Free Cisco Meraki AP

Soldato
Joined
28 Dec 2002
Posts
6,596
Location
South Coast
Meraki is very nice, but so expensive. I don't really understand who the intended market is:

- I don't think enterprises are interested in "cloud managed" network devices.
- Small businesses can't afford e.g. £800 for a switch when you can get a Smart HP switch for a quarter of that (and no ongoing cost). Or under £300 for Cisco's latest small business AC Wifi access point, vs £1000 for the Meraki MR34.

That plus extremely high ongoing support costs (you have to pay Meraki for the rest of your life or you lose the ability to manage the devices).

I don't get it.

I do agree re it being a tie due to having to maintain subscription. We also looked at Aerohive originally too, what I do like about Meraki and some of the others is the Layer 7
 
Soldato
Joined
10 Jan 2010
Posts
5,319
Location
Reading
I've listened in on a couple of the entry webinars now, having heard about Meraki - I still had no idea what they did.

The word I use to describe what I saw is "cool". Everything just looked so simple to do and so detailed.. hoping I can get some free stuff :p
 
Caporegime
Joined
18 Oct 2002
Posts
26,120
Meraki is very nice, but so expensive. I don't really understand who the intended market is:

- I don't think enterprises are interested in "cloud managed" network devices.
- Small businesses can't afford e.g. £800 for a switch when you can get a Smart HP switch for a quarter of that (and no ongoing cost). Or under £300 for Cisco's latest small business AC Wifi access point, vs £1000 for the Meraki MR34.

That plus extremely high ongoing support costs (you have to pay Meraki for the rest of your life or you lose the ability to manage the devices).

I don't get it.

Lots of enterprises are interested in cloud managed networking - e.g. if you were the IT manager for a chain of retail stores you can just ship boxes to site and get a local IT company to plug them in. No messing around, no VPN for remote access etc. No actual data leaves the local network, there is no security issue here.

Small businesses could afford an £800 switch if they required it, but many of them don't need the feature set. There is a vast difference between an HP smart switch and the Meraki / Aerohive stuff.

Support costs are part and parcel of enterprise IT, and you get a lot more than just a hardware warranty.

They are expensive, you're right. But you really can't compare them to a Cisco Small Business access point or an HP web managed switch. In certain situations where you're looking at putting a person on a plane to set up a remote location they can often be a much cheaper option.
 
Associate
Joined
13 May 2007
Posts
1,832
Location
Lancashire, UK
Had the MR12 running for a while, decided to add a Z1 firewall to the mix as well.

Quite impressed really, and the ease of adding new rules to it and monitoring what it's up to is great.

Was a bit worried that it's only meant to be able to handle 50Mb/s of throughput, but it managed fine on my BT Infinity line and hit 70+Mb/s, which is the same as every other option I've tried.
 
Caporegime
Joined
18 Oct 2002
Posts
26,120
I've not been impressed with their security appliances the more I've used them.

Port translation on 1:1 NAT rules is missing for example, and that's pretty inexcusable.
 
Soldato
Joined
4 Feb 2004
Posts
5,881
I've not been impressed with their security appliances the more I've used them.

Port translation on 1:1 NAT rules is missing for example, and that's pretty inexcusable.

The following example configures static NAT-with-port-translation for 10.1.1.1 at TCP port 21 to the outside interface at port 2121.

hostname(config)# object network my-ftp-server
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 2121
 
Soldato
Joined
4 Feb 2004
Posts
5,881
That's the command to do what you said Cisco security appliances couldn't do.... I am presuming you are using ASAs on 8.4+?

Unless you were talking about a Meraki firewall?
 
Caporegime
Joined
18 Oct 2002
Posts
26,120
And then the Z1 was mentioned, which is a branch UTM/AP, and I mentioned that Meraki's other security appliances hadn't impressed me. I'm not sure where ASAs came into the mix.
 
Caporegime
Joined
18 Oct 2002
Posts
26,120
Anyone who is comfortable with an ASA or Catalyst (and has a team of people who are equally qualified) and can guarantee either timely physical access to the device or has enough out-of-band access in place isn't buying Meraki products.
 
Associate
Joined
13 May 2007
Posts
1,832
Location
Lancashire, UK
Anyone who is comfortable with an ASA or Catalyst (and has a team of people who are equally qualified) and can guarantee either timely physical access to the device or has enough out-of-band access in place isn't buying Meraki products.

Not exactly true. There are some examples where you want to be able to remotely monitor devices and usage whilst not allowing them anywhere near the live network.

For example, at my previous employer we deployed Aerohive APs using their cloud management platform (essentially the same sort of thing as Meraki, just worse :p ). The reason for this was purely for security reasons where we could have no chance of there being access of any kind between the wireless network and our normal LAN. This went so far that even internal employees using the wireless connection then had to establish a VPN connection to gain access to internal resources.

We had plenty of skilled Cisco people in house, plenty of physical access to the equipment, yet we couldn't easily have visibility of the devices themselves without going down the cloud managed route. Now extend this out to 100+ sites over a 3,500+ km^2 area and going for a cloud managed solution starts to seem like the only option.
 
Caporegime
Joined
18 Oct 2002
Posts
26,120
I'm confused, because most APs support the management VLAN being totally different to the one that traffic from the SSIDs runs over. How you choose to route that VLAN is up to you, there's nothing specific there that means a Meraki / Aerohive device has to be the one to do it.

Aerohive radios used to be a lot better than whatever Meraki uses, I'm not sure if Meraki have improved with the MR16.
 
Associate
Joined
13 May 2007
Posts
1,832
Location
Lancashire, UK
I admit it's a niche usage case, but we were not allowed to even have the access points plugged into the same switches that were used for live data. It was quite ridiculous really, but it was a case where logical and physical separation was needed.
 
Soldato
Joined
28 Dec 2002
Posts
6,596
Location
South Coast
I admit it's a niche usage case, but we were not allowed to even have the access points plugged into the same switches that were used for live data. It was quite ridiculous really, but it was a case where logical and physical separation was needed.

I've worked in these environments too and others where it's fine to create "DMZ" VLANs.

Personally I wouldn't run DMZ VLANs, I'd run a separate switch, but it's all down to individual budgets and so forth.

I've been told by pentesters that you can bleed data between VLANs.
 