Changelog: Wireless Bridge-mode Client Isolation

Another week, another exciting round of feature enhancements from the Cisco Meraki Engineering team. The biggest announcement was the addition of a new Bridge-mode Client Isolation feature for MR networks.

L2 client isolation has been a distinguishing feature of Meraki NAT-mode SSIDs for some time and is an incredibly useful security tool to prevent wireless clients from communicating with each other on the same SSID. NAT-mode is great if public DNS, AP-delivered DHCP, and client IP NATing to the AP’s management IP are fine for your use case. Guest service in a click.

MX Design: Integrating Non-Meraki VPN into AutoVPN

I was working on a large Meraki MX VPN deployment project recently and was asked to explain a common theme I’ve had to give guidance on time and time again with customer VPN designs – how do you integrate non-Meraki VPN peers with an existing AutoVPN domain? Well, this is one of those topics that requires a little more detailed explanation and this seemed like a perfect place to unpack it.

How do the two VPN solutions work and what are ways we can cleanly merge the two together?

Changelog: UI Updates, Uplink Overrides, and Office365

New Warm Spare UI for MS and MX

Some of you may have noticed a slight change in the warm spare configuration in my recent MX warm spare design writeup. The Meraki UI/UX team has updated the warm spare configuration in Dashboard for both MX and MS. Configuration has moved to the switch and security appliance status pages.

The new interface is more intuitive all around. A particularly useful addition is the warm spare serial dropdown selection.

Meraki Wireless Bridge Mode: Better By Default

At a recent technology conference, I found myself answering questions on Meraki wireless design with a curious network engineer. His company was in the process of replatforming their corporate wifi to Meraki wireless and he had some questions around segmenting guest access.

Their existing wireless design used a single controller appliance positioned in a data center DMZ zone so guest wireless traffic could be filtered by a firewall (after exiting the controller). This has been a common deployment for adding firewall protection to untrusted wireless networks for almost a decade.

Changelog: New Firewall and Client API Updates

L3 Firewall Rules Programmable via API

The MX layer 3 firewall rules can be found under Security Appliance > Firewall > Layer 3 > Outbound rules in Dashboard. The L3 firewall ruleset allows outbound firewall filtering for all traffic crossing a routed boundary. This includes both inside-to-outside (LAN port > WAN port) packets as well as inter-VLAN routed traffic within the MX.

While the firewall UI makes adding or modifying rules simple, it’s not well suited for bulk import of hundreds or thousands of entries. Enter L3 FW API!

MX Design: Warm Spare

Building redundant WAN routing and security services mitigates a critical single point of failure in mission-critical networks. If a single gateway fails, a standby unit can seamlessly continue servicing clients without disruption.

There have been many proprietary and standards-based gateway redundancy protocols developed over the years to solve this problem. HSRP, VRRP, and GLBP are all common examples.

The Cisco Meraki MX security appliance offers a similar HA solution called warm spare mode. Enabling this option provides a seamless way to create a highly-available pair of MX appliances with automatic configuration, gateway, and VPN peer syncing.

Gartner: Operational Simplicity in 2017 Business Models

If you’re in any way involved with enterprise technology and haven’t seen Gartner’s 2017 Strategic Roadmap for Networking report, then I encourage you to give it a quick read. Very illuminating trends in the industry overall as cloud platforms are maturing and businesses are increasingly prioritizing agility-through-simplicity in a digital first economy.

Cisco MX SD-WAN Connectivity Models

As I consult with companies and organizations ready to deploy a cloud managed MX WAN infrastructure, I’m constantly tasked with helping them understand the different connectivity models available and the appropriate deployment methodologies. With the WAN connectivity options evolving faster than ever, it’s important to know what options are available and more importantly help map business requirements to the end design.