Troubleshooting network complications can be an extremely time-consuming and difficult process. Issues such as VLAN mismatch are tough to track down among the mountain of configurations needed to get a network operational.
VLAN mismatches occur when two ends of a link are misconfigured to different VLANs. These can happen over access or trunk links. A mismatch on the link that carries the critical traffic required to keep the network functioning – the Native or management VLAN – causes additional headaches and potential security concerns.
The above image represents a native VLAN configuration where management traffic flows untagged across the switch port links normally. The image below represents a VLAN mismatch.
When the switch port on Switch 2 is misconfigured to VLAN 20, the management traffic will continue to flow between Switch 1 and 2, but any traffic returning to Switch 1 is treated as VLAN 20. This mismatched scenario could result in traffic being altogether dropped or potentially be a security concern if VLAN 20 has access to confidential data not normally accessible to VLAN 1 and the data makes it to the destination device.
Meraki uses two methods to detect VLAN mismatches. The first method is to detect if the link is configured with the same VLAN type or number on each switch port of the link. The second method is to observe if the link is identically configured as an access or trunk (multiple VLANs) connection on both sides of a switch port.
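The two checks described above, as an added example that is not Meraki's own code: a port is modelled by its mode (access or trunk), its access or native VLAN, and, for trunks, an allowed-VLAN set (an assumed, simplified port description), and the sample links reproduce the Switch 1 / Switch 2 scenario from the post.

```python
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class PortConfig:
    switch: str
    port: str
    mode: str                              # "access" or "trunk"
    vlan: int                              # access VLAN, or native VLAN on a trunk
    allowed: FrozenSet[int] = frozenset()  # trunk only; empty means "all VLANs"


def check_link(a: PortConfig, b: PortConfig) -> List[str]:
    """Return human-readable mismatch findings for one link (empty list = OK).

    Check 1: both ends must be the same port type (access vs trunk).
    Check 2: both ends must agree on the VLAN number (access VLAN, or the native
             VLAN on a trunk).  A native VLAN mismatch is the dangerous case from
             the post: untagged management frames get re-tagged into the wrong VLAN.
    """
    findings: List[str] = []
    if a.mode != b.mode:
        findings.append(
            f"port type mismatch: {a.switch} port {a.port} is {a.mode}, "
            f"{b.switch} port {b.port} is {b.mode}")
        return findings   # comparing VLAN numbers across port types is meaningless
    if a.vlan != b.vlan:
        kind = "native VLAN" if a.mode == "trunk" else "access VLAN"
        findings.append(
            f"{kind} mismatch: {a.switch} port {a.port} uses VLAN {a.vlan}, "
            f"{b.switch} port {b.port} uses VLAN {b.vlan}")
    if a.mode == "trunk" and a.allowed and b.allowed and a.allowed != b.allowed:
        findings.append(
            f"allowed VLAN mismatch: only on {a.switch}: {sorted(a.allowed - b.allowed)}, "
            f"only on {b.switch}: {sorted(b.allowed - a.allowed)}")
    return findings


# Constructed sample: Switch 1's uplink carries management traffic untagged on
# native VLAN 1; Switch 2's end is correct, misconfigured to VLAN 20, or set up
# as an access port by mistake.
SWITCH1_UPLINK = PortConfig("Switch 1", "24", "trunk", 1, frozenset({1, 10, 20}))
SWITCH2_CORRECT = PortConfig("Switch 2", "1", "trunk", 1, frozenset({1, 10, 20}))
SWITCH2_NATIVE_20 = PortConfig("Switch 2", "1", "trunk", 20, frozenset({1, 10, 20}))
SWITCH2_ACCESS = PortConfig("Switch 2", "1", "access", 1)


def audit() -> dict:
    """Check all three sample links and return the findings keyed by scenario."""
    return {
        "correct": check_link(SWITCH1_UPLINK, SWITCH2_CORRECT),
        "native_mismatch": check_link(SWITCH1_UPLINK, SWITCH2_NATIVE_20),
        "type_mismatch": check_link(SWITCH1_UPLINK, SWITCH2_ACCESS),
    }


if __name__ == "__main__":
    for scenario, findings in audit().items():
        print(scenario, "->", findings or ["no mismatch"])
```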
To help users spot the issue, Meraki has implemented VLAN mismatch detection that notifies users when an error is found.
The dashboard now indicates when a VLAN mismatch has occurred on a specific port and what exactly is causing the mismatch.
With the notification, users can now immediately diagnose potential issues in seconds and quickly isolate which port needs to be correctly configured.
To find more information on how Meraki handles VLAN mismatches, head to our documentation page. To learn more about all of Meraki’s safety and security features for switches, consider attending one of our upcoming webinars.
At Cisco Meraki, we’re passionate about helping IT keep sophisticated networks running and secure, without the pain of manual configuration and complex integrations.
Our Systems Manager product is widely known for its endpoint management capabilities, including pushing apps and email settings; configuring device security for point-of-sale systems or in-class student use; and tracking location and device status. Systems Manager is a powerful tool for these classic endpoint management scenarios, but it is also one of the most compelling additions to your network management toolset.
Systems Manager is unique in the endpoint management space for its native integrations with the Meraki wireless, switching, and security portfolios. It’s been engineered to share intelligence and enforce policy in concert with Meraki networking hardware to help admins automate and secure access to the company network based on device posture, location, installed or running software, or users.
And the integrations have only gotten deeper with the recent introduction of automatic profiles to reflect Meraki networking configurations into Systems Manager.
These network-centric features are core to Systems Manager’s ability to deliver value beyond endpoint management and are provided alongside the rest of the Meraki portfolio.
Here are a few of these integrations in action:
Systems Manager provides an easy way to enroll existing devices in the field (including staff and student personal devices) without physically handling each device! Through an integration with Meraki MR access points, network administrators can configure SSIDs to only allow devices with Systems Manager installed onto the network.
Unenrolled devices are sent to a splash page to install Systems Manager before gaining access to the network.
Having Systems Manager talking to Meraki MR access points allows administrators to save time and effort when provisioning SSID access to devices. Wi-Fi access can be automatically deployed to devices based on Systems Manager’s knowledge of device type, user group, location, security compliance, etc. These settings will also automatically update if changes are made to the Meraki MR network.
Additionally, admins have the option to leverage Systems Manager’s built-in certificate infrastructure to provision EAP-TLS WLAN authentication with unique certificates — eliminating the need to manage a certificate authority, RADIUS server, or Public Key Infrastructure (PKI)!
This feature allows admins to provision client VPN automatically with the Meraki MX, while controlling access based on time of day, user group, geolocation, and Systems Manager’s security compliance.
Wi-Fi Security and Network Policy Automation
This feature allows admins to dynamically grant or restrict network access to a device based on its security status, location, installed software and OS version, and more. With this feature, when a device fails to comply with a set security measure (for example, the user disables the antivirus program, jailbreaks a device, removes a passcode, leaves a given territory, etc.), Systems Manager can automatically revoke access to Wi-Fi networks.
Systems Manager allows IT to create dynamic, segmented network policies without the need for dedicated hardware. Meraki access controls such as VLAN assignment, firewall rules, traffic shaping, and content filtering can be dynamically changed based on endpoint posture from Systems Manager. Network access is controlled, updated, and remediated automatically based on granular policies ranging from OS type and time schedule to security posture and user. Requires: Systems Manager (SM) and Meraki security or wireless products (MX or MR products).
For more about using Systems Manager to better inform and automate your network access, join us in an upcoming webinar!
Enterprise organizations and partners spend thousands of dollars per site deploying servers for monitoring and reporting on infrastructure located on-site. With the total number of devices globally, including client devices, ever increasing and becoming more critical to business, monitoring and reporting using traditional means such as SNMP simply aren’t cost effective or scalable any longer.
While the Cisco Meraki dashboard provides IT admins a single interface to monitor and manage their Meraki infrastructure, we appreciate that not all organizations will have deployed the entire portfolio of Meraki devices across all their locations. Moreover, some customers may have unique use cases that fall outside of what the Meraki dashboard is intended for. For these reasons, Meraki has been heavily investing in APIs over the last few years. To date, Meraki has hundreds of API endpoints being called over 23 million times every day across three powerful APIs: the dashboard, scanning, and captive portal APIs.
The Meraki dashboard API
The Meraki dashboard API allows access to most monitoring and configuration functionality in the dashboard via a RESTful API. This allows customers and developers alike to:
Bulk provision thousands of Meraki devices and networks
Build custom monitoring and reporting dashboards
Automate commonly used functionality of the Meraki dashboard
In February we introduced Wireless Health, a powerful tool that consolidates and intelligently utilizes multiple data sets to rapidly identify anomalies impacting end users’ experience. In September we added a collection of new API endpoints for Wireless Health to expand the monitoring and reporting capabilities to any external analytics system or platform.
The dashboard API is a great way to monitor and report on the state of a device, for example, over a period of time. However, if all you want to do is simply be notified when something changes, then the dashboard API might not be the most efficient way to do this. The dashboard API will perpetually ask “what’s your status” to a device and report back its findings. If calls are being made, say, every 5 minutes, that’s a lot of total responses that are being received, and likely only a handful of them will deliver useful information, i.e., when the device goes offline.
Meraki Webhook Alerts
We’re pleased to announce the availability of Meraki Webhook Alerts for all alerts within the dashboard. Setting up Webhook Alerts is very straightforward:
Add HTTP servers by defining their unique URL and shared secret [ network-wide > alerts ]
Added HTTP servers can now be selected as a recipient for any alert within the dashboard [ network-wide > alerts ]
In addition to webhooks themselves, we’re releasing new API endpoints for configuring all alert settings, which will include support for configuring the above steps via the dashboard API.
Once set up, the webhook will send an HTTP POST to a unique URL, but only when a certain condition or criteria has been met to trigger an alert. So, for example, if you’re only interested in being notified when a device goes offline, Webhook Alerting will be more efficient since it will only transmit information when the status of the device goes from online to offline.
Meraki Webhook Alerts
Meraki Webhook Alerts sends HTTP POSTs to a unique URL that can easily be fed into a receiving service. A receiving service can be as simple as a Webex Teams space, a Google Sheet logging all network alerts, or something more advanced, such as PagerDuty and ServiceNow, that can take the POSTs and create support tickets, send SMS messages to concerned parties, or even automate corrective action.
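A minimal receiving service for these POSTs, as an added example that is not Meraki's or any partner's code. It assumes the alert body is JSON carrying the configured shared secret in a "sharedSecret" field plus "alertType" and "deviceName" fields (illustrative names), and the alert-type labels and secret value are constructed for the example.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed value: in practice this is the secret entered when the HTTP server
# is added under Network-wide > Alerts, and it should live outside the source code.
EXPECTED_SECRET = "example-shared-secret"

# Constructed alert-type labels; which types open a ticket versus only get
# logged is a local policy decision.
TICKET_WORTHY = {"device_offline", "uplink_status_change"}


def process_alert(raw_body: bytes, expected_secret: str) -> dict:
    """Validate one webhook POST body and decide what to do with it.

    Returns {"status": "ok"|"rejected", "reason": str, "action": str|None}.
    Rejected alerts are never acted on: without the shared-secret check, anyone
    who discovers the receiver URL could forge alerts and drive whatever
    automation (tickets, SMS, corrective action) sits behind it.
    """
    try:
        alert = json.loads(raw_body)
    except ValueError:
        return {"status": "rejected", "reason": "body is not valid JSON", "action": None}
    if not isinstance(alert, dict):
        return {"status": "rejected", "reason": "body is not a JSON object", "action": None}
    secret = alert.get("sharedSecret")
    # Constant-time comparison so response timing does not leak the secret.
    if not isinstance(secret, str) or not hmac.compare_digest(
            secret.encode(), expected_secret.encode()):
        return {"status": "rejected", "reason": "shared secret mismatch", "action": None}
    alert_type = str(alert.get("alertType", "unknown"))
    device = str(alert.get("deviceName", "unknown device"))
    verb = "open ticket" if alert_type in TICKET_WORTHY else "log only"
    return {"status": "ok", "reason": "",
            "action": f"{verb}: {device} reported {alert_type}"}


class AlertHandler(BaseHTTPRequestHandler):
    """Tiny HTTP endpoint that feeds each POST through process_alert()."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", 0))
        result = process_alert(self.rfile.read(length), EXPECTED_SECRET)
        self.send_response(200 if result["status"] == "ok" else 403)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(result).encode())

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


# Constructed sample bodies: one genuine "device went offline" alert, one forgery.
SAMPLE_OFFLINE = json.dumps({"sharedSecret": EXPECTED_SECRET,
                             "alertType": "device_offline",
                             "deviceName": "AP-Lobby-1"}).encode()
SAMPLE_FORGED = json.dumps({"sharedSecret": "guess",
                            "alertType": "device_offline",
                            "deviceName": "AP-Lobby-1"}).encode()


if __name__ == "__main__":
    # The dashboard's HTTP server entry would point at this listener (port assumed).
    HTTPServer(("", 8080), AlertHandler).serve_forever()
```

Because the shared secret travels in the request body, a real receiver belongs behind TLS rather than on plain HTTP as in this demo.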
A notification of a settings change to the Meraki dashboard posted to a Webex Teams space using Meraki Webhook Alerts
Both the dashboard API and Webhook Alerts have their merits and use cases, and together offer administrators, system integrators, and developers powerful and flexible options to create custom monitoring and alerting.
Real-time alerting
Webhook Alerts are fundamentally event-driven, which makes them the most efficient option for setting up alerts for critical events.
“Tell me immediately when latency for any of my sites’ APs exceeds 200ms”
“Tell me as soon as any Meraki device across any location goes offline”
“Tell me when an important device on my network loses connectivity”
Webhooks example: real-time alerting based on a threshold or criteria
Monitoring and reporting over time
The dashboard API will provide a more complete picture and historical reporting since it’s continually probing for data. It’ll be the more appropriate option to use to answer questions such as:
“How many times did the latency of my access points peak above 200ms over the last week”
“What was the latency of the access point in conference room 3 last Thursday at 3 pm”
The dashboard API example: continuous monitoring of a variable over time
The introduction of Meraki Webhook Alerts combined with the dashboard API means that customers and developers can now more easily address their custom reporting and alerting requirements without breaking the bank.
Staring down a 12-camera video wall is a daunting task for anyone. With this much information and so many similar video streams all at once, identifying and responding to incidents can be hugely challenging.
Cisco Meraki has just released an automatic video wall rotation solution in the dashboard. This allows users to cycle through all the video walls that are important to them over a given time interval.
Why This Matters for Security-Focused Users
Aside from giving people the ability to easily view all the cameras relevant to their site, research has shown that the average person cannot effectively monitor a screen for more than 20 minutes at a time.
This means that after 20 minutes of screen time without a major change to the visual, people will start to miss 95% of incidents that occur right in front of them. That’s 95% of theft, intrusions, and all else, missed entirely due to the monotony of the viewing setup. This 20-minute average only decreases if more screens are added.
By giving users the ability to automatically rotate between their video walls, and add fewer video streams per wall, we’ve made a significant effort to mitigate both of these detracting factors.
Configuring auto-rotating video walls is extremely simple, which means you can configure it for your organization quickly.
On the Meraki dashboard, navigate to Cameras > Video Wall, and select the dropdown arrow next to the “Start video wall rotation” button.
Here, you can use the checkboxes to add any of the relevant video walls into your rotation and adjust the time interval between rotations. A minimum of 20 seconds is recommended, to give all streams enough time to load and be observed before the next rotation begins.
Once you’ve set all the parameters, press the “Save” button. Finally, click the “Start video wall rotation” button and then you’re all set! You can also toggle the video rotation as necessary, should something important come into view.
Let us know how your organization is utilizing auto-rotating video walls on the Meraki Community!
Whether they’re attending a lecture, studying in the library, or binge watching Netflix in their dorm, college students today expect fast, reliable, and secure wireless at all times.
Meraki cloud-managed access points, switches, security cameras, and more can help provide an always-on experience for students and faculty alike.
Interested in learning more? Visit us at booth #731 at EDUCAUSE 2018!
From October 30 to November 2, 2018, the 2018 EDUCAUSE Annual Conference will unite the best thinkers in higher education IT. Every year, global professionals and technology providers gather to network, share ideas, and discover solutions to solve today’s IT challenges.
Visit us at booth #731 to learn more about Meraki and participate in hands-on demos with Meraki product specialists. These demos will showcase how to:
Use the powerful and easy-to-use Meraki dashboard to configure, manage, and troubleshoot hardware remotely, no command line required
Use Meraki wireless to reliably connect students and faculty across campus
Keep your campus secure with security cameras that include built-in analytics and a game-changing architecture, no NVR or additional software required
Enhance the student experience on campus with APIs delivered by Meraki’s many technology partners
Join us for the session “Keeping Students Safer with Wireless and Security Across Campus” on Thursday, November 1st at 10:45am to 11:30am. We’ll be hosting a customer panel featuring three Cisco higher education customers to learn how they are working to make their campuses safer with smarter security cameras, robust wireless, and network security.
Chris Arcarese, Director, Information Technology Services, Community College of Denver
Alex Henson, CIO, Virginia Commonwealth University
Donald Tharp, CTO, Ashland University
Sherry Watson, Executive Director of Technical Services, Lone Star College
Joyce Kim, Ovum
Stop by our booth at EDUCAUSE and mention this blog post and you’ll get some exclusive Meraki swag!
Not attending EDUCAUSE 2018? No problem!
Register for an upcoming Meraki for Higher Education webinar to learn how your IT team can provide the on-campus experiences that today’s college students expect. You’ll learn about high-density Meraki wireless, scalable switches, easy-to-use physical security, and more, complete with a dashboard demo and live Q&A. Plus, you’ll even get a free* AP, just for attending.
Cisco Meraki has always been fortunate to have the luxury of working to an MVP (minimum viable product) strategy thanks to our cloud-based model. It allows us to launch products, capture feedback from customers, and push out new truly impactful features incredibly quickly. Existing customers enjoy new features with zero cost and complexity, and for new customers, it becomes an even more irresistible product.
Recap of Meraki Insight
Earlier this year we introduced Meraki Insight and, true to our MVP philosophy, we launched focusing on one primary use case. Recognizing the huge growth of web application usage, particularly for business-critical applications, the first use case Meraki Insight addressed was tracking performance of web applications. Complete end-to-end performance, in fact, from the client right through to the server where the application lives, which could very well be on the other side of the world. Bringing all this information together in one place allows network admins to identify the root cause of application performance issues in a matter of minutes rather than days. Meraki Insight even goes as far as to suggest what it believes to be the root cause of performance issues.
For the first UI to show how critical apps are performing, we applied a percentile performance score for each application based on several thresholds, such as per-flow goodput (true payload data rate) and application response time. Customers, however, told us that what they really wanted was a quick at-a-glance overview to show the status of the application on the LAN, WAN, and server. Within a matter of weeks after launch we garnered feedback, developed a UI based on that feedback, and shipped the updated UI to all customers.
The rapid evolution of the Meraki Insight UI based on customer feedback
WAN Health
Building on the success of the first use case, we’ve now added another to make life for network admins even simpler. We’re pleased to announce the availability of WAN Health for Meraki Insight. WAN Health provides an at-a-glance view of the status of all WAN links, including cellular, across all sites on one page in the Meraki dashboard. Not only does WAN Health provide an up or down status of uplinks, but also how they’re performing, and subsequently which tracked web applications are being impacted. Network admins can easily filter uplinks across their organization to show primary, secondary, or cellular uplinks, by ISP, network tag, and by network.
Monitor the health of all MX uplinks, including cellular, across all sites
Insight to be gained from WAN Health
Quickly identify downed uplinks, including cellular across all sites
Easily monitor signal strength for cellular uplinks across all locations
Quickly isolate sites with underperforming uplinks to make the case for switching ISP or adding cellular as failover
Discover which sites are most reliant on cellular as failover
The perfect companion for the latest MX models
During our last MX launch we introduced no fewer than seven new MX models to cater for the demands of the modern and future branch. All the new MX models are equipped with two wired WAN links as well as classic USB 3G/4G cellular, and three models include an embedded LTE modem. With so many uplink options, WAN Health is the ideal addition for the new MX models and is available in GA across the range.
We’ve received tremendous feedback for WAN Health from customers already excited about being able to access key information about all WAN links in their organization in one place to further enhance the ISP troubleshooting capabilities of Meraki Insight. Try out the newest MX models – enabled with Meraki Insight – for free and let us know what you think of WAN Health in the Meraki Community.
It’s been a little over a year since we launched Threat Grid integration with the Meraki MX, and since then, it’s become an invaluable tool for the customers that have enabled this integration. But the customers who haven’t enabled it may not understand why this integration isn’t just important for them — it’s also important for everyone on the internet!
This isn’t the first time we’ve talked about Threat Grid on the Meraki blog. Since its debut, both Threat Grid and the MX have gotten better, but they have also gotten better together. In this blog post we will explore in more technical detail what Threat Grid is and how it fits into the Meraki security architecture. Most importantly, we’ll explore why it’s made the internet a safer place for everyone.
AMP + Threat Grid
Cisco Advanced Malware Protection (AMP) is an intrinsic part of the Meraki MX advanced security offering and has been for over two years. Over that time AMP has scanned hundreds of millions of files per week, blocked hundreds of thousands of malicious files per week, and sent thousands of retrospective alerts per week. This is particularly important when you consider that the volume of malware has increased by 10x in the last two years.
As you’d expect, Meraki does this by leveraging cloud technology. Once upon a time, there was a startup company called Immunet AV and they had a super smart solution for telling whether a file was good, bad or hadn’t been seen before; in security geek language, files were labeled “Clean,” “Malicious,” or “Unknown.” That company was acquired by SourceFire, who in turn was acquired by Cisco, just like Meraki. Today, Meraki MX leverages this technology, resulting in customers getting real-time protection from known malicious files across multiple file types and multiple threat vectors.
OK, that’s great, but what about those scary “day-zero” exploits that we hear about in the news all the time? Whilst it’s still true that you shouldn’t believe everything you read, day-zero exploits certainly exist; after all, someone has to get hit first with every exploit. Though we are all tempted to think “it won’t happen to me,” there is a tangible probability that it will. If you’re the person responsible for information security risk management at your organization, then it’s your responsibility to demonstrate duty of care and mitigate as much risk as possible.
This is what Threat Grid helps you do by authoritatively and quickly letting you know if “unknown” files going through your MX are day-zero malware or not.
Threat Grid Deep Dive
As you would expect, Threat Grid is super easy to enable for an MX network. Once enabled, it starts working immediately. When a file is downloaded through the MX, the hash of the partial file is compared against the AMP cloud; if it is unknown to AMP, then it gets sent straight to Threat Grid, as shown below:
The file is then detonated, which is a fancy way of saying opened up and allowed to do its thing, in a virtual Microsoft Windows sandbox environment that is completely separate and distinct from the customer infrastructure. Threat Grid now both actively and passively observes how the file behaves, by looking at how it interacts with system software, services, and network resources. At the same time, Threat Grid parses the things the file does through around 900 behavioral indicators to understand whether the file is malicious or not.
Once this is complete, Threat Grid automatically creates a report with both a high level “Threat score” and links to forensic investigation tools, also built into the platform. An example of this report is shown below:
Finally, if the file was malicious, you’ll receive an email to let you know that something bad got through and with links to Security Center and any relevant remediation steps you need to follow to get back to safety.
The cloud just got smarter
Now, if anyone else sees that file come through their Meraki MX, Cisco Firepower, Cisco WSA, or AMP for Endpoints-enabled smartphone, it will be instantly blocked, because Threat Grid updated the disposition state of the file in the Cisco AMP Cloud. This means that you not only detected and can stop the bad guys on your network, but you also stopped the bad guys for the rest of the world!
The people who make this automatic protection happen are Cisco Talos, a team of hundreds of guys and girls who are the internet security equivalent of the Justice League (or Avengers, if you prefer). They have had a hand in defusing, deconstructing and protecting against every internet threat you have heard about in the past 2 years. And once they’ve figured out how to stop the bad guys, they pump that knowledge right back into the Meraki MX and other Cisco products. This means that, indirectly, you are helping make the internet a safer place just by being a Meraki customer, more so if you have Threat Grid.
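The lookup, detonate, update flow described in this section, as an added model that is neither Cisco's nor Meraki's code: a shared disposition store holds the three labels the post names (Clean, Malicious, Unknown), each gateway consults it by SHA-256 and remembers which Unknown files it delivered, and the sandbox verdict is passed in as a 0-100 threat score (the 70 cut-off, the hash algorithm and the sample bytes are all assumptions). It also shows where the retrospective alerts mentioned earlier come from.

```python
import hashlib
from collections import defaultdict
from enum import Enum
from typing import Dict, List, Optional


class Disposition(Enum):
    CLEAN = "Clean"
    MALICIOUS = "Malicious"
    UNKNOWN = "Unknown"


MALICIOUS_THRESHOLD = 70   # invented cut-off on the sandbox's 0-100 threat score


class AmpCloud:
    """Shared disposition store (one for everybody, not one per customer) plus the
    bookkeeping needed to raise retrospective alerts when a verdict arrives late."""

    def __init__(self, known: Optional[Dict[str, Disposition]] = None):
        self.known: Dict[str, Disposition] = dict(known or {})
        self.pending = set()                   # hashes awaiting a sandbox verdict
        self.delivered = defaultdict(list)     # hash -> gateways that let it through

    def lookup(self, digest: str) -> Disposition:
        return self.known.get(digest, Disposition.UNKNOWN)

    def submit(self, digest: str) -> None:
        """Queue an Unknown file for detonation (the sandbox itself is not modelled)."""
        self.pending.add(digest)

    def finish_analysis(self, digest: str, threat_score: int) -> List[str]:
        """Apply the sandbox verdict.  Returns one retrospective alert for every
        gateway that already delivered the file while it was still Unknown."""
        self.pending.discard(digest)
        if threat_score < MALICIOUS_THRESHOLD:
            self.known[digest] = Disposition.CLEAN
            return []
        self.known[digest] = Disposition.MALICIOUS
        return [f"retrospective alert: {gw} delivered {digest[:12]}... (score {threat_score})"
                for gw in self.delivered.pop(digest, [])]


class Gateway:
    """One MX: hashes the file, consults the shared store, records what it let through."""

    def __init__(self, name: str, cloud: AmpCloud):
        self.name, self.cloud = name, cloud

    def inspect(self, content: bytes) -> str:
        digest = hashlib.sha256(content).hexdigest()
        disp = self.cloud.lookup(digest)
        if disp is Disposition.MALICIOUS:
            return "blocked"
        # Clean and Unknown files are delivered; Unknown ones are remembered and
        # sent for detonation so a later verdict can still reach this customer.
        self.cloud.delivered[digest].append(self.name)
        if disp is Disposition.UNKNOWN:
            self.cloud.submit(digest)
        return "delivered"


def demo() -> dict:
    """The scenario from the post: one customer gets hit first, everyone else is
    protected as soon as the shared disposition flips to Malicious."""
    cloud = AmpCloud()
    site_a, site_b = Gateway("MX-site-A", cloud), Gateway("MX-site-B", cloud)
    sample = b"constructed sample file, never seen before"      # constructed input
    first = site_a.inspect(sample)                   # Unknown -> delivered, queued
    alerts = cloud.finish_analysis(hashlib.sha256(sample).hexdigest(), threat_score=95)
    second = site_b.inspect(sample)                  # now Malicious everywhere -> blocked
    return {"first": first, "alerts": alerts, "second": second}


if __name__ == "__main__":
    print(demo())
```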
Talos also takes threat intelligence information from many other Cisco security products, including lots that run on or are integrated natively with the Meraki MX, as shown below:
So, if you are already one of the many Meraki customers with an MX network, walk a little taller, because Talos has your back. And if you really need to know whether or not that file the CEO just downloaded was a cat video or a piece of ransomware, then Threat Grid is for you.
Reach out to your local Meraki sales rep to discuss further and start helping make the internet a safer place through simple, powerful cloud technology.
An attacker wanting to eavesdrop on a network has several methods at their disposal to cause harm, notably with “man-in-the-middle” attacks where an attacking device pretends to be a valid member of the network to intercept traffic.
That method of attack is called “spoofing”, which enables visibility into the device’s traffic and provides an option for attackers to use more aggressive network-disrupting tactics.
Device spoofing is a significant security threat, and it’s vital that your network have strong defenses. With our MS 10 firmware, Meraki is working to ensure your network remains secure with Dynamic ARP Inspection.
How does spoofing occur?
The attack works by subverting the normal exchange (ARP) that devices on a switched network use to learn which hardware address belongs to which IP address. The attacking device then misdirects traffic through itself by announcing its own hardware address to the devices that can hear it. The client devices cannot tell the forged messages from the genuine ones, so they begin forwarding potentially sensitive information to the attacking device.
The attacker can then spy on the traffic before forwarding the message to the correct device without anyone being the wiser.
How to defend against spoofing
Dynamic ARP Inspection (DAI) places safeguards at Layer 2 where bad actors may manipulate these important messages (ARP requests). DAI calls upon the network to verify whether the device handling the ARP requests is real or fake by checking whether that device has been seen before on the network. If the device hasn’t been seen, then messages from the attacking device are ignored.
Configuring DAI with Meraki is easy with MS 10. Note that to avoid disruption to your network, it’s essential to follow the steps in order.
In the Meraki dashboard, first, navigate to Switch > Switch Port and select the port associated with a DHCP Server or Relay. Select “Edit.”
Then navigate to “Trusted” and toggle to “enabled”.
Finally, navigate to Switch > DHCP Servers & ARP > DAI Status and select “Enabled.”
As with all things Meraki, the configuration of Dynamic ARP Inspection can be completed in seconds with our easy-to-use dashboard.
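The check DAI performs, and why the steps above must be done in that order, as an added model that is not Meraki's switch code. It assumes the "seen before" knowledge is a binding table of IP, hardware address and port learned from DHCP exchanges on the trusted port, that trusted ports bypass inspection, and that all addresses and port names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    sender_ip: str
    sender_mac: str


@dataclass
class DaiSwitch:
    # ip -> (mac, port), populated from DHCP exchanges seen via the trusted port
    bindings: Dict[str, Tuple[str, str]]
    trusted_ports: Set[str]

    def inspect(self, pkt: ArpPacket) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for one ARP packet."""
        if pkt.ingress_port in self.trusted_ports:
            return "forward", "trusted port, not inspected"
        binding = self.bindings.get(pkt.sender_ip)
        if binding is None:
            # This is also what happens to a statically addressed host with no
            # DHCP lease: it needs a trusted port or a static entry, or it goes dark.
            return "drop", f"{pkt.sender_ip} has no binding"
        mac, port = binding
        if mac != pkt.sender_mac:
            return "drop", f"{pkt.sender_ip} is bound to {mac}, not {pkt.sender_mac}"
        if port != pkt.ingress_port:
            return "drop", f"{pkt.sender_ip} was learned on {port}, not {pkt.ingress_port}"
        return "forward", "matches binding"


# Constructed sample data.
BINDINGS = {
    "10.0.0.11": ("aa:bb:cc:00:00:11", "port5"),
    "10.0.0.12": ("aa:bb:cc:00:00:12", "port6"),
}
DHCP_SERVER_PORT = "port1"
DHCP_SERVER = ArpPacket(DHCP_SERVER_PORT, "10.0.0.2", "aa:bb:cc:00:00:02")
GENUINE_HOST = ArpPacket("port5", "10.0.0.11", "aa:bb:cc:00:00:11")
FORGED_REPLY = ArpPacket("port7", "10.0.0.11", "aa:bb:cc:00:00:99")  # claims host 11's IP


def scenario(server_port_trusted: bool) -> List[str]:
    """Verdicts for [DHCP server, genuine host, forged reply] with DAI enabled.

    server_port_trusted=False models enabling DAI before the DHCP server/relay
    port is marked trusted (the steps above done out of order): the server has no
    lease-derived binding of its own, so its ARP traffic is dropped and clients
    lose their DHCP server.
    """
    sw = DaiSwitch(BINDINGS, {DHCP_SERVER_PORT} if server_port_trusted else set())
    return [sw.inspect(p)[0] for p in (DHCP_SERVER, GENUINE_HOST, FORGED_REPLY)]


if __name__ == "__main__":
    print("trusted first:", scenario(True))
    print("DAI first:    ", scenario(False))
```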
To learn more about other improvements in MS 10, please visit our documentation page or attend a webinar for a demonstration.
The “smart” descriptor gets tossed around the tech world so much today, it’s hard to know what, if anything, actually makes a device smart.
In the case of the Meraki MV security camera line, a mobile-grade processor on each camera means that the power of a smartphone is packed into each device, rendering onsite servers and special software unnecessary. Instead, users simply log into a browser-based dashboard to see rich person detection and motion-sensitive analytics. These tools can help with everything from keeping a campus safer, to streamlining processes in a manufacturing plant, to monitoring foot traffic in even the tiniest of retail locations.
Listen to MV’s product manager George Bentinck describe the benefits of a cloud-based smart camera system and see him demo the dashboard at newsroom.cisco.com.
Whether it’s completing a complicated math test, giving a science presentation, or going on a virtual field trip, students from kindergarten to college are always connected. And while they are preoccupied with completing online school assignments, video chatting with friends, and streaming TV, there is an entire network on the backend making this all possible, which they may not even be aware of. Most importantly, not only are students used to seamless connections across campus and in the classroom, they expect high bandwidth, easy on-boarding, and data security.
Today, IT teams at K-12 schools and higher education institutions are tasked with not only keeping the network secure, which is challenging enough on its own, but also with protecting end user devices and ensuring physical safety. All of these serious responsibilities, paired with limited resources, create a challenge for education IT teams. How do you protect endpoints, networks, and students, all at the same time?
Meraki is uniquely positioned to help education IT teams do just that. With solutions that span all three areas, you can ensure student and staff devices are secure, the network is safeguarded from vulnerabilities, student data is protected, and everyone is safe walking around campus — all from one, easy-to-manage location. Here are a few examples that illustrate what Meraki endpoint, network, and physical security can do for your school:
As 1:1 programs continue to grow in school districts and college students continue to bring tens of devices to campus, endpoint security has become increasingly important. With an endpoint management solution, you can protect students of all ages from seeing inappropriate content, accessing blacklisted sites, and downloading unknown applications by using content filtering, group policies, and advanced malware protection. If a device is lost or stolen, especially one holding sensitive information, you can easily identify its location and retrieve it or remotely wipe its contents. Most importantly, by protecting all of the devices that students and teachers use every day, the network can remain secure from common endpoint security vulnerabilities.
Schools and colleges big and small have become regular targets for cyber attacks. Cyber criminals often gain access to private student data or important research, and threaten to share this sensitive information. The first line of defense comes by creating group or user-based policies for students, teachers, and staff, and restricting who can access various parts of the network. With integrated intrusion protection and malware scanning, users can easily stop malicious threats and files before they enter the network while prioritizing trusted educational applications with Layer 7 firewall and traffic shaping rules. With increased network visibility, you can track and shut down rogue APs, set up email alerts when rogues are detected, and contain rogue SSIDs, AP spoofs, and packet floods. Most importantly, with a cloud-managed solution, you can ensure the latest firmware updates are pushed to the network automatically to guard against the latest security threats and vulnerabilities.
Schools are tasked with providing safe learning environments for all students and teachers, without fear of trespassers, poor behavior, or unforeseen incidents. With smarter security cameras, you can quickly identify when a person is where they shouldn’t be and view video analytics of school activity to identify high-risk areas. You can also help deter threats and incidents with the ability to quickly search recorded video and easily share with parents and law enforcement. With granular access controls and visibility from any Internet browser, teachers, principals, chancellors, and even the fire department can view groupings of cameras, or a single camera, and act accordingly. Plus, with video data encrypted at rest and during transport, you get even more protection against cyber threats.
With the perfect blend of endpoint, network, and physical security, Cisco Meraki helps provide the safest environment for schools and colleges. By managing all of your security solutions from a single, web-based dashboard, you can dramatically simplify device, network, and security camera management through remote configurations, video monitoring, and application deployments. The full stack of Meraki solutions works together seamlessly to provide a secure offering for schools. Meraki keeps devices protected, data encrypted, and students safe, while enabling the IT department to spend more time on impactful projects and less time managing and troubleshooting their security solutions.