At a 10,000 foot level, communication between your network and Meraki’s cloud is for management and configuration data, so if your connection to the cloud is interrupted, your network continues to function and end users won’t notice a difference. All of the features that affect data flow continue uninterrupted. For example:

• Users stay authenticated
• New users can authenticate
• Firewall policies continue to be enforced
• Data encryption/decryption is maintained
• Layer 7 traffic shaping rules continue to be enforced
• Wireless mesh routing operates with full functionality
• Users can roam between wireless APs
• VPN tunnels (site to site, teleworker, and client VPN) continue to operate
• RF features like Dynamic Frequency Selection (DFS) continue
• Performance remains at 100%

How does Meraki’s out-of-band cloud management work? This functionality would not have been possible 10 years ago, but thanks to Moore’s Law and clever engineers at Meraki, we’ve packed enough computing power and memory on every wireless access point, Ethernet switch, and security appliance to do all of the required packet processing internally, without any back-and-forth communication with the cloud. The packet processing software is also very tight, optimized to run efficiently on Meraki devices (similar to how engineers at Apple and Google write advanced applications for iOS and Android devices.) For some features, such as wireless mesh routing, the Meraki devices even communicate between one another on your local network (bypassing the cloud) in order to configure and optimize.

The traffic separation looks something like this:

Meraki runs multiple datacenters around the world, and every customer network is served by at least three independent datacenters. So if a natural disaster were to take out a datacenter that served your network, we’d simply fail over to another datacenter in a different part of the world. All of the configuration data, historical logs, etc. are mirrored in near-real time (at most 60-second lag, typically much less), so in these unlikely events, everything is the way you left it.

Of course, if you lose connectivity to Meraki’s cloud (say because your ISP has an outage), you will temporarily be unable to access reports or make config changes. But if your network is anything like ours, if your WAN link goes down, you’re in fire-fighting mode, not tweaking your wireless config.

 

As an aside, if you’re looking for a cost-effective way to improve your WAN availability, check out our MX security appliances – they’ve got built-in WAN link balancing and failover, so you can run 2 WAN connections into your network (e.g. cable + DSL, and even 3G) and the MX will balance traffic between them. If one goes down it’ll simply move all traffic to the healthy connection. Turns out this approach can save cost too…

 

If you do suffer a WAN outage, there are a small hand-full of end-user facing features on our wireless products that are affected if your connection to the cloud is lost. These are all convenience features, most of which you don’t get with a traditional wireless LAN. If you like the convenience and can tollerate limited functionality in the rare event of a WAN outage, enjoy them! If you’d prefer that there is zero end-user impact if your WAN connection is interrupted, don’t enable them (and use the alternatives listed below instead.) Features that are impacted by WAN failures include:

• Native Active Directory/LDAP integration (without RADIUS)
  This is a handy feature that allows users to authenticate against your AD/LDAP server without running RADIUS. This is super-easy to configure, and is a feature that isn’t available with traditional solutions like Cisco.
  
  This feature does require connectivity to the cloud, so if you want to integrate with AD or LDAP but not require cloud connectivity, simply use a traditional RADIUS configuration:

Fault Tolerant AD/LDAP Authentication using RADIUS

• Meraki-hosted splash pages and captive portal
  Meraki hosts snazzy, mobile-friendly, and customizable splash pages that wireless users can click through (or sign on from) before accessing your network. Since these are hosted on Meraki’s servers, they are super-easy to deploy, without any additional infrastructure in your environment. Since they’re hosted by Meraki, they require WAN connectivity to function, but you can control how new user authentication will be handled in the event that you lose WAN connectivity:
  

  Controlling Splash Page Behavior in Disconnected Environment

• Built-in anti-virus scan (aka NAC)
  While Meraki’s LAN-isolation firewall always ensures that untrusted clients cannot spread viruses or compromise your LAN, Meraki offers an extra layer of protection by optionally scanning clients for antivirus software before allowing them onto the network. If a client isn’t protected, they are placed in a quarantine, from which they can download AV software but can’t access any other parts of the network. This feature is unique to Meraki – no other wireless systems, cloud-managed or otherwise, offer it. We find that for many customers, a full-blown, dedicated NAC system is overkill (lots of configuration complexity, 5-6 figure price tag) but Meraki’s built-in solution offers 1-click peace of mind.
  
  If you run Meraki’s NAC and lose WAN connectivity, you can choose how the network will behave: allow clients on without a scan, or block clients until WAN connectivity is restored. Clients already on the network will be unaffected, and other access control features remain in place (firewall rules, identity-based group policies, etc.) Most of our customers didn’t run NAC at all before they deployed Meraki, so rare interruptions aren’t a major issue. But if antivirus scans during WAN outages are mission-critical, we recommend a dedicated NAC appliance (also be sure to host a downloadable antivirus package behind the firewall, since users won’t be able to go out onto the network if they fail the scan.)
  
  
• Meraki-hosted RADIUS server
  Most enterprise (and even SMB) environments already have a RADIUS server – Microsoft Active Directory, LDAP, FreeRADIUS etc. The vast majority of our customers who use RADIUS authentication (i.e. 802.1x) authenticate against their own server, so that they have one central user database for email, calendaring, wireless LAN authentication, etc. However, Meraki also offers a cloud-hosted RADIUS server for lightweight use. This requires connectivity to Meraki, so if access during a WAN outage is mission-critical, those user accounts should reside on your internal directory server.

There’s a lot of detail about what is affected by loss of connectivity, but in the scheme of Meraki’s features, this is a short list. Our customers find in practice that Meraki’s out of band management significantly improves the reliability and resilience of their networks, combining the centralized management of controller-based systems with the fault-tolerance of a distributed architecture. If you’re already a customer, how has Meraki’s out-of-band architecture benefited your network? What else would you like to know about how Meraki works under the covers? Let us know!

The delegates who are coming:

Marcus Burton @MarcusBurton

http://www.cwnp.com

Sam Clements @Samuel_Clements

http://sc-wifi.com

Daniel Cybulskie @SimplyWifi

http://www.simplywifi.co

Rocky Gregory @BionicRocky

http://www.intensified.com

Tom Hollingsworth @NetworkingNerd

http://networkingnerd.net

Jennifer Huber @JenniferLucille

http://jenniferhuber.blogspot.com

Blake Krone @BlakeKrone

http://BlakeKrone.com

Chris Lyttle @WiFiKiwi

http://www.wifikiwi.com

Andrew vonNagy @RevolutionWiFi

http://revolutionwifi.blogspot.com

George Stefanick @WirelesssGuru

http://www.my80211.com

Stephen Foskett @SFoskett

Wireless Field Day’s organizer, from Gestalt IT

There are several ways you can join in online. Follow @TechFieldDay and @meraki for updates, and use the hashtag #WFD2 to participate on Twitter. We’ll also be showing the live video stream of the event right here on the blog. We look forward to meeting everyone, both in person and online!

• Meraki MS Cloud Managed Switches
• Meraki MX Cloud Managed Security Appliances

Together with our award-winning cloud managed wireless LAN, these products enable enterprises to deploy 100% cloud managed networks, adding visibility and control while eliminating the cost and complexity of traditional solutions.

Meraki MS Cloud Managed Switches

Meraki MS Cloud Managed Switches

We’re now bringing the ease of use, visibility, and control that made Meraki famous to the edge of the wired network. MS switches are centrally managed through the Meraki dashboard and include an industry-first technology called Virtual Stacking. This enables centralized management of up to thousands of ports regardless of the locations of the switches or the scale of deployment. Of course, the MS switches also support traditional stacking.

In addition to the excellent management tools and ease of use, we’ve built the switches from the ground up to support the high performance needs of the network edge. The switches feature a non-blocking Gigabit switching fabric, PoE available on all ports of the PoE models, and the MS42/MS42P support 10 Gb uplink for stacking and high speed core connectivity.

The Meraki MS Cloud Managed Switches are available in four models:

• MS22, MS22P: 24-port GbE switch with power over Ethernet (MS22P)
• MS42, MS42P: 48-port GbE switch with power over Ethernet (MS42P)

Learn more about the industry’s first cloud managed switches on our website.

Meraki MX Cloud Managed Security Appliances

Meraki MX Cloud Managed Security Appliances

As if an entirely new line of cloud managed switches wasn’t enough, we’re also expanding our line of MX Cloud Managed Security Appliances by adding WAN optimization and five new hardware models.

MX Security Appliances are now available in six models that scale from branches to campus and datacenter environments:

• MX60: Security appliances for small branch deployments
• MX80, MX90: 1U appliances for mid-sized branches
• MX400, MX600: Campus and datacenter-class appliances scaling to over ten thousands users, with 10 GbE connectivity and high availability features

WAN optimization

We’ve also added WAN optimization to the MX, allowing network administrators to dramatically reduce branch bandwidth consumption and accelerate application performance. Using a variety of technologies, intra-site bandwidth can be reduced by up to 99%. Applications such as Windows file sharing (CIFS), FTP, HTTP, and generic TCP-based applications can be accelerated up to 209X over un-optimized connections.

WAN optimization is configured and enabled with a single click in the dashboard, and it’s included at no additional charge in the MX Enterprise and Advanced Security licenses.

Cloud management for all parts of the network

Finally, it’s here: cloud managed networking for all parts of the network. Using Meraki wireless LAN, Gigabit switching and security appliances, it’s now possible to have unified, single pane-of-glass visibility and control of the entire cloud managed network.

In response to more “bring your own device” initiatives and the growing demand for mobility, Clayton explains:

• How Taft maintains security for the important information passing over the wireless network
• The need for scalability, ensuring that the wireless network can grow with the company and its increasing WiFi demand
• The seamless integration of the personal, private, and public cloud experiences in the workplace

Read Clayton’s article to see how Meraki can support mobile devices at your company.

Find ILTA’s current publication of Peer to Peer at: http://www.iltanet.org/MainMenuCategory/Publications/Peer-to-Peer

A Motel 6 in Nebraska

Accor North America operates more than 1,100 upscale and economy properties, including economy leaders Motel 6 and Studio 6. ANA sought to upgrade the wireless network for the Motel 6 and Studio 6 brands to the latest 802.11n standard, ensuring that its infrastructure kept pace with its guests’ needs to conduct business, stay in touch with loved ones, and relax with entertainment.

ANA selected Meraki’s cloud managed 802.11n technology to provide its guests with consistent, reliable coverage. Moreover, Meraki’s technology enabled rapid deployment and minimized ongoing maintenance, even at ANA’s large scale. The nationwide rollout was completed in just five months, covering over 620 properties. Each property – up to 600 rooms and 17 buildings – now has complete 802.11n coverage, and up to 35,000 guests use the network each week.

We’re proud to supply ANA with a simple and cost-effective platform that provides value to their guests. Now they’ll not only leave the light on for you, they’ll leave the wireless on as well.

Take a look at this short demo to see how simple WLAN PCI compliance can be.

(Oh, if your wish is to build awesome features like these, then apply to join our Engineering Elves!)

PCI Compliance Reports for Retail

Meraki’s dashboard makes it simple to deploy a PCI compliant wireless network, and now we’ve taken it one step further. Our new PCI compliance reports check your network settings such as firewall rules and password policies against PCI requirements and present a summary report which you can print out. If something’s out of compliance, the report provides guidance on what changes need to be done. Bonus points: we’re also the only cloud networking wireless vendor to pass a level 1 PCI DSS v2 audit.

WIPS Enhancements for Enterprise

Earlier this year Gartner rated Meraki as “Promising” in the 2011 MarketScope for Wireless LAN Intrusion Prevention Systems. Never one to disappoint, we’re delivering on that promise with the new ability to detect and visually map wireless intrusions including rogue APs and DoS attacks. Wondering who’s attacking your wireless network and where they are? Now you can quickly locate and physically remove the intrusions, or use the Meraki access points to wirelessly contain the rogue APs.

Group Policies by Device Type for Everyone

Last year we rolled out group policies, an easy way to automatically assign VLAN tags and firewall rules to specific groups of users. Teachers and students can connect to the same SSID, but based on their RADIUS or active directory groups, be assigned different policies. Now you can also auto-assign group policies to specific device types, so iPads or mobile phones might be restricted to web-only access, no matter who the authenticated user might be.

Teleworker VPN Split Tunnel for Branch Offices and Remote Workers

Meraki’s teleworker VPN solution can be configured in a few clicks. Remote locations just plugin an access point and they instantly have secure access to corporate office resources. With the split tunnel enhancement, you can direct specific traffic to use the VPN tunnel while non-corporate traffic (YouTube, Netflix) stays local.

Out-of-band control

Customers have been using Meraki to build PCI-compliant networks for years, and since Meraki’s cloud architecture is out-of-band, our cloud is out-of-scope of a retailer’s PCI audit. However, we wanted to go above and beyond and deliver an additional level of reassurance. To increase our security, we submitted our cloud networking environment to a complete, on-site level 1 PCI DSS audit (the most rigorous audit level), including audits of our data centers.

Level 1 PCI DSS certified

Even though the Meraki data centers are out-of-band and thus out-of-scope for a retailer’s PCI audit, those who need to meet the requirements of a PCI audit now have the additional reassurance that Meraki’s out-of-band cloud networking architecture also meets those requirements. As the only cloud networking wireless provider to pass a level 1 PCI DSS v2 audit, we’re leading the way to provide the highest level of confidence for security-conscious customers, including those who are looking for infrastructure that meets the same PCI DSS requirements they must adhere to. This also streamlines the audit process for customers going through their own PCI DSS audit.

Meraki’s security features address all of the PCI DSS requirements and help customers to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, and monitor network security. Retailers who use Meraki to maintain a secure retail environment include Starbucks, Burger King, United Colors of Benetton UK, Design Within Reach, and Applebee’s. You can read about their deployments, and other retailers’ deployments, at http://meraki.com/customers/retail.

Design Within Reach uses Meraki for secure WiFi at all 47 stores nationwide

Join us for a free webinar: 10 Steps to PCI Compliant WiFi

Centrally managed from the cloud, Meraki makes it easy and cost effective to deploy, monitor, and verify PCI compliant WiFi across distributed networks of any size. Unlike traditional wireless LANs, Meraki’s security infrastructure eliminates the management complexities, manual testing, and ongoing maintenance challenges that lead to vulnerabilities. Find out more by registering for our free webinar, 10 Steps to PCI Compliant WiFi, on Thursday, November 17 at 11am PT. You can also read more about our out-of-band architecture, security and reliability, and compliance on the PCI section of our website.

Getting the most out of branch connectivity

Internet connectivity at each branch in a large, multi-site network can vary widely in performance, cost, and reliability. Sites are often connected via MPLS or other dedicated lines, which provide high reliability at a high price. Typically, these lines are dropped in to support applications such as VoIP. Consider that a T1 or MPLS connection can range in the hundreds of dollars — and that’s per month, per site! As an organization grows and adds sites to its network, connecting all of them via MPLS can be prohibitively expensive.

As an alternative to high cost leased lines, the MX70 can aggregate multiple uplink connections, such as DSL or cable connections. These links don’t individually have the service levels of a leased line, but they can be aggregated together to provide very high uptime at a much lower cost. This also means you don’t have to give up the low latency of a dedicated line. Instead of upgrading the dedicated line to support growing bandwidth needs, you can augment it with a consumer-grade connection and still keep the dedicated line for business-critical applications, like VoIP. The second link can then be used for non-critical applications, such as web traffic.

Uplink bandwidth can be allocated on a per-connection basis using traffic preferences in the MX70. This lets administrators push web traffic (or other recreational traffic types) over a lower quality link and reserve a higher reliability link for applications such as VoIP and video conferencing. The example below shows web traffic configured to flow over Internet 2 (for example, a cable or DSL line), and all other traffic to flow over Internet 1 (an MPLS or T1 line in this example).

Figure 1: MX uplink traffic shaping

Aggregating multiple links also increases the overall reliability of the WAN connection for your network. The MX70 detects the availability of connected WAN interfaces and automatically performs failover in case one of the links temporarily goes down. This happens when a cable is physically unplugged from a WAN port, and it also happens if the MX detects it can no longer connect to the internet, through layer 3 detection.

Controlling congestion through traffic prioritization

Assigning traffic among uplink connections helps ensure that expensive WAN links are used for the most critical applications. It’s also important that application traffic is properly prioritized for each WAN link. Real time prioritization maximizes the utility of the WAN connection by ensuring your most important applications take precedence over others, especially in cases where the uplink connection is in heavy use.

The MX70′s per-flow traffic prioritization minimizes congestion and ensures critical applications take priority over others during times of heavy use. Figure 2 shows an example for an organization that relies heavily on VoIP / video conferencing. Email is also important, but it isn’t more time-critical than a VoIP call, and online backups are the least time-critical and can be set to low priority.

Figure 2: Traffic prioritization

Connecting branches securely using multiple links maximizes WAN utility at each location, allowing organizations to create a virtualized WAN that enables them to deploy services such as VoIP and video conferencing, seamlessly share information between branches, and support bandwidth-intensive applications. Combined with the MX’s built-in multi-site network management, the virtualized WAN brings significant cost savings and lets network administrators support business-critical applications and services across the entire organization, regardless of location.

Deploying a site-to-site VPN network

Ordinarily, configuring a multi-site VPN mesh network can be complex and tedious. Site-to-site networks need to be established with WAN routes for each peer-to-peer connection, and IPsec needs to be configured. That includes setting up authentication, security association parameters, and possibly manual exchange of keys (or configuration of a key management protocol).

Deploying MX routers into a multi-site networks eliminates the tedious manual configuration of the site-to-site VPN. Adding a site into the network’s architecture is done simply by adding the MX router into the organization, setting the local subnet, and enabling participation in the VPN. The MX routers automatically discover each other through Meraki’s cloud network so you don’t have to manually enable routes between each. Figure 1 shows the high level configuration of a typical multi-site network (only three sites are shown for simplicity).

Figure 1: Meraki MX deployment architecture

On Meraki’s network, “Burlingame MX” is a router at a branch location, as shown in figure 2. Note the VPN mode, subnet configuration, and available VPN peers.

Figure 2: Burlingame MX VPN configuration

The configuration of the Burlingame MX is straightforward, and its 192.168.40.0/24 subnet appears at Meraki’s engineering HQ MX. The engineering HQ MX sits in Meraki’s San Francisco headquarters, and its network has several VLANs that can be selectively included in the site-to-site VPN and made available to the peers on the network. An organization-wide site-to-site firewall can enforce complex custom policies, such as limiting selected traffic between certain sites.

Figure 3: Engineering HQ MX VPN Configuration

By taking advantage of site-to-site VPN, network administrators are able to minimize configuration and management overhead for their branch networks. Using link aggregation, they can even move away from expensive dedicated lines for connecting their branches together. Check out the previous post on connectivity cost savings for more details.