
BRKEWN-2028

Meraki Wireless
Under the hood

Seppi Dittli
Consulting Systems Engineer
Meraki – Alpine Region

#158 #5724
You’re in the right session

IDC believes that the Meraki cloud-managed WLAN portfolio remains one of the primary growth drivers for Cisco.
https://www.idc.com/getdoc.jsp?containerId=prUS43963918

BRKEWN-2028 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
What this session is NOT about!
• No comparisons between Meraki and Aironet Wireless will be made
• Roadmap topics are not going to be part of this session

Agenda
• Introduction
• MX Wireless
• MV Wireless
• MR Product Overview
• MR Wireless
• Location Features
• Packet Captures
• RF Profiles
• Guest Integration with ISE CWA
• MR Firmware Release 26
• Conclusion & Closing

Wireless on MX / Z
(Security Appliances)
For Your
Reference

Security Appliances Wireless Capabilities

Model | WiFi | Antenna
MX64W | 802.11ac Wave 1 | RP-SMA
MX65W | 802.11ac Wave 1 | RP-SMA
MX67W | 802.11ac Wave 2 | RP-SMA
MX68CW | 802.11ac Wave 2, LTE Cat6 | External fixed Omni
Z3 | 802.11ac Wave 2 | Internal Omni
Z3C | 802.11ac Wave 2, LTE Cat3 | Internal Omni

Demo


MX Wireless Configuration
Up to 4 SSIDs are possible
On / Off
SSID
Where to bridge the traffic
Security Level
Hidden or not


MX – Open SSID


MX – WEP SSID

Don’t use it!


WEP has been broken for over 15 years


MX – PSK SSID

Recommended to use
“WPA2 only”


MX – 802.1x SSID
Meraki Authentication
or
your own Radius server

Recommended to use
“WPA2 only”

Advanced Features like VLAN Overwrite or dynamic Group Policy assignment are not supported. Use Meraki MR AccessPoints for this!

MR33
MX65W

Mixing MX Wireless and MR Wireless


Don’t do it!


Links for more information

Product Homepage:
https://meraki.cisco.com/products/appliances
MX Sizing Guide:
https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf
Documentation MX Wireless Settings:
https://documentation.meraki.com/MX/Wireless/MX_and_Z1_Wireless_Settings
Combine MX with other Wireless (like MR):
https://documentation.meraki.com/MX/Wireless/Adding_a_Z1_or_Wireless_MX_to_a_Wireless_Network_or_Mesh

Wireless on MV
(Smart Cameras)

Video Surveillance Wireless Capabilities


Model WiFi

MV12N 802.11ac Wave 2

MV12W 802.11ac Wave 2

MV12WE 802.11ac Wave 2

MV21 Not available

MV22 802.11ac Wave 2

MV71 Not available

MV72 802.11ac Wave 2

Demo


MV Wireless Configuration

MV Powering Option

Meraki MV Cameras can only be powered by PoE

This accessory allows the installation of MV cameras based on old analog video cabling

This can be used as well to operate MR AccessPoints in Mesh mode

MA-PWR-MV-LV


Links for more information

Product Homepage:
https://meraki.cisco.com/products/security-cameras
MV Wireless Configuration Guide:
https://documentation.meraki.com/MV/Installation_Guides/MV_Wireless_Configuration_Guide
Low Voltage Power Adapter Datasheet:
https://meraki.cisco.com/lib/pdf/meraki_datasheet_low-voltage-power-adapter.pdf

MR Hardware Overview
Meraki Wireless Access Points Overview
All are 802.11ac Wave 2 APs (Wifi 5)

[Figure: AP models grouped by spatial streams (SS) under the columns Indoor, MultiGig, Outdoor, MultiGig; a marker denotes integrated BLE]
4 SS: MR84, MR53E, MR52, MR53
3 SS: MR42E, MR42
2 SS: MR74, MR70, MR30H, MR20, MR33

MR E Series Smart Antennas
A Series Dipole B Series Dipole C Series Panel Omni
Omni

Ceiling Mounted APs Wall Mounted APs Cosmetic Requirements


Where I need potentially higher Rx sensitivity Keep vertical antenna orientation Hide the AP and still have coverage

D Series Downtilt Omni E Series Wide Patch F Series Stadium Sector


Directional

Wide Directional Highly Directional


low density & high ceilings high density directional coverage high density highly focused coverage areas


Links for more information

Product Homepage:
https://meraki.cisco.com/products/wireless
MR Best Practices:
https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MR_Wireless

Guest Access
Meraki Wireless Guest Access
Many options possible – too many?


Authentication-Methods

PSK - Popular, but no real authentication


Meraki Authentication – Built-In
External databases – Additional gear needed

Captive Portals

None – not recommended for Guests


Meraki Splash Page – Built-In
External Servers – Additional gear needed

Guest Access

Securing Guest Access with PSK


Guest Access via PSK

• Popular
I anyhow don’t like it.
• If you do it, you should at least
show a “click-through” splash
page with an AUP
• Very easy to configure

• APIs can simplify changing the PSK

Change PSK via API

• Regularly change the PSK
• Adapt the SSID-Name and PSK for events (in hospitality)
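
Added example (not from the original slides and not Meraki's own code): a per-event PSK rotation as described above, generating the key from a CSPRNG and building the SSID update request. It assumes the Dashboard API v1 SSID endpoint and the X-Cisco-Meraki-API-Key header; the MERAKI_API_KEY variable, the network ID N_EXAMPLE, the SSID number and the "Guest-<event>" naming are placeholders.

```python
import json
import os
import secrets
import string
import urllib.request

# Assumption: Dashboard API v1 path; older v0 deployments use a different URL.
BASE_URL = "https://api.meraki.com/api/v1"
# Drop look-alike characters so guests can type the key from a printed card.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in "0O1lI")


def generate_psk(length=16):
    """Return a random WPA2 passphrase drawn from a CSPRNG."""
    if not 8 <= length <= 63:  # WPA2-Personal passphrase limits
        raise ValueError("passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_ssid_update(api_key, network_id, ssid_number, ssid_name, psk):
    """Build (without sending) the PUT that renames an SSID and sets its PSK."""
    if len(ssid_name.encode()) > 32:  # 802.11 SSID length limit
        raise ValueError("SSID name longer than 32 bytes")
    body = {
        "name": ssid_name,
        "authMode": "psk",
        "encryptionMode": "wpa",
        "wpaEncryptionMode": "WPA2 only",  # the setting the slides recommend
        "psk": psk,
    }
    return urllib.request.Request(
        f"{BASE_URL}/networks/{network_id}/wireless/ssids/{ssid_number}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"},
    )


def rotate_for_event(api_key, network_id, ssid_number, event, send=False):
    """Rotate the guest PSK and name the SSID after the event.

    Returns (ssid_name, psk) so the caller can print the guest card.
    """
    ssid_name = f"Guest-{event}"
    psk = generate_psk()
    request = build_ssid_update(api_key, network_id, ssid_number, ssid_name, psk)
    if send:
        # urlopen raises HTTPError on 4xx/5xx, so a failed update is not silent.
        with urllib.request.urlopen(request, timeout=10) as response:
            if response.status != 200:
                raise RuntimeError(f"SSID update failed: HTTP {response.status}")
    return ssid_name, psk


if __name__ == "__main__":
    # Placeholders: MERAKI_API_KEY, N_EXAMPLE and SSID 1 are not from the slides.
    key = os.environ.get("MERAKI_API_KEY", "")  # never hard-code the API key
    name, _ = rotate_for_event(key, "N_EXAMPLE", 1, "Expo2019", send=False)
    print(f"dry run: request built for SSID {name}")
```

Keep the API key and the generated PSK out of logs and shell history; hand the PSK to whatever prints the guest card.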

Demo

Guest Access

Using Meraki Authentication


Built-In Meraki Wireless Guest Access

• Still everything is included


• Lobby Ambassador to manage
Guest Database
• Very easy to configure

Built-In Meraki Wireless Guest Access
Options

Authentication Option | Advantage | Disadvantage
Standard Meraki Auth, No Self-Registration | Complete Control | Manual work for someone (Guest Ambassador)
Self-Registration, Admin Approval | Less work for Guest Ambassador | Guest Ambassador still needs to login to approve accounts
Self-Registration, Auto-Approval | No additional work | No control
Self-Registration, Verification-Email | No additional work, Somewhat controlled | People use whatever email-address they want! 10 Min free access before verification link is enforced.
Additional option | Full control, Distributed to guest hosts | Little additional work

Guest Access

Sponsored Guest Access


Built-In Meraki Wireless Guest Access

• Guest registers himself


• He enters the email address of
“his” sponsor
• Sponsor receives an email
with the approval link
• Sponsor just clicks on it and
guest is granted access
• Sponsor needs no access to
the dashboard

Has to be enabled by Meraki Support!


Demo

Guest Access

More advanced variants


Built-In Splashpage with external Radius

• Use your existing Radius-Server, like a Cisco ISE
• Radius-Request will be received from outside network
→ make sure your Firewall allows that traffic!

ISE Central Web Access

• Use the Splashpage on ISE, might be the same you use for existing Aironet-Networks

• Suggested to use “MAC-Authentication” in conjunction with ISE, which allows more creative things.

Meraki – ISE Integration
https://community.cisco.com/t5/security-documents/how-to-integrate-meraki-networks-with-ise/ta-p/3618650

Other options
Other options include authentication via
• Active Directory
• Facebook
• LDAP
• 3rd Party Credentials (Google)
• SMS (Twilio)

• Captive Portal API


Links for more information

Captive Portal API:
https://create.meraki.io/build/#build-page-tabs-tab-2
Sponsored Guest Documentation:
https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest
Various Splash-Page Documentation:
https://documentation.meraki.com/MR/Splash_Page

Location Features
How we do location with WiFi
RSSI-Radius

[Figure: two RSSI-radius examples, captioned:]
Good location precision
Location imprecise and might jump significantly
What is impacting the precision?
a) It’s based on Client RSSI values received by multiple AccessPoints!
→ This is the very same as what you may have known for years from the Cisco Location Engine / MSE / CMX.
Don’t mix this up with HyperLocation or FastLocate!

b) It highly depends on the location of your APs and how many APs can see the client
→ Like on Cisco Aironet, the client should be seen by at least 3 APs each in 3 quarters around the client with reasonably good signal strength

Demo


Two built-in features using the location data


Location Heatmap Location Analytics


Background Location Heatmap


Location Heatmap is a graphical representation of two factors:

a) the number of devices that were detected during the time period
b) how long those devices dwelled in the area

Colors
Dark red areas mean either
- there were lots of devices detected
or
- few devices stayed for a long time

Dots
These are wireless clients.
Grey = not associated
Blue = associated

Background Location Analytics
Connected - yes, these are Wireless Users
Passersby - not connected, but seen at least once
Visitors - not connected, but seen more

x = RSSI of 15 or more to be considered visitor; RSSI of 10 or more to maintain it

AP Location Scanning Synchronization
New method in MR 26

[Figure: channel scan timelines (Ch1, Ch2, Ch3) of AP1 and AP2, shown for Software Release < MR 26 and for Software Release >= MR 26]
You want more than what Meraki has?

Use APIs!


Links for more information

Scanning API Documentation:
https://create.meraki.io/build/scanning-api-docs/
Documentation about Location Heatmap and Analytics:
https://documentation.meraki.com/MR/Monitoring_and_Reporting/Location_Analytics

RF Profiles
More control over your RF environment

These 3 areas might require different RF settings due to their quite different characteristics!

Demo

RX-SOP
Receive Start of Packet


A sharp knife that is tremendously useful

But you can cut your own fingers too!


Pre-Canned RF Profile Settings

Profile | 2.4 GHz min | 2.4 GHz max | 5 GHz min | 5 GHz max | Width | Min. bitrate | Band | Client Balancing
Default Indoor | 5 dBm | 30 dBm | 8 dBm | 30 dBm | Auto | 11 Mbps (2.4 GHz), 12 Mbps (5 GHz) | 5GHz only | On
Default Outdoor | 5 dBm | 30 dBm | 8 dBm | 30 dBm | Auto | 11 Mbps (2.4 GHz), 12 Mbps (5 GHz) | 5GHz only | On
Auditorium | 5 dBm | 11 dBm | 8 dBm | 14 dBm | 20MHz | 24 Mbps | Dual | On
Class Room | 8 dBm | 14 dBm | 11 dBm | 17 dBm | 20MHz | 24 Mbps | Dual | On
Open Office | 11 dBm | 17 dBm | 14 dBm | 20 dBm | 20MHz | 12 Mbps | Dual | On
Conference Room | 8 dBm | 14 dBm | 11 dBm | 17 dBm | 20MHz | 12 Mbps | Dual | On
Outdoors | 17 dBm | 23 dBm | 17 dBm | 23 dBm | 20MHz | 6 Mbps | Dual | On

Channels 2.4 GHz: 1, 6, 11
Channels 5 GHz: UNII-1, 2 and 2extended
(except “default outdoor” 2extended only)

Pre-Canned RF Profile Settings

Callout on the table: Unless you have specific reasons to have this enabled, TURN IT OFF!

Links for more information

RF Profiles Documentation:
https://documentation.meraki.com/MR/Radio_Settings/RF_Profiles
RX-SOP Documentation:
https://documentation.meraki.com/MR/Radio_Settings/Receive_Start_of_Packet_(RX-SOP)

Wireless Health
Wireless Health

Simplify optimization of wireless networks by automatically isolating issues in the steps to successful wireless access: AP association, network authentication, IP address allocation, and hostname resolution through DNS
Client network associations
Metrics and anomaly detection for
• Wireless connection quality (latency)
• Capacity (data rate)


Links for more information

Wireless Health Documentation:
https://documentation.meraki.com/MR/Wireless_Health

Umbrella Integration
The technology behind the integration
Meraki MR
100% cloud-managed wireless access points
• Manage your global wireless infrastructure from a single dashboard.
• Provides visibility into application, device, and usage statistics.
• No controller hardware to install or maintain.

Umbrella
Secure internet gateway that provides the first line of defense against threats on the internet
• Protection against threats such as malware, ransomware, & C2 callbacks with no added latency.
• Visibility into internet activity across all locations and users.
• No hardware to install or software to manually update.

Benefits
• Simplest way to deploy Umbrella
across a wireless network.
• Conveniently enable Umbrella
policies directly in the Meraki
dashboard.
• Create granular policies on a per-
SSID basis or by using Meraki
group policies.

Demo


How it works
Step 1 (Umbrella dashboard): Copy API key and Secret.
Step 2 (Meraki dashboard): Input API key and secret.
Step 3 (Meraki dashboard): Apply Umbrella policy.
Step 4: That’s it. Seriously, it’s that easy.

Mandatory DHCP
Enforce clients to use DHCP - disconnect any offending clients

Meraki Protected Ports

New feature in Software Release MR26

1. Customize the port configuration for Meraki APs and apply it to switches
2. Connect an MR to any MS port
a. MS identifies MR
b. MR authenticates to MS with a certificate
c. MR is allowed access with the correct port configuration

Any other device that plugs in will see no change in the MR port’s settings.

Dynamic, Secure Port Assignment

Closing
Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKEWN-2028

Thank you
