Three network administrators oversee wireless, switching, and security across 42 locations
The secure solution segments wireless access for corporate users vs. guests
Auto-provisioning site-to-site VPN enables 40% savings in connectivity costs
With 42 branch locations and over 1,800 associates scattered across the United States, Andrew McInerney, Data Network and Voice Manager at Penn Mutual, oversees a challenging network. Previously, the mutual life insurance company used a traditional hub-and-spoke VPN service through a telecom carrier to support their distributed network. Over time, however, associates increasingly relied on internet-hosted applications for everyday tasks, which slowed down the network.
“There was a lot of latency,” McInerney explained. “The growing use of cloud-based applications in the financial industry meant our network needed to get up to speed.” Low speeds and high costs, as well as the bandwidth implications of having all data go through headquarters, soon outweighed the benefit of having a fully managed service.
McInerney and his team began looking for alternative networking solutions that they could manage in-house.
McInerney sought a networking solution with a split-tunnel VPN model to reduce strain on bandwidth at the home office. In addition, he hoped to connect the previously wired-only field offices using a wireless solution, while still maintaining network visibility.
With a staff of only three network administrators at the home office in Horsham, PA, he needed proven security to protect Penn Mutual’s confidential data, while providing an easy-to-manage interface for his lean IT team. “It goes without saying that security, in terms of controlling assets and controlling access to wired and wireless networks, is critical no matter which vertical you are in, but especially in the financial industry,” McInerney said.
When McInerney first learned about cloud networking, he realized that the Cisco Meraki web-based dashboard would allow his team to manage all 42 sites from headquarters without requiring extensive training or time spent on deployment or management.
“I looked into it and saw that Cisco Meraki captured everything we were trying to do,” he said. He quickly set up a test lab with one Cisco Meraki MX security appliance, one MS switch, and two MR access points. The trial worked flawlessly. “We had to pinch ourselves: ‘Is this really that simple?’”
Upon deploying Meraki solutions to the remaining branch locations, McInerney’s team simply cloned the test lab device configurations to the new devices from the dashboard. “We set everything up ourselves, though the Meraki support team helped us get started,” he said. “Cisco Meraki offers an incredible support channel; it’s refreshing. As an IT manager, it’s usually painful to get help, but in this case, it wasn’t painful—it was just a quick phone call away. That’s very important to me.”
McInerney chose a staggered deployment to facilitate the company’s transition away from the telecom carrier. Today, about halfway through their deployment, Penn Mutual has 22 MX security appliances, two MX400s at HQ, and one MX80 or MX90 at each field location. The company also has several MS42/P switches and MR24 access points at each office. McInerney noted that cloud networking makes it easy to deploy as many devices as needed in a scalable way, while the zero-touch configuration plug-and-play hardware increased deployment flexibility. “Now it’s like clockwork—everything is working together perfectly,” he said. “We’ve had a tremendous amount of success.”
In particular, McInerney praised the MX Security Appliance, which, with auto-provisioning site-to-site VPN, securely connects Penn Mutual’s HQ and branch offices without manual VPN configuration. This site-to-site VPN solution also facilitated massive savings in connectivity costs, as Penn Mutual moved from an expensive T1 VPB hub-and-spoke model to using 50Mbps DSL broadband where available.
The MXs at each branch also provide Layer 7 visibility, allowing McInerney to isolate and identify unauthorized platforms for remediation. Layer 3 firewall rules ensure VLAN separation, while Layer 7 firewall rules deny access to specific applications. “The MX gives us visibility into our field networks that we never had before,” McInerney said. That visibility includes content filtering to block categories, including nudity and spam sources, and allows McInerney to easily limit uplink configuration as well as per-device and per-SSID bandwidth. Additionally, specific URLs are blocked (e.g., xfinitytv.net) and whitelisted (e.g., pennmutual.com).
Whereas associates were previously limited to wired connections, the Meraki APs now provide Wi-Fi at all offices, which subsequently provides greater mobility to Penn Mutual associates. With just a few clicks in the dashboard, McInerney configured two SSIDs across all locations. The corporate SSID is always available and securely connects clients to the LAN via WPA2-PSK authentication. The guest network, primarily intended for office visitors, uses a customized click-through splash page, and pushes all guest clients to a specific VLAN, isolating them from connecting directly to the LAN. Furthermore, the guest SSID is only available during office hours, Monday-Friday from 8 am to 6 pm.
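The segmentation described above (Layer 3 rules separating the guest VLAN from the corporate LAN, and a guest SSID that is only available during office hours) can be checked before it is pushed out. The following is an added example, not Penn Mutual's or Meraki's code: it models first-match Layer 3 rules and an SSID schedule, then verifies the isolation property. The VLAN subnets, SSID name and schedule values are constructed assumptions.

```python
# Added example: models guest/corporate segmentation as first-match Layer 3
# rules plus an office-hours schedule, and checks that no guest host can
# reach the corporate VLAN. Subnets and SSID details are constructed.
from datetime import datetime
from ipaddress import ip_address, ip_network

CORP_VLAN = ip_network("10.10.0.0/16")        # constructed: corporate LAN
GUEST_VLAN = ip_network("192.168.50.0/24")    # constructed: guest VLAN
ANY = ip_network("0.0.0.0/0")

# First-match rule list in the style of a Layer 3 firewall: (policy, src, dst).
# Deny rules must come before the catch-all allow, or they never match.
L3_RULES = [
    ("deny", GUEST_VLAN, CORP_VLAN),
    ("deny", GUEST_VLAN, ip_network("10.0.0.0/8")),  # no other internal ranges
    ("allow", ANY, ANY),                              # guests may reach the internet
]

def evaluate(src, dst, rules=L3_RULES):
    """Return the policy of the first rule matching src -> dst ('allow' if none)."""
    s, d = ip_address(src), ip_address(dst)
    for policy, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return policy
    return "allow"

def check_isolation(rules=L3_RULES):
    """Probe first/last usable guest hosts against first/last corporate hosts;
    returns the list of guest->corp flows the ruleset would let through."""
    probes = [GUEST_VLAN[1], GUEST_VLAN[-2]]
    targets = [CORP_VLAN[1], CORP_VLAN[-2]]
    return [f"{s}->{d}" for s in probes for d in targets
            if evaluate(str(s), str(d), rules) != "deny"]

# Guest SSID only broadcast Monday-Friday, 08:00 to 18:00 (constructed values).
GUEST_SSID = {"name": "Guest", "vlan": GUEST_VLAN, "days": range(0, 5), "hours": (8, 18)}

def guest_ssid_available(ssid, when):
    """True if the guest SSID should be enabled at the given local datetime."""
    start, end = ssid["hours"]
    return when.weekday() in ssid["days"] and start <= when.hour < end

if __name__ == "__main__":
    print("isolation violations:", check_isolation())
    print("guest SSID up Tue 09:30:", guest_ssid_available(GUEST_SSID, datetime(2024, 3, 12, 9, 30)))
```

A ruleset with the catch-all allow placed first passes no check here, which is the misordering the first-match model is meant to catch.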
The Meraki MS switches in each branch further secure the network. Penn Mutual uses enterprise security features that are easy to deploy at scale, such as 802.1X port security. The MS switches also simplify network management. Device fingerprinting ensures the IT team can find and identify specific clients, irrespective of which switch or port they are connected to, while virtual stacking allows the IT team to configure ports across multiple sites with just a few clicks and enables them to search by tag or by port, configure trunk vs. access port types, set up native VLANs, and more.
“We came from an environment where our field offices had legacy Layer 2 switches with minimal visibility. Having Layer 7 visibility is incredible. It’s clear to anyone who is viewing the dashboard what is going on at each port,” McInerney explained.
Today, Penn Mutual has a secure network with reliable access for associates and guests. McInerney and his team also boast increased network speeds via traffic-shaping, bandwidth and filtering rules, and WAN optimization. They have complete visibility into clients, devices, and applications on the network. “The reporting feature for management is very insightful and detailed. With the dashboard, you literally have the ability to see your entire network at once,” McInerney said. “The whole project was huge and exciting, but all everyone sees now is a network that is so much faster and easier to navigate.”
Projected costs for legacy 3-year WAN run rate
  Internet connectivity (3 years): traditional T1 VPB hub-and-spoke model x 45 sites (1.544-4.632 Mbps Ethernet); WAN at HQ & DR (45 Mbps x2)
  Content management (3 years): hardware security appliance
Projected 3-year cost with Meraki (including rip and replace)