The Halloween spirits have been sweeping through our headquarters this week. Sneaking in over auto VPN, flying through the air over WiFi, and streaming down the cabling from our switches, reaching each and every desk in the building.
The results speak for themselves! Here’s the team who delivered yesterday’s record-breaking One-Hour Switching webinar during which we unveiled our exciting new Topology feature…
The office was temporarily invaded by a small army of ghoulish creatures, who actually turned out to be rather tasty!
In one final act of defiance before being shown the door, the spooks had a particularly nasty effect on our MDM Product Manager…
Fear not, we’re busy chasing the last of the nasties away so business can return to normal next week.
Today, we’re thrilled to announce an innovative new feature that makes troubleshooting and support more intuitive, provides even greater visibility into networks, and is available out-of-the-box with no additional configuration or licensing needed: network topology. This feature automatically maps your network deployment, shows direct and redundant links across wired and wireless infrastructure, and is essential for troubleshooting network issues that would otherwise require manual mapping, overlay monitoring software, or keeping track of MAC address tables.
A typical network topology view mapping switches, APs, and a perimeter security appliance.
Network topology is available for all Meraki customers running combined networks with Meraki gear (MS, MX, or MR), or for customers running uncombined switch networks. To reap the full benefits of topology, however, Meraki MS switches should be deployed.
You can find the topology feature in combined networks under Network-wide > Topology in the Meraki dashboard; otherwise, check Monitor > Topology in your uncombined switch network.
How it works
The network topology feature intelligently maps equipment in your network, giving you a hierarchical, physical layout of how your gear interconnects. There are several things you can do with network topology, like searching for network devices by name, tag, or device type to quickly view how equipment is deployed.
Looking at gear in a corporate network tagged “guest,” and running a guest SSID or guest VLAN. Gear not meeting our search criteria is automatically dimmed.
In the topology view, squares represent MX security appliances, rectangles represent MS switches, and circles represent MR access points. Non-Meraki equipment is also detected if it is one hop away (and will appear as an empty diamond); depending on the protocols supported by a non-Meraki device, the topology view may be able to discern LLDP data like model type, IP, and manufacturer.
You can also quickly see alerting or disconnected equipment that may require additional troubleshooting, and (if the alerting device is a Meraki AP, switch, or security appliance), click into that device to troubleshoot further.
An alerting Meraki MS switch, telling us it’s having a power supply problem.
Learning which physical links in your network are most heavily trafficked is also easy; simply hover over individual network links to see that connection’s negotiated speed, usage, and number of directly connected clients using it in the past day. If you are trying to diagnose physical bottlenecks in your network, there is no easier way to find them.
You can even see if either a link or specific switch ports have been blocked by the Spanning Tree protocol (STP) to help prevent data loops.
By default, if entire links have been disabled by STP, they will be hidden from view. If you opt to view all physical links—not just those currently forwarding traffic thanks to STP—all you need to do is select the checkbox to “show redundant links.”
In a nutshell
Network topology is an incredibly useful tool for visibility into—and troubleshooting of—networks.
There is no need to schedule a firmware update to have topology functionality; the tool is now live in the Meraki dashboard.
To have the full functionality described in this post, a Meraki MS switch must be deployed in the network—without switches, visibility will be restricted to devices that are a single hop away from MX security appliances or MR access points.
Topology shows non-Meraki equipment, and depending on the protocols supported, useful information like model, IP, etc.
To sum up, we’re really excited about our new network topology feature and want to hear what you think. Please reach out or make a wish and give us your thoughts!
Meraki’s class-leading cloud networking solution was born out of an MIT PhD research project called Roofnet. To this day we remain passionate about the advancement of technology, with many of our engineers and new recruits coming to us with a background in research.
Continuing in this tradition, the engineering team at Cisco Meraki is excited to announce a new Meetup group dedicated to the hackers of the Bay Area. Cisco Meraki Tech Talks is designed to bring together those interested in distributed systems (like cloud technologies), computer networks and other technologies dear to our hearts.
We’re kicking things off by inviting some of our favorite speakers from recent academic conferences as well as those doing interesting work in industry. Beyond the initial timetabled sessions we’re on the lookout for additional interesting speakers, so if someone comes to mind, please drop us a line.
Oh, and in case the subject matter alone isn’t enough, we’ll also be providing food and drinks at every talk, which will all take place at our beautiful San Francisco headquarters.
We look forward to welcoming you and please spread the word.
Color blindness affects 8% of the male population and 0.5% of the female population. There are many types and degrees of color blindness, but the most common are protanopia (red weakness) or deuteranopia (green weakness), which result in difficulty discriminating between red, orange, yellow, and green. By simulating what the Cisco Meraki dashboard user experience would be for colorblind users, we can immediately see a problem for those who cannot distinguish between red and green.
What dashboard looks like to users with normal vision
What dashboard looks like to colorblind users
Device status and connectivity graphs are almost impossible to read for colorblind users. Luckily, there are some simple changes that can greatly improve this experience. There is now a color assist mode in the dashboard that modifies the green hues to blue in order to allow for clearer distinction in device status and alerting functionality. By navigating to ‘my profile’ at the top right corner of the dashboard, color blind assist mode can be enabled on a per user basis. By hovering over the “enable red/green assist mode” button, we can get a preview of what the changes will be.
Without red/green assist
With red/green assist
With red/green assist enabled, here is what the status and connectivity graphs will look like for colorblind users. The blue status shows all of the devices that are healthy, and the brown/red shows the problem areas.
Colorblind simulation with red/green assist mode enabled
Check it out in the dashboard and keep us posted via the ‘make a wish box’ on ways we can keep improving the Cisco Meraki product experience.
We’re very excited to be featured in the latest episode of Techwise TV, filmed entirely at our San Francisco office and presented by Cisco’s very own “geeks you can trust”. There are interviews with our Product Management and Product Marketing leads, together with a closer look at the solutions and architecture which set Meraki cloud–managed networking apart.
If you’re new to Meraki this will certainly be worthwhile viewing and there’ll be an accompanying workshop on October 23rd in which a real working Meraki network will be built before your eyes.
Google recently disclosed a vulnerability in SSLv3 known as the POODLE bug. SSL is an encryption protocol used to secure data transmitted over the Internet. SSLv3 is a very old version of this protocol, almost 18 years old, and is mainly used in some older web browsers such as Internet Explorer 6 and earlier.
In order to ensure security for users accessing the dashboard from the web, the Cisco Meraki team has disabled support for SSLv3 on the Meraki dashboard and meraki.cisco.com. Those affected will need to upgrade their browser in order to access the dashboard. A list of vulnerable browsers can be found here; anything marked with a red “no” in the TLS 1.0 column is vulnerable. The most recent versions of all major browsers–Chrome, Firefox, Internet Explorer, Safari–all support TLS and will continue to work with the Meraki dashboard and meraki.com.
Meraki servers, infrastructure, and network devices are not affected by this vulnerability. This includes Meraki access points, switches, security appliances, and Systems Manager clients.
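Before turning off SSLv3 on a server of your own, it helps to know which clients would be locked out. The following is an added example, not Meraki code: it reads the `client_version` field of a TLS ClientHello record and reports whether the client offers TLS 1.0 or later, the threshold named above. The function names and the sample handshakes are constructed for illustration.

```python
import struct

# Protocol versions as they appear on the wire.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


class HelloError(ValueError):
    """The bytes are not a complete, well-formed ClientHello record."""


def client_hello_version(record: bytes) -> int:
    """Return client_version, the highest protocol version the client offers."""
    if len(record) < 5:
        raise HelloError("short record header")
    # Record header: content type, record-layer version, length.
    # The record-layer version is often set low for compatibility, so it
    # is NOT the offered maximum; the real value is inside the handshake.
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise HelloError("not a handshake record")
    body = record[5:5 + rec_len]
    if rec_len < 6 or len(body) != rec_len:
        raise HelloError("truncated record")
    if body[0] != 0x01:
        raise HelloError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    # A hello fragmented across several records is out of scope here.
    if hs_len < 2 or hs_len > rec_len - 4:
        raise HelloError("bad handshake length")
    return struct.unpack("!H", body[4:6])[0]


def survives_sslv3_removal(record: bytes) -> bool:
    """True if the client can still connect once the server refuses SSLv3."""
    return client_hello_version(record) >= 0x0301


def describe(record: bytes) -> str:
    version = client_hello_version(record)
    name = VERSIONS.get(version, "unknown 0x%04x" % version)
    verdict = "ok" if version >= 0x0301 else "must upgrade"
    return "%s: %s" % (name, verdict)


def build_hello(version: int) -> bytes:
    """Constructed sample ClientHello (not a capture) offering `version`."""
    body = struct.pack("!H", version)            # client_version
    body += bytes(32)                            # random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
    body += b"\x01\x00"                          # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version deliberately left at 0x0300 in every sample.
    return struct.pack("!BHH", 0x16, 0x0300, len(handshake)) + handshake


if __name__ == "__main__":
    for offered in (0x0300, 0x0301, 0x0303):
        print(describe(build_hello(offered)))
```

Both the SSLv3-only and the TLS 1.2 samples carry `0x0300` in the record header, which is why the check reads the handshake body instead.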
Like every team at Cisco Meraki, the London-based Meraki Support team has been growing rapidly over the past few years. Providing enterprise-caliber support for customers worldwide requires an exceptional group of diligent, hard-working, and intelligent individuals working together. We recently sat down with Rob, one of Meraki’s support managers, to chat about his early experiences as a part of this group, as well as seeing it grow and develop into a high performance, world-class team.
Harboring an interest in a wide-variety of topics, Rob is a bit of a jack-of-all-trades. He dabbles in all sorts of games, refines his guitar skills during breaks at work and at home, and fosters a deep passion for quantum and astrophysics. When Rob first heard about Meraki, he researched the company quite a bit, learning as much as he could about the products, the employees, and the culture.
With a background in IT administration and an internship in the Cisco Advanced Lab Operations (CALO) program under his belt, the position was a logical fit. Combined with a like-minded culture that would embrace his non-work interests, it wasn’t long before he interviewed for a role in the London Support office and joined the then small but mighty team. In less than a year, he had risen in the ranks, becoming the UK Support team manager.
Initially, Rob’s role focused on working with individual customers to identify solutions to their problems and advise them on configurations to optimize their networks. However, as his role shifted to management, so did his duties. While he still gets to have hands-on interaction with customers, it’s to assist in high priority or escalated cases, offering his experience and knowledge to the team. On a higher level, he now has the opportunity to be a mentor to his employees, optimize processes that benefit the team and customers alike, and ensure that overall operations are running smoothly.
One of the projects he’s most excited about is redoing the existing lab where the team reproduces customer scenarios to better diagnose potential issues. In conjunction with this overhaul, he’s also creating a Cisco training lab in the US and UK. This will permit the various Technical Support Engineer (TSE) teams to practice and earn additional certifications that will allow them to advance their skills and integration knowledge. On-going education, personal development, and training on new technologies are just some of the benefits that Rob strives to provide for his team.
“The culture here is very unique. The TSE’s walk around, chat with each other, and ask questions,” Rob explains. “It allows the entire team to assist with a case in an open and collaborative environment. The customers only see the end result, but the entire team contributes.”
Convinced that Meraki is the best of both worlds – the unique feel of a startup combined with the backing of a corporation like Cisco – Rob’s enthusiasm can be seen daily. “We hire the best. And because we have a collaborative environment, one person’s knowledge instantly makes the entire team more specialized,” says Rob. “It’s a close knit team, you work together on problems, socialize together, play games like foosball or Wii together, have food together. It’s great to be a part of this group.”
The Cisco Meraki Support team is always looking for new members to share knowledge and have fun with, so take a look at the openings on our jobs page!
Educational institutions can easily find themselves between a rock and a hard place: there’s the mandate to deploy greater technology in classrooms, yet the complexity involved—managing mobile devices, licensing, CIPA compliance, and security—can be daunting for schools with lean IT staff, limited time, and several locations to manage.
Deciding which equipment to purchase often boils down to things like appliance cost or which device claims the most features. But these metrics fail to account for intangible expenses that can quickly pile up: lengthy deployment times; the additional costs of complex licensing and support; the time spent configuring, maintaining, and troubleshooting equipment; the cost of erroneous configuration that might expose your network’s flank to attack.
The Cisco Meraki MX security appliance was designed from the ground up to provide a secure, scalable, intuitive solution for protecting a given network, but it also addresses the intangible costs just described. In this post, we’ll highlight a few of the many ways the MX does this.
Rock-solid security that’s easy to deploy
Complex deployment is a security issue. Why? Because if security is hard to install, it’s less likely to get implemented in a timely fashion—and less likely to be configured correctly. Pilot error is no joke; security is hard and usually response times need to be rapid. If you can’t get your security appliance up and running when you need to, it’s like having no security at all.
We took this into consideration: deploying an MX is so simple, you don’t even need to be on-site. If you must quickly configure several MXs to deploy a baseline level of security across campuses, that’s also easy with templates that enable settings to be applied once and then propagated out to all your appliances. You can also securely connect your schools using VPN in mere minutes. Furthermore, MXs do the hard work of keeping themselves running the latest firmware and features, automatically pulling updates from the cloud.
Once your security solution is deployed across your campus, you want it to be easy to manage and maintain. Being able to view security threats, bandwidth abuse, BYOD devices—and then push out tailored policies to address these—is paramount.
With the Meraki dashboard, you can centrally manage all networks, devices, and clients from any Internet-accessible device. It only takes a quick search to discover which devices, operating systems, and users are accessing network resources:
With this visibility, you can push out group-based policies from your MX to block, prioritize, or throttle specific applications, whitelist or blacklist devices, apply specific firewall or content filtering rules, and more.
Speaking of visibility and control: if your school is moving forward with 1:1 initiatives, the MX integrates seamlessly with our mobile device management product, Systems Manager, so you can manage your network and mobile devices from a single, intuitive pane of glass!
In addition to being easy to deploy and maintain, the MX’s integrated IPS offers easily-digested security reports so network admins can see in real time where attacks are coming from, which clients are implicated, and how best to mitigate—no need to parse through complex logs.
Visibility and control comprise only one aspect of reducing network complexity. The MX also simplifies traditional licensing and support paradigms, so security features can be deployed without a lot of fuss. In fact, there are only two MX licensing options: Enterprise and Advanced Security. All technical support and feature/firmware updates are included with each license so you never need to worry about per-user overages or whether you’ll have the right support tier to get a problem solved.
Meraki MX licensing options: Enterprise or Advanced Security.
Improves with age
Here is a point worth highlighting: every Meraki MX investment is future-proofed. Roughly each quarter, new features are released and seamlessly pulled by the MX from the cloud. Most recently, MX customers woke up to discover they had geo-based IP firewall rules, HA warm spare failover, and datacenter failover, among other things, for no additional charge. So when you consider the feature velocity built into every MX, you can rest easy that your security appliance investment will continue to pay off for years to come.
Highlights of the past year’s feature updates for the MX security appliance.
So there you have it: a rock-solid security solution that is easy to deploy and maintain, reduces complexity, and gets better with age! Keep these characteristics in mind as you search for security solutions, and remember that difficult-to-deploy, complex security is itself a hazard.
For additional information on how the MX addresses challenges in the K-12 and educational space, see our MX for Education solution guide and here, and here.
Saxon Energy Services is an international oilfield and drilling services company based in Houston, Texas. They have an expansive global reach, with over 3,800 employees in 13 countries.
All rigs are mobile, and stay in one location for varying lengths of time – anywhere from 1 week to 1 year. Many rigs are in extremely remote areas, with the nearest cell tower at least a half hour drive away.
Saxon set up satellites at these distant sites to connect employees back to headquarters and the rest of the world, but bandwidth overage charges soon started rolling in. They were paying thousands of dollars in overage charges per location per month when they decided to test out the Cisco Meraki MX80 Security Appliance in Alaska. With the bandwidth and traffic shaping features built into every MX, they were able to eliminate the overage charges immediately. “Meraki paid for itself in the first week,” reflected Sheldon Wong, the Network Specialist for Saxon.
After seeing the elimination of overage charges as well as the unprecedented visibility into all of their networks in the Meraki dashboard, Saxon began deploying the MX80 to rigs everywhere.
The MX80 is set up right behind the satellite modem on these mobile rigs. Site-to-site VPN securely connects all sites to headquarters, or to various regional headquarters. From there, the central network provides rigs access to internal resources, such as the virtual platform to order supplies. “It used to take hours to drive to regional headquarters and order supplies,” said Wong. “Now it takes hours for the supplies to be delivered, since we can log in and order them locally.”
The Saxon Network IT team includes Wong and a handful of regional IT staff. With this relatively lean crew and no IT staff aboard the rigs, the ease of management and remote troubleshooting built into the Meraki solution were very attractive features.
“With Meraki, we’re able to manage many more devices and networks in less time than before. We keep sending out equipment to more regions, because as more managers see it, they want it too,” said Wong.
“Now when we get complaints about a slow Internet connection, we can log in and see what’s going on with a particular device,” said Wong. “The live tools in the dashboard are amazing, we can ping to the device and see if it’s something on our end or theirs that is causing the problem.”
Saxon IT now has deep insight into all of their networks, and can make sure that network is being used appropriately. They have customized group policies to specify network access and settings for different types of users, blocked bandwidth abusers, changed admin access settings for different regions of the world, and much more from the web-based dashboard.
“We keep discovering new features along the way,” said Wong. “We were originally intrigued by the traffic shaping and remote management of devices, but then discovered WAN optimization, remembering connected devices, content filtering, addressing VLANs, etc. It’s all great.”
Advanced network control has proven useful for more than just preventing overage charges. The IT team can now allow employees on assignment to reliably connect with friends and family members back home with perks like Facetime and Skype, without maxing out their bandwidth. “I’ve had people come up and say ‘Thank you, you saved our marriage,’” said Wong. “It really helps boost morale on long assignments.”
Want to hear the full story? Register for next Thursday’s interactive webinar, where Sheldon Wong will share his experience with Meraki security, host a live walk-through of his management dashboard, and host Q&A alongside a Meraki technical evangelist. Hope to see you there!
Last week we were very excited to usher in the all new Systems Manager Enterprise into the Cisco Meraki product family. Along with enhanced policy management and end-to-end network and device security, Systems Manager Enterprise offers capabilities that simplify device management for growing networks as users (and their new devices) join an organization.
The first step in scaling a deployment is enrollment. As users enroll their devices in Systems Manager (manually or dynamically as they join a wireless network), the enrollment process can be integrated with Active Directory. This enhances security and cuts down on the number of unknown devices in a network. Before AD integration, administrators needed to manually tie users to their devices. Now this can be done automatically with Systems Manager. Furthermore, AD groups can also be tied to devices, and policies can be automatically applied based on the AD groups. In this blog post we will take a look at how to implement this feature using Systems Manager Enterprise.
Configure AD integration in Systems Manager
First, configure the settings for your AD server in Systems Manager under the Configure > General tab. One or multiple AD servers can be configured. Here is a detailed explanation of how to configure user authentication with Active Directory.
‘Owners’ and ‘Auto tags’ are applied to devices
Now that the AD server is tied to Systems Manager, as users enroll, Systems Manager will query their username and groups from Active Directory. In the Configure > Owners tab as seen below, we can see that the first two users have enrolled with Active Directory as indicated by the ‘AD’ in the type field. The user ‘paul’ is in 3 AD groups: Administrators, Corporate, and Users.
By navigating to the client view of Paul’s device, we can see that the AD groups were also created as ‘Auto tags’. On this page, we can also see that the ‘Owner’ has been automatically assigned to the AD username ‘paul’. Having the owner preassigned is helpful for when we want to push out Exchange settings to Paul’s device, as those attributes are already tied to Paul from enrollment.
Dynamically apply policies based on AD groups
Finally, policies are dynamically applied based on the user’s AD groups. By navigating to MDM > Profiles, we have created a ‘Passcode’ profile. When the scope of this profile is defined, we can indicate that only users with the AD group of ‘Corporate’ should receive these settings.
Profiles can be used to define much more than enforcing a passcode. Administrators can set device restrictions, push out WiFi and VPN settings, deploy documents, and more. To test out these features, you can set up trial Systems Manager Enterprise for free, right here.