Meraki Launches Community

In order to enable collaboration between customers, the team at Cisco / Meraki has launched a new community page located at

community.meraki.com

The program is aimed at partners, customers, and technical folks. As you know, the Meraki team has always been about “What do you want to see?”; consider the success of the “Make a Wish” program.

This is a great place to discuss problems, ideas and solutions, and Meraki will be watching. It is also where “Make a Wish” could grow into real discussion within the Meraki community, pushing ideas back directly to the Meraki team.

Sign up today, and join the discussion.

Meraki Disrupts Surveillance Industry with Meraki Vision

Update: after posting, additional details and clarifications were provided, and edits were made as a result to make things a little more correct.

This came out of the blue for me today (clearly I am off my game), but today Meraki is launching “Meraki Vision”.

Not a Traditional Offering

In the analog days we had coax cameras feeding capture cards; now we have IP cameras that send H.264 and JPEG streams to NVRs (Network Video Recorders). Even companies like QNAP and Synology offer NAS devices that will record from a myriad of cameras, both expensive and cheap.

Difficult Technology

There is no question that existing technologies are difficult, and everyone has their own proprietary way of dealing with it. Even Ubiquiti, who were selling a very successful series of standards-based cameras, took heat when they installed proprietary software on them in order to force people to use their NVR platform; a few years later they reversed that decision.

Different codecs, different stream types, different camera features and a mixture of protocols have made this difficult to deploy. With today’s announcement Meraki has decided to disrupt the normal way of doing this and eliminate the traditional NVR (storage) and VMS (management) platforms as they typically exist today.

Meraki Vision

The goal at Meraki is to expand beyond networking, first with the MC74 line I previously wrote about and now into the security camera world. With solid-state storage becoming cheaper and an existing extensible management platform already in place, Meraki is able to offer a cloud-managed security camera product line.

High End Specifications

Two cameras will be offered at launch: the MV21 indoor model at $1,299 (list, USD), which works with 802.3af PoE, and the MV71 outdoor model at $1,499 (list, USD), which requires 802.3at PoE+. The outdoor model has a heated chassis.

Both feature a 5 megapixel sensor and 720p HD recording, with a 3-10mm vari-focal lens for a flexible field of view: wide angle where appropriate, or zoomed in for long shots.

The cameras support IR illumination up to 100 feet and have good low-light performance.

Wall mount, pole mount and bracketed mounts will be available at launch.

Cloud licenses, which include all hardware support, will run $300/year/camera, with terms of up to 10 years available at significant discounts.

Video Wall, Motion Search, Granular User Access

No NVR Required – Dashboard!

Meraki’s MV line will not require an NVR on site or any Video Management Software (VMS); all of that lives in the Meraki Dashboard. They have no interest in following the old way.

Each camera will have 128GB of on-board storage, or in Meraki’s estimation about 20 days of footage. To eliminate the need for centralized storage, the camera performs motion indexing and thumbnail storage itself. Metadata uses 50kbps of bandwidth; viewing bandwidth depends on how many cameras you are viewing and a few other factors. Cameras will allow local access (the question is whether it will be a standardized stream you could send to another NVR or monitoring app).

You can create different layouts right in the Meraki Dashboard and provide multi-user access, giving individual users access to only their own cameras.

One of the best features of the Dashboard addresses what was honestly my first concern: streaming all these cameras to the cloud. The cameras do their own storage, and for live view the dashboard works out whether you are local to the camera; if you are, the streams are delivered directly from the camera to your workstation. If you are not local, the streams are proxied via the dashboard.

Individual cameras offer motion search, so you can look for motion in recorded footage.

Justin’s Take

This would appear to be a very complete offering for a first launch. As someone who has actually built camera systems in the past, I find it missing only a single thing: a PTZ (pan-tilt-zoom) camera offering. We need cameras that can do patrols, cameras that auto-zoom, and long lenses for outdoor surveillance. The platform is a very good start, and I do hope Meraki has even more offerings coming down the pipe for this line.

The few customers I have spoken to about this today all said they want the ability to record the video somewhere else. If someone smashes the camera, you would normally get the video of the smash and then black; in this case, with all content on the camera, you get nothing.

This isn’t the end of it. If we are doing security cameras and phones now, I am willing to bet card access, building security, and other IoT plans are in the works over there. It would make the most sense to have a single platform to manage all of these things. How about a Meraki NAS with cloud backup? Desktop Meraki backup services? The ideas for cloud-managed things are endless.

The question is: how big are they going to get? How far will Meraki take this?

Some time ago I was talking about Meraki maybe being re-branded; I could see it already, “Cisco Cloud Networking” or “Prime Networking”. It wasn’t something I was looking forward to; I would rather Meraki were left to their own devices (pun intended). This little green skunk works in California is quickly turning into the one-stop networking shop.

I want to get my hands on one of these things as quickly as possible; when I do, I will bring it to you live.

Protect From the Apple Upgrade DDoS using Meraki

iOS 10 will be available on September 13th, which means that on that day your network is going to get hammered. 100 employees, even on a 1GB internet link, could wreak havoc on your network when they all start downloading the iOS 10 update at work.

Why at work? Limited download speeds at home, limited bandwidth at home, boredom at work; whatever the reason, each time a huge iOS update is announced I get calls about slow networks. This is especially important for guest and public access internet services (stadiums, ice rinks, recreation centres), or as many think of them, ‘that spot I go to download!’

Protect Quality of Experience With Meraki

The last thing we need is this new Apple download getting in the way of the quality of the experience for your business apps and real users.

Meraki offers a few options for helping with this, and it is as easy as a few dashboard changes. If you are running a mixed MX/MR environment, I recommend doing this both on the wireless and at the edge, especially because desktops can pull the update as well.

Remember: layer 3 rules are always processed before layer 7 rules, so treat this as a tip only. You may be adding these rules to an existing rule set, so take care. You may also need to add them to group policy if you have deployed individual group policies based on VLAN or AD group.

Capture The Right Traffic!

Meraki categorizes iTunes updates as “Music”, so to throttle them properly we need to use the Music category. However, many Apple updates also come down through an application that identifies simply as Apple.com. To be sure we catch everything, we create two rules covering both traffic types. Technically Apple could use different methods to distribute the new update, and we do not know what they will use or how it will be categorised.

Users also have the option of downloading the update to their PC, which might technically be iTunes traffic. We cannot see into the future, so I plan to catch this traffic by creating a few rules.

An intelligent way to do this is to estimate how many users you have and then throttle based on a calculated amount: if you have 100 meg internet and 200 Apple devices and want to use 50MB max, you could give 256K per user. Remember that traffic shaping is per session.

These rules should be added to both the traffic shaping for your wireless, and for the MX device if you have both.

Throttle apple.com

This traffic identifies as “Application: Apple.com”, so we need to create the appropriate rule.

In this case I am going to limit each user to 256K. I don’t want to totally prevent it from working, but I don’t want 100 people eating my network: 200 x 256K is 51Mb!

Throttle “Music”

Sometimes iTunes traffic identifies as Music.

So we need to ensure we capture that traffic as well; the nature of Apple’s environment makes it difficult to predict how they will distribute this. As above, we will limit it to 256Kb.

That is it!   You are protected against the onslaught of Apple Update madness.
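The per-user arithmetic above, and the point that two rules are needed because the same update can be classified two different ways, are easy to get wrong when typing numbers into a dashboard. The following is an added example (not Meraki code, and it does not call the Meraki Dashboard): it derives a per-client cap from link speed, expected device count and the share of the link you are willing to give up, reports the worst-case aggregate that a per-session cap actually costs you, and checks a handful of constructed sample flows against the two-rule set. The `ShapingRule` objects, the `SAMPLE_FLOWS` labels and the 100 Mbps / 200 device figures are assumptions for illustration.

```python
"""Plan per-client shaping for an iOS update surge.

Added example for this post, not Meraki code: it does not talk to the
Meraki Dashboard. The rule objects are a constructed, vendor-neutral way to
write down "match X, cap each client at N kbps" so the plan can be checked
before it is entered by hand on the wireless and MX shaping pages.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ShapingRule:
    match_type: str       # "application" or "category"
    match_value: str      # e.g. "Apple.com" or "Music"
    per_client_kbps: int  # cap applied to every client matching the rule


def per_client_cap_kbps(link_kbps: int, expected_clients: int, share: float) -> int:
    """Largest whole-kbps per-client cap such that `expected_clients` all
    downloading at once use no more than `share` of the link."""
    if not 0 < share <= 1:
        raise ValueError("share must be in (0, 1]")
    if link_kbps <= 0 or expected_clients <= 0:
        raise ValueError("link speed and client count must be positive")
    return int(link_kbps * share) // expected_clients


def worst_case_kbps(per_client_kbps: int, expected_clients: int) -> int:
    """Shaping is applied per client session, so the aggregate grows with the
    client count: this is what the cap really costs when everyone downloads."""
    return per_client_kbps * expected_clients


def within_budget(per_client_kbps: int, expected_clients: int,
                  link_kbps: int, share: float) -> bool:
    """True if the worst case stays inside the share of the link you allowed."""
    return worst_case_kbps(per_client_kbps, expected_clients) <= link_kbps * share


def build_rules(per_client_kbps: int) -> list[ShapingRule]:
    """Two rules, because the update traffic is classified either as the
    "Apple.com" application or under the "Music" category."""
    return [
        ShapingRule("application", "Apple.com", per_client_kbps),
        ShapingRule("category", "Music", per_client_kbps),
    ]


def unmatched(rules: list[ShapingRule], flows: list[dict]) -> list[dict]:
    """Return the sample flows that no rule matches. Each flow is a dict
    carrying the classifier's 'application' and 'category' labels."""
    def caught(flow: dict) -> bool:
        return any(flow.get(r.match_type) == r.match_value for r in rules)
    return [f for f in flows if not caught(f)]


# Constructed sample flows (not real classifier output): how the same update
# might be labelled on different devices and download paths, plus one
# business flow that must stay unthrottled.
SAMPLE_FLOWS = [
    {"application": "Apple.com", "category": "Other"},       # on-device update
    {"application": "iTunes", "category": "Music"},          # pulled via iTunes on a PC
    {"application": "Example CRM", "category": "Business"},  # must NOT be throttled
]


if __name__ == "__main__":
    link, clients, share = 100_000, 200, 0.5          # 100 Mbps link, 200 devices, half the link
    cap = per_client_cap_kbps(link, clients, share)   # 250 kbps
    print(f"computed cap: {cap} kbps per client")
    print(f"a 256 kbps cap costs {worst_case_kbps(256, clients) / 1000:.1f} Mbps worst case,"
          f" within budget: {within_budget(256, clients, link, share)}")
    print("flows left unthrottled:", unmatched(build_rules(cap), SAMPLE_FLOWS))
```

Running it shows the exact cap for the post’s figures is 250 kbps, that the round 256K value lands slightly over the 50% budget (51.2 Mbps), and that only the business flow escapes the two rules, which is the outcome you want.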

Meraki Wireless Concentrator – Tips and Tricks

I have deployed the Meraki MX series many times, along with the MR access points. One of the most popular articles I have written to date was Meraki Guest Access – The Better Way, an article about another way to deploy guest access with fine-grained policies, perhaps across multiple networks.

In one of my recent deployments, a customer wanted to tunnel all guest traffic back to an MX, similar to how his existing legacy wireless system does it, so that he could send that traffic out a dedicated connection OUTSIDE the firewall. Basically, the idea is that guest traffic should never get anywhere near the corporate network. We also had multiple sites in play across an L3 WAN, so simple VLAN segregation would not work. (Yes, yes, I know there are other ways to do it, but we are keeping it simple here.)

The Meraki MR has the ability to L3 (VPN) tunnel traffic back to an MX, but be aware of the following warning and important design considerations.

This configuration is designed for use with an MX in passthrough/concentrator mode, tunneling to an MX in NAT mode is not supported.

This warning comes from the Meraki web site, right where it discusses the various modes in the MR. The problem is that it will not stop you from trying: even in NAT mode, the “Wireless Concentrator” options still show up in the MX config screens. It even tries to work if you configure it, and in some cases it actually functions, but it is not supported.

Important MR L3 Tunnel Caveats

    1)    Only passthrough / concentrator mode is supported

As mentioned above, even though it might appear to let you configure it, and while I have had it working at clients before, it is not supported. Many core MX features are disabled in this mode, so I would not buy the Advanced Security license for a dedicated MR concentrator device: those features do not really function when the MX is used primarily as a concentrator (they do work for traffic traversing the device interface to interface).

    2)    Content Filtering is not supported in passthrough mode

While layer 7 filtering is a component of the wireless access point, web content filtering by category is an MX function, and in passthrough mode the traffic from the MRs doesn’t really pass through the MX, so the content filter is skipped. Funnily enough, URL blacklists do still work, but the categories do not.

    3)    No DHCP

You don’t get a DHCP server in this mode, which means you need some other source of DHCP for your guest users; your edge device or a switch could handle this. DHCP requests are tunnelled back to the MX and broadcast there, so a remote DHCP server works for this.

    4)    Tunnels can only terminate on the “Internet” interface

If you are trying to do this in NAT mode (which you shouldn’t be doing), this will trip you up. Either way, understand how it works: the MR contacts the Meraki Dashboard and reports the public IP it is on, the MX does the same, and the VPN tunnel is then created between the two devices using those IPs as a baseline. So this traffic is really designed to go to the internet. You can override this behaviour if your MX is on the inside of the network (has a private IP on the INTERNET interface): in the MX wireless concentrator screen you can put an internal IP on the MX and make it take the “inside” route if you want. Your mileage may vary here. However, if you try to use NAT mode and force the APs to use the “inside” interface of the MX, forget it; that will not work, because the VPN process in the MX isn’t listening on the inside interface, only on the outside. Again, NAT mode is not supported.

    5)    SSIDs with down tunnels do not transmit

If your MR cannot open a tunnel to the MX, the SSID will NOT transmit. Keep this in mind: if you do not see the SSID broadcasting from your access point, that is a great indicator you have a tunnel problem.

You might need 2 MX Devices

So some might ask, “Wait, in some designs I might then need two MX devices to achieve what I want: one in passthrough mode to terminate my tunnels, and one at the edge?” Yes, that is correct. Since the MX you use for tunnel termination cannot do content filtering on that traffic and cannot provide DHCP, you will need another device to get involved, and another MX would be the right solution. If you are smart about the way you deploy the VLANs on the second MX, you can create different SSIDs with different security zones, and it is quite easy to manage it all as well.

Watch out for hair-pinning

You may run into some hair-pinning issues with this design, so be careful about your packet flows. It’s possible that you could end up going out your firewall, back in, and then back out again. Packet capture is your friend here.

Use Packet Capture to Confirm

When troubleshooting tunnel creation on the MR, take packet captures on the AP while pressing the “test connectivity” button in the SSID configuration; you should see the MR attempting to bring up a tunnel with the MX. Do the same on the MX interface to see whether there are responses. Isn’t it great that we can take “remote” PCAPs on this platform?

I hope this gives everyone some important rules for this design, and some architecture tips for your next project.

Meraki – What is so special?

Meraki has been in the limelight for some time; however, when Cisco started to really put money into the organisation and let them use some of its IP, the R&D really took off. In the past year and a bit we have seen amazing things come out of the Meraki camp, and the new MC74 telephone is just one of those very interesting developments.

Many call me a “fan boy”, but really I am just a “get things done” person, and when it comes to the needs of the large majority of my clients, I can get things done faster and better much of the time with Meraki.

I really see Meraki as ahead of its time. Look at disruptive technologies like the Apple Newton or Google Glass: these were all technologies that simply came out too early. This is why I feel many people do not understand the real benefits of something like Meraki.

Why am I calling it “Meraki”, rather than talking about switches, routers, firewalls and features? Because, just like Meraki’s own “Full Stack” marketing campaign, I like to refer to the entire suite as “Meraki”, a single entity.

Automation At Heart

There are two camps out there right now: the SDN camp, which is really focused on those doing difficult things many times over, and the automation camp, which is more about making difficult things easier.

Those in the super-huge enterprise or service provider space need to automate difficult things because they take a long time. Those of us in the medium business space need to automate because it makes what we do easier. Cisco is leading the charge in enterprise automation with features like iWAN App and EasyQoS.

However, while those products are new and somewhat misunderstood, I think the real value of Meraki is baked right in: it is the ability to automate the difficult tasks that provides the value.

If you are an organisation of 100-250 people, your IT budget is not getting bigger fast enough, and your team is not doubling as your workload is, so making things easier to manage through automation and simplification must be a focus.

Time to Value

I keep saying that I want to have a race: pick IT equipment vendor #1, have the best expert you have build network X/Y/Z, while someone does the same on Meraki. Anyone who has worked on the stack KNOWS that the Meraki build will be faster.

It’s about workflow and tools. In today’s complicated world of inter-networking technologies, in order to deliver true value I need a management stack; that means products like Cisco Prime, or Wireless Engine, or APIC, any number of tools needed to provide next-gen network visibility and manageability. Meraki starts with all of that done for you; it is running already. This is a HUGE time-to-value advantage.

What this means is that automated, managed, monitored (all the way to layer 7) and well-operated networks are automatic with Meraki. The deployment tools, management and monitoring are where you start, not what you do when you are finished. This translates to extremely rapid time to value for customers. Add in the template capability and the fact that devices are all self-provisioning, and you can do something no other vendor will let you do: program, build and deploy network equipment that is still in transit. Yes, that’s right; normally my clients’ networks are already configured before the hardware even hits the dock.

New Features – Free

When most clients purchased Meraki products last year, they didn’t get many of the features you have today: Advanced Malware Protection (AMP), iWAN, port isolation, templates, NetFlow. These are not small features, they are huge, and with most vendors you would be forced into a costly upgrade. Here it is simply: upgrade, click enable on the feature, done. That is one hell of a way to deliver value.

Disruptive Marketing

Why did Meraki get as popular as it did, and as a result catch Cisco’s eye? Geeks. Meraki figured out that if they could win over the geek community, they could win over the customers, because the geeks make the product recommendations. We all know how they did it: free gear. Who doesn’t want some free gear to play with at home? Meraki figured out how to get geeks to try their product, fall in love with it, then buy more.

They have also started running “free switch” offers if you want to try those out, and you keep them when you are done.

This continued with their partner community. You will see partner SEs labelled “CMNA”, Cisco Meraki Network Associate, of which, yes, I am one. Once you take the training and pass a test you receive this certification. Why are these classes full of students, over and over and over? Free lab gear: Meraki provides a switch, firewall and AP to each person who passes the course. This also means each and every certified CMNA has their own lab to test, learn, troubleshoot and solve problems with. I have re-deployed my trial firewall at more customers as a temporary trial than I can count, and every single one ended up purchasing a Meraki MX.

Easy to Learn

The interface is just so darn intuitive. Honestly, everyone I show the interface to says things like “Wow, I don’t need training for this, it is all very obvious”, and it is.

To give you an idea of how obvious it is, the Meraki CMNA certification course is a single day. That is right: routing, switching and wireless in a single day. We are not talking about expert un-boxers either; 802.1X, troubleshooting, routing protocols, firewalling, it is all covered in that single day. Caveat: they do require you to have an existing skill-set, CCNA recommended.

Their training is also out of the ordinary. Instead of providing you with a long list of screenshots, they identify outcomes as you build your training lab. You are not walked through how to do things; they say things like “Go to the firewall and create a new VLAN” and expect you to figure it out. Studies have shown 80% better retention in students who figure things out versus those who are walked through something.

Subscription Fears

This is the single biggest argument I hear against Meraki. However, when was the last time you purchased switches and routers from any other vendor and didn’t buy their support? Yes, I will admit there are some clients who buy switches without support and then carry spares, but that doesn’t provide you with software support or a 24×7 helpdesk. When Meraki delivers on value, the support system really does work: with an integrated help system built right into the portal, and no fumbling around to get the vendor access to gear to help you, I swear I save at least an hour per help incident.

With security becoming a huge focus for many organisations, subscriptions can be seen everywhere these days. Luckily you get a huge amount of value from Meraki, with integrated AMP and SourceFire built right into the firewall. Customers who purchased 3 year subscriptions 3 years ago didn’t even have SourceFire or AMP, but they do now. That right there is worth the cost of admission.

Summary

Cisco has left Meraki alone, and that is a good thing; the same thing happened with Linksys. The upshot is that the Meraki team can continue to operate as a skunk works building amazing disruptive new technologies. That does not mean technology has not trickled down from the mothership: SourceFire, PoE power supplies, AMP and many other Cisco technologies have found their way into the Meraki line-up.

For clients of 0-500 people, Meraki is a natural fit for 90% of them, but just like any product it has to be qualified, and when properly qualified for a client, no product delivers the ease of use, time to value, and overall manageability of a Meraki full stack.

I cannot wait to see what they do with that phone.

Meraki drops the mic on AMP for MX

Meraki has dropped AMP (Advanced Malware Protection) into the latest BETA.

In a continuing effort to “keep up with the Joneses” at their internal competitor (that is, every other department at Cisco), Meraki has added Advanced Malware Protection to the MX line, currently in beta.

One of the great things about Meraki is the ability to simply enable the BETA code trains in your dashboard. While I wouldn’t recommend this for production networks, anyone with lab gear, a CMNA, or a strong business reason can enable BETA code at any time on their devices.

I contacted Meraki by opening a ticket to get the BETA AMP services installed on my MX64, but was advised that the MX64 beta with AMP was not released yet.

AMP uses a global threat intelligence database of over 500 million known files, and it receives 1 million new samples every single day. More information about AMP is available at the link HERE.

So what does AMP get you in this new beta?

— AMP File Scanner – Downloaded files are checked against the database before a client can get hold of them.

— Security Centre Reporting – You can now report on suspected malicious files right in the new Security Center. This page brings IPS and AMP together, giving you a holistic view of your network threats.

— Retrospective Alerting – In English: if someone downloads a file and two days later AMP identifies that file as one it would have blocked, you get an alert. Now this IS cool. Administrators should really value a tool that looks into the past to tell you “Hey, this file might have infected your network, better go look.”
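To make the retrospective alerting idea concrete, here is an added example of the mechanism in plain Python. It is not Meraki’s or Cisco’s AMP code: it simply records every allowed download by file hash and client, and when the verdict for a hash later flips to malicious it raises one alert per earlier download of that hash, while blocking any new download inline. The log line format, the `RetroAlerter` class, the IP addresses, filenames, hashes and dates are all constructed for the example.

```python
"""Retrospective alerting over a download log.

Added example for this post, not Meraki's AMP code: it models the idea the
post describes. Every file a client fetches is recorded by hash; when the
verdict for a hash later flips to malicious, every earlier download of that
hash gets an alert, even though it was allowed at the time. All log lines,
hashes, addresses and verdicts here are constructed.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Download:
    when: datetime
    client_ip: str
    sha256: str
    filename: str


@dataclass(frozen=True)
class RetroAlert:
    download: Download   # the earlier, allowed download
    flagged_at: datetime  # when the verdict changed


def parse_line(line: str) -> Download:
    """Parse one constructed log line of the form
    '<ISO timestamp> <client ip> sha256=<hex> name=<filename>'."""
    ts, ip, sha_kv, name_kv = line.split(maxsplit=3)
    if not (sha_kv.startswith("sha256=") and name_kv.startswith("name=")):
        raise ValueError(f"unexpected log format: {line!r}")
    return Download(datetime.fromisoformat(ts), ip,
                    sha_kv[len("sha256="):], name_kv[len("name="):])


class RetroAlerter:
    """Tracks allowed downloads per hash and the current verdict per hash."""

    def __init__(self) -> None:
        self.downloads: dict[str, list[Download]] = defaultdict(list)
        self.verdicts: dict[str, str] = {}  # sha256 -> "clean" | "malicious"

    def record(self, d: Download) -> str:
        """Inline decision at download time: 'block' if the hash is already
        known malicious, otherwise 'allow' and remember it for later."""
        if self.verdicts.get(d.sha256) == "malicious":
            return "block"
        self.downloads[d.sha256].append(d)
        return "allow"

    def update_verdict(self, sha256: str, verdict: str, at: datetime) -> list[RetroAlert]:
        """Apply a new verdict. A change to 'malicious' yields one alert for
        every download of that hash that was allowed at or before `at`;
        repeating the same verdict raises nothing, so alerts are not duplicated."""
        previous = self.verdicts.get(sha256, "unknown")
        self.verdicts[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []
        return [RetroAlert(d, at) for d in self.downloads[sha256] if d.when <= at]


# Constructed sample data: two files, three downloads over two days.
HASH_A = hashlib.sha256(b"constructed sample file A").hexdigest()
HASH_B = hashlib.sha256(b"constructed sample file B").hexdigest()
SAMPLE_LOG = [
    f"2016-09-01T09:12:44 10.0.5.21 sha256={HASH_A} name=invoice.pdf",
    f"2016-09-01T11:40:02 10.0.5.33 sha256={HASH_B} name=setup.exe",
    f"2016-09-02T08:03:19 10.0.5.21 sha256={HASH_B} name=setup.exe",
]


def replay(lines: list[str]) -> tuple[RetroAlerter, list[RetroAlert]]:
    """Replay the log with no verdicts known, then learn two days later that
    HASH_B is malicious; return the alerter and the retrospective alerts."""
    alerter = RetroAlerter()
    for line in lines:
        alerter.record(parse_line(line))
    alerts = alerter.update_verdict(HASH_B, "malicious", datetime(2016, 9, 3, 10, 0, 0))
    return alerter, alerts


if __name__ == "__main__":
    alerter, alerts = replay(SAMPLE_LOG)
    for a in alerts:
        print(f"RETRO: {a.download.client_ip} fetched {a.download.filename} on "
              f"{a.download.when:%Y-%m-%d}, flagged malicious {a.flagged_at:%Y-%m-%d}")
    # A fresh download of the same hash is now stopped inline.
    late = parse_line(f"2016-09-03T12:00:00 10.0.5.50 sha256={HASH_B} name=setup.exe")
    print("new download of HASH_B:", alerter.record(late))
```

The two things worth noticing are that the alert carries the original client and timestamp, which is exactly what an administrator needs to “go look”, and that the verdict store and the download history are separate: the history must be kept for as long as you want retrospection to reach back, regardless of how often verdicts change.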

AMP does require the Advanced Security license on the MX, but let’s be honest, who doesn’t purchase that license these days?

Meraki continues to roll new value into their gear, with ease and functionality. Meraki used to be a great fit for customers of 200-300 people and below; with features like AMP, larger and larger organizations will start to consider the MX. However, as I have said many times, we need proper dynamic routing protocol support in the MX; it is the biggest thing holding it back!

Meraki Launches Wave 2 AP

Cisco launched their merchant-silicon based 1830/1850 series Wave 2 APs with integrated controller, and we did get our hands on one, but have not done a full review yet.

Meraki has now hit the street with the MR42, a full-on 802.11ac Wave 2 3×3:3 AP with support for MU-MIMO (Multi-User MIMO).

The new Bluetooth Low Energy and beacon technology is in there as well, also a feature not commonly used yet. If you are still running older Meraki gear without the dedicated security and RF optimization radio, this model has one, and it will give you better security performance. Plus you can do cool real-time spectrum analysis from your couch.

It’s worth mentioning that investing in MU-MIMO technology for APs might be a little early, as MU-MIMO absolutely requires client-side support in order to function. Right now nobody is selling laptops, phones, or anything else with 802.11ac Wave 2 support, and it’s not something you can just upgrade.

You can still get the 802.11ac MIMO benefits on your existing AC clients, of which there are very few; most new Apple products support AC, but smaller products are generally single-stream anyway, so it doesn’t make a big difference. The big deal is that once we have single-stream Wave 2 clients, we can use multiple streams to serve more clients instead of more speed, which for multi-user environments is more important.

Wave 2 doesn’t help you right now, at all, so jumping on the Wave 2 bandwagon for your APs will give you great bragging rights but no more performance.