Last year I convinced the School to go for a complete network overhaul keeping the long-term technological requirements of our school in mind.
What were the upgrade requirements?
- Gigabit switches with ten-gigabit uplinks
- Core Cisco(Cat 6500) network switches had to be upgraded with the newer Supervisory module that supported 10 G fiber modules.
- Wireless access points with AC technology
- A firewall that can support over 10000 concurrent connections, IPS, IDS, Malware Prevention & packet shaping.
The reason: Our network infrastructure was aging, reached their end of life. With the existing 1g uplinks, we were facing bandwidth bottlenecks, loss of instructional time for the teachers and students due to wireless and network troubleshooting plus we were not equipped to upgrade our server infrastructure in the future to support 10g or 40g uplinks.
What did we decide on ?: We did some extensive research on Cisco, HP, and Meraki and decided to go for cloud-based Meraki solution. The management of the access points and switches seemed simple and did not require a ton of technical knowledge as compared to the Cisco controller-based wireless and traditional command line based switches, the Meraki provided a simple, intuitive GUI to make magic happen, I was a bit skeptical about requiring an internet connection for managing the bulk of our network. But we went ahead and decided to go for the Meraki MS350 for our switches, MR 42 for indoor access points, MR 72 for our outdoor access points. Meraki MX 600 for our firewall and upgraded our Cisco Core with Supervisory module VS-S2T-10G, which enabled us to go 10G and future proofed for 40G.This entire investment came to about 1 million $. I was going to miss the traditional command line utility for managing Cisco Network because I invested a lot of my time and energy in learning that plus it made me look too cool :)We went with a trusted partner who had tons of experience with providing network solutions.
How did it all go? We took the summer break as the perfect opportunity to do all the installation, which went on for roughly a month. We had a few quirks with the technical setup and such, but the availability of support 24/7 via Chat and Phone with Meraki I was a huge benefit.
Meraki WiFi Pros:
- Manageability: A Beautiful dashboard with a consolidated view of the current clients, Access points status and switch status was a blessing in disguise, this helped us identify faults and be proactive.Easy to set up and configure the Access points, it was easy to create SSID’S, VLAN, change the radio settings &Channel width, monitor channel interference, monitor the clients on the AP, restart them etc.. One really cool feature was the ability to tag access points for, e.g., you could tag the access points on the 7thgrade with anything, and you could search for access points with a particular tag and monitor just them and make bulk changes.
- Security: Meraki AP provides Layer 3 & 7 firewall on an SSID level, which enables us to block certain applications, ports, IPs and sites for the student SSID while keeping them open for the staff SSID, Air Marshal feature from Meraki can be set up in such a way that all rogue SSIDs connected to the School network is contained.
- Traffic Shaping: it is even possible to set traffic shaping rules on an SSID level for e.g. We can set up rules in such a way that a single client in a particular SSID cannot cross over 1 MB per second.
- Access Control: You can setup SSID authentication via Radius server or login VIA splash page & LDAP, additional parameters include checking your computer for Antivirus before letting you use the network, etc. For using Radius server there is documentation on setting up a Windows server 2012 as a Radius server, I would recommend it and setting it up in such a way that only machines in a particular group in active directory can connect to the SSID – of course, you can’t use it on the mobile devices
- Additional features: There is a Packet capturing tool(you can capture the traffic to and from the client and AP) for some advanced troubleshooting.Cable testing from the AP to the switch port. Supports 80 MHz on the 5GHz band to take advantage of the Wireless AC to utilize bandwidth between the clients up to 700 Mb per second.
- Firewall settings: layer 3 & 7 firewall rules can be set up at the firewall level, adding them to the firewall and SSID is what I would recommend because we want to try and contain the threat at the first point of contact (which is the AP ), so the valuable processing power of the firewall can be utilized for IPS, IDS, and NAT, PAT, etc.
- Security Center Dashboard: Perhaps one of the top features of the MX 600 is the security center ( comes at a price by buying the Firewall Enterprise Advanced license ), the Security dashboard gives you a nice view of the malware and IPS threats coming in from around the world plotted on a world map. It also tells you the clients on your network with possible malware infections and contains them ( this is cool ) until we had the Meraki we had no clue on how many hackers and bots were trying to infiltrate into the network.
- Access Control: You can set up Internet access Policy via LDAP groups, for e.g. You can say only members of the staff group in the AD can access certain applications and websites.
- Setting up NAT and PAT is a breeze
- Load balancing: Dual WAN ports, so it essentially becomes a load balancer, this was a huge plus because we have to pay a serious amount of cash for a 100 Mb IP VPN internet connection (we are paying about 15000$ per month 😦 – but with the MX 600 we had the dual wan ports so we could buy a cheaper 100 Mb business fiber and double our bandwidth using the second WAN. It even has a backup 4g dongle provision in case both the WANs fail.you can also set up flow preference to have certain traffic go through WAN 1 or 2
MS 350 Switches pros:
- VLANS: Easy to setup VLANs and trunk ports on the GUI, assigning access VLAN ports and voice VLAN ports is a breeze.
- Routing: L3 routing ( only on the MS 350) is possible too for advanced network topology, we don’t have much use with because of the way our network is set up.
- Stacking: The MS 350 is capable of physical and virtual stacking
- Security: Mac filtering is easy, and LDAP authentication is a breeze on an individual port level.
- Advanced troubleshooting: Cable testing to see if all the pairs are crimped correctly, Ability to see which client is connected to which port & a Packet capture utility to analyze traffic between a switch port and wired clients.
- There is not much really, one thing I wished it had was the ability to set up the packet shaping for an entire SSID rather than an individual client on a per-AP level, this might be a bit hard to explain, for, e.g., our wireless is comprised of different SSIDs and each SSID is tagged with a particular VLAN, so it would have been beneficial for us if we could set it up to assign a certain amount of bandwidth for the entire SSID, meaning we don’t want the whole student SSID to cross more than 30 Mb in total which is not possible, you would need something like a blue coat packet shaper to achieve this.
- Weird issues with AP’s not accepting clients
- Some settings take a few seconds maybe even like a minute to get pushed to the APs because they are cloud managed the settings take a while to travel all the way from the internet to our local AP, even things like restarting the AP’s take longer than expected in some cases.
- Noticed Some channel interference with Apple TV and Mac clients
- Some of the clients show up with the wrong names – looks like the reporting is taking time to update on the dashboard ( again this is the disadvantage of moving to a complete cloud solution )
- The AC & 5 GHz capable Clients always seem to connect to the 2.4 GHz in spite of having excellent 5GHz strength. BTW the signal interface is much less on the 5GHz band, which is why I want them to connect to them in the first place
- The band steering feature in the Wireless SSIDs to try and move the 5GHz clients to the 5GHz band does not work as well as accepted and is flaky
- The wired clients show up with the wrong MAC address, sometimes the port where the wired clients are connected shows up wrong too, noticed this is an issue mainly with Apple TVs and Mac wired clients
- There is not a way to bulk restart all the switches at once; this would have been a good way to restart all the AP’s at once too.
- Again the inability to set up the packet shaping for an entire VLAN rather than an individual client on a per-VLAN level is a major drawback.
- Pricing on the advanced license is very steep.
- Easy to manage dashboard, accessible from anywhere
- Good for a school environment, because it is easy to maintain and you can free up some of your time to involve yourself in other cool projects.
- Your entire network seizes to function if your support license has expired ( sounds pretty scary – don’t worry when they are close to expiry they do a good job of reminding you, you just need to find the $$)
- You need to factor in the price of the licensing over a long-term meaning ing you need to work out a Network keep alive cost projection for the lifetime of the equipment and that could be expensive for smaller organizations.
I am sure I missed out a lot of points, but I will keep updating this post on a regular basis, so check back or contact me to know more if you plan on investing in Meraki, I can show you how we have it all set up.