When Cisco Meraki introduced MV security cameras two years ago, the goal was to create a product for an industry that had seen little in the way of fresh, innovative approaches to solving common problems in decades. MV featured a new architecture that fundamentally made the business of installing, managing, and interacting with security cameras easier, more enjoyable, and less resource-intensive.
A year and a half later, MV12 came into the picture and brought advanced analytics to the MV family, including computer vision powered by machine learning—all without the need for any servers or additional software complexity. But with the introduction of in-dashboard analytics came tons of questions about additional analytics capabilities.
Today, MV Sense joins the MV family as a tool to help users create better, smarter business solutions. MV Sense is the first installment in a broader analytics category called Meraki IQ, a powerful class of intelligently processed data delivered via simple APIs.
Further underpinning this dedication to enabling customers to make use of cameras as sensors, the MV lineup grows to include MV22 and MV72, indoor and outdoor varifocal cameras featuring the same powerful processor as MV12.
The in-dashboard analytics tools found on MV smart cameras—motion heat maps and person detection/tabulating—can provide users a wealth of high level information about foot traffic and behavior patterns, but the use cases for MV’s machine learning algorithms are so vast and varied that we wanted our customers to be able to take advantage of it in their own way. Enter MV Sense, a new way for customers to interact with and build on top of the person detection data that comes out of MV12, MV22, and MV72 cameras. Each MV Sense license allows users to access person detection data produced by a camera (including location, time, and count) via a set of both RESTful and MQTT-based APIs.
This means that those once far-fetched or cost-prohibitive ideas can become a reality. MV Sense allows for solutions that do things like:
Trigger a special in-store media display to begin playing if there are more than 10 people in close range of the screens
Understand wait times in grocery queues around the world
Quickly understand and alert emergency personnel if there are people left in a building during a fire drill or evacuation
Set off an alarm if the person count next to a dangerous piece of machinery in a manufacturing facility drops below the safe minimum
The most exciting part? 10 MV Sense licenses will be included with every MV organization to allow for tinkering to begin right away.
Advanced analytics are now available on two new hardware models—a duo of indoor and outdoor varifocal cameras, MV22 and MV72. They feature not only the same processor as MV12, but also many of the same hardware benefits: audio recording, wireless capability, and 256GB of onboard storage, all with the added bonus of optical zoom, which can be configured and adjusted simply via the Meraki dashboard.
MV72 also features increased weather- and impact-resistance ratings from the first generation, IP67 and IK10+. IK10+ happens to be the highest impact resistance rating available, meaning those advanced analytics can now be deployed anywhere and everywhere.
The edge-storage architecture of MV smart cameras was created thoughtfully and deliberately to serve Meraki customers’ needs. This meant building a product that would accommodate those customers who had real-world bandwidth constraints and limitations. Still, there are times when it’s necessary for particular cameras in a fleet to offload their storage or have a backup of the data, and that’s where the cloud archive tool for MV comes in.
Cloud archive comes in 90- and 180-day storage options and can be enabled on a per-camera basis, allowing for custom-tailored storage solutions for every organization. This means that only critical cameras will back up their video to the cloud and bandwidth limits can be adhered to. Cameras will continue to retain footage locally in addition to the cloud copy, providing redundancy and greater peace of mind.
Troubleshooting network complications can be an extremely time-consuming and difficult process. Issues such as VLAN mismatch are tough to track down among the mountain of configurations needed to get a network operational.
VLAN mismatches occur when two ends of a link are misconfigured to different VLANs. These can happen over access or trunk links. A mismatch on the link that carries the critical traffic required to keep the network functioning – the Native or management VLAN – causes additional headaches and potential security concerns.
The above image represents a native VLAN configuration where management traffic flows untagged across the switch port links normally. The image below represents a VLAN mismatch.
When the switch port on Switch 2 is misconfigured to VLAN 20, the management traffic will continue to flow between Switch 1 and 2, but any traffic returning to Switch 1 is treated as VLAN 20. This mismatched scenario could result in traffic being altogether dropped or potentially be a security concern if VLAN 20 has access to confidential data not normally accessible to VLAN 1 and the data makes it to the destination device.
Meraki uses two methods to detect VLAN mismatches. The first method is to detect if the link is configured with the same VLAN type or number on each switch port of the link. The second method is to observe if the link is identically configured as an access or trunk (multiple VLANs) connection on both sides of a switch port.
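The two checks described above can be sketched as follows. This is an added example, not Meraki's code: the `Port` model, the port names and the sample links are constructed, and `vlan_on_arrival` assumes standard 802.1Q handling of untagged frames to show how traffic crosses between VLAN 1 and VLAN 20 on a mismatched link.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    mode: str   # "access" or "trunk"
    vlan: int   # access VLAN, or native (untagged) VLAN on a trunk


def vlan_on_arrival(tx: Port, rx: Port, vlan: int) -> Optional[int]:
    """VLAN the receiving port files a frame under, or None if not carried.

    Assumed model: a trunk sends its native VLAN untagged and tags the rest;
    an access port sends only its own VLAN and drops tagged frames.
    """
    if tx.mode == "access":
        if vlan != tx.vlan:
            return None
        tag = None
    else:
        tag = None if vlan == tx.vlan else vlan
    if tag is None:
        return rx.vlan          # untagged: receiver applies its own VLAN
    return tag if rx.mode == "trunk" else None


def check_link(a: Port, b: Port) -> list:
    """Apply both checks to the two ends of one link."""
    findings = []
    if a.vlan != b.vlan:        # method 1: same VLAN number on each end
        findings.append(
            f"VLAN mismatch: {a.name} uses VLAN {a.vlan}, "
            f"{b.name} uses VLAN {b.vlan}")
    if a.mode != b.mode:        # method 2: access vs. trunk on each end
        findings.append(
            f"port type mismatch: {a.name} is {a.mode}, "
            f"{b.name} is {b.mode}")
    return findings


# Constructed sample topology (not taken from a real network).
LINKS = [
    (Port("SW1/1", "trunk", 1), Port("SW2/1", "trunk", 20)),   # VLAN 1 vs 20
    (Port("SW1/2", "trunk", 1), Port("SW3/1", "access", 1)),   # trunk vs access
    (Port("SW2/2", "trunk", 1), Port("SW3/2", "trunk", 1)),    # consistent
]


def audit(links):
    """Map each link to its list of findings (empty list means consistent)."""
    return {f"{a.name}<->{b.name}": check_link(a, b) for a, b in links}


if __name__ == "__main__":
    for link, findings in audit(LINKS).items():
        print(link, findings or "ok")
    sw1, sw2 = LINKS[0]
    print("VLAN 1 frame from SW1 lands in VLAN", vlan_on_arrival(sw1, sw2, 1))
```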
To help users spot the issue, Meraki has implemented VLAN mismatch detection that notifies users when an error is found.
The dashboard now indicates when a VLAN mismatch has occurred on a specific port and what exactly is causing the mismatch.
With the notification, users can now immediately diagnose potential issues in seconds and quickly isolate which port needs to be correctly configured.
To find more information on how Meraki handles VLAN mismatches, head to our documentation page. To learn more about all of Meraki’s safety and security features for switches, consider attending one of our upcoming webinars.
An attacker wanting to eavesdrop on a network has several methods at their disposal to cause harm, notably with “man-in-the-middle” attacks where an attacking device pretends to be a valid member of the network to intercept traffic.
That method of attack is called “spoofing,” which enables visibility into the device’s traffic and provides an option for attackers to use more aggressive network-disrupting tactics.
Device spoofing is a significant security threat, and it’s vital that your network have strong defenses. With our MS 10 firmware, Meraki is working to ensure your network remains secure with Dynamic ARP Inspection.
How does spoofing occur?
The attack works by deactivating the regular connection that switches use to pass information to client devices. The attacking device then misdirects traffic through itself by announcing its hardware address to devices that can hear it. The client devices aren’t smart enough to know the difference between the fake and real messages, so they begin forwarding potentially sensitive information to an attacking device.
The attacker can then spy on the traffic before forwarding the message to the correct device without anyone being the wiser.
How to defend against spoofing
Dynamic ARP Inspection (DAI) places safeguards at Layer 2 where bad actors may manipulate these important messages (ARP requests). DAI calls upon the network to verify whether the device handling the ARP requests is real or fake by checking whether that device has been seen before on the network. If the device hasn’t been seen, then messages from the attacking device are ignored.
Configuring DAI with Meraki is easy with MS 10. Note that to avoid disruption to your network, it’s essential to follow the steps in order.
In the Meraki dashboard, first, navigate to Switch > Switch Port and select the port associated with a DHCP Server or Relay. Select “Edit.”
Then navigate to “Trusted” and toggle to “enabled”.
Finally, navigate to Switch > DHCP Servers & ARP > DAI Status and select “Enabled.”
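Why the order of these steps matters, as an added example that is not Meraki's implementation. It assumes the common DAI design in which IP-to-MAC bindings are learned from DHCP replies seen on trusted ports; the `Switch` class, port numbers and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Simplified DAI model (assumption): ARP arriving on an untrusted port
    is forwarded only if its sender IP/MAC pair matches a learned binding."""
    trusted_ports: set = field(default_factory=set)
    dai_enabled: bool = False
    bindings: dict = field(default_factory=dict)   # sender IP -> MAC

    def dhcp_ack(self, ingress_port, client_ip, client_mac):
        # DHCP server replies are believed only on a trusted port, so a
        # rogue server on an access port cannot plant bindings.
        if ingress_port in self.trusted_ports:
            self.bindings[client_ip] = client_mac

    def inspect_arp(self, ingress_port, sender_ip, sender_mac):
        if not self.dai_enabled:
            return "forward (DAI off)"
        if ingress_port in self.trusted_ports:
            return "forward (trusted port)"
        known = self.bindings.get(sender_ip)
        if known is None:
            return "drop (no binding)"
        if known != sender_mac:
            return "drop (MAC mismatch)"
        return "forward (binding ok)"


# Constructed sample network: the gateway and DHCP server sit behind port 1.
UPLINK, CLIENT_PORT, ROGUE_PORT = 1, 5, 7
GATEWAY = ("10.0.0.1", "aa:aa:aa:00:00:01")
CLIENT = ("10.0.0.50", "bb:bb:bb:00:00:50")
ROGUE_MAC = "cc:cc:cc:00:00:99"


def run(trust_uplink_first):
    """Replay the same traffic with and without the trusted-port step."""
    sw = Switch()
    if trust_uplink_first:
        sw.trusted_ports.add(UPLINK)     # mark the DHCP-facing port Trusted
    sw.dai_enabled = True                # then set DAI Status to Enabled
    sw.dhcp_ack(UPLINK, *CLIENT)         # client obtains its lease
    return {
        "client": sw.inspect_arp(CLIENT_PORT, *CLIENT),
        "gateway": sw.inspect_arp(UPLINK, *GATEWAY),
        "spoofed gateway": sw.inspect_arp(ROGUE_PORT, GATEWAY[0], ROGUE_MAC),
        "spoofed client": sw.inspect_arp(ROGUE_PORT, CLIENT[0], ROGUE_MAC),
    }


if __name__ == "__main__":
    for label, ordered in (("steps in order", True), ("DAI first", False)):
        print(label)
        for who, verdict in run(ordered).items():
            print(f"  {who:16} {verdict}")
```

With the steps in order, only the two spoofed announcements are dropped; with DAI enabled before the port is trusted, legitimate ARP from the client and the gateway is dropped as well.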
As with all things Meraki, the configuration of Dynamic ARP Inspection can be completed in seconds with our easy-to-use dashboard.
To learn more about other improvements in MS 10, please visit our documentation page or attend a webinar for a demonstration.
When MV12 launched back in February, wireless functionality was mentioned, but the specifics were promised for later in the year. Today, the wait is over, as wireless functionality on all MV12 models is now available.
But why wireless anyway? It’s a great question, and the answer is rooted in the architecture of analog camera deployments.
Looking at the back of an analog camera, there are two inputs: data and power. Power for analog cameras traditionally comes from low voltage power supplies—the very same that are hooked up to badge access systems, powered doors, and other facilities infrastructure. Data is transmitted using coaxial cable.
Cabling for an analog camera system.
IP cameras, on the other hand, typically receive data and power via Ethernet, from a PoE-enabled switch.
Users looking to upgrade from analog to IP often realize that after including labor, downtime, and the recabling itself, the process may end up being cost prohibitive, especially at smaller or remote site locations. Consequently, it may not be surprising that these locations are often where VHS-based NVRs can still be found.
A new approach, and a new accessory
Realizing that a recabling requirement can often derail an entire project, we wanted to find a better approach. Utilizing over ten years of Meraki’s wireless experience, MV12 security cameras have been built to be able to connect to any industry standard WiFi network as a wireless client. This means data no longer has to travel via that Ethernet cable.
So how to solve the power dilemma? Starting today, a new Meraki power adapter is available, converting those low voltage power supplies (12VDC/24VAC) into PoE. Installers can simply unplug the power wires from an analog camera, connect them to the terminals in the power adapter in either order (the accessory figures this, and the input voltage, out for you, so no guesswork is required), and an Ethernet cable plugged into the RJ45 port will deliver PoE to a camera.
What about the data? SSID authentication information can be entered in the dashboard. After downloading this configuration through the LAN, cameras can be powered on with this new accessory within range of a wireless access point (it doesn’t have to be a Meraki AP, though centralized management of APs and cameras is a bonus if it is!). And that’s it—the coax cable can simply be left in the wall and will no longer serve a purpose.
This process is quicker, less expensive, and less disruptive than the typical recabling process, and will enable more customers to take advantage of MV12’s advanced analytics, easy-to-use interface, and centralized management.
The pace at which new security threats are being introduced and propagated online has reached exponential levels, gaining speed with each passing year. Organizations have more locations and devices to protect, and threats are using many different ports to try to gain access or exfiltrate data. Security teams are often understaffed and struggle with complex, siloed systems that do not integrate or share intelligence in a programmatic way. These teams need solutions that are easy to deploy, simple to manage, can scale exponentially, and can integrate with other tools.
Securing your wireless users from malicious attacks — particularly these “DNS blind spots” that exist in many networks and are exploited by 97% of advanced malware — is of paramount importance. Unfortunately, recent surveys indicate that 75% of organizations do not actively monitor and apply security for DNS.
It is within this context that we are excited to announce support for integration between Meraki MR wireless access points (APs) and Cisco Umbrella (formerly OpenDNS).
Umbrella is the industry’s first secure internet gateway, a cloud-delivered first line of defense against threats like malware, ransomware, and phishing. Umbrella enforces security at the DNS layer by identifying requested web domains hosting nasty stuff — malware, phishing, etc. — and blocking end user access to them. Umbrella also enables more secure DNS querying through a tool called DNSCrypt, which automatically encrypts DNS queries between your network and Umbrella’s servers, effectively eliminating the chance that your queries will be the victim of eavesdropping or man-in-the-middle (MITM) attacks. This secures the “last mile” of a client’s internet connection, which is often left exposed and vulnerable.
There is no additional cost or charge for taking advantage of this integration (which is available to all Meraki wireless customers who have upgraded to our latest MR26.x firmware), but Meraki wireless customers who wish to integrate with Umbrella will need a separate Umbrella license and account with that service.
Enabling Umbrella integration
So, what does this mean for admins of Meraki wireless networks? This integration with Umbrella enables Meraki admins who obtain Umbrella licenses (WLAN, Professional, Insights, or Platform) to seamlessly assign DNS filtering via Meraki group policy or SSID to specific subsets of wireless clients, or to them all.
Enabling Umbrella integration takes only a few steps. First, the Meraki and Umbrella dashboards must be linked via the Umbrella Network Devices API key. Once this API key is generated from within the Umbrella dashboard, it needs to be copied into the Meraki dashboard by navigating to Network-wide > General.
Enabling Meraki + Umbrella integration within the Meraki dashboard.
Once the Meraki and Umbrella dashboards have been configured, linking a Meraki SSID or group policy to an Umbrella security policy is easy (note: Meraki group policies must be set to use ‘Custom SSID Firewall & Shaping Rules’ to link an Umbrella policy to them). After this initial setup, a unique identifier is generated behind the scenes for the specified Meraki SSID or group policy and is used by Umbrella to determine how to evaluate traffic from that Meraki network moving forward.
To link a Meraki SSID to an Umbrella policy, navigate to the Wireless > Configure > Firewall & Traffic Shaping section of the Meraki dashboard. There, you will find a button to link Umbrella policies.
Linking an Umbrella policy to a Meraki SSID.
By default, the last policy physically listed in the Umbrella dashboard’s ordered policy list will be inherited by a Meraki SSID unless a different policy is selected from the dropdown list.
To link a Meraki group policy to an Umbrella security policy, navigate to the Network > Configure > Group policies page in the Meraki dashboard and choose the specific Meraki group policy that you want to link. Under the ‘Layer 7 firewall rules’ section of that policy, you’ll be able to choose which Umbrella policy you’d like to apply.
Applying an Umbrella DNS policy to the Meraki ‘VIP Umbrella Clients’ group policy.
Once a Meraki SSID or group policy has been successfully linked to an Umbrella security policy, clients connecting to that SSID or who have been applied that group policy will have their DNS queries encrypted (if the AP supports 802.11ac) and verified against the corresponding Umbrella policy. Encrypting DNS queries between Meraki APs and Umbrella DNS endpoints helps secure the ‘last mile’ of client web browsing and protects against devastating MITM attacks or packet snooping that can reveal which websites client devices are browsing.
An example Umbrella policy may prohibit access to known malicious web domains or websites that host specific types of content, like gambling or peer-to-peer domains. If the client’s request for access to a given website is allowed, Umbrella will return an encrypted DNS response with the appropriate IP address. If the request is denied, then an encrypted DNS response pointing to the Umbrella block page will be returned instead.
Taken together, Meraki wireless and Umbrella integration provide a significantly more robust security framework for IT admins looking to protect clients from web threats in a more proactive way. Instead of waiting for a malicious site to infect a machine and then using tools like antivirus to detect and remediate, Meraki MR customers can rest easy knowing that they are protected from ever reaching harmful sites in the first place.
Interested customers should contact Meraki Support to have this feature enabled. This feature requires an early-release MR firmware version that can be enabled with Meraki support assistance.
We are happy to announce the availability of our MS 10 firmware update for Meraki switches. The update introduces new features that improve the overall security, efficiency, and resilience of your network.
Let’s take a moment to review several of MS 10’s most notable features!
MS 10 introduces 802.1x Multi-Auth and Multi-Host authentication options to Meraki switches.
Multi-Authentication requires each host on a shared port to authenticate individually to gain network access. This log-in process is vital for network security in deployments with many autonomous clients.
Multi-Host Authentication allows a single host to open port access for subsequent clients after a single authentication. For example, someone using a desktop with multiple VMs would only need to authenticate a single time to gain access for all of her virtual machines. This reduces the frustration of needing to log in multiple times when only a single authentication is needed.
Resilience: Enhanced Storm Control
Network storms occur when a set of switches endlessly forward packets between themselves, which clogs network bandwidth and causes normal network traffic to grind to a halt.
Enhanced Storm Control provides greater protection against network storms by allowing administrators to set limits on how much bandwidth can be allocated for certain types of traffic. If a storm does occur, damaging traffic will be limited to only a percentage of your total bandwidth capacity.
Resilience: Unidirectional Link Detection (UDLD)
Unidirectional link issues happen when a fiber cable is damaged or misinstalled and causes a loop that has the potential to disrupt the entire network.
A switch with UDLD prevents this type of loop by shutting down the port where a unidirectional link is detected. This keeps your network stable and more resilient against common causes of fiber-link errors.
Efficiency: Equal-Cost Multi-Path (ECMP)
Meraki uses OSPF routing, which directs packets by determining the lowest-cost path to a destination. However, in situations where multiple equal-cost paths are available, some paths may be underutilized.
With Equal-Cost Multi-Path (ECMP), traffic is automatically load-balanced across up to 16 OSPF-learned paths, which promotes greater network efficiency.
Efficiency: Port Anomaly Detection
Port Anomaly Detection (formerly called Spanning Tree Protocol/LAN Anomaly Detection) encompasses multiple enhancements for identifying and resolving spanning-tree and link issues. With the upgrade, the switch port icon indicates physical link errors and excessive link-status changes (STP issues). The individual switch ports will also display orange or red in the dashboard when these types of issues are detected.
More broadly, Anomaly Detection furthers Meraki’s mission of providing in-depth visibility into your network. By providing detection of erroneous network behavior, we help ensure network stability and scalability.
Increase your network’s resilience
If you would like to learn more about MS 10’s improvements, please visit our Knowledge Base or contact us directly.
For a full list of improvements, please log in to your dashboard for more information.
In keeping with the age-old Meraki philosophy of empowering our customers to do more with less, people-counting analytics on MV12 has finally arrived!
We’re excited to see this new set of tools build on top of an already impressive (and necessary) security product. Now, MV12 can act not only as a great security camera, but also as a sensor for businesses big and small — no servers or extra infrastructure needed.
If you’re already familiar with our wireless product line, this rollout might feel reminiscent of our WLAN Location Analytics tool, and it should! At Meraki, we love the notion of providing our customers more intelligence with less infrastructure, an idea especially apparent with MR and now MV.
How does it work?
Using the advanced processor on our recently launched MV12 security camera, and built-in, anonymized person detection (not to be confused with unique facial recognition/identification) software, video is stored and analyzed on-camera, at the edge. This metadata is sent to the cloud and aggregated into people-counting metrics independently of the video itself. Plus, over time this software will become more accurate using machine learning.
To see this functionality in action, just click on the ‘Analytics’ tab for an individual camera and select the time resolution (minute-by-minute, hourly, or daily) and timeframe of interest. The ‘People count’ section of this page shows an at-a-glance overview of your busiest time period, estimated peak occupancy over that period, and the total number of entrances. Remember that the ‘Total Entrances’ value will double count individuals if they leave a frame and then return, since this data is anonymized. Consequently, we encourage thoughtful placement of cameras intended for use as sensors to minimize both double counting (place them in an area with restricted traffic flow moving in one direction, like an ‘Entrance Only’ door) and occlusions (where two people or objects pass in front of one another, making it difficult for the camera to see what’s going on).
Clicking on the ‘Most Utilized’ and ‘Peak Occupancy’ results will jump directly to that moment in the camera’s historical footage so you can quickly analyze what events may have driven that spike in traffic. Drilling down into each bar in the people counting bar chart will also take you to the corresponding piece of footage, making it simple to investigate anomalies.
You’ll now be able to observe and quantify granular foot traffic patterns through a given frame.
For retailers: monitor the ebb and flow of customers throughout the day, optimize staffing headcount to make sure your customers get the attention they need, and increase the efficacy of marketing campaigns by targeting days of the week with the greatest or least traffic.
In schools: track general attendance patterns, see which areas of campus are used most frequently, and make a business case for updating facilities and equipment based on usage patterns.
At offices: figure out whether it makes sense to add more common spaces, or repurpose these areas based on popularity with office-dwellers. And are those pricey espresso machines actually getting used anyway?
Of course, these examples represent only a fraction of the use cases now available with this additional functionality. Coupled with motion heat maps (available on all MV models), it’s never been quite so easy to see the big picture quickly.
Does this mean my MR Location Analytics setup is now redundant?
Definitely not! Think of these tools as complementary. Because MR access points count mobile device wireless signals throughout a wireless network, they provide a broad “macro” level view of foot traffic through, say, an entire store location. People counting on MV only tabulates traffic within that visual frame, making it more accurate on a “micro” level, like an individual product display within that store. By pairing these two features, you can quickly gain insights across multiple levels of your business.
Since Meraki launched the MV family nearly a year and a half ago, the wishes coming in from the Make a Wish tool in the dashboard have not stopped flowing. One of the most consistently requested features? Motion alerts. Today, this handy tool is available across all MV hardware models.
Whether for keeping tabs on valuable merchandise in a retail store, increasing the efficiency of a shipping and receiving dock, or keeping school grounds clear of trespassers, motion alerts have enormous business potential across all verticals. The engineering team behind MV has created an exceptionally straightforward way to implement alerts and we can’t wait to see how our customers use them.
Once a camera’s alerting schedule, minimum event trigger length, and alerting region have been selected, alert behavior can be configured on the Alerts page (alongside offline device alerting). The default alerting email(s) can be used, or add a motion-alert-specific email address for more granularity.
Each alert generated by the dashboard will link directly to the relevant video clip, no manual video scrubbing needed. Take a peek below.
Pro-tip: most major mobile carriers allow you to send emails to an SMS phone number (see the list of phone number “conversions” by carrier below). Take advantage of this “hack” in the dashboard to get motion alerts sent directly to a mobile device as a text.
Crediton Dairy in Devon, England, is a major supplier of milk products to grocery stores across the UK. The milk processing plant employs about 160 workers in both factory and office roles. When IT Manager Benjamin Evans and his team realized it was time to upgrade their existing CCTV system, they looked to Meraki, whose access points they had already been using.
The team had a dated CCTV system that was only deployed in a couple of areas around the facility.
The processing plant spans a large area and contains several tall structures, like silos, making it difficult to survey multiple areas at once.
A constant stream of lorries (or delivery trucks) driving through the facility introduces potential safety hazards for workers.
An initial deployment of 16 MV71 cameras helps cover a majority of external areas.
Benji and the team relied heavily on the Meraki mobile app when physically installing cameras.
“Literally plug it in, and it’s up and running.”
The Operations team, as well as the Health & Safety team, utilize the camera feeds to monitor potential hazards throughout the site, such as high traffic areas.
The team already encountered and resolved one incident involving a lorry driving into a barrier with the help of their MV deployment. They were able to prove the cause of the accident and assign liability accordingly.
Benji and his team have saved both time and money due to the “plug-and-play” nature of the cameras, and the lack of extraneous hardware, like a UPS.
The architecture of the cameras allows the team to monitor video feeds locally without impacting the company’s bandwidth usage.
The team is exploring the possibility of expanding their deployment into the factory to help monitor processes and ensure employee safety, both inside and outside the facility.
Hot on the heels of our previous switch release comes our MS210 stackable access switch.
We designed the MS210 to provide network administrators the option to stack the new 1G switch to the 10G uplink of the MS225.
Large enterprise networks often require multiple switches to handle office traffic but have only modest bandwidth needs per switch. However, many desire the flexibility to enhance their bandwidth capability as the organization’s tech needs grow.
The MS210 provides incredible power and flexibility to our switch line. Seven MS210s linked to an MS225 for its 10G uplink (to form a stack of eight) create one of the most versatile and economical switch options available — all easily configurable using the Meraki dashboard.
The MS210 line features basic Layer 3 connectivity and comes in both 24- and 48-port models along with PoE and PoE+ power options.