What do Meraki MR wireless, MS switching, MX security, and MDM products all have in common? Intuitive cloud management, of course. Enhancing any network with just one of these products provides granular visibility and control, but deploying a combination of Meraki product families introduces a whole set of unique benefits.
Just by clicking on the “Network-wide” menu, you can easily view traffic passing through all networks, any event logs and packet captures you wish, network-wide summary reports, and more. It is also simple to configure alerts, group policies, MDM policies, etc. to be distributed through your entire network.
The centralized monitoring provided by the combined view is invaluable to busy network administrators, as there is no need to go in and manage each network separately.
For example, take a look at the image below. You can view and export event logs for MR, MS, and MX networks in one location. The filter menu allows swapping between device types with just a click of the mouse.
This functionality is also available for traffic analytics, clients accessing any part of the network, packet captures, and summary reports.
Each client is given a status which reflects its current or last known connection – handy, and also another way to search through all clients (e.g. is:online or is:wireless).
In addition to convenient monitoring, you can also take action and make quick network-wide configuration changes.
Why deal with hopping between different management consoles when you could make any changes you wish to any device within any network, all from the same page? With a combined view you can define settings for CMX, packet captures, group policies, firmware upgrades, email alerts, new devices, and more, all from the same tab.
View and modify group policies for all of your networks, including MDM
You can grant network administrators full control or read only permissions for the combined network, which apply to all devices within the combined network. You can even tag specific networks and then assign dashboard administrative privileges by tag.
Perhaps you’ve heard about one of our newest feature releases, Network Topology. Combined networks are able to make full use of this intelligent map, which allows administrators to see and export a graphic overview of their logical network topology and the status of any device.
Topology in action
Our mobile device management solution, Systems Manager, is in a cloud-managed network of its own. While it is not yet fully integrated into the combined dashboard, it can be added as a complement to any network, even those without Meraki hardware. Read more about it here to see how simple it is to enroll and manage thousands of mobile and desktop devices.
For an example scenario, detailed menu navigation, combination how-to, and even directions on how to split up combined networks, check out this knowledge base article.
When configuring large distributed networks, small insignificant tasks become time consuming and laborious quite quickly. Meraki cloud managed networking products eliminate a lot of the complexity of this type of deployment with features such as configuration templates and AutoVPN. With configuration templates you are able to rapidly deploy hundreds or thousands of remote sites and connect them together with a VPN in a few clicks.
As we recently announced in our Quarterly update, there have been some enhancements to the features on the MX which allow further automation of multiple site deployments. It is now possible to add firewall rules to your configuration template that are dynamically generated to match the appropriate networks.
A recap on templates
A template is a configuration which can be applied to tens, hundreds, or thousands of MX Security appliances. Networks within a Meraki dashboard Organization can be bound to this template so that they inherit these settings, which then only have to be configured once. If this configuration is no longer required, the networks can be bound to a different template, or reverted to the configuration state they had before they were bound. This reduces monotonous administrative tasks and prevents human error.
One of the advantages of templates is that they can dynamically allocate subnets and IP addresses for each site. In some instances it may be desirable to have identical subnet and IP configurations at each site, but when this is not the case, unique configurations are required per site. Using templates, a network administrator can choose to have subnets and MX interface IPs created automatically, so there is no subnet duplication or IP overlap.
Making security easy
With many retailers taking advantage of Meraki’s solutions for their stores, PCI 3.0 security is an important concern. The Meraki MX’s built-in security features such as anti-malware and Intrusion Detection & Prevention (IDS/IPS) make it simple to deploy a robust security solution. However, there is still a need to configure relevant firewall settings to safeguard payment processing systems in a retail environment, or confidential business data in an enterprise.
The new firewall objects functionality in the Meraki dashboard allows network administrators to summarize detailed firewall configurations and replicate them to many sites with templates. This has a huge impact on the amount of work required: firewall rules are only configured once for the template, no matter how many remote sites you have. In an organization of 500 remote sites, with a simple firewall rule set of only 10 lines, that’s a saving of 490 lines of configuration or 98% less work!
It’s all in the name
When configuring an MX template an administrator will create the VLANs and associated subnets that need to be replicated at each site. The key step in this process is assigning a name to this VLAN. This name is the object identifier that is referenced on the firewall page.
Now when configuring the firewall rules for the template, the name of the VLAN can be selected. This means that no matter what network mask is automatically generated for that site, the firewall rule will reflect the subnet correctly. For example in the screenshots below, ‘home’ and ‘corp’ are referenced as aliases for the actual subnet at that site.
If the firewall rule needs to be specific to a particular host within the subnet, the ‘Add host bits’ button allows you to define a specific host for the site at which this rule applies. Again, this is exceptionally useful in retail environments, where it is common for devices to have specific host addresses. A good example of this is that every cash register on every site could have addresses .5, .6, & .7.
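The name-to-subnet resolution described above can be modelled offline to review what a template rule becomes at each site. This is an added illustration, not Meraki code or dashboard output; the VLAN names (`corp`, `pos`, `guest`), address pools and site names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Endpoint:
    vlan: str                        # VLAN name, used as the firewall object
    host_bits: Optional[int] = None  # None = whole subnet; 5 = the ".5" host

@dataclass(frozen=True)
class TemplateRule:
    policy: str                      # "allow" or "deny"
    src: Endpoint
    dst: Endpoint

def allocate(pools, sites):
    """Give every site its own subnet per VLAN, carved from that VLAN's pool.
    pools maps vlan_name -> (pool_cidr, per_site_prefix_length)."""
    plan = {site: {} for site in sites}
    for vlan, (pool, prefixlen) in pools.items():
        candidates = ipaddress.ip_network(pool).subnets(new_prefix=prefixlen)
        for site in sites:
            try:
                plan[site][vlan] = next(candidates)
            except StopIteration:
                raise ValueError(f"pool {pool} exhausted for VLAN {vlan!r}") from None
    return plan

def overlaps(plan):
    """Return every pair of allocated subnets that overlap (expected: none)."""
    nets = [(site, vlan, net)
            for site, vlans in plan.items() for vlan, net in vlans.items()]
    return [(a, b) for a, b in combinations(nets, 2) if a[2].overlaps(b[2])]

def resolve(endpoint, site_vlans):
    """Turn a VLAN name (plus optional host bits) into this site's CIDR."""
    if endpoint.vlan not in site_vlans:
        raise KeyError(f"template references unknown VLAN {endpoint.vlan!r}")
    net = site_vlans[endpoint.vlan]
    if endpoint.host_bits is None:
        return str(net)
    # Reject the network address, the broadcast address and anything outside.
    if not 0 < endpoint.host_bits < net.num_addresses - 1:
        raise ValueError(f"host bits {endpoint.host_bits} do not fit in {net}")
    return f"{net.network_address + endpoint.host_bits}/32"

def render(rules, site_vlans):
    """Expand the template rules into concrete (policy, src, dst) tuples."""
    return [(r.policy, resolve(r.src, site_vlans), resolve(r.dst, site_vlans))
            for r in rules]

# Constructed sample data: three VLANs, two stores, cash registers at .5-.7.
POOLS = {
    "corp":  ("10.0.0.0/16", 24),
    "pos":   ("10.64.0.0/16", 24),
    "guest": ("10.128.0.0/16", 24),
}
SITES = ["store-001", "store-002"]
TEMPLATE = [
    TemplateRule("allow", Endpoint("pos", 5), Endpoint("corp")),
    TemplateRule("allow", Endpoint("pos", 6), Endpoint("corp")),
    TemplateRule("allow", Endpoint("pos", 7), Endpoint("corp")),
    TemplateRule("deny", Endpoint("guest"), Endpoint("pos")),
]

if __name__ == "__main__":
    plan = allocate(POOLS, SITES)
    print("overlapping subnets:", overlaps(plan))
    for site in SITES:
        for policy, src, dst in render(TEMPLATE, plan[site]):
            print(f"{site}: {policy:5} {src:>16} -> {dst}")
```

The four template lines stay constant while the rendered source and destination change per site, which is the property to check when reviewing a template against segmentation requirements.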
Extensible Firewall Templates are a flexible and easy to use feature for configuring your Meraki networks. From corporate branch sites, to retail outlets and large scale teleworking using the Meraki Z1, templates improve the operational efficiency of the network administrator and allow lean IT teams to respond quickly to business needs on tight deadlines.
Once again, the BETT show proved to be a great kick-off to the year due to the large number of people attending and the sheer size of the event. This year the design team took things to another level, with an elegant and clean stand that stood out from the crowd, nicely reflecting the Meraki products’ sleek appearance and management simplicity.
As we have come to expect from the largest education trade show in Europe, iPad management and MDM was a hot topic at BETT with many visitors to the stand wanting to know more about Meraki Systems Manager. With a wealth of new features added since our last visit to the home of BETT at the Excel centre, it was great to be able to offer even better and easier ways of addressing the needs of schools and educators. A primary example of this is the addition of Apple Device Enrollment Program (DEP) support and dynamic policy application. If you want to find out more then make sure you visit meraki.cisco.com/sm and try it for yourself for free.
One of the great things about BETT is meeting existing Meraki customers, especially those who we met the previous year as prospective customers and have since deployed. In particular it was fantastic to catch up with members of the team from York College. York College was an early adopter of Meraki technology, one of the first higher education customers in the UK. Listening to them talk about their experience over the last three years was a real pleasure. Hear for yourself in the video below.
You may have noticed that the video is a little dark in the interview with York College. Unfortunately, that afternoon there was a total power outage at the Excel center lasting over 10 minutes. For the exhibitors with racks of equipment, servers and appliances running their demonstrations, it was one of those nightmare scenarios. Once again this highlighted the benefits of cloud infrastructure with the Meraki devices coming back online within minutes of the power returning.
Away from the stand, we teamed up with long term UK partner Softcat in the Schools Learn Live Secondary theatre. Here Meraki Technical Evangelist Simon Tompson provided an overview of the unique Meraki dashboard, before handing over to Steve Nesbitt from The Beacon School and Lee Sands from the King Edward VI College. Steve and Lee provided detailed insight into their infrastructure by giving a live demonstration of their respective school’s production networks to a packed theater. Listen to Steve’s segment in the video below.
If you’d like to come meet the Meraki team then please subscribe to the blog, if you haven’t already done so. This way you will find out about upcoming events so you can come and see us when we are next in your part of the world.
Getting ready to attend an event soon? Thinking of providing free WiFi to attract guests to your booth, as well as for general use for booth staffers? With as little as one device and a few minutes, you can create a standout network fit to handle the rigors of the day.
Over the years, the Cisco Meraki team has helped numerous customers set up their main event WiFi infrastructure, including BT and LeWeb. Many venues allow exhibitors to broadcast their own WiFi from their booths, which can be challenging in a congested environment. We’ve put together some recommendations for how you can overcome these challenges and have resilient, high performance WiFi at events.
Using the right devices
Using high throughput, multi-radio APs like the 802.11ac MR34 will allow 802.11ac and 11n clients to operate on the 5 GHz band, while keeping slower 802.11b/g clients on the 2.4 GHz band. These APs have a built-in third radio which provides 24×7 protection from malicious broadcasts, packet floods, etc. while also performing automatic RF optimization.
At most event venues, the environment is going to be heavily saturated with WiFi. The Meraki RF optimization continuously monitors the environment, measuring channel utilization, interference, signals from non-Meraki APs, and more. Based on this information, the AP will automatically adapt its settings for optimal performance.
Setting restrictions early
Having a radio dedicated to RF optimization helps inform the auto channel assignment process that is enabled by default in Meraki networks. This is especially useful if you decide to place more than one AP at your booth for added coverage, in which case the Meraki 8-port switch may be of use to help distribute your stand’s Ethernet drop.
If both staffers and guests will be using the WiFi, it may make sense to create separate SSIDs. For instance, when Meraki attends an event, we rely on an Internet connection to run our product demos. We create a demo SSID dedicated to staffers and an additional SSID dedicated to guests, where bandwidth usage can be shaped as needed.
With limited bandwidth in a highly dense area, it’s essential to define how guests access the network and consume data. Because you are likely providing free WiFi as a way to attract guests to your booth, it may be desirable to create a splash page advertising your business and location at the event. This can be done in a variety of ways, including captive portal, click through splash page, or Facebook Login. Facebook Login requires visitors to “Check In” to your business’ page before accessing the network.
Once guests have accessed your event WiFi, it is key to establish limits on bandwidth usage so that as more users connect, each has an optimal experience. By creating per-device bandwidth limits of ~512 kb/s, users will still be able to have acceptable performance. Keep in mind that you can always loosen these restrictions if usage isn’t as high as expected.
Further configurations can be applied that will deny access to certain bandwidth abusing applications using Layer 7 firewall rules. Or, more precisely, you can set Layer 7 traffic shaping rules that will rate-limit specific applications that are traditionally considered bandwidth hogs. Once these rules are in place, you can relax because the Meraki APs will automatically balance traffic on your network, ensuring guests are receiving the experience you intended.
Analyzing the results
The most important takeaways from live events are the connections you make with the attendees and leads you converse with. While collecting business cards or scanning badges is an effective method for retrieving lead information, there are some tools already built into Meraki devices that can take these analytics one step further.
With CMX (Connected Mobile Experiences) Analytics, you can see the trends of your visitors throughout the day and use this information to tailor your event presence in following days or at other events. Were there particular times of the days where attendance and connection was higher? Were there certain events at the booth where guests stayed longer than other times? You can use this information to tweak your offering and really make the most of your investment at the event.
The Facebook Login method provides benefits during the event: providing details about your business and event location on your Facebook page, gaining “check ins”, word-of-mouth promotion via Facebook stories, etc. This feature also allows you to peruse the Facebook insights platform to learn more about the demographics of your guests and once again change your advertising method depending on your guests’ profiles.
The best part is that once you’ve created this event configuration in the Meraki dashboard, you can re-use or duplicate it within minutes for any future events. There’s no need to redo configurations every time. Not only will this get you up and running quickly, but if an unforeseen event strikes, like loss of power at the venue, your network will come right back without any action on your part once power is restored.
How will you use the Meraki platform to promote your business at your next event? The possibilities are endless…
As many of our readers know, we’re big enthusiasts of feature velocity: we seamlessly update our customers’ Meraki equipment with new features and firmware regularly—at no additional cost or licensing. We document these changes in blog posts and in our product manuals—and there are several resources available for learning about new products and features.
Network topology intelligently maps the physical links of a network.
Additionally, we’ve just released an updated MX Security Appliance sizing guide to account for the speed boost of our newly-released MX64 and MX64W models. We’ve run each appliance through its paces in the lab and modeled different types of scenarios (e.g. “everything on” or “high-bandwidth K-12”) to account for the typical traffic patterns of each case.
The updated Meraki MX Security Appliance sizing guide provides several scenarios for realistic throughput measurement.
So, don’t wait—go take a peek at these great resources (or any of the others you find in the links above), and get up to speed on the latest and greatest Meraki features. Happy reading!
Just a few short weeks ago, the Meraki team launched the first of an exciting new webinar series, the Meraki Quarterly. The purpose of these sessions is to provide our customers with an overview of the product and feature releases that have made the news over the past quarter.
Curious to find out more details about some of the releases covered in the webinar? Check out these highlights:
MX Security Updates
Geographically-based firewall rules – For security reasons, it may be useful to limit which countries your traffic originates from and where it’s sent. In the MX traffic analytics page, you can now view the originating country for traffic and create Layer 7 firewall rules to deny “traffic to/from” or “traffic not to/from” specified countries. (Access this under Configure > Firewall > Layer 7 Firewall Rules)
List update intervals – Meraki MX Security Appliances deliver automatic signature updates via the cloud for added network security, which means you never have to worry if they are up-to-date. However, depending on your connection, it may not be ideal to have hourly updates, for instance, on a cellular link where charges can be costly. Now there’s a way to easily control how frequently the updates occur depending on your needs. (Access this under Configure > Traffic Shaping > List update interval)
DHCP lease live tool – In large networks, keep an eye on DHCP leases in real-time, as well as which ones are about to expire. (Access this in the Live Tools section on the MX overview page)
VLAN object templates – In template-based networks, where every firewall may have a different IP address or a different subnet, it can be difficult to create a firewall rule that doesn’t use a generic network object. We’ve decided to use VLAN names as native network objects; for instance, using the VLAN names, you can block traffic from the VoIP VLAN to the Guest VLAN. In larger deployments, where every location has a different IP range, they would still have the proper firewall capabilities based on the master template. (Access this under Organization > Monitor > Config templates)
MR Wireless Updates
MR32 / MR72 with BLE technology – Just a couple of months ago, we released two new 802.11ac Meraki APs, complete with built-in Beacon (Bluetooth Low Energy) technology, expanding 802.11ac technology to more deployments. The team also released complimentary wireless antennae. Not only are there internal antennas for 2.4GHz and 5GHz bands, a third radio and antenna dedicated to real-time scanning for security threats and RF optimization, and an antenna for Bluetooth, but there are also redesigned WiFi antennas for the outdoor APs.
New features for all APs – Not limited to new hardware, the Meraki wireless team launched a spread of new features across the entire wireless portfolio. From authentication resiliency to flexible bitrate selection to a dedicated site survey mode, these new additions enhance the already robust wireless offering and put more tools in customers’ arsenals.
MS Switch Updates
Port security enhancements – Now when you have a voice VLAN client (i.e. VoIP phones) connected to your switch, you can simultaneously bypass authentication for the voice VLAN device, while requiring authentication for clients connecting through the phone. (Access this under Configure > Access policies > Voice VLAN clients)
Network topology – Creating network diagrams can be a painstaking process that can go out of date just as soon as they’re completed. The new Network Topology feature provides an automatic and dynamic view of your entire network infrastructure, updated and rendered in real-time. Not only can you click into any devices directly from this topology view, but you can also see connection information and trace device routes. This network topology can be quickly exported from dashboard for compatibility with other software, like Visio. (Access this under Network-wide > Topology)
Systems Manager MDM Updates
Evolving MDM – With over 22,000 customers using Systems Manager and covering millions of devices, the Meraki team has been able to identify numerous MDM trends and consequently enable features like the ability to dynamically reassign devices in shared mobile device programs, enhanced BYOD policies, and data security / NAC.
Known user integration – Using Systems Manager Enterprise, customers can tie client identities and policies to existing identity services. With this integration, admins can assign rules, settings, and more to devices based on how they log into the network.
This is only the beginning for this new webinar series, so stay tuned for the next quarterly update! In the meantime, check out what we’ve been up to over the last year…
For the first time ever, we’re providing a significant preview of our security roadmap. Coming to a Meraki MX Security Appliance near you: Intelligent Wide Area Networking (IWAN). That’s right: we’re adding the MX to the Cisco IWAN portfolio.
What is IWAN?
Intelligent WAN (IWAN) is a collection of Cisco technologies and products that provide the security and resiliency of an MPLS network without the cost and complexity. By leveraging inexpensive broadband Internet links, organizations can also gain more bandwidth and speed along with this reliability.
How the Meraki MX will provide IWAN functionality:
There are four main pillars to IWAN: transport independence, application optimization, intelligent path control, and secure connectivity. The Meraki MX already supports some of these. For example, transport independence means any available link can be used to relay traffic efficiently. The MX’s dual-WAN uplinks, VPN, and cellular pathways can already be configured for application optimization and failover if a link suddenly goes offline. The MX also supports secure connectivity through disruptive Auto VPN technology, which enables secure site-to-site VPN in seconds via the Meraki dashboard.
What’s new and upcoming will be dual-active path support for VPN as well as intelligent path functionality, namely performance-based routing (PfR) and policy-based routing (PbR). These upcoming features will allow simultaneous VPN traffic out of both WAN uplinks, as well as intelligent link selection based on factors like latency, loss, or policy.
There have been two significant trends in the management of highly distributed sites: first, applications are moving from the datacenter to the cloud, exerting pressure for more bandwidth; second, remote locations are connecting directly to the Internet rather than tunneling back to headquarters. In short: organizations need cheaper bandwidth that still provides the reliability and security of more expensive MPLS solutions.
These features are ideal for customers who want a lightweight, easily-deployed IWAN solution that is intuitive to maintain. Often, this means organizations managing multi-site deployments with lean IT staff who want to transition away from costly MPLS links for WAN connectivity. These new features will complement the extensive Cisco IWAN portfolio and provide more options for customers.
When will these features become available?
We anticipate that these new features will be accessible for all MX customers, regardless of MX model, this summer (2015)—although we may have some functionality available earlier than that. Please see our IWAN page for additional information or register for an upcoming webinar to learn more!
Meraki enterprise-grade solutions can be used to simplify networking for organizations of any size. From multinational corporations with hundreds of branches to a single-site operation, the deployment possibilities are endless.
One nautical example of Meraki for small business is the Royal Victoria Yacht Club (RVYC) in British Columbia.
The oldest yacht club in Western Canada, RVYC is a bustling hub for sailing, training, moorage, and social events. With 3 buildings, around 1,000 members, and 0 dedicated IT staff, their volunteer committee turns to Meraki for simple, reliable network management.
The Club first adopted Meraki cloud-managed MX60 Security Appliances to protect their LAN. Quickly enamored by the simplicity of dashboard and the granular remote management capabilities, RVYC soon deployed MS220 Switches and MR18/MR66 Wireless Access Points as well. Switches and APs are located in Club buildings as well as in electrical boxes out on docks to provide property-wide WiFi coverage and enhanced visibility into all aspects of their network.
The RVYC: fiber optic cables run under docks to provide WiFi coverage over land and water
RVYC now benefits from many tools provided by Meraki cloud management, including automatic email alerts to inform volunteers about network status, 3-click Auto VPN to securely connect 3 buildings, content filtering for their family-friendly campus, traffic shaping to separate guest and admin traffic, business intelligence provided by CMX location analytics, device enrollment tracking with Meraki MDM, and more.
“All our costs come out of membership dues,” Terry Pettigrew, volunteer IT manager, shared. “We have saved tens of thousands of dollars in time and labor costs with Meraki.”
Intrigued? Learn more about how the Royal Victoria Yacht Club is using the Meraki solution to support a mobile point-of-sale system, automated meter reading, event WiFi, and more by joining us for a live webinar tomorrow at 11:00 am PT: sign up here.
Hope to see you there!
Sea of lights: one of the many events hosted by RVYC
We’re thrilled to announce exciting, first-of-its-kind hardware for our security product line: a comprehensive Unified Threat Management (UTM) box sporting an 802.11ac radio for blistering gigabit wireless. Our brand new Cisco Meraki MX64W Security Appliance for small branch sites clocks in at twice the firewall throughput of our previous model, the popular MX60W, while sporting a slimmer chassis. The MX64W’s two-radio architecture allows dual-concurrent, 2 x 2 MIMO operation and supports both 2.4GHz and 5GHz clients.
The MX64W Security Appliance for small branch sites sports 802.11ac wireless.
The MX64W is ideal for organizations managing multiple small branch locations that want rock-solid security and 11ac wireless (about 3 times faster than today’s 802.11n standard) in a single device.
For those who don’t need the integrated gigabit wireless but still want improved firewall throughput over the MX60, the MX64 delivers the same security and speed boost in a wired-only chassis.
The MX64 Security Appliance for small branch sites improves processing speed over previous models.
Both the MX64 and MX64W support bleeding-edge and market-leading intrusion prevention (IPS) via an integrated Sourcefire engine. IPS is performed via rulesets: pre-defined security policies that determine the level of protection needed. Sourcefire refreshes rulesets daily to ensure protection against the latest vulnerabilities—including exploits, viruses, rootkits, and more—and these are pushed via the cloud to MX customers within an hour, with no manual staging or patching needed.
Combine this threat protection with integrated malware/anti-phishing and cloud content filtering, and network admins have a robust security solution that is easy to deploy and seamlessly maintains itself.
MX64W is ideal for retailers
Retailers looking to gain insight into in-store foot traffic can take advantage of the MX64W’s built-in location analytics platform, included at no additional cost or licensing requirement. Location analytics in the MX64W works just as it does with our MR wireless access points: you can track mobile devices that have their wireless enabled to glean insight into proximity, engagement, and loyalty metrics. You can compare these metrics across store locations from within the Meraki dashboard, or export the analytics data using our API.
CMX location analytics is built into the Meraki MX64W Security Appliance.
Additionally, both the MX64 and the MX64W support integrated Facebook Login that allows guests to authenticate to guest VLANs or networks (wired or wireless) using their Facebook credentials. This provides several benefits: you get access to aggregate and anonymous demographic data Facebook provides about your organization’s Facebook Page and on check-ins — statistics like the age and gender of those groups of people connecting. Also, your organization will be mentioned on guests’ Newsfeeds, providing branding visibility. Finally, Facebook Login provides an intuitive, seamless way to enable guests to access Internet resources.
For more information
The MX64 and MX64W are now available and shipping globally! Please check out our sizing guide and MX datasheet for additional information and details, or feel free to contact us anytime.