Long before “cloud” was a buzzword, Meraki applied this winning architecture to WLANs.
Price: From $150 per AP (one year)
Pros: Fast deployment, rich traffic controls, app-layer visibility, no-cost extras.
Cons: Some simplification at the expense of flexibility, limited RF debug.
When most vendors were building beefier hardware controllers, Meraki refined its multi-tenant hosted controller service, routinely rolling out new features at no extra cost. This low TCO "out of sight, out of mind" tactic helped Meraki land over 18,000 customers, from SMBs and hotels to universities and distributed enterprises.
During Wi-Fi Planet’s test drive, we found Meraki’s Enterprise Cloud Controller quietly competent, with expanding depth and scalability.
Leveraging the cloud
Meraki sells a range of cloud-managed routers and Wi-Fi access points (APs), from the indoor single-radio MR12 to the outdoor triple-radio MR58. For this review, we tested three APs: an MR16 (MSRP $649), an MR24 (MSRP $1199) and an MR66 (MSRP $1299).
According to Meraki’s coverage calculator, the MR16’s dual 2x2 MIMO radios and internal antennas deliver 100 Mbps over 22 feet (2.4 GHz). Painting a 20K square foot office with Wi-Fi this way would require 28 MR16s -- a fairly dense deployment.
Big brother MR24 uses 3x3 MIMO to boost max data rate from 600 to 900 Mbps, while the MR66 is ruggedized for outdoor or industrial indoor use. All three support clients in both bands simultaneously, using band-steering to nudge 5 GHz-capable devices out of the 2.4 GHz “junk band.”
Every Meraki AP and router must be managed by Meraki’s Cloud Controller, a 3x redundant service, hosted in physically-secured, geographically-diverse SAS70 type II certified data centers. Two services are available: Pro Controller (max two SSIDs) and Enterprise Controller (up to 15 SSIDs). Enterprise also piles on advanced features such as traffic analysis, application firewall, auto-channel management and rogue detection.
We tested Enterprise Controller, priced from $150 per AP (one year) to $450 per AP (five years). Cloud Controller is multi-tenant; any given customer can use it to control up to 1000 networks, each containing up to 2500 APs.
One huge cloud benefit is rapid activation -- in this case, avoiding controller installation. Meraki APs are plug-and-play: just connect power and 100/1000 Ethernet (we used 802.3af PoE). Upon power-up, each AP gets an IP via DHCP and reaches out to Meraki’s Cloud Controller, connecting over the Internet on documented ports that pass easily through most firewalls.
Back at the Cloud Controller, WLAN administration occurs over SSL from any Web browser. We found Meraki’s dashboard clean and responsive with few plug-in requirements or pop-ups or deeply-nested menus. To get started, we just supplied the name of our network (i.e., site) and an order number. All APs on that order became instantly manageable.
We then dragged our APs onto an imported floor plan image, supplemented by a supplied Google map for our network’s street address. Within minutes, we could visualize our small network (below). Populating a large distributed WLAN this way would take longer, but couldn’t be much easier, unless Meraki imported WLAN planner output or understood 3D relationships. However, a Configuration Sync panel can be used to selectively clone another network’s SSIDs.
Whenever an AP connects to the Cloud Controller, it receives current settings (and firmware if necessary). Unlike many other vendors’ APs, Meraki APs cannot be managed via CLI. Each AP does have an unsecured webpage that local clients can use to view their own real-time channel utilization, signal strength and throughput (handy for trouble-shooting). Although admins can use that page to set static IPs, all other commands (including reboot) must be invoked remotely from the Cloud Controller.
In fact, the Controller focuses on making Meraki network configuration very easy. All SSIDs appear on a single overview panel. Drill-down settings may be configured per SSID, broken into Access Control, Firewall, Traffic Shaping, Users, Groups, and Splash Page panels.
For example, choose an SSID and click Access Control to select a security policy (open, WEP, WPA2-PSK, etc.), then click Users to select who will be allowed to connect to that SSID.
Unlike many policy managers, Cloud Controller is not big on reusable objects or inheritance. With few noteworthy exceptions, most settings are WYSIWYG; many are accompanied by mouse-over definitions. This results in a fairly intuitive GUI, but it also makes it tough to compare or maintain complex Firewall or Group policies across several SSIDs.
Beyond SSIDs, very little network or radio configuration is required or supported. For example, Enterprise Cloud Controller auto-assigns the least-noisy channel to each AP. Manual assignment is an option, but sets all APs to the same channels (rarely desirable at multi-AP sites).
Band selection and 11b protection can be set per SSID, but not per-AP. And you won’t find 802.11n MCS or SGI or 40 GHz bonding or MPDU aggregation options since Meraki’s Controller just tries to maximize throughput to each client based on that device’s supported capabilities. Many admins will appreciate this simplicity, but some may find it inflexible or insufficiently transparent.
Crafting advanced SSID policies
Most of the features described thus far are found in Pro. Where Enterprise Cloud Controller starts to shine is advanced policy creation, monitoring, and analysis. For small offices that need only WEP or WPA2-PSK security and WMM priority, Pro is plenty. Large organizations with diverse populations and applications may need Enterprise Cloud Controller to strengthen security, leverage infrastructure, deliver analytical insight, and enable diagnostics.
For example, Cloud Controller can apply layer 3/4 stateful packet inspection rules to each SSID, but Enterprise Cloud Controller can also apply layer 7 rules selected from a growing list of fingerprinted applications, including HTTP-encapsulated video/music, VoIP, email, software updates, P2P, or specified Web servers. Each app category can be further filtered; for example, to differentiate between Gmail and POP/IMAP. Bandwidth limits and DSCP / VLAN tags can also be applied to classify and shape traffic per-app category for each SSID (below).
When more granular filtering or shaping is needed, Group policies can override SSID policies. For example, we let our admin Group bypass SSID bandwidth limits, app block rules, and captive portal pages applied to other users.
This raises the question: How does Enterprise Cloud Controller determine which users belong to each Group? The answer: Group policies can only be applied to users granted access by MAC ACL or by 802.1X authentication against a customer’s RADIUS server configured to return a group attribute.
In short, admins can use Enterprise Cloud Controller to assert fine-grained layer 2-7 controls, integrating with customer network elements like VLAN trunks and RADIUS servers. For simplicity, Meraki offers alternatives such as hosted RADIUS, a customizable captive portal with “guest ambassador” visitor management, and a portal-based connect-time check to ensure each client is running anti-virus. This is all included in Enterprise Cloud Controller at no extra cost.
Advanced options such as these have helped Meraki’s Enterprise Cloud Controller move up the food chain to address larger business needs. As Wi-Fi grows more pervasive, even mid-sized businesses can benefit from many of these options, especially app-layer controls. But it can be tough to keep simple tasks simple while supporting complex policies. In our opinion, Meraki’s dashboard is still easy to navigate, but beginning to exhibit feature-creep clutter.
Keeping an eye on your WLAN
Configuring a network is only part of the battle; on-going maintenance and trouble-shooting are where admins often spend the bulk of their time. To reduce total cost of ownership (TCO), Meraki has been steadily expanding Enterprise Cloud Controller to deliver deeper and broader insight and tools.
Starting from any network (site) map, admins can drill down into clicked APs or Clients, or select one from searchable lists. Using the APs panel, admins can eyeball current channels, usage, and client counts, or export a snapshot to XML. Using the Clients panel, admins can see each client’s state, AP, SSID, MAC/IP, device type, label, usage, and (802.1X EAP phase 1) identity. But there’s more lurking under these covers:
- As a cloud service, Meraki does not have immediate access to AP-recorded stats. But admins can click on “Live Updates” to refresh displayed data once per minute.
- Drilling into a single AP brings up a set of “Live Tools,” accompanied by continually-updated near-real-time display of AP LAN port traffic, RF channel utilization, and more.
- Hovering over each Client highlights that device’s activity on an SSID traffic usage graph, plotted over the past two hours, day, week, or month. (Custom range would be nice!)
- Scrolling through pie charts to the right of that graph gives usage per Application, Port, HTTP server, or customizable IP/URL bucket. Just click on any chart to view usage detail.
These panels all display data for a selected network and one or all SSIDs. During our test drive, they helped us spot unexpected applications, bandwidth hogs, and an occasional surprise visitor on a guest or open test SSID. However, jumping from graphs into traffic logs was abrupt. There, we had to sift through DNS queries to understand application activity. Organizations with many networks might wish for roll-up data or an easy way to compare network usage.
Debugging RF issues is the only time we really yearned for more detail. Searchable/filterable AP logs enumerate authentication and association events, but do not supply PHY/MAC details like Information Elements or RSSI that might indicate why an association could not be formed. Instead, we had to break out a WLAN analyzer to trouble-shoot low-level RF issues.
Fortunately, Meraki has been expanding in this area, adding the aforementioned AP Live Tools. Here, admins can instruct each AP to relay real-time RF and throughput metrics, visualize spectral graphs, and ping or traceroute troubled clients. When all else fails, admins can use this panel to reboot an AP, but we saw no way to forcibly disconnect one cranky client.
Understanding your airspace
One of our favorite Enterprise Cloud Controller panels is the Summary Report, which can be emailed on-demand or scheduled (HTML or text format). This report delivers analytics for a selected network, including top APs, Clients, Apps, and Operating Systems (by % client and % usage), along with per-SSID usage. Here again, a custom date range would be a nice addition, but what we liked the most was using this report to spot areas needing investigation, while making it easy to drill directly into affected AP or Client details.
For example, Cloud Controller provides another “Live Tool” with which to Ping an individual Client. Other near-real-time data that can be displayed for Clients include channel, signal strength (last and range), ping loss and latency, and triangulated location, plotted on a floor plan (below).
In our experience, the accuracy of Cloud Controller’s estimated locations varied from decent for recently-stationary Clients to poor for highly-mobile Clients. (We note this intriguing feature is still labeled beta.) Meraki also collaborates with partners such as Ekahau to enable non-Wi-Fi asset tag tracking. In addition, Meraki offers a free Java WiFi Mapper tool which can be run on any Wi-Fi client with a browser, letting someone walk an office while measuring signal strength to generate heat maps. While this is not a WLAN planner, it can be handy to validate coverage from a particular client’s perspective.
Finally, Cloud Controller offers Rogue AP detection, using opportunistic, daily or on-demand channel scans to spot non-Meraki APs and their SSIDs, channels, and MAC addresses (including Ethernet where connected to the same LAN). This cannot be used to plot a rogue’s location or observe client connections, but we used it to supplement Cloud Controller’s auto-channel assignment. Specifically, the Radio Settings panel includes a Channel Planning Report, which details current assignments (spread to minimize interference), along with a count of Rogue APs during the past 24 hours. This can be helpful to understand a rogue’s impact on a network.
The bottom line
Enterprise Cloud Controller adjusts channels and transmit power to avoid interference, but does not appear to be otherwise intimately involved in real-time AP control. According to Meraki, not only does the Controller stay out of the data path, but most control functions survive loss of Controller connectivity, including firewall and traffic shaping, 802.1X authentication, AP roaming, and teleworker VPN tunneling (not tested). Of course, management functions such as configuration, diagnostics, and stat collection are unavailable when the Controller is unreachable.
Meraki SLAs promise 99.9% uptime for the hosted service itself. Throughout our review, Meraki technical support was exceptionally responsive, often fixing a reported bug within days and installing new firmware without action from us. This transparency will appeal to many customers, but some enterprises require tighter change control and auditing. To that end, Meraki recently added configuration change audit logs and alerts, along with read-only accounts, stronger password policies, and SMS one-time passcode authentication for admins. All of these tweaks are intended to woo IT trust, essential for any hosted management service.
During the course of our test drive, Meraki’s Enterprise Cloud Controller was not always perfect, and it did not always let us tune RF parameters. But our densely-deployed APs delivered sound connectivity, managed from a responsive dashboard that made reconfiguration easy and usage readily visible. We think this kind of low-cost fuss-free cloud-managed approach will appeal to many businesses. However, policy flexibility and scalability, along with the usual IT outsourcing concerns, could be barriers for some larger enterprises.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. An avid fan of wireless mobility and regular contributor to Wi-Fi Planet, Lisa has reviewed, deployed, and tested 802.11 enterprise, SMB and consumer electronic devices, software and services for over a decade.