Archive for August, 2018

Privacy where you need it

In keeping with Meraki’s commitment to privacy and security, privacy windows for MV cameras are now available in the dashboard. This flexible tool allows users to draw up to 10 boxes within a single camera feed to mask out sensitive areas. From desks that contain confidential materials to hospital rooms and beyond, users can now ensure flexible privacy across an entire deployment.

Best of all, for customers looking to increase retention or fine tune analytics data, privacy windows will block motion and person detection. This means users can cover areas of persistent motion, like a ceiling fan or a lobby display screen in conjunction with enabling motion-based retention settings to maximize storage. Areas outside of a particular shop display can be masked so these zones are excluded from people-counting data.

To enable this feature, users simply navigate to an individual camera feed and select the ‘Settings’ tab. Then scroll to ‘Privacy Window’ and draw up to 10 boxes within the video feed. These boxes can overlap to cover irregularly shaped areas.

That’s it! As always, we’d love to hear from you: let us know how you plan to use this feature on the Meraki Community. Or, get in touch with your sales rep to get your hands on a risk free trial of MV.

Posted in Company Blog | Comments Off on Privacy where you need it

Sweet Home Chicago

Chicago Postcard - Meraki

It’s an exciting time here at Cisco Meraki. We just opened up our new Chicago office, and we could not be more thrilled to be part of a city with such a vibrant and diverse culture.

What excites us the most about being Chicago’s newest residence? Is it the iconic skyline?  The culinary scene (after all, Chicago is home to the world-famous deep dish pizza)? Or is it the 2016 World Series champions, the Cubs?

It’s all of the above!

We love it all, from the architecture to the food to Millennium Park. However, what excites us the most about our presence in Chicago is that we get to be a part of an inclusive community that has tremendous strength, integrity, kindness, and is forward-thinking. Above all, we want to be immersed in the Chicago spirit of breaking down barriers, pushing forward when the going gets tough, and making the impossible possible.

There is no hiding the fact that Chicago is going through a tech boom. But what’s different about this tech boom is that unlike other cities, Chicago is not being consumed by tech; instead, tech is being consumed by Chicago. That Meraki and other tech firms have been attracted to Chicago says a lot about the magic of this amazing city.

Here is what excites some of our team members about having a Chicago presence:

Kayla Canvasser, People Ops Recruiter

What makes the city so special?

When I first moved to Chicago, I was interviewing for a new job. Before my interviews, I would go to grab a cup of coffee with my rolling suitcase. What I remember the most is all of the complete strangers that take time out of their day to stop and ask me if I was interviewing and to wish me luck. There is a warmth and friendliness here in Chicago that you can’t find anywhere else. There is a feeling of community from the minute you step into the city. It is almost like you are part of a big family. It is a big city with small town values.

What do you hope Meraki specifically can bring to the Chicago community?

I hope Meraki can show that tech can be a diverse, inclusive community, a place where you can be your full self, and everyone is welcomed. I also want to spread that same message to the different organizations here in Chicago and help move the city forward together.

If you had to describe the city of Chicago in three words, which words would you use?

Scrappy, hungry, and energetic.

Tania Spezza, Marketing Manager

What makes the city so special?

Chicago is a world-class city when it comes to art & culture, public parks, and the lakefront. With such down-to-earth people, there’s a feeling of being welcome once you step foot into the city. Chicago is also a very diverse city; it’s a melting pot which will be great for hiring because we need different types of people to bring in new ideas. And for me, Chicago is home — I’m a native Chicagoan and it’s great to be back!

What excites you the most about the tech momentum happening in Chicago?

What excites me is that Chicago gets to have a stake in the tech game — we have some of the country’s best schools along with smart, dedicated, and hardworking people. You don’t have to be in San Francisco or Silicon Valley to make an impact. You can work at an awesome tech company without having to trek to the West Coast.

What do you hope Meraki specifically can bring to the Chicago community?

Aside from jobs, I think we can make a big impact by partnering with some of the community organizations we have in Chicago and directly impact different communities that are in need.

Geoff Winston, Account Executive

What attracted you to move to Chicago?

A change of scenery and a chance to pursue my theater and improv passion and be able to take my career to the next step. It is the best of both worlds!

What do you hope Cisco Meraki specifically can bring to the Chicago community?

A group of passionate people to help meet the needs of the community. We’ve recently worked with the Christopher House and helped them build an outdoor park area. I can see lots of ways we can help work with the youth community as well as time goes on.

If you had to describe the city of Chicago in three words what would they be?

Tall, funny, and fresh.

Interested in learning more about Meraki? Come to our Open House on September 5 — check our Twitter for more information. And check out our open roles if you’re interested in working with us!

Thanks for the warm welcome, Chicago. We look forward to building a bright future together!

Look Ma, no wires!

When MV12 launched back in February, wireless functionality was mentioned, but the specifics were promised for later in the year. Today, the wait is over, as wireless functionality on all MV12 models is now available.

But why wireless anyway? It’s a great question, and the answer is rooted in the architecture of analog camera deployments.

Looking at the back of an analog camera, there are two inputs: data and power. Power for analog cameras traditionally comes from low voltage power supplies—the very same that are hooked up to badge access systems, powered doors, and other facilities infrastructure. Data is transmitted using coaxial cable.

Cabling for an analog camera system.

IP cameras, on the other hand, typically receive data and power via Ethernet, from a PoE-enabled switch.

Users looking to upgrade from analog to IP often realize that after including labor, downtime, and the recabling itself, the process may end up being cost prohibitive, especially at smaller or remote site locations. Consequently, it may not be surprising that these locations are often where VHS-based NVRs can still be found.

A new approach, and a new accessory

Realizing that a recabling requirement can often derail an entire project, we wanted to find a better approach. Utilizing over ten years of Meraki’s wireless experience, MV12 security cameras have been built to be able to connect to any industry standard WiFi network as a wireless client. This means data no longer has to travel via that Ethernet cable.

So how to solve the power dilemma? Starting today, a new Meraki power adapter is available, converting those low voltage power supplies (12VDC/24VAC) into PoE. Installers can simply unplug the power wires from an analog camera, connect them to the terminals in the power adapter in either order (the accessory figures this, and the input voltage, out for you, so no guesswork is required), and an Ethernet cable plugged into the RJ45 port will deliver PoE to a camera.

What about the data? SSID authentication information can be entered in the dashboard. After downloading this configuration through the LAN, cameras can be powered on with this new accessory within range of a wireless access point (it doesn’t have to be a Meraki AP, though centralized management of APs and cameras is a bonus if it is!). And that’s it—the coax cable can simply be left in the wall and will no longer serve a purpose.

This process is quicker, less expensive, and less disruptive than the typical recabling process, and will enable more customers to take advantage of MV12’s advanced analytics, easy-to-use interface, and centralized management.

To learn more, check out our free launch webinar or get in touch with your sales rep!

A New MX Lineup for the Modern Branch

You are probably aware of the increasing use of cloud-hosted applications, as well as the worldwide availability of reliable LTE coverage. You’ve almost certainly witnessed the increasing use of mobile devices, growth of video traffic, and increasing security threats. These trends challenge modern organizations to adapt to a complex landscape with higher bandwidth requirements, multiple uplinks, and threats that can take down networks. Despite these complexities, IT admins can use new technologies to position their branch networks for a successful future.

What’s new?

Today, we are excited to announce brand new additions to our MX and Z products, with multiple new MX security & SD-WAN appliances, along with a new Z-Series teleworker and IoT device. With upgraded and improved hardware, the additions to the MX line feature higher throughputs, faster Wi-Fi, and integrated LTE modems. The built-in modems will offer a greatly simplified way to connect remote locations or provide failover redundancy via LTE.

The MX67 and MX68 lineup

The new MX products benefit from state of the art new hardware features designed to deal with an evolving branch environment:

  • Up to 450 Mbps Throughput
  • 802.11ac Wave 2 Wireless
  • Integrated 300 Mbps CAT 6 LTE cellular modem

The MX family adds six new models to the highly successful MX64 and MX65 small branch security & SD-WAN appliances. The new MX67 and MX68 products include models with wired, wireless, cellular, and PoE+ capabilities.  Both the MX67C and MX68CW feature region-specific SKUs to accommodate separate cellular bands. Meraki is partnering with mobile providers to fully certify the cellular platforms across all regions. For more details of MX67, MX67W, MX68, MX68W, and the cellular MX67C, MX68CW visit the MX datasheet.

The new Z-Series

We are also delighted to add a new model to our feature-packed Z-Series teleworker gateway family with the Meraki Z3C, now with LTE. A built-in 100 Mbps CAT 3 LTE modem in the Z3C provides an elegant way to add redundancy for teleworker deployments. Our customers are also excited about using the Z3C to securely connect remote or isolated machinery such as vending machines, ATMs, and kiosks.

LTE in the dashboard

Similar to the rest of Meraki’s products, these new cellular MX and Z-Series models offer exceptional visibility via the Meraki dashboard. For these models, IT admins can monitor current traffic and historical performance, as well as the ability to troubleshoot and configure their LTE connections. For example, the dashboard allows users to configure and reset their cellular connection with a few clicks of a button. There will be a new LTE API, and the dashboard will make it simple to manage devices at scale using templates.

The Meraki MX continues to march forward in its mission to provide market-leading threat intelligence and an intuitive SD-WAN offering to keep customers connected and secure. Try out the new devices for yourself with a free trial, and let us know what you think.

One more thing…

Speaking of free trials, for those purchasing the new MX and Z-Series models in the next three months, we have an additional treat: a free 45-day trial of Meraki Insight, our intuitive tool for monitoring and troubleshooting WAN and application performance. With Insight, IT admins can monitor the status of all uplinks in the organization, and troubleshoot any network outages within seconds. It also provides detailed performance metrics to understand the root cause of ISP outages. Contact a Meraki sales representative for more information.

To learn more about the MX67 and MX68 models, as well as the Z3C, watch the launch webinar or visit the What’s New page.

Cisco named a Major Player by IDC MarketScape!

This year marks the second year in a row that Cisco has been named a “Major Player” in the IDC Worldwide Enterprise Mobility Management Software Vendor Assessment (doc #US43294018, July 2018)!  Cisco was recognized in this report for the Systems Manager product.

As endpoint management evolves in the market, we’ve seen customers look to Systems Manager to solve a diverse set of IT needs, including pushing apps and software to end devices, keeping devices up to date, locating and recovering devices that go missing, and remotely provisioning and monitoring access to organizational networks. This year, Systems Manager completed a variety of development initiatives including Cisco Security Connector integrations, the Chrome OS Enterprise support launch, new Apple features, full Android Enterprise support, and further Cisco on-premises and Meraki network integrations.

Systems Manager also allows customers to leverage unique, native integrations with Cisco Meraki wireless, switching, and security solutions. Providing an end-to-end management experience for our customers is a top priority at Meraki, and are thrilled to see this concept of single pane of glass integration resonating.

Systems Manager’s strong focus on automation and dynamic network policy enforcement is demonstrated by the Systems Manager Sentry suite of features. Systems Manager Sentry features are designed to share intelligence with Cisco Meraki network and security products to allow IT teams to automate decisions about network and data access depending on the state of a given device, including installed software, security policies, location, and more.

Device onboarding, settings assignment, application management, and network access are just some IT responsibilities that can be simplified, automated, and dynamically updated with Systems Manager.

Join us for full tour of Systems Manager features and functionality, including a live demo in the Meraki dashboard by signing up for an upcoming webinar!


Posted in Company Blog | Comments Off on Cisco named a Major Player by IDC MarketScape!

Protecting your Network from the Latest WPA1/WPA2-PSK Vulnerability

On August 4, 2018, a new method to exploit a known vulnerability was announced by Jens Steube from the Hashcat project for wireless networks that use WPA1/WPA2-PSK (pre-shared key), allowing attackers to obtain the PSK being used for the particular SSID. The vulnerability affects most wireless vendors using roaming technologies, including Cisco Meraki, and targets information exchanged between the client and AP via management frames during roaming inherent in the 802.11 protocol. Customers using Meraki APs are vulnerable if using fast roaming (802.11r) with PSK.

The attack is an alternative approach to gather information for existing attacks that can be used to determine the PSK. The attack exploits the case wherein the PSK is transferred over the air in a hashed manner. Using PSK to secure Wi-Fi networks is not considered the most secure approach, as networks are still prone to social engineering attacks wherein the PSK can be distributed to the users outside the organization.

Meraki has already identified at-risk customers and notified them about the vulnerability. Additionally, a warning has been added to the Meraki dashboard notifying customers if their configuration makes them vulnerable. SSIDs using WPA/WPA2-Enterprise are not affected by this vulnerability as the key generation process is very different as compared to PSK.

What is the attack?

Roaming technologies were developed to improve the access point handoff experience of wireless client devices as they physically move about a given network and, by virtue of distance and signal strength, automatically associate and disassociate with various access points (APs). Associating with a new AP takes time due to the necessary authentication. Fast Roaming (FT) speeds up the authentication and association process for roaming clients, helping to protect against packet loss and poor performance in high-bandwidth applications like VoIP calls or streaming content.

As part of the attack, an attacker can target the re-association process to obtain the unique master key ID used for the specific client. The master key ID is derived from the master key (also PSK) and name, AP MAC address and client MAC address. Since the master key is derived from the PSK and other details can be easily obtained, an attacker can obtain the key. Because this attack uses a dictionary attack to determine the PSK being used, it is highly recommended that admins use strong passwords that are not susceptible to guessing attempts.

Am I affected?

Only customers using FT with WPA/WPA2-PSK on Meraki APs are affected. To gauge impact, customers can leverage a new tool available in the Meraki dashboard by going to Announcements > KRACK & PMKID Vulnerability Impact to check any networks that might be affected. Customers can easily turn off 802.11r (FT) for all affected networks directly from the tool. Only customers affected by the PMKID and/or KRACK vulnerability will see the tool in the dashboard.

To determine whether 802.11r is enabled for a given Meraki wireless network, navigate to Wireless > Configure > Access Control in the Meraki dashboard, and look under Network Access:

We strongly urge all customers to disable 802.11r when used with PSK. Our technical support staff is available to assist with any questions or concerns you may have.

For additional details about the attack and our updates, please refer to our FAQ. Read Cisco’s Product Security Incident Response Team (PSIRT) vulnerability disclosure for more technical information.

Meraki MR + Umbrella: A Match Made In the Cloud

The pace at which new security threats are being introduced and propagated online has reached exponential levels, gaining speed with each passing year. Organizations have more locations and devices to protect, and threats are using many different ports to try to gain access or exfiltrate data. Security teams are often understaffed and struggle with complex, siloed systems that do not integrate or share intelligence in a programmatic way. These teams need solutions that are easy to deploy, simple to manage, can scale exponentially, and can integrate with other tools.

Securing your wireless users from malicious attacks — particularly these “DNS blind spots” that exist in many networks and are exploited by 97% of advanced malware — is of paramount importance. Unfortunately, recent surveys indicate that 75% of organizations do not actively monitor and apply security for DNS.

It is within this context that we are excited to announce support for integration between Meraki MR wireless access points (APs) and Cisco Umbrella (formerly OpenDNS).

Umbrella is the industry’s first secure internet gateway, a cloud-delivered first line of defense against threats like malware, ransomware, and phishing.  Umbrella enforces security at the DNS layer by identifying requested web domains hosting nasty stuff — malware, phishing, etc. — and block end user access to them. Umbrella also enables more secure DNS querying through a tool called DNSCrypt, which automatically encrypts DNS queries between your network and Umbrella’s servers, effectively eliminating the chance that your queries will be the victim of eavesdropping or man-in-the-middle (MITM) attacks. This secures the “last mile” of a client’s internet connection, which is often left exposed and vulnerable.

There is no additional cost or charge for taking advantage of this integration (which is available to all Meraki wireless customers who have upgraded to our latest MR26.x firmware), but Meraki wireless customers who wish to integrate with Umbrella will need a separate Umbrella license and account with that service.


Enabling Umbrella integration

So, what does this mean for admins of Meraki wireless networks? This integration with Umbrella enables Meraki admins who obtain Umbrella licenses (WLAN, Professional, Insights, or Platform) to seamlessly assign DNS filtering via Meraki group policy or SSID to specific subsets of wireless clients, or to them all.

Enabling Umbrella integration takes only a few steps. First, the Meraki and Umbrella dashboards must be linked via the Umbrella Network Devices API key. Once this API key is generated from within the Umbrella dashboard, it needs to be copied into the Meraki dashboard by navigating to Network-wide > General.

Enabling Meraki + Umbrella integration within the Meraki dashboard.


Once the Meraki and Umbrella dashboards have been configured, linking a Meraki SSID or group policy to an Umbrella security policy is easy (note: Meraki group policies must be set to use ‘Custom SSID Firewall & Shaping Rules’ to link an Umbrella policy to them). After this initial setup, a unique identifier is generated behind the scenes for the specified Meraki SSID or group policy and is used by Umbrella to determine how to evaluate traffic from that Meraki network moving forward.

To link a Meraki SSID to an Umbrella policy, navigate to the Wireless > Configure > Firewall & Traffic Shaping section of the Meraki dashboard. There, you will find a button to link Umbrella policies.

Linking an Umbrella policy to a Meraki SSID.


By default, the last policy physically listed in the Umbrella dashboard’s ordered policy list will be inherited by a Meraki SSID unless a different policy is selected from the dropdown list.

To link a Meraki group policy to an Umbrella security policy, navigate to the Network > Configure > Group policies page in the Meraki dashboard and choose the specific Meraki group policy that you want to link. Under the ‘Layer 7 firewall rules’ section of that policy, you’ll be able to choose which Umbrella policy you’d like to apply.

Applying an Umbrella DNS policy to the Meraki ‘VIP Umbrella Clients’ group policy.


Once a Meraki SSID or group policy has been successfully linked to an Umbrella security policy, clients connecting to that SSID or who have been applied that group policy will have their DNS queries encrypted (if the AP supports 802.11ac) and verified against the corresponding Umbrella policy. Encrypting DNS queries between Meraki APs and Umbrella DNS endpoints helps secure the ‘last mile’ of client web browsing and protects against devastating MITM attacks or packet snooping that can reveal which websites client devices are browsing.

An example Umbrella policy may prohibit access to known malicious web domains or websites that host specific types of content, like gambling or peer-to-peer domains. If the client’s request for access to a given website is allowed, Umbrella will return an encrypted DNS response with the appropriate IP address. If the request is denied, then an encrypted DNS response pointing to the Umbrella block page will be returned instead.

Taken together, Meraki wireless and Umbrella integration provide a significantly more robust security framework for IT admins looking to protect clients from web threats in a more proactive way. Instead of waiting for a malicious site to infect a machine and then using tools like antivirus to detect and remediate, Meraki MR customers can rest easy knowing that they are protected from ever reaching harmful sites in the first place.

Interested customers should contact Meraki Support to have this feature enabled. This feature requires an early-release MR firmware version that can be enabled with Meraki support assistance.

To find out more, speak to a Meraki sales representative today.

Wi-Fi Fit For Healthcare Communications

It’s no secret that ubiquitous Wi-Fi is modernizing the world we live in across a number of different industries, ranging from retail and education to manufacturing and even healthcare. Doctors, nurses and other healthcare professionals require the ability to be reached immediately when in the building for emergencies as well as the ability to quickly transmit information to colleagues so that patients are receiving the best treatment possible.

The healthcare industry is under a lot of pressure to stay current with the digital age and the need for rapid communication, so it makes sense that a key enabler to the modern day digital revolution is fast, reliable Wi-Fi. Wi-Fi has evolved from a simple means to connect without cables and check an email or browse a website to becoming the primary method for client devices to access network resources in most organizations.

In many workplace environments, Voice over Wi-Fi (VoWiFi) calling is now a key communication method, and healthcare is at the forefront of leading industries to take advantage of VoWiFi solutions. In several hospitals, VoWiFi is the only way for a patient to communicate with a nurse. However, not every Wi-Fi solution is ready to support VoWiFi, especially in challenging environments such as hospitals where interference is prevalent and heavily attenuating walls (such as those found surrounding radiology labs), which stop Wi-Fi signals in their tracks, are present.

Healthcare institutions need Wi-Fi solutions that can stand up to harsh Wi-Fi environments to support VoWiFi calling and that work with a chosen and trusted provider of Wi-Fi calling and messaging. This is where Meraki and Ascom are the perfect prescription for healthcare organizations ailing from legacy communication systems!

Prescribing Fast, Reliable Wi-Fi With AscomAscom MycoAscom is a global solutions provider that focuses on healthcare data mobility solutions for customers around the globe. Their wireless handsets, which are used by doctors, nurses and administrative assistants, are renowned for their durability and reliability. Ascom phones are purpose-built for specific industries, including healthcare, with secure data messaging and instant communications as parts of the core feature suite.

Meraki and Ascom recently teamed up to undergo a series of interoperability tests (using Ascom’s popular i62 and Myco phones) to ensure that healthcare customers who are currently, or considering, using Meraki in their environment are fully capable of satisfying their voice and messaging needs using the WLAN. At the end of this testing, it was found that Meraki met all requirements to ensure that healthcare customers can reliably use Ascom phones with Meraki MR 802.11ac Wave 2 access points on the latest stable firmware release.

Meraki Wi-Fi, The Perfect Medicine for Configuration Headaches

Traditionally, designing a network for VoWiFi has been a tricky endeavor. After meticulous RF site surveys both before and after the wireless network deployment, network administrators must then turn the focus toward complex RF and WLAN configuration steps. This introduces loads of complexity, and plenty of opportunity for errors that can result in the WLAN performing suboptimally and causing communication problems among doctors, nurses and the patients that they are trying to support.

Thankfully, Meraki wireless is engineered with simplicity in mind. Administrators can follow our recommendations outlined in our Wireless Voice Deployment Guide and implement our guidance around radio settings, access control, and firewall & traffic shaping settings. Once these handful of configurations are completed, Meraki takes care of the rest by automatically implementing a variety of 802.11 amendments and features behind the scenes to fully optimize the environment for critical VoWiFi functionalities such as roaming and power savings.

A Healthy Network Is a Happy Network

With certified interoperability between Meraki MR access points and Ascom phones, combined with best practice default configurations in Meraki wireless pertaining to security, roaming, and quality of service, Meraki Wi-Fi is a perfect fit in healthcare environments. Especially when considering the new monitoring tools made available for all Meraki wireless networks with Wireless Health.

Meraki and Ascom have come together to show that both solutions complement one another and interoperate to provide a high performing, reliable VoWiFi service that healthcare organizations can leverage to bring the efficiency and rapid mobility that healthcare professionals require to support patients in the today’s digital healthcare facilities. Those that are interested may find these detailed interoperability reports between the Meraki MR 802.11ac Wave 2 APs and the Ascom i62 as well as the Ascom Myco.

Your Back to School Checklist

Summer is coming to a close faster then we would all like to believe. Families are slowly returning from weeks at sandy beaches and crystal clear lakes, postponing their back to school shopping trips for as long as possible. But soon enough, students will need new backpacks, stylish clothes, and the latest gadgets for their first day of school.

While parents are busy checking items off of their back to school shopping list, IT teams at K-12 school districts nationwide have a technology list of their own to attend to. With blended and personalized learning, 1:1 device programs, and BYOD continuing to have a growing impact, IT teams need to make sure their networks are ready to handle the increase in traffic for the 2018/2019 school year.

Luckily, with a new school year comes a new round of E-rate funding, with around $3B available for K-12 schools to use for networking infrastructure. As the last year in the five year funding cycle, now is the time to take advantage of this opportunity and invest in powerful new solutions.

Here are three E-rate eligible products that you should add to your back to school list this year:

Meraki MR access points: Deliver superior performance in high-density wireless environments with Meraki access points. Easily throttle bandwidth hogs, filter content, block unwanted traffic, and prioritize educational apps for 1:1 or BYOD programs, with no network slowdowns. Let teachers spend more time teaching and students spend more time learning with seamless access to digital learning resources and no shortage of bandwidth.  

Meraki MS switches: Provide a seamless network experience for students and staff with access and aggregation switches that can be managed and configured from anywhere. With zero-touch provisioning, enhanced network visibility, and the ability to troubleshoot network issues remotely, Meraki switches are the perfect backbone for K-12 school districts.

Meraki MX security appliances: Secure school networks with group policies, automatic firmware updates, and intrusion prevention. Stop malicious threats and files before they enter the network, while analyzing files retrospectively to spot compromising behaviors in the future. By building a strong security system, schools can stop cyber criminals from gaining access to private student data.

It’s time to figure out your school year priorities, what new technologies to invest in, and how to fund your plans. Attend one of the webinars in our E-rate webinar series to learn more about how you can better support students and staff with improved networking infrastructure with E-rate funding. We will have technical deep dives into Meraki access points, switches, and security appliances for K-12. Register today!