This is the fifth in a series of blog posts that focus on wireless technology and security at Cisco Meraki.
Meraki APs are known for their ability to form ad hoc wireless mesh links to one another and then route across those links. This functionality automatically works over large distances and allows customers to extend their LANs.
One might naively think that all that would be required for this type of connection to work is line of sight between the two transmitters. However the physics of electromagnetic wave propagation make this a little more complicated than that. Luckily, a French physicist named Augustin Jean Fresnel (pronounced Fre-nell) worked this out in the early 19th century. In this post we will explain why this is the case.
Ya’ canna change the laws of Physics (Captain)
In order to understand how this works we first have to understand the true nature of the radio waves we use in Wi-Fi. They look like this:
Image credit: NASA
As we can see, all radio waves take the form of the sinusoidal wave that we’re all (hopefully) familiar with from high school mathematics. These radio waves travel in a straight line from the transmitter to the receiver. The complication is that the energy leaving the transmitter does not travel as a single ray: it spreads out at an angle, so some of it takes paths that are longer than the direct one. This beam spread can be seen in the 5 GHz radiation pattern of the Cisco AIR-ANT2513P4M-N antenna, which is compatible with Meraki’s outdoor access points and is used in highly directional applications, as shown below:
Taken from – https://www.cisco.com/c/en/us/td/docs/wireless/antenna/installation/guide/ant2513p4mn.html
If the radio waves encounter no obstacles, they simply keep going until they have lost their energy. In an urban environment, however, they are likely to strike a surface that reflects them towards the receiver along a longer path, so the reflected copy arrives “out of phase” with the direct wave. If the reflected wave lags the direct wave by half a wavelength (or an odd multiple of half a wavelength), the two largely cancel and the received power drops. This is called “phase cancellation.” It works like this:
This results in a loss of signal because the two waves combine with one another, as illustrated below:
What Monsieur Fresnel did was calculate how far out of phase the reflected signals would be for a series of ellipsoidal regions (rather like a sausage shape) surrounding the direct path between the transmitter and receiver. There are infinitely many such zones, but for the purposes of point-to-point radio, and hence Wi-Fi links, only the first three matter. These zones are illustrated below:
Reflections from the first and third zones have the cancellation effect shown above, whereas reflections from the second zone actually add to the direct signal. This simply means that in order to maximize the signal we need to keep the first Fresnel zone as clear of obstructions and reflecting surfaces as possible. The most widely accepted guidance is that the first Fresnel zone must be 60% clear, i.e., at any point between the transmitter and receiver an obstruction may intrude no further than 40% of the zone’s radius, measured inward from the zone’s edge, leaving at least 60% of the radius clear either side of the direct line of sight, like this:
If you need to calculate what the Fresnel zone would be for your point-to-point Meraki wireless connection then all you need is this, or if you have a few hours to spare you can derive the equations from first principles.
As long as we follow this pretty simple rule for point-to-point links, it’s all smooth sailing, right? Well, there is one more thing to consider, and this may come as a shock to Kyrie Irving (even though he was just trolling): the curvature of the earth can also be an obstacle.
Once a point-to-point link is longer than about 7 miles, the bulge of the earth itself can intrude into the 60% boundary we discussed above, as shown below:
To mitigate this effect, the mounting heights of the transmitter and receiver become very important, especially when you are trying to bring network service to remote areas without cellular coverage for interesting use cases.
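As an added worked example (not from the original post), here is the Fresnel-radius and earth-bulge calculation carried through in Python. The formulas are the standard ones: the n-th zone radius r_n = sqrt(n λ d1 d2 / D), rewritten for distances in km and frequency in GHz so the constant becomes 17.32, and the earth bulge d1 d2 / (2 k R) above the chord between the two sites. The 4/3 effective-earth-radius factor, the flat terrain, the 0.1 km step and the link values in the usage section are assumptions for illustration.

```python
import math

EARTH_RADIUS_KM = 6371.0
K_FACTOR = 4.0 / 3.0       # effective-earth-radius factor for a standard atmosphere (assumption)
CLEARANCE_FRACTION = 0.6   # the "60% of the first Fresnel zone must be clear" rule


def fresnel_radius_m(d1_km, d2_km, freq_ghz, n=1):
    """Radius in metres of the n-th Fresnel zone at a point d1 km from one
    antenna and d2 km from the other.  r_n = sqrt(n * lambda * d1 * d2 / D);
    with distances in km and frequency in GHz the constant works out to 17.32."""
    return 17.32 * math.sqrt(n * d1_km * d2_km / (freq_ghz * (d1_km + d2_km)))


def earth_bulge_m(d1_km, d2_km, k=K_FACTOR):
    """Metres by which the earth's surface rises above the straight chord
    joining the two antenna sites, at a point d1 km from one end and d2 km
    from the other.  k > 1 models the slight downward bending of the ray."""
    return 1000.0 * d1_km * d2_km / (2.0 * k * EARTH_RADIUS_KM)


def path_clearance(link_km, freq_ghz, h_tx_m, h_rx_m, obstacles=(), step_km=0.1):
    """Walk the path and return (worst_margin_m, distance_from_tx_km).

    The line of sight is interpolated between the two antenna heights, which
    are taken above flat terrain.  At each point the height available must
    cover the earth bulge, any obstacle there, and 60% of the first Fresnel
    radius; a negative margin means the 60% zone is intruded.  `obstacles` is
    a sequence of (distance_from_tx_km, height_m) pairs.
    """
    worst = (math.inf, 0.0)
    steps = int(round(link_km / step_km))
    for i in range(1, steps):
        d1 = i * step_km
        d2 = link_km - d1
        los = h_tx_m + (h_rx_m - h_tx_m) * d1 / link_km
        obstacle = max((h for d, h in obstacles if abs(d - d1) < step_km / 2), default=0.0)
        needed = (earth_bulge_m(d1, d2)
                  + obstacle
                  + CLEARANCE_FRACTION * fresnel_radius_m(d1, d2, freq_ghz))
        margin = los - needed
        if margin < worst[0]:
            worst = (margin, d1)
    return worst


if __name__ == "__main__":
    # Constructed scenario: an 11.3 km (about 7 mile) 5 GHz link with 10 m masts
    # at both ends, then the same link with a 5 m obstacle 4 km from the transmitter.
    clear, where = path_clearance(11.3, 5.0, 10.0, 10.0)
    print(f"open path: worst margin {clear:+.2f} m at {where:.1f} km")
    blocked, where = path_clearance(11.3, 5.0, 10.0, 10.0, obstacles=[(4.0, 5.0)])
    print(f"with obstacle: worst margin {blocked:+.2f} m at {where:.1f} km")
```

At the midpoint of the 7 mile link the first Fresnel radius at 5 GHz is about 13 m, so the 60% rule demands 7.8 m of clearance, and the earth adds a further 1.9 m of bulge; 10 m masts leave only a few tens of centimetres to spare, and a single 5 m obstacle near the path pushes the margin well negative.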
Even though Meraki APs will automatically create point-to-point links with one another, we still need to be careful when implementing the service. Meraki magic still has to obey the laws of physics.
Here at Meraki, we have a plethora of snacks, candies, and sweets to choose from. So I was mortified when I found that my special gluten-free and vegan cookies had been snatched from my desk!
I was determined to find out who the culprit was. I went out and bought a traditional security camera, and after hours of reading the manual, harassing our technical engineering team, running cables, and setting up an NVR, I finally had the camera ready to go. I brought in more cookies, left for an all-day meeting, and recorded the scene of the crime all day — only to realize I was going to have to watch the entire day’s worth of footage to figure out who took my cookies. Since my boss didn’t classify finding the cookie culprit as a high priority project, I was stuck yet again.
Luckily, there is a new, much easier way to find thieves, hooligans, and cookie-snatchers, with very little detective work required. With Meraki MV security cameras, you can view video footage through the intuitive, web-based Meraki dashboard from anywhere. Using the Motion Search and heatmap features, quickly and painlessly find important moments in video footage in just a few clicks.
So, I borrowed an MV security camera from the product team, plugged it in, and voila! After collecting a day’s worth of footage, I just logged into the dashboard, retroactively selected the area around the cookies, and was instantly presented with only the footage that showed movement around that area. Even with his sneaky disguise, I caught the offender.
Our customers also use Meraki MV security cameras in creative ways. The city of Fayetteville, AR, uses MV in government buildings across the city to protect its workers and residents and solve for unique business challenges. They can easily identify who tracked mud into City Hall, which carriers delivered damaged packages, and what sports equipment needs to be replaced in the city gym. Once cameras are deployed in the parking garages, they plan to monitor traffic patterns to see when the garage is most utilized, and make adjustments accordingly. Better yet, the IT team can provide dashboard access for specific cameras to building managers and security guards, so they can monitor and search video footage as they see fit, without any training or technology experience.
All of this has freed up the IT team to focus on deploying more cameras and participating in more impactful projects. They currently have 61 indoor and outdoor cameras deployed, with many more scheduled to deploy over the next couple of years. Read the full City of Fayetteville case study here.
A little over a year ago, Cisco Meraki launched a brand new product category and expanded its portfolio to include security cameras. The introduction of MV brought a revolutionary architecture to the physical security world, placing video storage and processing onboard each camera. Today we are announcing MV12, representing the next leap forward in security cameras and advanced video analytics.
Unlike many other video analytics solutions that require bulky servers, expensive software, and oftentimes dedicated camera hardware to operate, MV12 stays true to Meraki’s core values by offering an all-in-one solution. By taking advantage of the same class of processor that powers many of the world’s smartphones, and placing one in every single camera, the heavy lifting of analyzing video happens at the edge, not in the cloud or on a server.
What does this mean in terms of functionality? At launch, MV12 will already be implementing machine-learning-based computer vision, which is just a fancy way of describing the cameras’ ability to detect people (not to be confused with “facial recognition,” which ties images to unique identities) and get more accurate over time. MV12 uses this functionality as the foundation for tools like people counting. But best of all, this is just the starting point for a multitude of functionalities that can be implemented on the MV12 platform.
Plus, the same standard license introduced with MV21 and MV71 gives users access to every part of the dashboard, providing not just the analytics piece but also the ability to configure, manage, and monitor a global deployment of cameras from anywhere in the world. This makes MV12 extraordinarily scalable, efficient, and cost effective for a multitude of deployments.
The new product family also brings an exciting laundry list of additional hardware features and enhancements:
Managing mobile devices is an increasingly daunting task for many organizations, as needs evolve from basic app and content management to protecting data and networks, setting granular policy configurations, meeting compliance standards, and managing user identity. As demands on IT teams increase, device management products like Cisco Meraki Systems Manager have evolved to include the capabilities needed to support the full cycle of device management.
The term Enterprise Mobility Management (EMM) has been used to describe the latest evolution of mobility management: products that also provide policy and configuration management tools for applications and content. In today’s market, there are many EMM products, and organizations may find it difficult to compare functionality and features between competing offerings.
By providing a platform for peer reviews, Gartner’s Peer Insights Customers’ Choice program allows customers to anonymously review and rate the many EMM products on the market in four categories: Evaluation and Contracting, Integration and Deployment, Service and Support, and Product Capabilities.
Gartner Peer Insights reviews constitute the subjective opinions of individual end-users based on their own experiences, and do not represent the views of Gartner or its affiliates.
Gartner Peer Insights Customers’ Choice distinctions are determined by the subjective opinions of individual end-user customers based on their own experiences, the number of published reviews on Gartner Peer Insights and overall ratings for a given vendor in the market, as further described here and are not intended in any way to represent the views of Gartner or its affiliates.
The Gartner Peer Insights Customers’ Choice Logo is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved.
This is the fourth in a series of blog posts that focus on wireless security and technology at Cisco Meraki.
Wireless networks underpin most of our day-to-day activities, all while sharing the same relatively small slice of frequency spectrum. As such, the protocols that dictate how these networks work are exceptionally polite by design, and for good reason: wireless networks, like humans, are half-duplex, meaning only one station or person can talk at any one time.
However, this politeness can also be used against such networks by potential “bad actors.” This post will detail how Cisco Meraki access points help protect our users’ networks from being excessively impacted by such malicious (intentional or otherwise) devices.
How can broadcasting be bad?
You may be asking “why would a network broadcast be a bad thing? On my wired network, protocols use broadcasts all the time,” and you would be correct that broadcasts are seldom a problem on the wired side of the network (though not always). However, as we have previously discussed, wireless is a shared access medium, so if someone were continually talking (see the packet flood discussed below), everyone else would have to wait for them to stop. More importantly, when an access point transmits to a client on a wireless network, it has to transmit at a speed that the client can understand. A broadcast frame has to be decodable by every associated client, so it is sent at the lowest mandatory (basic) data rate configured for the BSS.
This means that when transmitting broadcast (and management) traffic, the access point can only talk as fast as the slowest data rate at which the BSS will accept a client association. If the minimum bitrate setting has been left at its default, an access point will send those frames at up to 150 times slower than its fastest data rate, and leaving it there is not something Meraki recommends.
This can render the 802.11 network unusable, as the access points are always busy transmitting or waiting for the malicious broadcast traffic (if another AP or client is broadcasting). This behavior is often weaponized by bad actors into a DoS attack against wireless networks.
Meraki APs help keep excessive broadcast traffic from the wired network off the wireless medium by enabling Proxy ARP. This means that an access point currently serving a wireless client answers ARP requests for that client that arrive from the wired portion of the network, instead of forwarding them over the air as broadcasts.
Additionally, Air Marshal can alert Meraki network administrators to malicious broadcast traffic that has been seen by the access points in their network, as shown below:
Then, the administrator can investigate the local environment to ascertain and mitigate the source of the malicious broadcasts.
What is a packet flood?
In a similar manner to misusing broadcast traffic, a client or AP could send out large amounts of 802.11 management (beacon, association, and authentication) frames, knowing that an access point is bound by protocol to process and, where appropriate, respond to them. This is akin to an inquisitive toddler peppering their parent with questions, without waiting for a response, over and over again.
As any teacher or parent will know, working in this kind of environment requires either the patience of a saint or the unconditional love of a parent. Alas, for 802.11 networks, access points, whilst being very polite, lack both of these things! As such, when a client behaves in this manner, it is detrimental to the performance of the overall wireless network in much the same way as excessive broadcast traffic.
As with malicious broadcast traffic, Air Marshal will alert the administrator that the access points within their network are seeing this potentially nasty behavior and display the frame type, as shown below:
Then, the administrator can investigate the local environment to ascertain and mitigate the source of the offending frames.
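As an added example covering both the broadcast problem and the packet flood above (this is not Meraki’s or Air Marshal’s code), the following Python does two things: it estimates how much of the channel a stream of broadcast frames consumes at the basic rate versus a higher rate, and it runs a simple per-source, per-second counter over a constructed set of frame records to flag management-frame and broadcast floods by frame type. The airtime model (a fixed 20 µs OFDM preamble plus payload bits, no ACKs or contention), the 50-frames-per-second thresholds and the sample capture are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def frame_airtime_us(payload_bytes, rate_mbps, preamble_us=20.0):
    """Approximate airtime of one frame: a fixed PHY preamble/header (20 us for
    5 GHz OFDM; a 2.4 GHz long DSSS preamble is 192 us) plus the payload bits
    at the chosen rate.  Simplified model: no ACK, SIFS or contention overhead."""
    return preamble_us + payload_bytes * 8 / rate_mbps


def medium_fraction(frames_per_sec, payload_bytes, rate_mbps, preamble_us=20.0):
    """Fraction of each second the channel is busy carrying this frame stream."""
    busy = frames_per_sec * frame_airtime_us(payload_bytes, rate_mbps, preamble_us) / 1e6
    return min(1.0, busy)


def flood_detector(frames, window_s=1.0, mgmt_threshold=50, bcast_threshold=50):
    """Bucket frames per (source, one-second window) and flag sources whose
    management-frame or broadcast counts reach the thresholds.

    `frames` are dicts with ts (seconds), src, dst, type ("mgmt"/"data") and
    subtype.  Returns [(src, kind, count, window_start_s)], where kind is
    "broadcast" or "mgmt:<subtype>", so the alert names the offending frame type.
    """
    buckets = defaultdict(Counter)
    for f in frames:
        window = int(f["ts"] // window_s)
        if f["type"] == "mgmt":
            buckets[(f["src"], window)]["mgmt:" + f["subtype"]] += 1
        elif f["type"] == "data" and f["dst"] == BROADCAST:
            buckets[(f["src"], window)]["broadcast"] += 1
    alerts = []
    for (src, window), counts in sorted(buckets.items()):
        for kind, n in sorted(counts.items()):
            limit = bcast_threshold if kind == "broadcast" else mgmt_threshold
            if n >= limit:
                alerts.append((src, kind, n, window * window_s))
    return alerts


def constructed_capture():
    """Constructed frame records standing in for a real over-the-air capture."""
    def rec(ts, src, dst, ftype, subtype):
        return {"ts": ts, "src": src, "dst": dst, "type": ftype, "subtype": subtype}

    frames = []
    # A legitimate AP beaconing about ten times a second (102.4 ms interval).
    frames += [rec(i * 0.1024, "02:00:00:00:aa:01", BROADCAST, "mgmt", "beacon")
               for i in range(10)]
    # A flooding station: 200 probe requests squeezed into half a second.
    frames += [rec(0.2 + i * 0.0025, "02:00:00:00:bb:02", BROADCAST, "mgmt", "probe_req")
               for i in range(200)]
    # A chatty wired-side host bridged onto the air: 120 broadcast data frames in second two.
    frames += [rec(1.0 + i * 0.005, "02:00:00:00:cc:03", BROADCAST, "data", "data")
               for i in range(120)]
    return frames


if __name__ == "__main__":
    # 400 broadcast frames of 1500 bytes per second: at a 6 Mbps basic rate they
    # occupy roughly 81% of the channel, at 54 Mbps under 10%.
    for rate in (6, 24, 54):
        print(f"{rate:>2} Mbps: channel busy {medium_fraction(400, 1500, rate):.1%}")
    for src, kind, n, start in flood_detector(constructed_capture()):
        print(f"alert: {src} sent {n} {kind} frames in the second starting at t={start:.0f}s")
```

The beaconing AP stays under the threshold while the probe-request flooder and the broadcast source are both reported with the frame type that triggered the alert, which is the information an administrator needs before walking the floor to find the device.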
Other things to consider…
Finally, one other type of network-level transmission that can cause issues in 802.11 networks is multicast traffic. Unlike wired networks, wireless networks typically send multicast flows over the air as broadcast traffic, at the low basic rate described above. To alleviate this, Meraki access points perform IGMP snooping by default, which lets them convert the multicast stream into (potentially multiple) unicast transmissions to the clients that actually subscribed, sent at much higher data rates.
This is essential in classroom environments, where students could be watching a multicast HD video stream as illustrated above.
As with the “evil twin” attack discussed in the previous blog post, these behaviors cannot be prevented outright by an access point that complies with the 802.11 standard, since it is obliged to receive and process the frames sent to it. The Meraki dashboard and access points do, however, provide instant visibility into such threats across an organization.
For more information on Air Marshal and spoofs please see the following additional references:
In a rural public school district in Honesdale, Pennsylvania, Scott Miller, Director of Technology, had a vision: to set up a 1:1 iPad initiative for his students, flip his district’s classrooms, and ensure that every child had the same access to technology no matter their economic background. With a 1:1 initiative, the Wayne Highlands School District IT team knew they could improve student engagement, understanding, and enthusiasm with personalized learning, peer interactions, and new communication methods. But with more than 20,000 students supported by a 10-year-old network, how could Scott make that vision a reality?
With chalkboards and hand-written essays, cramping hands and tired eyes were all too common in schools of yesteryear. But classrooms today are tasked with providing a different learning experience — one that incorporates technology in all aspects to enable more impactful lessons, easier peer review, and new ways of understanding traditional topics. Hector Reyna, CTO at Socorro Independent School District knew this was a priority, but when his district started to explore implementing a 21st-century learning model, complete with digital literacy, collaboration, and problem solving tools, they discovered that their access points and underlying network were not going to make the cut. How was Hector going to provide the foundation for the education his students needed to thrive in today’s digital world?
From four schools in 2013 to 13 by the end of 2018, Ascend Public Charter Schools has rapidly expanded over the last five years to accommodate more teachers, more students, and more opportunities for learning. But the growing pains from exponential expansion quickly became a reality — each school had its own network, with different vendors, separate controllers, and slow VPN connections. The mythical wireless coverage was practically useless, making it hopeless for teachers to conduct digital lessons and preventing students from participating in digital curriculum. Managing Director of Technology, Emeka Ibekweh, knew he needed to consolidate all of the schools’ networks into one and provide adequate coverage, but with what budget?
IT leaders at K-12 schools across the United States face a similar challenge: to provide the best learning experiences for students, even with aging infrastructure and a limited technology budget. Although this challenge is unlikely to fade in the short term, IT leaders can address it today. All three of these districts were able to make their networking dreams a reality with E-rate funding. With funds received through the E-rate program, Wayne Highlands deployed a reliable network to support a 1:1 device program, Socorro implemented district-wide wireless to provide equal access for all of its students, and Ascend rolled out a full network refresh to simplify network management.
As we mentioned earlier this week in our latest launch blog post, we’re thrilled to announce some new features that are coming soon to all Cisco Meraki wireless customers: Wireless Health and RF Profiles (including customizable Rx-SOP settings, which help mitigate co-channel interference in high-density environments).
These features are critical for today’s wireless deployments. We increasingly depend on wireless for our network connection, so it’s imperative that administrators have insights into end users’ experience. It’s also paramount that wireless settings be quickly tailored to different coverage scenarios and that these settings can be pushed across a number of APs.
Wireless Health helps IT teams verify that client devices can access the network as expected and that they have a fast, reliable experience. It does this by looking at all the steps necessary to provide a seamless experience — from associating to an AP, to network authentication, to obtaining an IP address, to hostname resolution via DNS — and displays metrics and anomaly data about each. This allows network administrators to rapidly identify where in this chain of events something is going wrong and to more quickly remedy the issue.
Wireless Health illuminates problematic steps in a client’s path to network connectivity.
There are many, many root causes of problematic connectivity. Among other things, authentication failures can happen when client credentials aren’t accepted by a RADIUS server, when the wrong pre-shared key is used for a given wireless network, or when a misconfiguration or an overloaded server prevents requests from getting through. DHCP failures can occur when a client device doesn’t receive an IP address — either because the DHCP server fails to respond or because there are no more available addresses to hand out. DNS failures can happen if a DNS server doesn’t respond to a client request for hostname resolution. And finally, success is measured not only by whether a client can successfully connect to a network, but also by whether that client can then pass traffic — so Wireless Health also details traffic failure rates.
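As an added example (not Meraki’s code, and not the dashboard’s data format), the following Python shows the kind of per-stage tally that turns raw client connection events into the view described above: it parses constructed association/authentication/DHCP/DNS events, computes attempts, failures and a failure rate per stage, picks out the worst stage, lists the recorded failure reasons, and repeats the tally per access point so the problem can be localised. The key=value log layout, the AP names and the client addresses are all invented for the example.

```python
import re
from collections import defaultdict

# The stages a client must succeed through, in order.
STAGES = ("assoc", "auth", "dhcp", "dns")

# Constructed sample events.  This key=value layout is invented for the
# example and is not the Meraki event-log format.
SAMPLE_EVENTS = """\
2018-02-01T10:00:01Z client=aa:bb:cc:00:00:01 ap=AP-Lobby stage=assoc result=ok
2018-02-01T10:00:01Z client=aa:bb:cc:00:00:01 ap=AP-Lobby stage=auth result=ok
2018-02-01T10:00:02Z client=aa:bb:cc:00:00:01 ap=AP-Lobby stage=dhcp result=ok
2018-02-01T10:00:02Z client=aa:bb:cc:00:00:01 ap=AP-Lobby stage=dns result=ok
2018-02-01T10:00:05Z client=aa:bb:cc:00:00:02 ap=AP-Lobby stage=assoc result=ok
2018-02-01T10:00:05Z client=aa:bb:cc:00:00:02 ap=AP-Lobby stage=auth result=fail reason=radius_reject
2018-02-01T10:00:07Z client=aa:bb:cc:00:00:03 ap=AP-Auditorium stage=assoc result=ok
2018-02-01T10:00:07Z client=aa:bb:cc:00:00:03 ap=AP-Auditorium stage=auth result=ok
2018-02-01T10:00:12Z client=aa:bb:cc:00:00:03 ap=AP-Auditorium stage=dhcp result=fail reason=no_offer
2018-02-01T10:00:09Z client=aa:bb:cc:00:00:04 ap=AP-Auditorium stage=assoc result=ok
2018-02-01T10:00:09Z client=aa:bb:cc:00:00:04 ap=AP-Auditorium stage=auth result=ok
2018-02-01T10:00:14Z client=aa:bb:cc:00:00:04 ap=AP-Auditorium stage=dhcp result=fail reason=pool_exhausted
2018-02-01T10:00:20Z client=aa:bb:cc:00:00:05 ap=AP-Lobby stage=assoc result=ok
2018-02-01T10:00:20Z client=aa:bb:cc:00:00:05 ap=AP-Lobby stage=auth result=ok
2018-02-01T10:00:21Z client=aa:bb:cc:00:00:05 ap=AP-Lobby stage=dhcp result=ok
2018-02-01T10:00:26Z client=aa:bb:cc:00:00:05 ap=AP-Lobby stage=dns result=fail reason=timeout
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn each non-empty line into a dict of its key=value fields plus 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(KV_RE.findall(rest))
        fields["ts"] = ts
        events.append(fields)
    return events


def stage_failure_rates(events, group_by=None):
    """Return {group: {stage: (attempts, failures, rate)}}.

    With group_by=None everything lands in one group called "all"; with
    group_by="ap" (or "client") the same tally is produced per access point,
    which is the drill-down that shows *where* a stage is failing.
    """
    tally = defaultdict(lambda: {s: [0, 0] for s in STAGES})
    for e in events:
        key = e.get(group_by, "unknown") if group_by else "all"
        stage = e.get("stage")
        if stage not in STAGES:
            continue
        tally[key][stage][0] += 1
        if e.get("result") != "ok":
            tally[key][stage][1] += 1
    return {key: {s: (a, f, (f / a if a else 0.0)) for s, (a, f) in stages.items()}
            for key, stages in tally.items()}


def worst_stage(rates):
    """Stage with the highest failure rate; ties go to the one with more failures."""
    return max(rates, key=lambda s: (rates[s][2], rates[s][1]))


def failure_reasons(events, stage):
    """Count the recorded reasons for failures at one stage."""
    reasons = defaultdict(int)
    for e in events:
        if e.get("stage") == stage and e.get("result") != "ok":
            reasons[e.get("reason", "unspecified")] += 1
    return dict(reasons)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    overall = stage_failure_rates(evs)["all"]
    for stage in STAGES:
        attempts, failures, rate = overall[stage]
        print(f"{stage:<6} {failures}/{attempts} failed ({rate:.0%})")
    bad = worst_stage(overall)
    print("worst stage:", bad, failure_reasons(evs, bad))
    for ap, rates in stage_failure_rates(evs, "ap").items():
        print(f"{ap}: {bad} failure rate {rates[bad][2]:.0%}")
```

Note that attempts shrink at each later stage, because a client that fails authentication never reaches DHCP; rates must therefore be computed against the attempts at that stage, not against the total number of clients, or a DHCP problem affecting every client that gets that far will look smaller than it is. In the sample the network-wide DHCP failure rate is 50%, but grouped by access point it is 100% on AP-Auditorium and 0% on AP-Lobby, which points straight at the scope the DHCP server serves there.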
Once a client has successfully connected, Wireless Health displays detailed metrics about network latency, identifying which types of traffic are showing performance problems at various thresholds of performance (measured in milliseconds).
Quickly identify which types of network traffic are experiencing the worst latency problems.
Network administrators can drill down and get granular metrics on latency across their network at the AP level and at the device type level, helping them quickly identify the worst-performing APs and clients.
Latency at the AP level.
Latency by client device type.
These metrics and anomalies are synthesized into a holistic, network-level view that allows administrators to quickly identify networks with problems that require attention.
Wireless Health provides network-level statistics on latency and connectivity.
Each wireless network is a snowflake: it faces its own unique coverage challenges, configuration, and design — no two are exactly alike. It’s common for IT administrators to deploy several APs configured for a specific RF scenario (for example, a large, crowded auditorium) in one location, while needing to configure networked APs elsewhere for a different RF profile (like a small lobby or guest area). The radio settings for these two groups of APs can look quite different even though all of the access points are on the same network.
Enter RF Profiles. This feature allows network administrators to easily customize RF characteristics by deployment and manage diverse MR installations through the configuration of templated radio settings. These settings (which comprise a profile) can then be applied, en masse, to groups of APs. RF Profiles will include predefined templates for typical auditoriums, open offices, and outdoor coverage scenarios to help IT quickly configure wireless settings for maximum performance.
RF Profiles allows radio settings to be easily deployed to all the APs assigned a given profile.
The radio settings that can be configured within a given RF Profile include:
Dual band and single band support for both 5 GHz and 2.4 GHz radios
Minimum mandatory data rates
Minimum and maximum transmit (TX) power levels
Receive sensitivity via Rx-SOP/CCA (802.11ac Wave 2 APs only)
RF Profiles includes a new setting that can be configured: Rx-SOP (Receive Start of Packet). Rx-SOP helps mitigate co-channel interference (when two or more radios use the same channel) in extremely dense environments by allowing an AP to disregard transmissions that do not meet a specified signal strength threshold.
In high density environments with many client devices trying to connect to a wireless network, IT admins typically deploy more APs to increase overall capacity. But adding more APs introduces interference, since the odds that two APs within earshot of each other use the same channel increase. By ignoring received signals below a chosen strength threshold, Rx-SOP lets an AP disregard transmissions from clients of neighboring access points on the same channel, so those transmissions no longer register as channel-busy and no longer make the AP defer its own. The caveat is that the threshold must be chosen with the cell size in mind: set it too high and the AP also becomes deaf to its own more distant clients.
RF Profiles (including RX-SOP) will be rolled out as a free and seamless update for all Meraki wireless customers sometime near the end of February of this year. Wireless Health will also be rolled out as a free update for all wireless customers, and a generally available beta will make its debut next month.
As always, we’re keen to hear your thoughts and feedback, so please drop us a line on social media or leave a comment in our Meraki Community. You can also check out our wireless webinars or visit us at meraki.cisco.com for more information.