Archive for June, 2018

Stumptown Coffee Roasters: an MV Case Study

When Portland-based Stumptown Coffee Roasters needed a security camera and monitoring solution for their distributed and rapidly growing operation, they quickly settled on Meraki MV. Stumptown was already using Meraki wireless, switching, SD-WAN, and networking security solutions in their retail environments, so exploring security cameras was an easy decision for Travis Luckey, Stumptown’s former Director of Technology. With their core focus on product quality, Stumptown’s team found real value in having the ability to monitor remote sites and processes while also minimizing the need for onsite visits and troubleshooting. Their cafes and roasting facilities are scattered across the U.S., making centralized management, ease-of-use, and straightforward monitoring from any geographic location key features of the solution they would need.

Original Challenges

  • Stumptown’s headquarters are in Portland, along with some major operations facilities and cafes, but they also have facilities in New York City and Los Angeles, plus a distribution center in Seattle.
  • They needed a solution that would cut down on installation and configuration time while allowing the team to manage the entire operation from a centralized and/or remote location, if needed.
  • Luckey’s team loved the Meraki IT solution and wanted a camera solution with the same benefits.
  • The IT team wanted to be able to give different levels of camera access to various members of the executive, management, and respective operational teams.
  • Existing legacy systems were selected and installed ad hoc by local managers over many years, making it difficult to manage everything.

“Meraki cameras gave us the ability to deploy nationwide and centrally manage a single product platform for security footage.” – Travis Luckey, Director of Technology


An MV71 deployed at Stumptown’s Southeast Portland cafe and roastery location

The Deployment

  • The team installed over 50 indoor and outdoor Meraki cameras.
  • The company has standardized on Meraki cameras for their nationwide deployment.
  • MV cameras are used for both retail security as well as monitoring distribution centers (ten locations in total).
  • Anywhere from two to four cameras were installed at each site alongside a full stack of Meraki networking gear.
  • The IT team loved that there was no DVR infrastructure to install.

“[It’s so easy]…most junior level IT staff are able to do just about all of the configuration and management across our entire Meraki deployment.” – Travis Luckey, Director of Technology


Results

  • A small number of dedicated IT staff are able to monitor locations all around the country with minimal training time.
  • Installation is easy enough that the IT team can stage cameras and then ship them to a non-technical Operations Manager for installation, at which point the IT staff helps walk them through the physical deployment.
  • Both Tier 1 technical staff (IT, technical operations, systems administrators) and Tier 2 non-technical staff (Operations, Retail Managers, and company executives) are able to have differing levels of access to video pertinent to their respective roles.
  • During a footage recovery exercise following a bank robbery near a Stumptown location, administrators were able to pull video footage in a matter of minutes; the police officer told Travis this was one of the easiest footage recovery cases he had ever worked on.
  • The IT team now has full visibility into the full deployment from coast-to-coast and can troubleshoot any potential issues with cameras or the network before they grow into bigger business problems.
  • Firmware and security updates roll out seamlessly, with little to no effort required by Travis’s team.
  • Using Meraki cameras, plus the rest of the Meraki networking portfolio, has changed the Helpdesk staff’s roles dramatically. They spend significantly less time troubleshooting, and more time on new projects. The change has been so dramatic that they have changed their titles to IT Business Partners.

“It was really remarkable how easy it was to troubleshoot a potentially business-interrupting problem. I fell in love with the platform at the moment I realized that.” – Travis Luckey, Director of Technology


To learn more about Meraki MV security cameras and how they provide both physical security and advanced analytics in a single package, check out our catalog of free webinars or get in touch with your Meraki rep today.

Building a more resilient network

We are happy to announce the availability of our MS 10 firmware update for Meraki switches. The update introduces new features that improve the overall security, efficiency, and resilience of your network.

Let’s take a moment to review several of MS 10’s most notable features!


Security: Multi-Auth/Multi-Host

MS 10 introduces 802.1X Multi-Auth and Multi-Host authentication options to Meraki switches.

Multi-Authentication requires each host on a shared port to authenticate individually to gain network access. This per-host login is vital for network security in deployments with many autonomous clients sharing a port.

Multi-Host Authentication allows a single host to open port access for subsequent clients after a single authentication. For example, someone using a desktop with multiple VMs would only need to authenticate once to gain access for all of her virtual machines. This reduces the frustration of needing to log in multiple times when only a single authentication is needed.
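To make the difference between the two modes concrete, here is an added illustration (not Meraki code, and not how the MS switch implements it internally) that models one 802.1X port under each policy and replays the same events on both: a desktop authenticates, a VM on that desktop starts sending, and an unrelated device plugs into the same hub. The MAC addresses are constructed. The security point the model shows is that Multi-Host cannot tell the VM from the unauthorised device once the port is open, so the convenience comes at the cost of per-host accountability; Multi-Auth keeps judging each source MAC on its own session.

```python
from dataclasses import dataclass, field


@dataclass
class AuthPort:
    """Minimal model of one 802.1X-enabled switch port (illustration only)."""
    mode: str                                        # "multi-auth" or "multi-host"
    authenticated: set = field(default_factory=set)  # MACs that passed 802.1X
    port_open: bool = False                          # multi-host: set once any host succeeds

    def eap_success(self, mac: str) -> None:
        """The authentication server accepted this supplicant."""
        self.authenticated.add(mac)
        if self.mode == "multi-host":
            self.port_open = True

    def logoff(self, mac: str) -> None:
        """Supplicant logged off or its session timed out."""
        self.authenticated.discard(mac)
        if self.mode == "multi-host" and not self.authenticated:
            self.port_open = False  # last authenticated host gone: close the port again

    def forwards(self, mac: str) -> bool:
        """Would a data frame from this source MAC be forwarded?"""
        if self.mode == "multi-auth":
            return mac in self.authenticated  # every host judged on its own session
        if self.mode == "multi-host":
            return self.port_open             # one success opens the port for everyone
        raise ValueError(f"unknown mode {self.mode!r}")


def compare_modes() -> dict:
    """Replay the same event sequence on a port of each type (constructed MACs)."""
    desktop, vm_on_desktop, rogue = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "de:ad:be:ef:00:99"
    results = {}
    for mode in ("multi-auth", "multi-host"):
        port = AuthPort(mode)
        port.eap_success(desktop)  # only the desktop ever authenticates
        results[mode] = {
            "desktop": port.forwards(desktop),
            "vm_on_desktop": port.forwards(vm_on_desktop),  # never authenticated itself
            "rogue": port.forwards(rogue),                  # unknown device on the same hub
        }
    return results


if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(mode, outcome)
```

When choosing Multi-Host for a port, the model suggests the compensating control: restrict it to ports where the physical segment is trusted (a single managed desktop), and rely on Multi-Auth wherever an unmanaged device could share the port.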


Resilience: Enhanced Storm Control

Network storms occur when a set of switches endlessly forward packets between themselves, which clogs network bandwidth and causes normal network traffic to grind to a halt.


Enhanced Storm Control provides greater protection against network storms by allowing administrators to set limits on how much bandwidth can be allocated to certain types of traffic. If a storm does occur, the damaging traffic is limited to a percentage of your total bandwidth capacity, so normal traffic keeps flowing.
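The following is an added simulation (not Meraki code, and not the switch's actual implementation) of the per-traffic-type budget described above: each controlled type (broadcast, multicast, unknown unicast) gets a byte budget per one-second window equal to a percentage of the link rate, frames beyond the budget in that window are dropped, and ordinary known-unicast traffic is never touched. The threshold percentages, link speed and frame stream are constructed for the example, not Meraki defaults.

```python
from collections import defaultdict

# Assumed per-type thresholds as a percentage of link bandwidth (constructed values).
DEFAULT_THRESHOLDS = {"broadcast": 1.0, "multicast": 5.0, "unknown_unicast": 5.0}


def storm_control(frames, link_bps, thresholds=DEFAULT_THRESHOLDS, window_s=1.0):
    """Apply a per-window byte budget to storm-prone traffic types.

    frames: iterable of (timestamp_s, traffic_type, size_bytes) in time order.
    Returns {traffic_type: {"forwarded": n, "dropped": n}}.
    """
    used = defaultdict(int)  # bytes already forwarded per (window, type)
    stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for ts, kind, size in frames:
        pct = thresholds.get(kind)
        if pct is None:  # known unicast: not subject to storm control
            stats[kind]["forwarded"] += 1
            continue
        budget = link_bps / 8 * window_s * pct / 100  # bytes allowed per window
        key = (int(ts // window_s), kind)
        if used[key] + size <= budget:
            used[key] += size
            stats[kind]["forwarded"] += 1
        else:
            stats[kind]["dropped"] += 1  # storm traffic above the cap is discarded
    return dict(stats)


def build_sample_frames():
    """Constructed traffic: a broadcast burst, some multicast, and normal unicast."""
    frames = [(i * 0.001, "broadcast", 1000) for i in range(200)]       # 200 kB in 0.2 s
    frames += [(0.5 + i * 0.001, "multicast", 1000) for i in range(50)]  # 50 kB
    frames += [(0.7 + i * 0.001, "unicast", 1500) for i in range(10)]
    return sorted(frames)


if __name__ == "__main__":
    # On a 100 Mb/s link, 1% of bandwidth is 125,000 bytes per second for broadcast.
    print(storm_control(build_sample_frames(), link_bps=100_000_000))
```

Running it on the constructed stream shows the broadcast burst capped at 125 frames in its window while multicast and unicast pass untouched; the same shape of check, with real counters, is what makes a storm visible as a drop count rather than as an outage.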


Resilience: Unidirectional Link Detection (UDLD)

Unidirectional link issues happen when a fiber cable is damaged or misinstalled so that traffic flows in only one direction. Because the far side no longer receives spanning-tree BPDUs, a loop can form that has the potential to disrupt the entire network.

A switch with UDLD prevents this type of loop by shutting down the port where a unidirectional link is detected. This keeps your network stable and more resilient against common causes of fiber-link errors.
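Here is an added simulation (not Meraki code) of the exchange that lets UDLD reach that verdict: each port periodically sends a probe carrying its own identifier plus an echo of every neighbour identifier it has heard, and a port declares the link bidirectional only when the peer's echo contains its own identifier. Breaking one strand of the fibre pair shows which side detects the fault and is err-disabled. Device and port names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UdldPort:
    name: str                                   # constructed identifier, e.g. "SW-A:1/1"
    heard: set = field(default_factory=set)     # neighbour IDs received on this port
    last_probe: Optional[dict] = None           # most recent probe received

    def probe(self) -> dict:
        """The probe this port transmits: its own ID plus an echo of every neighbour heard."""
        return {"sender": self.name, "echo": sorted(self.heard)}

    def receive(self, probe: dict) -> None:
        self.heard.add(probe["sender"])
        self.last_probe = probe

    def verdict(self) -> str:
        if self.last_probe is None:
            return "no-neighbor"  # nothing heard at all: no UDLD peer on this link
        # Bidirectional only if the peer echoes our ID back, i.e. it can hear us too.
        return "bidirectional" if self.name in self.last_probe["echo"] else "unidirectional"


def run_udld(a_tx_ok: bool = True, b_tx_ok: bool = True, rounds: int = 3) -> dict:
    """Exchange probes over a fibre pair in which either strand may be broken."""
    a, b = UdldPort("SW-A:1/1"), UdldPort("SW-B:1/1")
    for _ in range(rounds):
        pa, pb = a.probe(), b.probe()
        if a_tx_ok:          # A's transmit strand works: B hears A
            b.receive(pa)
        if b_tx_ok:          # B's transmit strand works: A hears B
            a.receive(pb)
    verdicts = {a.name: a.verdict(), b.name: b.verdict()}
    # A port that sees a unidirectional link is err-disabled so it cannot feed an STP loop.
    err_disabled = sorted(p for p, v in verdicts.items() if v == "unidirectional")
    return {"verdicts": verdicts, "err_disabled": err_disabled}


if __name__ == "__main__":
    print("healthy:", run_udld())
    print("A cannot transmit:", run_udld(a_tx_ok=False))
```

Note which side acts: when A's transmit strand dies, B hears nothing and simply reports no neighbour, while A still hears B's probes, notices it is missing from B's echo, and shuts its own port, which is exactly the side that would otherwise keep forwarding into a loop.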


Efficiency: Equal-Cost Multi-Path (ECMP)

Meraki switches use OSPF routing, which directs packets along the lowest-cost path to a destination. However, in situations where multiple equal-cost paths are available, some of those paths may go underutilized.

With Equal-Cost Multi-Path (ECMP), traffic is automatically load-balanced across up to 16 OSPF-learned paths, which promotes greater network efficiency.
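The following added example (not Meraki code, and not the hashing the MS switch actually uses) shows the standard way ECMP spreads traffic without reordering packets: hash the flow's 5-tuple and use the result to pick one of the equal-cost next hops, so every packet of a flow takes the same path while different flows spread across all of them. The 16-path cap comes from the post; the next-hop addresses and the flow set are constructed.

```python
import hashlib
from collections import Counter

MAX_ECMP_PATHS = 16  # up to 16 OSPF-learned paths, per the post


def ecmp_next_hop(flow: tuple, next_hops: list) -> str:
    """Choose a next hop for one flow.

    flow is the 5-tuple (src_ip, dst_ip, proto, src_port, dst_port). Hashing the
    whole tuple keeps every packet of a flow on one path (no reordering) while
    different flows spread across the equal-cost paths.
    """
    if not next_hops:
        raise ValueError("no equal-cost next hops")
    if len(next_hops) > MAX_ECMP_PATHS:
        raise ValueError(f"more than {MAX_ECMP_PATHS} equal-cost paths")
    key = "|".join(str(f) for f in flow).encode()
    digest = hashlib.sha256(key).digest()  # any stable hash works; SHA-256 is convenient
    bucket = int.from_bytes(digest[:4], "big") % len(next_hops)
    return next_hops[bucket]


def load_distribution(flows, next_hops) -> Counter:
    """How many flows land on each next hop."""
    return Counter(ecmp_next_hop(f, next_hops) for f in flows)


def sample_flows(n: int = 400) -> list:
    """Constructed flows: many clients in 10.0.0.0/16 talking HTTPS to one server."""
    return [("10.0.%d.%d" % (i // 256, i % 256), "10.200.0.10", 6, 40000 + i, 443)
            for i in range(n)]


NEXT_HOPS = ["10.1.1.1", "10.1.2.1", "10.1.3.1", "10.1.4.1"]  # constructed equal-cost hops

if __name__ == "__main__":
    print(load_distribution(sample_flows(), NEXT_HOPS))
```

Because the choice depends only on the packet headers and the next-hop list, the same flow lands on the same path until the topology changes; that stability is what makes ECMP safe for TCP, and it is also why a single very large flow cannot be split across paths.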


Efficiency: Port Anomaly Detection

Port Anomaly Detection (formerly called Spanning Tree Protocol/LAN Anomaly Detection) encompasses multiple enhancements for identifying and resolving spanning-tree and link issues. With the upgrade, the switch port icon indicates physical link errors and excessive link-status changes (STP issues). The individual switch ports will also display orange or red in the dashboard when these types of issues are detected.
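To show what "excessive link-status changes" and "physical link errors" look like as detection logic, here is an added example (not Meraki code, and the log format is constructed for the example rather than the dashboard's event log format). It parses a few constructed switch log lines, flags any port with five or more link transitions inside a sliding 60-second window as flapping, and flags ports whose CRC error counter crosses a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; this format is invented for the example.
SAMPLE_LOG = """\
2018-06-12T10:00:01Z switch1 port=7 event=link status=down
2018-06-12T10:00:03Z switch1 port=7 event=link status=up
2018-06-12T10:00:06Z switch1 port=7 event=link status=down
2018-06-12T10:00:08Z switch1 port=7 event=link status=up
2018-06-12T10:00:12Z switch1 port=7 event=link status=down
2018-06-12T10:00:15Z switch1 port=7 event=link status=up
2018-06-12T10:00:20Z switch1 port=12 event=link status=down
2018-06-12T10:05:00Z switch1 port=12 event=link status=up
2018-06-12T10:05:30Z switch1 port=3 event=counters crc_errors=412
2018-06-12T10:05:30Z switch1 port=7 event=counters crc_errors=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) port=(?P<port>\d+) event=(?P<event>\w+)"
    r"(?: status=(?P<status>\w+))?(?: crc_errors=(?P<crc>\d+))?$"
)


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["crc"] = int(d["crc"]) if d["crc"] is not None else None
        events.append(d)
    return events


def flapping_ports(events, max_changes=5, window=timedelta(seconds=60)) -> dict:
    """Ports with at least max_changes link transitions inside any sliding window."""
    transitions = defaultdict(list)
    for e in events:
        if e["event"] == "link":
            transitions[(e["switch"], e["port"])].append(e["ts"])
    flapping = {}
    for key, times in transitions.items():
        times.sort()
        start, worst = 0, 0
        for i, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            worst = max(worst, i - start + 1)
        if worst >= max_changes:
            flapping[key] = worst
    return flapping


def error_ports(events, min_crc=100) -> dict:
    """Ports whose latest CRC counter meets the threshold (physical-layer trouble)."""
    latest = {}
    for e in events:
        if e["event"] == "counters" and e["crc"] is not None:
            latest[(e["switch"], e["port"])] = e["crc"]
    return {k: v for k, v in latest.items() if v >= min_crc}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("flapping:", flapping_ports(ev))
    print("crc errors:", error_ports(ev))
```

The two checks separate the two root causes the dashboard colouring hints at: a flapping port points at a loose or failing cable, transceiver or a spanning-tree reconvergence storm, while a steadily rising CRC counter with a stable link points at a bad fibre or copper run.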

More broadly, Anomaly Detection furthers Meraki’s mission of providing in-depth visibility into your network. By providing detection of erroneous network behavior, we help ensure network stability and scalability.


Increase your network’s resilience

If you would like to learn more about MS 10’s improvements, please visit our Knowledge Base or contact us directly.

For a full list of improvements, please log in to your dashboard for more information on:

  • Access Policies
  • Dynamic ARP Inspection
  • Unidirectional Link Detection (UDLD)
  • Storm Control for MS

Software-Defined Government Services

Software-Defined Government Services and the new Managed Services Architecture for Government ICT

by Juan Castilleja, Consulting Systems Engineer, Cisco Meraki [email protected]

For decades, the administrators of the communications and information technology (ICT) infrastructure of the agencies of the Federal Public Administration have acquired, through complex tender processes, private connectivity services between their central and remote offices, Internet links, wired and wireless network infrastructure, telephony, and countless other technology components to support government operations. The technical annexes of those tenders remain focused on describing the characteristics of the technology components, which creates rigidity and an inability to deploy the new services and capabilities that each wave of technology brings during the life of the contract.

Today, citizens and government employees demand that more and more services be available online, driving the digitization of current processes and bringing us new Digital Government services every day.

These Digital Government services (Government Digitization) need to be always online, accessible over private networks and the Internet, through mobile applications, with image and video content, but above all they must be deployed in an agile manner and be flexible enough to adjust to changing conditions and requirements. Under government digitization, government employees, and above all citizens, cannot wait for "IT time" as they did in the past.

On the technology side, we have evolved from dedicated links to MPLS-based virtual private links, and in recent years to virtual, overlay, software-defined networks (SD-WAN). The latter, SD-WAN, has ceased to be a set of laboratory technologies and has reached mass adoption by technology vendors, service operators, and users alike.

All of this leads to a need for connectivity, communications, and computing technologies that are elastic, that is, that grow as demand for the service requires and that adjust their capacity and performance dynamically and automatically. Software-Defined Government Services take advantage of the available private connectivity technologies and broadband Internet offerings, as well as the new elastic network technologies and platforms, powerful yet simple, which are orchestrated and automated centrally through software, making it possible to deliver government services with technology that simply works.

This Architecture changes the paradigms of traditional networks: it abstracts software from hardware and moves the control plane to the Cloud, which allows the creation of virtual overlay networks that are orchestrated and managed centrally in a single view. It consolidates into a single point of management the links, security, and network infrastructure (WAN, LAN, WLAN) of the agency's many remote offices together with its central offices, enabling rapid deployment, bandwidth cost optimization, lower TCO, and simpler operations, along with visibility and analytics that protect the SLAs of services and applications and usability indicators that measure the impact of the contracted services.

The Software-Defined Government Services (SD-GS) Architecture is the cornerstone of a new form of Managed Services for Government ICT, since it enables government ICT administrators to request Public Administration communications and IT services in a simple, automated, and elastic way, with visibility into what is happening in the contracted services.

By changing the paradigms of traditional networks, this Architecture allows information and communications technology tenders to focus on which technology services are required to support the digitization and digital government processes that citizens and government employees demand, setting aside requirements based on technology components and the endless list of protocols and features those components would have to satisfy.

From the Service Operator's perspective, the SD-GS Architecture allows the integration of new last-mile technologies with greater capacity and coverage, as well as a new service portfolio, which broadens what the operator can offer in procurement processes. In addition, the orchestration and automation provided by the cloud-based centralized management architecture enables rapid deployment, cost optimization, lower TCO, and simpler operations, along with visibility and analytics that protect the SLAs of services and applications and usability indicators that measure the impact of the contracted services.

In summary, the Software-Defined Government Services Architecture enables new government services with technology that simply works!

Click here to access the technical documentation (white paper)

Get off on the right foot with Systems Manager Training

We’ve all been there. We purchase a new solution, begin setting it up and doubt sets in – does my approach scale? Is this the right configuration? Will one wrong decision now cost me weeks of work later? If only there was a simple and affordable way to get off on the right foot.

Good news! Cisco Meraki is introducing a free training program for  all customers who purchase a minimum of 200 Meraki Systems Manager licenses. This program gives customers the opportunity to get the most out of Systems Manager right from the start with the help of expert Meraki Systems Manager trainers.

This expert team has seen it all – from questions about integrating Apple’s DEP program to Android Enterprise deployments, supervising devices that are already in the field, protecting point of sale devices, and best practices around securing a mobile workforce or student/staff environment. Take advantage of this team’s knowledge and experience working with with all sizes of organizations across global industries!

Both new and existing Meraki customers that complete a new purchase of a minimum of 200 Systems Manager licenses (per purchase) as of March 1st, 2018 will be contacted by a Systems Manager expert within 30 days of the purchase to schedule a training appointment. This will provide an opportunity for customers to describe their individual needs and deployment considerations and enjoy customized training.

Please reach out to your Meraki sales rep to learn more, or contact us to get started!


All About Auto VPN

By Steve Harrison

Virtual Private Networks (VPNs) have been a mainstay in corporations for the past 20 years. They allow companies, government agencies, and departments to carry potentially sensitive communications over an untrusted network. In the last few years, they have become the transport-independent overlays of most SD-WAN solutions.

The problem is that the configuration of these technologies, and the plethora of phases, modes, and encryption algorithms, means that getting and staying secure can be a laborious task. This is where Auto VPN from Meraki offers a quick and easy way to become—and automatically stay—secure via the cloud.

At Cisco Meraki, we’ve been talking about VPN for a long time. However, up until now, we haven’t described what makes our Auto VPN different from everyone else’s “normal” VPN. In this blog post, we’ll show how our technology takes the hassle out of designing, configuring, and maintaining VPNs.

It started with Punch!

First, before we even think about VPN-ing from one MX to another, we need to know where and, more importantly, how they talk to one another. In order to do this, we leverage a service we call “punch”—we use this because our MX security appliances aren’t necessarily directly connected to the internet. They could be behind another public firewall or deployed in VPN concentrator mode in either a DMZ or data center core network.  

The punch process automatically tries to “punch” its way out to the internet/public IP space through any Network Address Translation (NAT) device. To do this, a technique called UDP hole punching is used (if your Meraki MX is behind an older “NAT-unfriendly” firewall, then we can use a technique called manual port forwarding to get around it). The MXs also use punch (or manual port forwarding) when it comes to tunnel establishment.

After Punch comes registration

The punch process is actually the “client” in a client-server relationship, with the server portion being the “Cisco Meraki VPN Registry.”  The VPN Registry is a service independent of the Meraki dashboard, used to register each MX’s public and interface IP addresses. The Registry then uses some simple logic to understand how to route between the various MXs in an organization (in order to create VPN tunnels). Namely:

  1. Check for match – If the MX’s public IP and the interface IP match, then the MX in question is directly connected to the internet on that WAN interface
  2. No Match – MX WAN circuits with different public IP addresses should route between those public IP addresses directly
  3. Route Initiated – If the two MX’s public IP addresses match, then the MXs in question are in the same private network. As such, they should route to one another via their interface IP addresses

The VPN registry then passes this information to the dashboard.
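The three registry rules above are a small decision procedure, so here they are written out as an added example (not Meraki code, and not the registry's real implementation or data model). Each WAN uplink is recorded as the pair of addresses the post names: the IP configured on the interface and the public IP the registry saw the punch traffic arrive from. The device names and addresses are constructed (RFC 5737 documentation ranges stand in for public addresses).

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class WanUplink:
    mx: str               # constructed device name
    interface_ip: str     # address configured on the MX WAN interface
    public_ip: str        # source address the registry saw the punch traffic come from


def is_directly_connected(u: WanUplink) -> bool:
    """Rule 1: interface IP equals public IP, so no NAT sits in front of this uplink."""
    return u.interface_ip == u.public_ip


def peer_endpoint(local: WanUplink, remote: WanUplink) -> dict:
    """Which address should `local` use to reach `remote`, and why?"""
    if local.public_ip == remote.public_ip:
        # Rule 3: the same public IP means both sit behind the same NAT, i.e. in the
        # same private network, so they reach each other on interface IPs.
        return {"peer": remote.interface_ip, "reason": "same private network"}
    # Rule 2: different public IPs route to each other over the public address. When
    # the remote is NATed, the mapping its own punch traffic opened is what we use.
    reason = "direct" if is_directly_connected(remote) else "via NAT mapping (punch)"
    return {"peer": remote.public_ip, "reason": reason}


def plan_mesh(uplinks) -> dict:
    """For a full-mesh topology, the endpoint each MX uses for every other MX."""
    plan = {}
    for a, b in combinations(uplinks, 2):
        plan[(a.mx, b.mx)] = peer_endpoint(a, b)["peer"]
        plan[(b.mx, a.mx)] = peer_endpoint(b, a)["peer"]
    return plan


# Constructed registry entries.
HQ = WanUplink("MX-HQ", "203.0.113.10", "203.0.113.10")       # directly on the internet
BRANCH = WanUplink("MX-Branch", "10.50.0.2", "198.51.100.7")  # behind the branch firewall's NAT
DC1 = WanUplink("MX-DC-1", "10.9.0.11", "203.0.113.50")       # two concentrators in one DC,
DC2 = WanUplink("MX-DC-2", "10.9.0.12", "203.0.113.50")       # both behind the same NAT

if __name__ == "__main__":
    for pair, peer in sorted(plan_mesh([HQ, BRANCH, DC1, DC2]).items()):
        print(f"{pair[0]} -> {pair[1]} via {peer}")
```

The interesting case is the pair of concentrators: rule 3 keeps their traffic inside the data centre on interface addresses instead of hairpinning through the shared NAT, and an operator checking a failed tunnel can apply the same three rules by hand to the two addresses the registry recorded.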

Then the (Meraki) magic

Not only does the dashboard now know how to route between all the MXs in the organization, it also knows how many WAN paths each MX has, as well as the desired VPN topology. All of this together means that the dashboard magically knows:

  • Who to build tunnels to and, more importantly, how to route
  • Which IP subnets are accessible via which remote MX
  • How to route to an indirectly connected (i.e., one without a direct tunnel) MX
  • That both sides of the communication are entirely trusted and authenticated, as they are both authenticated, authorized, and managed by the dashboard

The above traditionally took days or weeks of careful planning and the provisioning of static IP addresses, route-maps, and tunnel parameters. Then, this would have to be configured into all the routers that form part of the organization (usually outside of working hours), eating up time and money. Also, routers normally have to perform a special secure handshake with one another to verify that each is who it claims to be and to establish a secure channel over the insecure medium between them.

The Auto VPN on the MX has two key benefits over the technologies traditionally used:

First, on the MX all of the above “magic” happens within the first 30 seconds of an MX powering up, or is there by default as both sides are managed “automagically.”

…but before continuing, we have a little myth-busting to do: there is no such thing as a completely secure encryption algorithm, as Alan Turing and company at Bletchley Park proved. In order to stop people from seeing your information, you need to regularly change the keying material the encryption algorithm is using.

The only way to do this effectively is to continually update the keying material your encryption algorithm uses to turn your information (plaintext) into ciphertext. This means that periodically you should change the keying data on every router. This keying material should be unique on a per virtual path basis; you can see that this is a massive task fraught with many misconfiguration dangers.

This is the primary reason a lot of organizations with such setups simply “set and forget” their configurations and don’t realize how dangerous this can be.

(Now back to our originally scheduled programming!)

Second, and by far the most important advantage of Meraki and the dashboard, is that all MXs regularly check in for an updated configuration file. This way, the dashboard can refresh the keying material on every tunnel automatically, thus maintaining tunnel security effectively and effortlessly.
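The two properties the last few paragraphs ask for, keying material that is unique per virtual path and that rolls over on a schedule, can be shown in a few lines. The following is an added illustration, not Meraki code and not a description of how Auto VPN actually exchanges or derives keys (the post does not say): a central controller holds a master secret, derives one key per (path, epoch) with HMAC-SHA256 used as a key derivation function, and pushes the whole schedule to every device when the epoch changes. The rotation interval, path names and master secret are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timezone

REKEY_INTERVAL_S = 3600  # assumed rotation period for this illustration


def current_epoch(now: datetime, interval_s: int = REKEY_INTERVAL_S) -> int:
    """Number the rotation periods so every device agrees on which key is live."""
    return int(now.timestamp()) // interval_s


def derive_path_key(master: bytes, path_id: str, epoch: int, length: int = 32) -> bytes:
    """One key per (virtual path, epoch), HKDF-Expand style with HMAC-SHA256.

    Because HMAC is one-way, a key recovered from one path or one epoch gives no way
    back to `master` and no way sideways to another path's or another epoch's key.
    """
    info = f"autovpn-illustration|{path_id}|epoch={epoch}".encode()
    return hmac.new(master, info, hashlib.sha256).digest()[:length]


def keys_for_epoch(master: bytes, paths, epoch: int) -> dict:
    """The key schedule a central controller would push for every tunnel this epoch."""
    return {p: derive_path_key(master, p, epoch) for p in paths}


def rekey_needed(last_epoch: int, now: datetime) -> bool:
    """A device that checks in learns whether its keys are stale."""
    return current_epoch(now) != last_epoch


# Constructed values: never hard-code a real master secret like this.
MASTER = bytes(range(32))
PATHS = ["MX-HQ:wan1 <-> MX-Branch:wan1", "MX-HQ:wan1 <-> MX-Branch:wan2",
         "MX-HQ:wan1 <-> MX-DC-1:wan1"]

if __name__ == "__main__":
    now = datetime(2018, 6, 1, 0, 30, tzinfo=timezone.utc)
    epoch = current_epoch(now)
    for path, key in keys_for_epoch(MASTER, PATHS, epoch).items():
        print(epoch, path, key.hex()[:16] + "...")
```

The point of the schedule is operational rather than mathematical: with a controller doing the derivation, "change the keys on every router, uniquely per path" becomes one number (the epoch) that every device compares on check-in, which is exactly the manual step the post says most organisations skip.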

All you need to do now is sprinkle a little patented Meraki magic dust and you have an enterprise-class, industry-leading SD-WAN solution.

Conclusion

Meraki Auto VPN takes a traditionally complex technology and transforms it with 100% cloud-based technology to make it simply work. Oh, and it’s so easy to configure that even your salesperson can do it. It’s also the baseline for SD-WAN and being able to save your business a lot of money. If you want to learn more and get free Meraki kit, watch our on-demand SD-WAN webinar or contact a Meraki sales rep for a demo and trial.


Meraki at IFSEC 2018

It’s hard to believe, but IFSEC 2018 is just around the corner, and the Meraki team will be back for a second year. From 19 – 21 June, stop by Booth D520 at ExCeL London to chat with the team, ask for a demo, and see some of the newest MV security camera developments and feature releases in action. Get hands-on with MV12 hardware and see the tiny camera that’s shaking up the surveillance and video analytics worlds with built-in computer vision and machine learning.

The Merakians staffing the booth will be happy to answer all your burning questions about the rest of the Meraki portfolio as well!

We can’t wait to see you there!

Meraki’s first time attending IFSEC in 2017


The Next Big Thing In College Sports: Video Games

Your parents probably urged you not to spend all of your time playing video games or you likely limit the amount of time your kids can spend with a controller in hand. But what if I told you that kids nowadays get into college, even with a scholarship, for playing video games?

eSports has taken the college sports scene by a storm, with more and more colleges and universities offering eSports teams every year. The National Association of Collegiate Esports (NACE) was formed to support this growing program, and ESPN broadcasts video game competitions. Different video games have specific competitive seasons, making this an exciting year-round sport. Games include Dota 2, Counter-Strike, League of Legends, Halo, and many others. Believe it or not, more people watch eSports competitions in a year than the NBA finals.

Different capabilities are needed to support an eSports team than for a more traditional sport like baseball or football. Ditch the large stadiums and bleacher seats; complex computer labs are required to support the high-quality computers and accessories needed to play the games, with viewers tuning in online to watch the matches take place. To support this, a high-density, reliable, and secure network is necessary to ensure eSports games can go on without hitting the network client limit, experiencing bad latency issues, or having the network go down altogether. And a strong Internet connection is imperative to making sure eSports competitions can go on without a hitch.

The IT team at Illinois College knows this all too well. When deciding to launch their eSports program in the summer of 2017, they knew they needed a robust network to support a room full of gamers eager to win League of Legends championships. But first, they had to build a brand-new facility in the middle of campus, stocked with several computer and console gaming stations. Equipped with Cisco Meraki MR access points, MS switches, and MX security appliances, the Meraki Gaming Center was born. Students can now receive full-ride scholarships to join the Illinois College eSports team, a part of the school’s overall athletics program.  

Think you can go back to college for your Mario Kart skills? Probably not. But when incoming students start pressuring your college or university to provide an eSports team, will you have the network to support it?

Watch the webinar recording with Illinois College CIO and Assistant CIO, Marc Benner and Patrick Brown, to hear how they are supporting their eSports program with Meraki. They also have a full-stack Meraki solution that supports all students and teachers on-campus, complete with access points, switches, security appliances, security cameras, and endpoint management, for a robust network for all students. You will even see a demo of their Meraki dashboard. 

Bringing the Meraki Magic to Cisco Live US 2018

The arrival of summer in the United States means a few things: sunny weather, celebrations of dads and grads, and Cisco Live US. The networking world is already abuzz about Cisco’s biggest event of the year, which for 2018 will focus on how technology leaders can digitally transform their organizations.

Meraki has been hard at work for the last few months on creating innovative new experiences for attendees at this year’s conference. Here’s a sneak peek at what we’ve got up our sleeves:

1. Digital Workplace

The centerpiece of Meraki’s presence at Cisco Live US 2018 is a brand new, experiential center called Digital Workplace. Rather than merely showing off our products at different booths, we decided to showcase our vision of the workplace of the future.

What does that mean? Of course, you’ll be able to interact with the latest and greatest Meraki gear, from our cloud-managed networking solutions to our new line of intelligent cameras. But more importantly, the Digital Workplace will let you see how all of Meraki’s solutions can create an environment where workplace management is drastically simplified and systems like lighting, heating, and security can be made more efficient based on network data.

For a preview of our approach to the Digital Workplace concept, check out this blog post.

2. Innovation Showcase: Unlocking Digital Innovations with Meraki

Always a popular draw, Todd Nightingale, SVP and GM of Meraki, will once again take the stage for a session at this year’s Innovation Showcase. We’ve been up to a lot recently, from launching MV12 to unveiling new products that make the network more intelligent and extensible. Todd will discuss how innovations like these will help IT admins everywhere build simple yet powerful solutions that can impact every aspect of the workplace for the better.

Todd will speak on Wednesday, June 13 at 4:30 PM. You won’t want to miss it!

3. DevNet Zone

For the third consecutive year, Meraki will be part of the DevNet Zone in the World of Solutions. Our Solutions Architecture team has created exciting solutions using Meraki’s cloud-based APIs. Take a look for yourself to find out what’s possible with APIs, from location-based services to asset tracking and more.

To get a free Meraki switch, complete our exclusive learning lab in the DevNet Zone at Cisco Live! Learn more here.

4. #MerakiMission

To make Cisco Live even more fun, we’re giving attendees opportunities to win awesome Meraki swag. #MerakiMission is a new experience that guides attendees through a series of challenges ranging from demos to fun selfies with the Meraki team. As a thank you for participating in #MerakiMission, we’re giving away some awesome, limited edition Meraki swag!

Learn more about #MerakiMission here.

Visit our new CLUS website for all the details. See you in Orlando!
