Next week, members of the Cisco Meraki team will be heading to fabulous Las Vegas, Nevada to participate in Interop 2015. Designed to connect the IT community, Interop is an annual technology conference held in Las Vegas, London, and Tokyo. With a variety of speakers, workshops, and networking events, Meraki is very excited to participate.
If you happen to be at the event, come say hello! We will be at booth #1327 next Tuesday, Wednesday, and Thursday, April 28th-30th.
Hope to meet you soon! We’d be happy to give you a demo of our cloud managed network portfolio.
The Cisco Meraki dashboard has a little magic happening: on every dashboard page, there’s a small box where customers can make a wish for additional features or functionality on that page. We’ve covered wishes before in other blog posts, but want to highlight here how these wishes are turned into real dashboard tools.
What actually happens
When customers make wishes, those wishes are sent directly to our entire development team. Sometimes, an engineer sees a wish that intrigues her but she needs more context to understand what the submitter wants; other times, she may decide she loves the wish idea and want to develop it. In the former case, the engineer will reach out to the wish submitter for some additional insight or a conversation about the wish; in the latter case, the engineer may conceivably start working on the wish immediately—or schedule time to develop it.
Building a wish feature will often take at least a day or two. Then, the feature will have to undergo a code review by a team of engineers—and this can take as little as 3 days, depending on complexity. But several wishes are granted within a week or two of an engineer seeing the request.
Additionally, wishes get sent to our product team, who notice when specific wishes are requested several times. The product team will often use wishes to guide roadmap development, and so may reach out to engineers if there’s a critical mass of interest in a given feature.
Wishes do come true
As an example, here are three wishes that became real features of the Meraki dashboard.
1. Color-blind mode for the dashboard. Enabling a color-blind assist mode for viewing dashboard reports is a great example of the power of wishes. This feature, while important, is one that would likely not have been built based on sales traction alone. But after a wish, it became a reality. In fact, a few Meraki employees who are color-blind themselves make heavy use of this feature—so we’ve benefitted directly from the wish system ourselves!
What typical Meraki dashboard alerting looks like to those with normal vision.
What Meraki dashboard alerting looks like to those who are color-blind and who use the assist mode.
2. DHCP lease usage by VLAN. This is a slick feature in the MX Security Appliance’s local health and status page (Monitor > Appliance status). If you’re using the MX as a DHCP server, you can now gain visibility into IP address pool exhaustion on a per-VLAN basis.
3. Device configuration status. All Meraki gear receives seamless updates throughout the year for firmware and feature enhancements. Network administrators have always been able to schedule dates and times for these updates, and one wish that’s now in production is the ability to manually deploy updates directly from the local status page of any Meraki device.
So Meraki wishes really do come true, and they are an important part of our product development cycle! Wishes help us ensure we’re spending time building out features that matter to you, our customers, and they are a way for us to get critical feedback. So if you have a wish, make a wish—we’re listening!
Whew! 2015 is speeding by, and we know it’s easy to miss technical releases that could enhance your network. Not to fear, the Quarterly Update webinar is here! In this recurring webinar, we take the product managers for our wireless, switching, security, and MDM product lines, sit them down in a room, and give each of them about ten minutes to discuss what’s new and what’s to come.
You can view a recording of this past week’s quarterly update on our webinars page, and check out a brief overview of each product manager’s report below.
First: Wireless Update
To begin the Quarterly update, Matt, our wireless product manager, discussed the new MR32 and MR72 802.11ac APs with integrated Beacon technology. He shared details on how Bluetooth Low Energy (BLE) and Beacons are quickly becoming the opt-in alternative to WiFi for location services, and gave examples of how Beacon technology can be used for dynamic customer engagement. He also demonstrated some new radio tools in the Meraki dashboard, such as “auto” visibility and 5GHz channel width.
Matt, Wireless Wizard
Next up: MDM Update
Our Systems Manager specialist, Paul, explained the recent evolution of Systems Manager from two products (Standard and Enterprise) to one (Systems Manager). Existing Systems Manager customers can still take advantage of promotional pricing if they choose to update their platform. Reasons to make the switch to the full Systems Manager feature set include complete security and automation, network policies applied based on device status, and dynamic group assignment.
Paul, MDM Overlord
And then there was a: Switching Update
Lawrence kicked off his switching update with a discussion on the current state of the switching market. He stressed the unified wireless and wired management available with Meraki. With true unified network access, not only do you gain ease of use, but you can also reveal the previously hidden details of your network. He gave an overview of a year of new MS switching features, and dove into some particularly useful enhancements including network topology and ethernet power reporting.
Lawrence, Switching Maven
Last but not least: Security Update
Joe wrapped up this webinar with an MX security update. He gave an overview of the MX security appliance’s strong industry growth, and highlighted the benefits of Unified Threat Management providing one-stop security. He recapped this past quarter’s launch of the MX64 and MX64W, the industry’s first 802.11ac UTM. He also elaborated on some new IWAN features for the MX, including dual-active path, performance-based routing, and policy-based routing.
Joe, Security Pundit
There you have it! The second Quarterly Update. For more details, check out our webinars page for a PDF and recording of the live session.
With six sites spread throughout Ohio, Wisconsin, and Florida, you’d think it would be a challenge for a small IT team to monitor, configure, and troubleshoot an entire network from headquarters. In the case of Cohen & Company, a CPA firm, you thought wrong! With the remote management capabilities of the Meraki dashboard, centrally monitoring a healthy, intelligent network is easy.
Cohen & Company, a successful CPA firm, makes it their mission to help customers make the most of available financial opportunities.
Prior to Meraki, the Cohen & Company network was outdated and suffered from an unstable wireless connection. Their IT team was searching for a comprehensive solution with content filtering capabilities, as well as intrusion detection and prevention, when they heard about Meraki and decided to give it a shot.
Michael Tylicki, IT Infrastructure Manager at Cohen & Company, and his team were primarily responsible for testing the Meraki solution, and then rolling out a variety of MX security appliances and MR access points to all locations. The team preconfigured all hardware before sending it to the sites, where workers with no technical knowledge were able to easily install the new gear.
In line with their networking needs, the MX security appliance supplies built-in intrusion detection and prevention powered by Sourcefire. It offers secure site-to-site VPN between all sites, making it easy to safely share internal resources. Traffic shaping and bandwidth management are simple to configure, allowing their IT team to prioritize work traffic and limit, or even block, non-mission critical web applications. The automatic MPLS to VPN failover built into every security appliance has also proven beneficial, keeping the network uptime high and preventing voice calls from dropping.
The MR APs offer a reliable wireless connection for all Cohen & Company locations. The team has configured separate employee and guest SSIDs, with the employee network requiring 802.1X authentication and the guest network simply requiring a shared passkey. The team created a custom splash page for the guest SSID, and uses time-based policies and heat mapping in the Meraki dashboard to monitor how and when this network is accessed.
An overview of the Cohen & Co. organization in the Meraki dashboard.
In addition to the security appliances and access points installed at all branches, remote users and auditors also benefit from the Z1 teleworker appliance. With this portable device, employees working away from the office can still securely access the corporate network and any necessary internal resources. Cohen & Company also enrolls all company-owned devices in Systems Manager, the Meraki mobile device management offering, for monitoring and management purposes. Systems Manager offers IT the ability to manage software inventory, send alerts to users who are nearing capacity on their local drive, and remotely wipe devices in the event they go missing.
All the features and equipment mentioned above are managed together through a single pane of glass, within the Cohen & Company dashboard. It’s easy to get an instant and comprehensive overview of the entire network, and then drill into granular details if desired. Remote troubleshooting tools, such as packet captures and remote reboots, and instant email notifications help keep the network healthy, without the need for onsite IT.
To hear the full story, check out a recording of the webinar Michael hosted last week here. Keep an eye on our webinars page for more live customer presentations in the future!
Security administrators have a lot on their plates these days. Are my devices secure? Are devices running the appropriate apps? Are devices running apps they shouldn’t be? Could those apps or processes cause system-wide vulnerabilities? The list goes on. Systems Manager has recently implemented a feature to help answer these burning questions, and also provide tools to remediate potentially threatening events.
Now Systems Manager has the ability to whitelist and blacklist applications on all device types, and if necessary quarantine those devices until the problem is resolved. This is accomplished via an addition to the Security Policies in Systems Manager. Security Policies allow admins to define a set of rules for client devices, and then determine whether clients are compliant or not with a given policy.
In the Systems Manager network below there are two different policies, ‘Secure’ and ‘MerakiSecure’, each with varying requirements.
These policies can check if a device has anti-spyware running, disk encryption enabled, a passcode configured, and much more. New to this list is the ability to take a look into the applications on the devices. We have added 3 features to security policies: mandatory running apps, application blacklist or whitelist, and mandatory applications. These new features allow a tremendous amount of visibility and control over what is happening on client devices.
With the mandatory running apps feature, admins can define processes that are required to be running on Windows and OS X devices. For example, admins can ensure a specific VPN client is installed and running. Admins can also filter for potential vulnerabilities such as devices that are running known malicious processes. These devices can be immediately identified across an entire fleet of clients and, with the help of Systems Manager, they can be quarantined by limiting their network access with group policy integration.
The client overview page below lists all devices that are compliant with the MerakiSecure policy, and if they are not compliant we can see the reason(s) they are failing. From here the administrator can decide how to deal with non-compliant devices, by manually or dynamically applying Systems Manager profiles to set usage restrictions, or by quarantining devices on the network with group policy integration.
In addition to looking into applications on Windows and OS X devices, we can also do the same for applications on Android and iOS devices. The application whitelist and blacklist settings, along with mandatory applications, can be applied to all devices so we can simply enter ‘facebook’ to blacklist all apps named facebook.
Systems Manager allows various methods of defining apps in this field, such as using the complete app identifier, or using wildcards to specify all apps by a specific vendor. To get more detail on syntax options you can simply hover over the info bubble to the right of the setting.
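To make the three policy checks concrete, here is an added sketch (not Meraki code, and not how Systems Manager is implemented) that evaluates a constructed device inventory against mandatory running apps, mandatory applications, and an application blacklist or whitelist, returning the failure reasons per device. The matching rules (case-insensitive, shell-style `*` wildcards against app name or identifier), all class and field names, and the sample fleet are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class App:
    name: str
    identifier: str


@dataclass
class Device:
    name: str
    os: str                      # "windows", "osx", "ios" or "android"
    apps: list
    running: list = field(default_factory=list)


@dataclass
class Policy:
    name: str
    mandatory_running: list = field(default_factory=list)
    mandatory_apps: list = field(default_factory=list)
    list_mode: str = "blacklist"  # or "whitelist"
    app_patterns: list = field(default_factory=list)


def matches(pattern, app):
    """Assumed syntax: a plain name, a full identifier, or a '*' glob."""
    p = pattern.lower()
    return any(fnmatchcase(v.lower(), p) for v in (app.name, app.identifier))


def evaluate(policy, device):
    """Return the list of reasons a device fails; empty means compliant."""
    reasons = []
    # Running-process checks apply to desktop platforms only.
    if device.os in ("windows", "osx"):
        running = {p.lower() for p in device.running}
        for proc in policy.mandatory_running:
            if proc.lower() not in running:
                reasons.append(f"required process not running: {proc}")
    for pattern in policy.mandatory_apps:
        if not any(matches(pattern, a) for a in device.apps):
            reasons.append(f"mandatory app missing: {pattern}")
    if policy.app_patterns:  # an empty list means no app restriction
        for app in device.apps:
            hit = any(matches(p, app) for p in policy.app_patterns)
            if policy.list_mode == "blacklist" and hit:
                reasons.append(f"blacklisted app installed: {app.identifier}")
            elif policy.list_mode == "whitelist" and not hit:
                reasons.append(f"app not on whitelist: {app.identifier}")
    return reasons


def fleet_report(policy, devices):
    """Map device name to failure reasons, like a compliance overview."""
    return {d.name: evaluate(policy, d) for d in devices}


# Constructed sample data (hypothetical apps, identifiers and processes).
VPN = App("VPN Client", "com.example.vpn")
FLEET = [
    Device("laptop-01", "osx", [VPN], running=["vpnclient", "Finder"]),
    Device("laptop-02", "windows", [VPN], running=["explorer.exe"]),
    Device("phone-01", "ios", [
        App("Facebook", "com.facebook.Facebook"),
        App("Flashlight", "com.badvendor.flash"),
        App("Mail", "com.example.mail"),
    ]),
]
POLICY = Policy(
    name="MerakiSecure",
    mandatory_running=["vpnclient"],
    mandatory_apps=["com.example.vpn"],
    list_mode="blacklist",
    app_patterns=["facebook", "com.badvendor.*"],
)
WHITELIST = Policy(name="Secure", list_mode="whitelist",
                   app_patterns=["com.example.*"])

if __name__ == "__main__":
    for name, reasons in fleet_report(POLICY, FLEET).items():
        print(name, "compliant" if not reasons else reasons)
```

Devices with a non-empty reason list are the ones an administrator would restrict or quarantine through group policy, as described above.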
This feature is available now in your Systems Manager network. We are excited to hear what you think of the feature, and how we can keep enhancing compliance policies to provide the best tools to secure devices in your environments. Keep us posted in the make a wish box.
In March we ran the March to 1000 promotion for new and existing subscribers to the Meraki blog. We saw an unprecedented number of people sign-up to receive news from the blog, and we easily surged past our target of 1000 subscribers. Thank you to everyone who participated and encouraged others to subscribe. We will shortly be announcing the winner of the competition and contacting them directly to arrange delivery of their shiny new MX64W and Advanced Security license. Keep an eye on your inbox to see if you have been selected!
Due to the number of new subscribers we achieved in March, we would like to run a smaller promotion for all subscribers to give more people a chance of receiving some Meraki love. At the end of April we will select ten of our blog subscribers to receive a limited edition Meraki t-shirt.
Modelled for us by Technical Evangelist and blog writer @merakisimon, this is the latest t-shirt design, currently only available to Meraki staff. If you are chosen at the end of April, we will ship you a shirt of your preferred size. Oh, we should add, terms and conditions apply.
If you have yet to subscribe to the blog, then this is a great reason to do so today. To subscribe, navigate to the blog homepage, click the ‘Subscribe’ button, and enter your email address. Existing subscribers can sit back and relax, as you will be automatically entered. Thanks again to all our readers, and if you have any comments or suggestions for the blog, please drop us a note on twitter @meraki.
Come one, come all to the Meraki Quarterly Update! Once every three months, we gather the latest news from our Wireless, Switching, Security, and MDM product specialists and present them to you in a one-hour webinar. What better way to get a condensed update on the latest in cloud networking, straight from the creators?
We will be hosting two webinars for partners and customers at North American-friendly times (keep an eye on the EMEA webinar page for additional sessions). Partners can register in the Partner Portal for the Quarterly Update this Thursday, April 2nd, at 9:00 AM PT. The customer webinar will air on Tuesday, April 7th, at 11:00 AM PT, and you can sign up here.
Since last fall’s new E-Rate Modernization Order was released, the Meraki team has been working tirelessly to bring reliable, high performance, and cost effective network solutions to the education community. We’ve put together some amazing offers for E-Rate eligible schools and libraries, created an E-Rate & Meraki FAQ, and have been working to provide you with all the information you’ll need this funding year.
We’re not done yet! Just a couple weeks ago, USAC announced a new filing date for Form 471, extending the bidding and filing period until 11:59:59 pm EDT on April 16.
This announcement has given thousands of schools that had not yet finalized their decisions additional time to test solutions, request bids, and craft the best possible solutions for their districts.
We’ve taken advantage of this extension by having some of our current customers join us for interactive webinars. During these sessions, they’ve been gracious enough to share their experiences with their fellow districts and talk about their use of the Meraki solution, as well as the ease with which they manage and monitor their networks. Take a look at some of their stories:
As the days tick down to the final filing deadline for the 2015 E-Rate funding year, be sure to tune into one of our upcoming webinars. You’ll find out more about how the Meraki solution can provide your district with a future-proof network for years to come, while also increasing your overall control and network performance:
Ask anybody about their experience of publicly available WiFi of the kind they typically experience in hotels, restaurants and at events, and the response is fairly consistent. It’s not good enough.
There are many potential explanations for this. After all, this is WiFi – a shared, half duplex technology using the air as the transport medium. Like any radio technology, WiFi is subject to performance-sapping interference and signal attenuation from myriad sources. Walls, windows, water coolers, people, the list goes on.
Getting WiFi right requires thorough planning, particularly the all-important site survey, which will help identify appropriate channels, channel widths, power levels and AP/client density. Appropriate planning only grows in importance as the number of connected WiFi devices continues to increase, from smartphones and tablets to newer ‘things’, like remote controlled cameras and thermostats. Until more radio spectrum is available, increasing congestion is inevitable, eating into the impressive throughput potential of newer WiFi standards like 802.11ac. In case you missed the memo, Meraki APs now have a very useful site survey mode to assist.
Once a quality job has been completed on planning and deployments, most of the remaining causes of reduced performance are beyond the control of the network admin. But there is one simple thing every WiFi admin can do to improve things: migrate users, and as many as possible, to the far less congested 5GHz band.
It’s simple, the more people, devices and competing technologies trying to squeeze through a single shared pipe, the worse the experience will be for all. The unlicensed 2.4GHz spectrum is that pipe, leading to many referring to this as the ‘junk band’ for WiFi.
Reasons to proactively shift to 5GHz are many:
The typical channel width used in the 2.4GHz spectrum allows for only 3 non-overlapping channels, meaning that in order to avoid interference, APs must be spaced apart with alternating channels. Lower frequencies have greater signal propagation, particularly in open spaces (like concert venues or sports stadiums), so adequate spacing without interference will be more difficult to achieve. In the 5GHz space, there are as many as 24 non-overlapping channels, depending on local regulations and channel width. A well designed network of APs operating in the 5GHz band is far less likely to experience interference from neighboring APs for this reason.
Greater throughput potential
The latest 802.11ac wireless standard, which operates exclusively in the 5GHz band, uses an improved modulation technique which increases throughput for a given pipe (channel) compared to earlier standards. There is also the option to increase the width of the channels (currently up to 80MHz) to increase throughput. This will reduce the number of non-overlapping channels, although in a regular indoor environment the shorter signal propagation of 5GHz signals will mitigate co-channel interference from neighboring APs.
Broad client support
There are certainly still devices supporting only the 2.4GHz WiFi standards (802.11b, g and n). Printers and barcode scanners are common culprits here. However, the good news is that the majority of new laptops, smartphones and tablets now contain chipsets capable of either 802.11n or ac. In other words, it’s time to confidently make the leap to 5GHz.
Meraki APs provide the tools to support a smooth migration to greater 5GHz use, without abandoning those devices which are unable to join the party. Perhaps the single most effective step is to configure band steering, which will encourage any device capable of connecting at 5GHz to do so.
Note the new additional setting for minimum bitrate in the 2.4GHz band, another way to ensure best possible performance for newer devices still requiring that band.
Another approach which some Meraki customers choose is to configure one band per SSID. For example, employees or anyone using provided devices, including those centrally managed by the IT team, can be required to use an SSID which only supports 5GHz connections. For everything else, which may include BYOD or guest devices, a separate SSID can be set up using 2.4GHz only (an option our support team will be happy to turn on for any customer wishing to adopt this approach), or dual band with band steering.
If there is a requirement to support both bands in a high density deployment, and more APs are therefore required in a given area, the 2.4GHz radio can be selectively turned off on some APs, leaving 5GHz operational. This allows for a higher AP concentration with fewer of the co-channel interference issues common on the 2.4GHz band.
With a little planning, your wireless network can be transformed from the traffic chaos in the photo above to something more akin to a racetrack. We look forward to seeing you there!
One of the most popular aspects of the Meraki approach is the ease of deploying and maintaining multi-site networks. This capability is made possible thanks to the centralized, cloud-based architecture we have been operating since we started back in 2006. Configurations can be built within minutes and pushed to thousands of APs, switches and security appliances with just a few clicks of a mouse.
For those setting up and managing hundreds or even thousands of sites, anything which can be automated will improve efficiency and save time, with a consequential real impact on operational expenditure. In this post we’ll explore how configuration templates can be created and used across the full Meraki stack to streamline deployment to multiple locations.
Before diving into the options available, a quick recap of how Meraki defines a ‘network’. These are essentially logical groupings of network components, so for example, a network could comprise one or more APs and switches, or a single security appliance. Alternatively, a network could be a logical group of more than one product type. For example, Meraki has a network it calls ‘Meraki Corp’ which is a container including all APs, switches and security appliances at our headquarters. The one rule to remember is that there can be only one security appliance (MX or Z1) in a network.
In no particular order, here are some of the tools which make building and maintaining multi-site networks easier.
Configuration Sync – replicate and compare APs and Security Appliance configurations
This at-a-glance tool, which lives under the ‘Organization’ tab of the dashboard menu, is designed for networks containing either multiple wireless APs or a single security appliance. The tool enables a comparison between one network and one or more others. For wireless networks, the tool enables comparison and synchronization of:
Allowed and blocked devices
Billing pricing plans
Meraki User databases
Note that the target network can be either a configured network, or a tag name, so in the example above we are comparing the configuration for a network called ‘Corporate WiFi’ with APs tagged as ‘home’.
For the security appliances, the tool will compare settings for:
For switch networks, in either standalone (switches only) or combined networks (containing more than one device type), the cloning tool can be used to copy the following attributes between switches of the same type and port count:
Switch port configuration
RSTP bridge priority
In this example, a search has been done for switches of a certain type which are located on the 4th floor of our building, and tagged accordingly. The configuration for the London branch switch will be copied to the 6 switches found by this search.
Configuration Templates – create master templates for APs and Security Appliances
When deploying to multiple sites, maintaining a standard configuration template can be a highly effective time saver. With this approach, a master network is used to create a template – which appears as a special entry in the networks list – and target networks are then bound to this master. Almost all configuration settings are replicated and every time a change is made on the master network this is replicated to all bound networks. The replication process overwrites any configuration settings which have been made at the individual network level, so this is really an ‘all or nothing’ approach.
Once a network is bound to a template, only a subset of configuration options remain. This might include things like AP channel settings, WPA2 personal passphrases, or IP based VLAN addressing. Note the reduced list of menu options here:
More detail can be found in our excellent Knowledge Base article on the topic. We also recently announced an additional feature enabling the creation of extensible firewall templates for our Security Appliances, ensuring that where subnets are shared between locations, firewall rules are automatically adjusted to match their local addressing schema.
Tags and Profiles for managed client devices
The network infrastructure exists to serve client devices, so our hugely popular MDM solution, Systems Manager, also includes tools to assist with logically grouping and configuring large numbers of dispersed endpoints.
Systems Manager tags can be created to group together devices based on any useful criteria. In an education setting it might be useful to have one tag for ‘staff’ and another for ‘students’. Tagging devices as belonging to a specific business function, like ‘sales’ or ‘engineering’, may help to clearly identify a device’s intended purpose.
Once these tags have been established, profiles containing settings, restrictions and apps can be automatically applied by simply assigning them to tags. Tags can be assigned manually, according to a schedule, or as part of their enrollment into MDM. Apple’s Device Enrollment Program takes the scaling potential even further, enabling the assignment of tags from the moment a batch of newly purchased iOS devices is powered on for the first time.
This approach makes replication of managed settings, restrictions and apps across tens, hundreds or even thousands of managed devices a cinch. Here’s an example showing the deployment of the Evernote app to all devices in the Physics department:
We’re always looking for ways to make the life of the network admin easier. Templates can play a big part in reducing duplicate effort across multi-site networks, and you can be sure we’re not done yet. Stay tuned for more news on configuration templates coming soon!