheer number of systems that might be exposed.

Here is what Meraki customers should know: Cisco Meraki devices are not vulnerable to the ShellShock exploit as they don’t run any affected software.  Some components of the Cisco Meraki cloud backend do run software that is within the scope of this vulnerability, but were patched the day it was announced to remove any exposure.  In addition, customers using the MX Intrusion Detection and Prevention (IPS) feature with the “Balanced” or “Security” rulesets automatically received Sourcefire signatures to detect and block this vulnerability within 24 hours of the announcement.

For information on other Cisco products, please see the Cisco advisory on the Shellshock vulnerability.

Posted in Company Blog | Comments Off on Shellshock Bash Bug: Meraki is not affected

Keeping the wolves at bay

Did you know the creator of Snort and founder of Sourcefire, the world’s most popular network intrusion detection and prevention technology, is now the chief architect for Cisco’s Security division? The Meraki MX family of Security Appliances has been protecting networks with embedded Sourcefire technology and malware detection since 2012. With both solutions now under the Cisco umbrella, there’s no doubting we have a formidable, industry-leading security platform to offer our customers. Today we’ll recap the reporting and configuration tools provided for intrusion detection and prevention in the dashboard.

The Internet is a wild place, and connecting an MX directly to the internet with a public IP address on its WAN interface will quickly reveal this, with the Security Report page lighting-up with intrusion attempts. Here’s an example, with a snapshot taken just 24 hours after security monitoring was turned on, prior to any action being taken.

Screen Shot 2014-09-23 at 15.46.00

Firstly, the potential threats are grouped into threat levels, high, medium and low. These are not arbitrary classifications, but are based on the Common Vulnerability Scoring System (CVSS) which seeks to standardize the rating of IT related security threats. The threat descriptions themselves are based on the Common Vulnerability and Exposures (CVE), which is effectively a dictionary of publicly known network threats seen around the world. With a multitude of sources for these threats – government agencies, vendor software patches, AV software – the CVEs help by using a common language and means to synthesize threat information sources.

The security report will generate a list of intrusion attempts and the Meraki dashboard will make its best attempt to decipher these for the network admin. Here’s an example:

Screen Shot 2014-09-23 at 13.38.18

In this case the admin clicked on the first signature description to obtain further details. Note the hyperlinks pointing to related CVE descriptions. Occasionally these will be links to articles or blogs which detail the threat. The Rule ID itself is a rather cryptic reference which follows this format:

<threat category> : <signature> : <version number>

If we take the signature from the Rule ID in the example above and use a search engine to search for “sourcefire 26233”, the first entry which comes back contains an explanation of the signature.

In this case, the CVSS was a High, indicating action should be taken. The security event list includes details of the source and destination for the threat as well as a timestamp. The network admin could simply work with the owner of the local device to ensure any potential vulnerability is contained and patched. Alternatively, if Intrusion Prevention is switched on then, depending on the ruleset selected, attacks like these could be blocked altogether before they ever enter the LAN environment. The ruleset merely determines above which CVSS level identified threats are proactively blocked. More details can be found on our documentation page and in this previous blog post which outlines the mechanism the MX used to lock down Heartbleed within a day of its discovery. As a timely sidenote which underscores this fast reaction time, our customers using Meraki MX with Intrusion Detection turned on have already received signatures enabling them to identify the Shellshock vulnerability which was announced only yesterday.

Tuning security filtering takes a little practice to ensure only undesirable traffic is blocked. Fortunately the dashboard makes it easy to take account of so–called false positives, providing a means to whitelist specific domains, sub–domains or URLs, very useful for customizing the way in which your network environment is locked-down.

Finally, Kaspersky Malware Detection is also featured on the MX, enabling the appliance to filter traffic which could be considered malware, trojan horses or phishing websites, whether destined to, or originating from the LAN.

Working with our colleagues in Cisco, our customers can rest assured that the security of their networks is in safe hands and we’re ready to react quickly when the next Internet gremlin gets out into the wild.

Posted in Company Blog | Comments Off on Keeping the wolves at bay

We’re hiring – check out our open positions

From customer trade shows to team outings to break room snack time, Merakians take every opportunity to have a good time at work. The Cisco Meraki team is hiring for positions in a variety of departments and our fabulous new jobs page showcases these positions and life at Meraki.

By way of introduction, Meraki has a beautiful office near AT&T park that features a patio overlooking the San Francisco Bay where employees can enjoy a healthy lunch, fresh fruit, an afternoon espresso, or the occasional treat from the ice cream fridge.

Cisco
Meraki employees enjoying some sunshine and lunch on the patio

To burn off the calories from the various treats, Meraki employees have a lot of options when it comes to staying fit. Meraki has been home to teams of sports such as soccer, basketball, cycling, volleyball, and even golf. These sports teams are great opportunities to meet folks in other departments while getting a great cardio workout. If team sports aren’t your thing, the Meraki office has an in-house gym or the often-preferred option of running along the San Francisco Bay on the Embarcadero.

basketball
Meraki lady ballers after an intense game of 3 on 3

We work hard, but we like to take breaks. Another unexpected venue for exercise comes in the form of the rocket slingshots and the impromptu battles that arise on Friday afternoons.

rockets
Katie and Pablo quickly reload as Ben covers them during a rocket war

Being a dog-friendly office, it’s not uncommon for Meraki employees to run into our four-legged friends on a regular basis. While some dogs show up for work everyday, others are occasional guests.

dogs
Cooper and Daizy take a quick sun break on the couch

Like what you see but aren’t located in San Francisco? We also have an awesome, close-knit team in London that gets to experience some unique Meraki bonding activities.

photo
The EMEA team experiences the phenomenon of human foosball

At the end of the day, our main purpose is to make cutting edge products that work well and make our customers happy. The biggest reward is getting to meet our awesome customers and hear about how Meraki products have changed their lives.

paul and customer
Product specialist Paul Wolfe gets a hug from an appreciative customer

Want to join in on the fun? Check out all of our open positions here.

Posted in Company Blog | Comments Off on We’re hiring – check out our open positions

A new player in Enterprise Mobility Management

systems-manager-enterprise

Today we are excited to announce Systems Manager Enterprise, a brand new addition to the Cisco Meraki product lineup. This cloud-based enterprise mobility management (EMM) solution packs a whirlwind of features encompassing device enrollment, provisioning, monitoring, and security. Here is a quick snapshot of some of the new features.

  • Network policy integration – streamlines security policies from client devices to wireless access point, switch, and security appliance configurations
  • Mobile data security – allows for a clean separation of enterprise data and personal data
  • Cisco Identity Services Engine (ISE) integration – allows Systems Manager to directly communicate with ISE for device enrollment and posture assessment
  • Seamless user enrollment – ties people to their devices by integrating enrollment with Active Directory
  • Samsung Knox integration – allows for greater functionality across android devices
  • 24/7 phone and email support

Systems Manager Enterprise has a unique advantage given that Cisco Meraki not only offers mobility management but also an end–to–end networking solution. Unlike other products that add on to an existing networking solution, Systems Manager Enterprise is built on the same platform that is used to power wireless access points, switches, and security appliances. This advantage enables Systems Manager Enterprise to communicate with the network, providing a truly seamless policy management experience for administrators from the networking infrastructure all the way to personal devices. Let’s take a look at how Systems Manager takes into account security compliance, geofencing, and user identity in order to dynamically apply policies to the device and to the network.

Security Compliance

Systems Manager Enterprise has rich visibility into managed devices from client health, to geofencing location, and most importantly, their security posture. Security compliance checks whether devices are encrypted, locked, jailbroken, and more before dynamically assigning device settings, apps, and content. Below, the ‘Guest’ policy requires that devices have antivirus software running, and antispyware installed.

Security Compliance

 

Administrators can define any number of security policies based on the needs of their various user groups. In the example below, policies have been created for BYOD, Guest, and Secure devices, each with differing requirements.

SecurityPolicies2

 

Apply security policies to Systems Manager profiles

Once policies are defined, they are linked to Systems Manager profiles, which define device restrictions, network settings, content, and more. In the example below, the ‘Exchange’ profile pushes out Exchange settings, and admins can ensure that these settings are only pushed out to Secure-compliant devices.

ExchangeProfile

Apply Systems Manager profiles to the network

Finally, these policies go one step further by integrating with the network group policies. Network group policies define everything from VLANs to firewall rules and content filtering policies. The example below shows a ‘Corporate’ group policy with a layer 3 firewall rule allowing access to corporate resources.

CorporateGroupPolicy

Prior to Systems Manager Enterprise, administrators needed to keep track of which users and devices met security requirements before granting access to LAN resources. Systems Manager Enterprise allows group policies to be dynamically applied to the network, the same way we can dynamically push content and settings to devices within Systems Manager.

The example below is of the ‘San Francisco – Security Appliance’ network. The group policies have been applied to Systems Manager devices and are given a priority, similar to creating access control lists on a firewall. If Systems Manager devices are ‘secure-compliant’ then the ‘Corporate’ group policy from above will be applied. Next, they will receive the BYOD policy if they are tagged with ‘BYOD’. And lastly, if devices are ‘secure-violating’ then they will receive the ‘remediation’ group policy.

 

mdmgrouppolicies

In this manner, administrators can easily apply network access, content, and device restrictions to compliant devices, and remove the same settings from violating devices. With this seamless flow and communication from device to network, enterprise security can be achieved without massive expenditure and load placed on IT teams.

For complete details on network integration and other Systems Manager Enterprise features, check out the product page and the datasheet. We will also be hosting a special webinar where we will take a deep dive into the product and give a live demo of some of the new features. Systems Manager Standard continues to be free for new and existing customers, and to try out Systems Manager Enterprise, sign up for a free 30 day free trial today.

 

Posted in Company Blog | Comments Off on A new player in Enterprise Mobility Management

Supporting next-generation Hotspot 2.0 infrastructure

Every network service provider and carrier in the world is aware of Hotspot 2.0 and its implications for cellular data offload and increased adoption of public WiFi networks. With its inclusion in and the proliferation of Apple iOS7 and Samsung android platforms, providers are just now beginning to see the global mobile device population become capable of automatically associating to carrier hotspots. This is just the beginning of growth: Hotspot 2.0 Release 2 will add automatic provisioning of network selection policies (i.e. the ability to provision mobile devices with Hotspot 2.0 settings over the air instead of being limited to initial factory setup).

Carrier cellular networks are already saturated with data; as each provider begins execution on strategies to implement WiFi offload and capitalize on Hotspot 2.0, they face a number of considerations beyond simple evaluation of Hotspot 2.0 support by AP and vendor. How much capital investment is required to support a pilot, regional, and national deployment? How can an infrastructure gradually scale while maintaining visibility into customer usage and offload. Many wireless access points can support Hotspot 2.0 technology; the Cisco Meraki platform is uniquely suited to deploy and manage regional and national hotspots with minimal capital investment and immediate time-to-market. It is useful to understand the history of hotspots in order to understand how big of a leap forward Hotspot 2.0 and Meraki are for carriers.

hotspot2_0

Hotspot 2.0

Hotspot 2.0 allows users to roam seamlessly from a cellular network (3g/4g) to a WiFi network. Without Hotspot 2.0, clients can switch from cellular to WiFi, but users must manually select an SSID, perhaps click through a splash page, and are provided no assurance on the safety of the target WiFi network. Hotspot 2.0 addresses these limitations providing a simple and secure roaming experience for the user. Hotspot 2.0 allows clients to learn about the target wireless network before connecting: security settings, speed, venue type, free or paid, and most importantly, if the network has a roaming agreement with their cellular provider. Clients no longer have to know which SSID is safe. If the network is partnered with their cellular provider, client devices will automatically connect, bypassing SSID and basic security selection.

Benefits of Hotspot 2.0

The implementation of Hotspot 2.0 brings benefits across the board. Most notably, carriers benefit by offloading ever-increasing cellular traffic. Hotspot 2.0 also provides a mechanism for partners to monetize roaming partnerships with carriers, creating an ecosystem of coverage. Finally, users are a big winner, with access to secure, speedy internet access, especially in areas where cellular coverage is limited due to user density.

Simplifying Hotspot 2.0 deployments

As carriers look to deploy Hotspot 2.0 networks, there are a plethora of non-trivial details to address beyond simply supporting the standard. National deployments require an infrastructure that can scale and be quickly piloted. The Cisco Meraki solution is perfect for doing proof of concepts, rapid deployment, and scaling from 1 to 100, or 10,000+ sites. In fact, the MSP portal is specifically designed to manage a solution just like this. Cisco Meraki’s multi-tenant architecture is fully redundant, secure, and scalable; carriers simply need to deploy the APs. The Cisco Meraki platform also provides the most flexibility for evolving networks. Given that a change to the Hotspot 2.0 deployment could affect hundreds or thousands of access points, the ability to push out a mass configuration update and sync is crucial for network admins.

Just as important as quickly deploying and scaling new hotspot networks, carriers need a mechanism to measure customer adoption in order to be successful. How can network usage be monitored and measured? Cisco Meraki allows for complete visibility of network resources as well as who is using the network, and how much traffic they are using. Partners can retrieve data about users, sites, and load. Data can be zoomed to specific areas, or aggregated across an entire deployment right in the Meraki dashboard, or exported to correlate with a carrier’s customer databases.

The scalability, deployability, and centralized management provided by Cisco Meraki’s cloud architecture uniquely suits the needs of small and nationwide Hotspot 2.0 installations. From rapid deployments to distributed management and customer analytics and visibility, check out how partners are using Cisco Meraki platform to provide managed service offerings and custom-branded dashboards for users.

Posted in Company Blog | Comments Off on Supporting next-generation Hotspot 2.0 infrastructure

Transforming the City of Palma de Mallorca into a Smart Destination

Technology continues to revolutionize the way people interact, shop, and carry out day to day activities. In Mallorca, the City of Palma is taking great steps to integrate technology into the daily operation of its seaside district, which is one of Europe’s most popular vacation destinations with over a million tourists every year. Using Cisco Meraki APs, they are working to enhance the quality of life by providing free wireless to their residents and visitors throughout the Playa de Palma.

People are constantly using their mobile devices to make informed decisions on travel, shopping, food, and to keep up to date on news. However, high data roaming charges often dissuade visitors from using their mobile devices while vacationing, preventing them from learning about special events or unique cultural opportunities promoted online.

In an effort to provide the best possible visitor experience, the City of Palma began looking at new concepts that would provide a more tech-friendly environment for tourists. As a member of the Spanish Network of Smart Cities (RECI), it was crucial for the city to create a framework that built upon the idea of Smart Cities and developed solutions that could be replicated in other cities.

Finding a solution to support millions of users

After reviewing several ideas, the city partnered with MallorcaWiFi to deliver accessible WiFi using the Cisco Meraki cloud networking solution, which provides easy-to-use management of distributed networks via a centralized dashboard. “We’ve been trusting the Cisco Meraki solution for six years and chose it here because we wanted to provide the best possible service: management, capacity, scalability, and adoption of new features,” remarked Mauricio Socias, MallorcaWiFi CEO. MallorcaWiFi’s proposal stipulated that they would not only manage the daily operation of the entire network, but would also carry the complete investment for the project in exchange for advertising contracts with local businesses. Once deployed, the city and tourists would benefit from the wireless at no additional cost.

Blanketing beaches in free WiFi

Phase One of the project, spanning an area of 5 km along the first line of Palma beaches, was completed in just three months. “The installation process with Cisco Meraki was very easy and fast,” said Socias. “Most of the time was spent on the strategic placement of equipment on 15 meter tall lampposts and working on partnerships to place APs on buildings and other structures where service would be provided to the most users.” In areas where the APs would be exposed to extreme environmental conditions, such as humidity, salt, and high temperatures, rugged Cisco Meraki outdoor APs were used. Depending on deployment location and available infrastructure, APs are connected either via Ethernet cable or through an automatic, self-configuring mesh network.

“We’ve been trusting the Cisco Meraki solution for six years and chose it here because we wanted to provide the best possible service: management, capacity, scalability, and adoption of new features.” – Mauricio Socias, MallorcaWiFi CEO

Beachside

MallorcaWiFi is taking full advantage of the 15 different SSIDs available on every Cisco Meraki network for local businesses, organizing public safety, promoting cultural events, and more. Each local business, including hotels and cafes, that chooses to purchase advertising contracts on the wireless is assigned an SSID with a unique authentication method. Companies are implementing custom click-through splash pages or Facebook WiFi login, which enables clients to “check in” to the location to access the free wireless, providing increased brand awareness for the companies. Built-in features allow MallorcaWiFi to shape traffic to restrict access to heavy bandwidth applications, while prioritizing other apps that tourists rely upon.

Making management simple and reliable

With only two technicians and two account managers from MallorcaWiFi ensuring the network’s daily operation, the centralized management provided by the Cisco Meraki dashboard is key. The team’s work is facilitated by numerous built-in features that assist in providing a reliable and secure network environment. For example, RF optimization automatically ensures strong performance on each AP in MallorcaWiFi’s high density wireless environment, maximizing the network performance, while Air Marshall detects and neutralizes wireless threats like rogue SSIDs and malicious broadcasts. Using the web-based dashboard, admins can quickly analyze any problems and troubleshoot remotely, without the need to go on-site. “We work with the dashboard in real time, anywhere, at any time,” notes Socias. “It is simple and very effective.”

Playa de Palma SS

The benefits of increased wireless usage

Since the deployment of the first phase of the project, the City of Palma has seen a steady increase in daily connections, initially at 3,500 daily connections using 1.5 TB of traffic and surging to more than 25,000 daily users now. This influx in wireless usage has benefitted the city in numerous ways, including increases in tourism at cultural sites, awareness of tourist presence throughout the city, and overall public works and safety. Additionally, the placement of the Cisco Meraki wireless solution along the beaches of Playa de Palma provides opportunities for local companies to develop new business practices, increasing revenue and improving visitor experience. “Innovation, adaptation, and trust were important considerations for us when choosing a wireless solution,” said Socias. “The implementation of the Cisco Meraki network has seen unprecedented success in these areas. 95% of users accessing the network are tourists using smartphones, with more than 25,000 unique daily users connected!”

Read the full case study on the Meraki website for even more information and how the City of Palma de Mallorca is benefitting from the installation of Cisco Meraki devices.

Posted in Company Blog | Comments Off on Transforming the City of Palma de Mallorca into a Smart Destination

Calling Meraki partners, new and old

In every way, we seek to make the experience of selling Meraki as simple and enjoyable as possible. These aren’t just words, and today we’d like to share this shining example of our philosophy being put into practice.

pog1

The Cisco Meraki Partner Onboarding Guide is designed to provide a comprehensive introduction to our hugely successful suite of products and software, and answer the most common questions on the minds of those new to our portfolio. For example, do you know how to explain what happens if a network built with Meraki temporarily loses connection the cloud? Do you know how to identify potential customers? How are apps deployed to managed devices using Systems Manager?

You’ll find help with conversation starters, objection handling, positioning within the broader Cisco portfolio, and lead generation tools. There’s also a list of the many useful resources to help deepen your knowledge and become a standout partner.

You can find this great document by logging on to our partner portal, clicking on the Collateral tab and then to the second link under Program Details.

Happy reading.

Posted in Company Blog | Comments Off on Calling Meraki partners, new and old

Spotlight: The Cisco Meraki Free Trial Support Team

While many partners, customers, and tech enthusiasts have heard of the Cisco Meraki Free Trial Program, Free Trial Support and the benefits it offers have not been as widely recognized. “This isn’t just support – we are a different team, dedicated exclusively to being a knowledgeable point of contact for the customer for the entire duration of the free trial,” explained Ryan, the team lead.

free-trial-support-1

Clayton, Sean, George, Ryan, and Vik – the Cisco Meraki Free Trial Support team

To recap, the Free Trial Program allows prospective customers to evaluate every Cisco Meraki product for free in their own environment. Once you have signed up for a trial and your gear has been delivered, the Free Trial Support team will reach out and ask if you are interested in scheduling a set-up call. A team member will work with you one-on-one to help get your equipment running, integrated into your existing network, and tested, all over the phone and around your schedule.

If you decide to take advantage of Free Trial Support, each call is tailored to your unique networking concerns. The team asks what you would like to learn and crafts a custom solution to help evaluate the product. This can be as simple as a walk-through of the dashboard interface or as granular as how to map your specific settings from existing equipment to Meraki.

The team can help integrate Meraki equipment into your network with no downtime or disturbances. “In many cases, people do not want to rip out their firewall to try out some new gear. We can help build a test that is non-disruptive to your current environment,” said George.

free-trial-support-2

This guided tour often touches on the more complex products in the Meraki solution that many people are hesitant about self-testing, such as switches and security appliances.

“What we can show is the Meraki way of doing something that might be considered a difficult task you wouldn’t want to tackle on your own,” said George. “We can explain and show people how easy it is to configure something in minutes that would normally take hours.”

Meraki simplifies many traditionally painstaking aspects of networking, with no loss in functionality. In many cases, it takes someone pointing out just how easy it is for people to believe it. “‘That’s it?’ tends to be the most common question we get during these trials. People think it’s too easy to be true,” said Sean.

“It can be very rewarding when you can imagine a person’s face lighting up on the other end of the line, when they can start to envision how much the solution can simplify their life,” said George. “And when they are so happy about the weekends they’re getting back,” added Sean.

What can you do to prepare for the best free trial experience? “Prepare a network diagram, we will love you,” said Ryan. “Draw out what equipment is plugged into what to help facilitate conversation.”

network diagram

A quick sketch of your network helps guide the call

Furthermore, support from this team does not end with that first set-up call. “We’ll check in multiple times during the course of your trial to ensure your experience is smooth, and we’ll provide all the contact information you need to reach us in the event of questions or trouble,” explained Clayton.

“Our interaction with you doesn’t end with the walk-through,” said Ryan. “You have a technical resource you can call at any time.”

Signing up for the 100% risk-free evaluation is easy, parting with the gear tends to be the difficult part. Physically sending it back is a breeze – the round-trip shipping is on us. However, if you like the product and have it already set up and incorporated into your network, feel free to keep it. So give it a shot, you’ve got nothing to lose!

 

Posted in Company Blog | Comments Off on Spotlight: The Cisco Meraki Free Trial Support Team

OSPF, the Meraki way

When packets need to leave their own subnet to find their destination they need a map to show them the way. These routes can be manually defined using a static route which works great until a manually–defined destination router becomes unavailable, at which point the traffic flow drops. Dynamic routing protocols address this obvious flaw by automatically learning how to reach known destinations, and the most popular of these is known as OSPF (Open Shortest Path First).

As we announced back in June, OSPF is being rolled-out to our Layer 3 switches, so now would seem the perfect time to cover the essentials of this powerful routing protocol. We’ll go on to explore how Meraki has – once again – taken the pain out of configuring and running a complex networking environment comprising multiple subnets.

The first popular dynamic routing protocol used in Local Area Networking was RIP (Routing Information Protocol), which used the simple criteria of hop count (how many routers must I pass through to reach my destination) to select a route, but suffered from inefficiencies and scaling issues. A smarter solution was needed, and OSPF became that solution. Let’s walk through a high-level review of the fundamental components of the OSPF protocol.

Route Selection

Back in the 1950s, a Dutch computer scientist by the name of Dijkstra invented an algorithm which calculates the shortest path between any number of nodes which become ‘neighbors’ once a learning process is complete. This algorithm has many practical uses and has been applied in a number of ways, including robot movements, military planning, and commercial shipping. The key benefit is the ability to take into account a number of criteria when determining the path with the lowest ‘cost’, for example, the speed of flying packages in an airliner versus sending by container ship, the price of fuel, the number of ships which can fit through the available shipping lanes, and so on.

The Dijkstra algorithm applies well to the world of networking, and for this reason it formed the basis for route selection in OSPF when the protocol first emerged at the end of the 1980s. Paths to learned destinations are selected based on bandwidth/link-type or can be manually selected.

Link States and Adjacencies

When a router (or routing switch) enables OSPF it sends out a hello on all interfaces with OSPF enabled. Other routers in the vicinity will receive these and (as long as they’re configured to get along) will then form an ‘adjacency’ with their new neighbor. Once this adjacency is established, routers will then exchange link-state advertisements and learn the common network topology in which they sit. From this they are then able to derive a routing table using the Dijkstra SPF algorithm, enabling efficient communication between subnets.

This ‘link state’ approach is a far more efficient use of network bandwidth than RIP, where entire routing tables are flooded throughout the network regularly. With OSPF, other than a regular hello (heartbeat) packet, only changes in the availability of routers (links) will trigger a refresh of the link state database and the routing table. Timers are implemented for how frequently a hello is sent out by OSPF–enabled routers, and a dead timer is also configurable, depicting when a router should be considered out of service, triggering a respin of the SPF algorithm.

Areas

Another great efficiency of OSPF is its use of areas, essentially logical groupings of routers, the routes from which can be summarized before being passed into other areas. An OSPF domain, or autonomous system, always begins with Area 0, also known as the backbone area. In a relatively small LAN, Area 0 may be all that’s required, but as a network grows, multiple areas can be created around this backbone. The beauty of scaling to multiple areas is that link state updates only need provide information relevant to their own area, without having to know the entire autonomous system’s routes, which saves on bandwidth and CPU cycles on the routers. The topic of areas gets complex and there are multiple types, but essentially they are the way in which OSPF can grow to considerable scale, potentially running an entire global private WAN.

Implementing OSPF the Meraki way

Our engineers and User Interface (UI) designers take great pride in the clean, accessible look and feel of the Meraki dashboard. Incorporating a complex protocol into such a UI was no mean feat, and took some time to get right. The priority was on providing the controls which would enable Meraki–to–Meraki dynamic routing, but also crucially, the ability to interoperate with routers and routing switches from the traditional Cisco family and others.

This screen grab captures all the OSPF settings available. Now that we understand the fundamentals of OSPF, these will make sense:

OSPF Settings

For our more OSPF–savvy readers, Meraki’s implementation is based on OSPF v2 and supports Normal, Stub and Not–So–Stubby area types. Also notice the option for MD5 authentication, which enables routers to securely identify one another prior to forming adjacencies.

Once OSPF is enabled, the network admin will need a way to monitor things, so we’ve enhanced the switch live tools which appear when Layer 3 routing is enabled. Firstly, the routing table will now show which routes have been learned via OSPF (as opposed to statically defined), and the source router ID – a unique identifier within an autonomous system – and switch from which the route has been learned. Where that switch is a Meraki one it will be shown as a hyperlink, enabling the admin to jump straight to that switch’s view:

Routing Table

Finally, the OSPF neighbors can be displayed. Note the search function which exists throughout the Meraki dashboard and greatly assists in quickly locating a desired object:

OSPF Neighbors

We’re looking forward to enabling our customers to supersize their networks. As is always the case with the Meraki dashboard, the look and feel will evolve over time in response to the feedback we receive, particularly utilizing our ever popular Make–a–Wish box.

If you’d like to discuss our OSPF implementation with others, our online community of Meraki users and enthusiasts is a great place to try.

Posted in Company Blog | Comments Off on OSPF, the Meraki way