Come one, come all to the Meraki Quarterly Update! Once every three months, we gather the latest news from our Wireless, Switching, Security, and MDM product specialists and present them to you in a one-hour webinar. What better way to get a condensed update on the latest in cloud networking, straight from the creators?
We will be hosting two webinars for partners and customers at North American-friendly times (keep an eye on the EMEA webinar page for additional sessions). Partners can register in the Partner Portal for the Quarterly Update this Thursday, April 2nd, at 9:00 AM PT. The customer webinar will air on Tuesday, April 7th, at 11:00 AM PT, and you can sign up here.
Ask anybody about their experience of publicly available WiFi of the kind they typically experience in hotels, restaurants and at events, and the response is fairly consistent. It’s not good enough.
There are many potential explanations for this. After all, this is WiFi – a shared, half-duplex technology using the air as the transport medium. Like any radio technology, WiFi is subject to performance-sapping interference and signal attenuation from a myriad of sources. Walls, windows, water coolers, people, the list goes on.
Getting WiFi right requires thorough planning, particularly the all-important site survey, which will help identify appropriate channels, channel widths, power levels and AP/client density. Appropriate planning only grows in importance as the number of connected WiFi devices continues to increase, from smartphones and tablets to newer ‘things’, like remote controlled cameras and thermostats. Until more radio spectrum is available, increasing congestion is inevitable, eating into the impressive throughput potential of newer WiFi standards like 802.11ac. In case you missed the memo, Meraki APs now have a very useful site survey mode to assist.
Once a quality job has been completed on planning and deployments, most of the remaining causes of reduced performance are beyond the control of the network admin. But there is one simple thing every WiFi admin can do to improve things: migrate users, as many as possible, to the far less congested 5GHz band.
It’s simple: the more people, devices and competing technologies trying to squeeze through a single shared pipe, the worse the experience will be for all. The unlicensed 2.4GHz spectrum is that pipe, leading many to refer to it as the ‘junk band’ for WiFi.
Reasons to proactively shift to 5GHz are many:
The typical channel width used in the 2.4GHz spectrum allows for only 3 non-overlapping channels, meaning that in order to avoid interference, APs must be spaced apart with alternating channels. Lower frequencies have greater signal propagation, particularly in open spaces (like concert venues or sports stadiums), so adequate spacing without interference will be more difficult to achieve. In the 5GHz space, there are as many as 24 non-overlapping channels, depending on local regulations and channel width. A well designed network of APs operating in the 5GHz band is far less likely to experience interference from neighboring APs for this reason.
Greater throughput potential
The latest 802.11ac wireless standard, which operates exclusively in the 5GHz band, uses an improved modulation technique which increases throughput for a given pipe (channel) compared to earlier standards. There is also the option to increase the width of the channels (currently up to 80MHz) to increase throughput. This will reduce the number of non-overlapping channels, although in a regular indoor environment the shorter signal propagation of 5GHz signals will mitigate co-channel interference from neighboring APs.
Broad client support
There are certainly still devices supporting only the 2.4GHz WiFi standards (802.11b, g and n). Printers and barcode scanners are common culprits here. However the good news is that the majority of new laptops, smartphones and tablets now contain chipsets capable of either 802.11n or ac. In other words, it’s time to confidently make the leap to 5GHz.
Meraki APs provide the tools to support a smooth migration to greater 5GHz use, without abandoning those devices which are unable to join the party. Perhaps the single most effective step is to configure band steering, which will encourage any device capable of connecting at 5GHz to do so.
Note the new additional setting for minimum bitrate in the 2.4GHz band, another way to ensure best possible performance for newer devices still requiring that band.
Another approach which some Meraki customers choose is to configure one band per SSID. For example, employees or anyone using provided devices, including those centrally managed by the IT team, can be required to use an SSID which only supports 5GHz connections. For everything else, which may include BYOD or guest devices, a separate SSID can be set up using 2.4GHz only (an option our support team will be happy to turn on for any customer wishing to adopt this approach), or dual band with band steering.
If there is a requirement to support both bands in a high density deployment, and more APs are therefore required in a given area, the 2.4GHz radio can be selectively turned off on some APs, leaving 5GHz operational. This allows for a higher AP concentration with less of the co-channel interference issues common on the 2.4GHz band.
With a little planning, your wireless network can be transformed from the traffic chaos in the photo above to something more akin to a racetrack. We look forward to seeing you there!
One of the most popular aspects of the Meraki approach is the ease of deploying and maintaining multi-site networks. This capability is made possible thanks to the centralized, cloud-based architecture we have been operating since we started back in 2006. Configurations can be built within minutes and pushed to thousands of APs, switches and security appliances with just a few clicks of a mouse.
For those setting up and managing hundreds or even thousands of sites, anything which can be automated will improve efficiency and save time, with a consequential real impact on operational expenditure. In this post we’ll explore how configuration templates can be created and used across the full Meraki stack to streamline deployment to multiple locations.
Before diving into the options available, a quick recap of how Meraki defines a ‘network’. These are essentially logical groupings of network components, so for example, a network could comprise one or more APs and switches, or a single security appliance. Alternatively, a network could be a logical group of more than one product type. For example, Meraki has a network it calls ‘Meraki Corp’ which is a container including all APs, switches and security appliances at our headquarters. The one rule to remember is that there can be only one security appliance (MX or Z1) in a network.
In no particular order, here are some of the tools which make building and maintaining multi-site networks easier.
Configuration Sync – replicate and compare APs and Security Appliance configurations
This at-a-glance tool, which lives under the ‘Organization’ tab of the dashboard menu, is designed for networks containing either multiple wireless APs or a single security appliance. The tool enables a comparison between one network and one or more others. For wireless networks, the tool enables comparison and synchronization of:
Allowed and blocked devices
Meraki User databases
Note that the target network can be either a configured network, or a tag name, so in the example above we are comparing the configuration for a network called ‘Corporate WiFi’ with APs tagged as ‘home’.
For the security appliances, the tool will compare settings for:
For switch networks, in either standalone (switches only) or combined networks (containing more than one device type), the cloning tool can be used to copy the following attributes between switches of the same type and port count:
Switch port configuration
RSTP bridge priority
In this example, a search has been done for switches of a certain type which are located on the 4th floor of our building, and tagged accordingly. The configuration for the London branch switch will be copied to the 6 switches found by this search.
Configuration Templates – create master templates for APs and Security Appliances
When deploying to multiple sites, maintaining a standard configuration template can be a highly effective time saver. With this approach, a master network is used to create a template – which appears as a special entry in the networks list – and target networks are then bound to this master. Almost all configuration settings are replicated and every time a change is made on the master network this is replicated to all bound networks. The replication process overwrites any configuration settings which have been made at the individual network level, so this is really an ‘all or nothing’ approach.
Once a network is bound to a template, only a subset of configuration options remain. This might include things like AP channel settings, WPA2 personal passphrases, or IP based VLAN addressing. Note the reduced list of menu options here:
More detail can be found in our excellent Knowledge Base article on the topic. We also recently announced an additional feature enabling the creation of extensible firewall templates for our Security Appliances, ensuring that where subnets are shared between locations, firewall rules are automatically adjusted to match their local addressing schema.
Tags and Profiles for managed client devices
The network infrastructure exists to serve client devices, so our hugely popular MDM solution, Systems Manager, also includes tools to assist with logically grouping and configuring large numbers of dispersed endpoints.
Systems Manager tags can be created to group together devices based on any useful criteria. In an education setting it might be useful to have one tag for ‘staff’ and another for ‘students’. Tagging devices as belonging to a specific business function, like ‘sales’ or ‘engineering’, may help to clearly identify a device’s intended purpose.
Once these tags have been established, profiles containing settings, restrictions and apps can be automatically applied by simply assigning them to tags. Tags can be assigned manually, according to a schedule, or as part of their enrollment into MDM. Apple’s Device Enrollment Program takes the scaling potential even further, enabling the assignment of tags from the moment a batch of newly purchased iOS devices is powered-on for the first time.
This approach makes replication of managed settings, restrictions and apps across tens, hundreds or even thousands of managed devices a cinch. Here’s an example showing the deployment of the Evernote app to all devices in the Physics department:
We’re always looking for ways to make the life of the network admin easier. Templates can play a big part in reducing duplicate effort across multi-site networks, and you can be sure we’re not done yet. Stay tuned for more news on configuration templates coming soon!
Some information in this post has changed.
More about Systems Manager licensing is available here.
Today we are excited to announce a new product structure for Systems Manager (SM). We are streamlining Systems Manager from two products to a single product that will now include all advanced features. SM Standard (free) and SM Enterprise (paid) will become just Systems Manager.
Importantly, nothing will change for existing SM Standard users unless they want it to.
What does this mean?
On March 24th, every new Systems Manager customer will be able to access features that were previously available only with SM Enterprise. Systems Manager, complete with all Enterprise features, is free for up to 100 devices, and as was previously the case with SM Standard, support is available through the Systems Manager Support Community.
For existing SM Standard (free) customers, nothing will change, and users can continue to operate Systems Manager exactly as they have before. They will even be able to continue to enroll an unlimited number of devices free of charge.
Customers wishing to expand their new Systems Manager deployment beyond the 100 free devices, or to obtain 24/7 enterprise class phone support, can purchase the required number of device licenses.
As an existing SM Standard customer, what if I want to upgrade?
As of March 24th, if a customer has fewer than 100 devices, they can convert their SM Standard to the new fully featured Systems Manager at no cost. However, we know that many of these customers could have more than 100 devices, and would like access to advanced features and enterprise support.
To enable these existing loyal users to take advantage of these benefits, we will offer a steep discount for those upgrading from SM Standard. This one-time promotional offer is running until June 2015, and brings an unheard-of discount to Systems Manager, which is already one of the most competitively priced and feature-rich MDM offerings on the market.
What if I have questions?
Further information will be released on our blog in the coming days and weeks. Make sure to subscribe to get instant notifications when updates are released.
Following the exciting announcements at Cisco Live! Milan in January, the team will be heading out to Australia for Cisco Live! Melbourne from the 17th to the 20th of March. Members of the product management and marketing teams from San Francisco will be joining the local Meraki team for demos, presentations and labs.
We will be exhibiting at the World of Solutions where there will be live one-on-one demos. Make sure you come by, say hello, and learn the latest from Meraki. It is also an ideal opportunity to meet your regional Meraki representative, if you have not done so already.
Apart from the World of Solutions, there will be a number of labs and presentations throughout the week. Check the Cisco Live! website for availability and registration for the sessions.
LABEN-1001 – Cisco Meraki Hands on Lab: Cloud Managed Networks
Presented by Joe Aronow & George Bentinck
Wednesday 18 Mar 1:00 PM – 2:30 PM
Thursday 19 Mar 2:45 PM – 4:15 PM
Friday 20 Mar 11:15 AM – 12:45 PM
This self-paced lab is designed to introduce you to the full Cisco Meraki suite of products – wireless, switching, security appliances and mobile device management. During this session we will walk through configuration of each product type, demonstrating the simplicity and power of the Meraki cloud managed solution.
BRKSEC-2900 – Cloud Managed Security with Meraki MX
Presented by Joe Aronow
Wednesday 18 Mar 2:45 PM – 4:15 PM
Meraki’s cloud managed networking portfolio includes out-of-the-box capabilities to help administrators secure their network environments. This session will provide an introduction to the Meraki architecture and a deep-dive into the Meraki MX security appliance product line. The presenter will feature a live demo of key features such as Auto VPN, client fingerprinting, identity-based policies, intrusion detection, and more.
BRKEWN-2013 – Cloud Managed Networking with Meraki
Presented by Peter Stephan
Friday 20 Mar 8:45 AM – 10:45 AM
Cisco Meraki’s cloud-managed networking solution provides the tools to implement scalable networks with dramatically simpler management and powerful network visibility. This session will provide an intermediate level of information about the unique Cisco Meraki cloud architecture, and a deep-dive into an entire network stack solution, including the latest 802.11ac offering, expanded switch portfolio, SourceFire enabled security appliance, and complete MDM offering. The presenter will provide live demonstrations and deployment strategies for key platform features including client fingerprinting, layer 7 traffic shaping, location services, integrated MDM, and hybrid cloud / on-premise architecture models.
The blog here at Meraki is one of the cornerstones of our communication channels for customers and partners. With over 450 published articles on topics as varied as product launches and feature announcements or Meraki culture and employee spotlights, the blog is an essential way of staying informed on all things Meraki.
We know thousands of you view the blog every week, but many of these visitors are not subscribers to the blog. With on average three updates a week, it’s easy to miss out on the latest information if you don’t receive notification of a new post.
To help more of our customers and partners stay up-to-date, and to reward existing loyal subscribers, we are announcing a promotion for the month of March. The winner will receive a Meraki MX64W security appliance, the industry’s first 802.11ac UTM device. With blisteringly fast wired and wireless performance, the MX64W can form the core of your small office, or be the home router of your wildest dreams. To make sure you can experience it to its full capability, the winner will also receive a 3-year Advanced Security license along with enterprise support.
To take part in the promotion, all you need to do is subscribe to the Meraki blog by the end of March 2015. If the total number of subscribers at the end of the month is 1,000 or more, we will randomly pick one winner from among all the subscribers. Current subscribers are automatically entered to win. Additional terms and conditions apply; subscription is not necessary to enter.
With just 12 new subscribers a day we can hit the subscriber target. So if you are not already subscribed, what are you waiting for? If you are, then go tell friends and colleagues to subscribe so everyone has a chance of winning by helping us meet our target of 1,000 subscribers.
In 2013, Sheryl Sandberg’s book, Lean In, brought the gender gap and the struggle for women to attain their career goals into a blazing spotlight. Since then, thousands of groups across the globe have been formed, spearheaded by men and women dedicated to closing this gap and encouraging employees to take on new challenges at work and in life.
As a response to the real and genuine concern that individuals are not reaching their greatest potential, employees at Meraki have formed a group with an action plan to educate, empower, and inspire fellow co-workers. Membership took off as soon as the group was announced, and has been growing steadily with employees eager to discuss a variety of topics, including: Why are there so few females in leadership roles? How can employees build more confidence within themselves to reach for more opportunities? How is a healthy work-life balance achieved and maintained?
The benefit of forming numerous small circles is that members can form trust and confidentiality within their individual groups. The format for the circles is based on LeanIn.org’s Centred Leadership Programme. This five-part series is designed to help members lead with impact, resilience, and fulfillment at work and in their personal life. In between circle sessions, members are encouraged to maintain regular communication by sharing thought-provoking videos, articles, etc. This ongoing line of communication ensures that members always have an outlet and are continually provided with inspirational materials to review.
Small group sessions are a great way for Meraki employees to stay connected and receive support from their peers. Larger group sessions with guest presenters and global syncs twice a year will also provide exciting opportunities for the entire group to come together as a collaborative whole.
As a group designed to support, inspire, educate, and encourage each other, it’s exciting to see what the future holds and how we can empower each other to find our respective strengths and reach for our goals.
Based in Tucson, Arizona, El Rio Community Health Center is one of the largest non-profit health centers in the United States. Fourteen distributed locations provide affordable medical and dental care for more than 900 people every day.
El Rio relies on the fully HIPAA-compliant Cisco Meraki solution to keep their widespread network up and running. The El Rio team needs a stable connection at all times to pull up electronic health records in the exam room, securely access internal resources when on call from home, securely manage mobile devices, and more.
The 14 health clinics and administrative buildings of El Rio
A quick snapshot of the El Rio deployment reveals two MX security appliances set up in their data center to serve as the VPN concentrator and firewall for the network. MS switches offer enhanced visibility and per-port configuration on each clinic floor, and MR access points provide reliable wireless coverage for guests and employees in most clinics. Z1 teleworker appliances enable providers to securely utilize internal resources from home using Auto VPN connections. This is especially important for El Rio nurses and home workers who are on call 24/7. Company-owned mobile devices are also enrolled in Systems Manager to keep track of their location, to ensure passwords are enforced, and to make pushing software to all employees a piece of cake.
The El Rio team is now able to provide open-access WiFi for guests in the waiting room, as well as in the birthing center where visitors want to share pictures with loved ones. Warm spare failover helps ensure redundancy for the MX while the Meraki dashboard provides granular insight into network health, with tools such as email alerts and live troubleshooting to instantly address any potential threats.
With a lean networking team of only 3 people, El Rio benefits greatly from the remote troubleshooting and management made possible by the cloud-management platform. They look forward to all the new features pushed out to customers free of charge, a useful perk of the future-proof cloud model. One of the IT members is colorblind, and especially benefited from the new colorblind assist mode revealed a few months ago.
Color blind assist mode in dashboard
“Meraki gives us everything we need. It offers everything we used to do anyway in command line and then adds enhanced visibility at our access layer. It’s saved us a lot of time, and allows us to focus attention on other projects,” said Todd Portz, the most senior member of the El Rio IT team.
To dive into the full El Rio story, the El Rio IT team will host an interactive webinar with a Meraki product specialist on Tuesday, March 10th at 11:00am – register here to learn more about this health center’s deployment and to ask any questions. New attendees also receive a free AP, just for tuning in.
There is a common security challenge often faced by IT administrators: how to keep client devices from communicating with each other. One specific example comes from the hospitality industry, where hotels typically deploy several switches per floor and connect each room to its own switch port; the issue is how to keep guests in one hotel room from snooping or accessing the traffic of guests in another room.
One way to solve this problem is to assign a separate VLAN to every single port—and then use access control lists (ACLs) or upstream firewall rules to prevent traffic between these VLANs. But creating numerous VLANs and rules can be time consuming, unscalable, and overly complex.
The port isolation feature on the Meraki MS switches takes all the pain out of keeping port traffic separate. Once you enable isolation on various switch ports, Layer 2 network traffic will not be forwarded between them. This means you can have a single guest VLAN servicing all hotel rooms, ensure that guests can access the Internet, and still keep traffic between guests in different rooms completely segregated.
To enable port isolation simply navigate to Configure > Switch ports in the Meraki dashboard, select the ports you’d like to isolate, and then edit those ports. There will be an option to select Isolation:
Once a port has been isolated, you can view its status by selecting the individual port via the Monitor > Switches page:
You can even isolate clients effectively across multiple switches (e.g. access through aggregation) so long as you don’t isolate uplink ports. This will allow isolated clients to pass traffic out to the Internet, while preventing clients connected to upstream switches from accessing clients downstream.
Uplink pathways are green; isolated port pathways are orange. In this deployment scenario, all clients are isolated from one another, but can reach the Internet.
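The multi-switch behaviour described above can be checked before rollout with a small reachability model. This is an added example, not Meraki code: the switch names, room names and port numbers are constructed, and it assumes the aggregation switch's ports facing the access switches are isolated while every uplink is left unisolated.

```python
from collections import deque
from itertools import permutations


class Fabric:
    """Constructed model: one guest VLAN, loop-free topology, per-port isolation flag."""

    def __init__(self):
        # (switch, port) -> {"isolated": bool, "peer": host name or (switch, port)}
        self.ports = {}

    def host(self, switch, port, name, isolated):
        self.ports[(switch, port)] = {"isolated": isolated, "peer": name}

    def link(self, a, b, a_isolated=False, b_isolated=False):
        self.ports[a] = {"isolated": a_isolated, "peer": b}
        self.ports[b] = {"isolated": b_isolated, "peer": a}

    def can_reach(self, src, dst):
        """True if a Layer 2 frame from host src can be delivered to host dst."""
        start = [p for p, cfg in self.ports.items() if cfg["peer"] == src]
        queue, seen = deque(start), set(start)
        while queue:
            switch, ingress = queue.popleft()
            ingress_isolated = self.ports[(switch, ingress)]["isolated"]
            for (sw, egress), cfg in self.ports.items():
                if sw != switch or egress == ingress:
                    continue
                # The isolation rule: no forwarding between two isolated ports.
                if ingress_isolated and cfg["isolated"]:
                    continue
                peer = cfg["peer"]
                if peer == dst:
                    return True
                if isinstance(peer, tuple) and peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
        return False


GUESTS = ("room101", "room102", "room201")


def build(agg_downlinks_isolated=True, access_uplinks_isolated=False):
    """Two access switches under one aggregation switch (hypothetical layout)."""
    f = Fabric()
    f.host("acc1", 1, "room101", isolated=True)
    f.host("acc1", 2, "room102", isolated=True)
    f.host("acc2", 1, "room201", isolated=True)
    f.host("agg", 24, "gateway", isolated=False)  # path to the Internet
    for n, acc in enumerate(("acc1", "acc2"), start=1):
        f.link((acc, 24), ("agg", n),
               a_isolated=access_uplinks_isolated,
               b_isolated=agg_downlinks_isolated)
    return f


def audit(fabric, guests=GUESTS, gateway="gateway"):
    """Report guest pairs that can talk and guests that lost the gateway."""
    leaks = [(a, b) for a, b in permutations(guests, 2) if fabric.can_reach(a, b)]
    cut_off = [g for g in guests
               if not (fabric.can_reach(g, gateway) and fabric.can_reach(gateway, g))]
    return {"guest_to_guest": leaks, "no_internet": cut_off}


if __name__ == "__main__":
    print("intended design:       ", audit(build()))
    print("agg downlinks open:    ", audit(build(agg_downlinks_isolated=False)))
    print("access uplinks isolated:", audit(build(access_uplinks_isolated=True)))
```

The second and third runs show the two ways the design fails: leaving the aggregation downlinks unisolated lets rooms on different access switches reach each other, and isolating an uplink cuts every guest off from the gateway.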
In summary, port isolation allows easy, one-click separation of client traffic at the VLAN edge. It allows groups of clients to be logically grouped into a single VLAN (e.g. “Guest”), but keeps their traffic fenced off so that snooping and tampering can be avoided—a win-win scenario!
This feature is now live in our latest switch firmware release, so if you don’t see it in your dashboard, please either schedule an upgrade or reach out to Meraki support for assistance. And, as always, we love to get your feedback on our new features, so please make a wish or reach out to us and let us know what you think.