The "Meraki" way?

--chris-- Member Posts: 1,518
I have the opportunity to start a transition from our current switching lineup (HP & Aruba) and go to whatever I pick (Cisco). Through our re-seller I have been put in touch with Cisco sales to discuss price breaks and other sales'y stuff.

The Cisco rep suggested I look at Meraki, I said "sure why not" and went through the typical 1 hour long demo of product with an engineer (btw, anyone else think it's weird they do demos on their production San Fran campus?...I could have been recording and dumping all the data to the net for nefarious purposes).

Long story Long, I was asking about debug commands and error logging (a big gripe I have with HP, it's virtually non-existent) and Meraki's response was pretty much "why worry about debug commands (that they don't have) when it SIMPLY WORKS".

Even though I am only 4-5 years into IT I feel like I am being a stubborn ol' fool for "clinging" to the CLI (and its debug commands) when something as slick and shiny as Meraki is available.

I see the benefits offered by a single interface for switches (Cloud Controller), I appreciate that. But I don't want to give up the nitty gritty detail that can be obtained from the CLI for that one benefit.


Am I missing the boat here? Is this where the future will be for access/distro layer of networking?


Comments

  • matai Member Posts: 232
    I love me some Meraki
    Current: CISM, CISA, CISSP, SSCP, GCIH, GCWN, C|EH, VCP5-DCV, VCP5-DT, CCNA Sec, CCNA R&S, CCENT, NPP, CASP, CSA+, Security+, Linux+, Network+, Project+, A+, ITIL v3 F, MCSA Server 2012 (70-410, 70-411, 74-409), 98-349, 98-361, 1D0-610, 1D0-541, 1D0-520
    In Progress: Not sure...
  • Fulcrum45 Member Posts: 615
    I'm not familiar with Meraki but no, I don't think there's anything wrong with wanting to look under the hood- mainly because it's needed sometimes. I'm sure if you called in for support they would have some way to debug it on their end. Unless of course the whole idea is to make you dependent on them for support which wouldn't surprise me.
  • MitM Member Posts: 622
    I am going to be getting a Meraki switch to demo, as a possible replacement for our corporate office access switches.

    They seem like cool devices.
  • J_86 Member Posts: 262
    That's pretty typical of most sales, "our product is the best, no bugs" blah. blah. Meraki is more GUI focused than IOS or Aruba SwitchOS.

    What line of Aruba/HPE switches are you running? There are plenty of debug commands available.
  • Iristheangel CCIEx2 (Sec + DC), CCNP RS, CCNA V/S/R/DC, CISSP, CEH, MCSE 2003, A+/L+/N+/S+, and a lot more from m Pasadena, CA Mod Posts: 4,133 Mod
    --chris-- wrote: »
    The Cisco rep suggested I look at Meraki, I said "sure why not" and went through the typical 1 hour long demo of product with an engineer (btw, anyone else think it's weird they do demos on their production San Fran campus?...I could have been recording and dumping all the data to the net for nefarious purposes).

    LoL. You definitely weren't recording for sure. If you had, you would have noticed it was a read-only account so they couldn't have made any production-altering decisions and the second thing you would have noticed is that they're redacting certain information even as they're browsing through the dashboard. This is a screenshot of the Meraki Corp Network:
    [Image: screenshot of the Meraki Corp Network dashboard]


    See the blurred parts? No matter what screen they browsed to, you wouldn't have been able to find out certain information because it would have been blurred. They do that for all these demo accounts where they are demoing production. :)
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • OctalDump Member Posts: 1,722
    I think this is a general 'problem' for cloud services. There's a level of abstraction that keeps some of the stuff under the hood and out of view. You give up some control so that you can also give up some headaches. I guess then what matters is SLAs and contract management and all that fun stuff to ensure that you get the service you need and fast enough responses when things break.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • --chris-- Member Posts: 1,518
    LoL. You definitely weren't recording for sure. If you had, you would have noticed it was a read-only account so they couldn't have made any production-altering decisions and the second thing you would have noticed is that they're redacting certain information even as they're browsing through the dashboard. This is a screenshot of the Meraki Corp Network:
    [Image: screenshot of the Meraki Corp Network dashboard]


    See the blurred parts? No matter what screen they browsed to, you wouldn't have been able to find out certain information because it would have been blurred. They do that for all these demo accounts where they are demoing production. :)

    Huh, TIL. The blurring is done only for these "sales" demos or for all read-only accounts in Meraki?

    I did see some of the blurring, but I thought it was all hostnames? While I believe what you say, what I saw was very detailed (details I am "compelled" to send in encrypted messages if they are transmitted).


  • --chris-- Member Posts: 1,518
    OctalDump wrote: »
    I think this is a general 'problem' for cloud services. There's a level of abstraction that keeps some of the stuff under the hood and out of view. You give up some control so that you can also give up some headaches. I guess then what matters is SLAs and contract management and all that fun stuff to ensure that you get the service you need and fast enough responses when things break.

    So this might be the angle I'm missing. I am off-loading certain problems to Meraki?


  • Iristheangel CCIEx2 (Sec + DC), CCNP RS, CCNA V/S/R/DC, CISSP, CEH, MCSE 2003, A+/L+/N+/S+, and a lot more from m Pasadena, CA Mod Posts: 4,133 Mod
    --chris-- wrote: »
    Huh, TIL. The blurring is done only for these "sales" demos or for all read-only accounts in Meraki?

    I did see some of the blurring, but I thought it was all hostnames? While I believe what you say, what I saw was very detailed (details I am "compelled" to send in encrypted messages if they are transmitted).

    It's only for demo accounts :)

    What I posted is the same demo site you were demoed. We all have access to the Meraki corporate office system for demo purposes. They limit us from seeing certain things or making any changes to the system so while it allows us to look like we're configuring, we can never commit the change or actually do anything with it. Hostnames weren't going to be blurred but the URLs they went to and public IPs were. We don't really care if you can see things like what private IP they used or the MAC address but we don't want to share certain proprietary things so anything at risk is blurred :) You couldn't have done any damage.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • ande0255 Banned Posts: 1,178
    I don't ever see them giving up the CLI to the device as Octal said being the trade off with cloud services, really the packet capture onboard the dashboard can help troubleshoot most issues, but there are some nuts and bolts that Meraki keeps under the hood.

    The nice thing about support other than the fact it's evolved a lot since Cisco's first acquirement of them, in terms of professionalism and network knowledge, and they are not afraid to RMA a device that appears to be faulting whereas other vendors will make you bend over backwards and smooch your own ass hole to get a replacement unit out of them.

    Good choice for ease of deployment and maintenance, I love getting a Meraki ticket 'cause it's generally so easy to troubleshoot, however I think they could reeeeeeally use an actual Client for their Client VPN so when a company rolls it out to 50 remote users I'm not configuring 50 Network Adapters.

    The fact they are rolling out phone and camera systems before they created an actual client for their VPN is mind blowing to me, and beware, there are some compatibility issues of completing Phase 2 on site-to-site VPNs (encap / decap) that I've just never gotten answers from Meraki from.

    I think they eventually went to an AWS platform to do site-to-site, which then they ran into the limitation of only being able to advertise 2 subnets over the VPN back to AWS per tunnel - That was a fun issue to work through without Meraki helping whatsoever :)

    I'm all for IOS if you can afford support contracts and / or staff to troubleshoot high level issues competently, otherwise I think Meraki is a decent way to go, though it's a shame I see VARs and MSPs shoving this stuff down customers' throats until the world of networking will live on GUI and not a CLI.

    That will be a sad day.
  • --chris-- Member Posts: 1,518
    It's only for demo accounts :)

    What I posted is the same demo site you were demoed. We all have access to the Meraki corporate office system for demo purposes. They limit us from seeing certain things or making any changes to the system so while it allows us to look like we're configuring, we can never commit the change or actually do anything with it. Hostnames weren't going to be blurred but the URLs they went to and public IPs were. We don't really care if you can see things like what private IP they used or the MAC address but we don't want to share certain proprietary things so anything at risk is blurred :) You couldn't have done any damage.

    Roger that. I get it now.


  • --chris-- Member Posts: 1,518
    ande0255 wrote: »
    I don't ever see them giving up the CLI to the device as Octal said being the trade off with cloud services, really the packet capture onboard the dashboard can help troubleshoot most issues, but there are some nuts and bolts that Meraki keeps under the hood.

    The nice thing about support other than the fact it's evolved a lot since Cisco's first acquirement of them, in terms of professionalism and network knowledge, and they are not afraid to RMA a device that appears to be faulting whereas other vendors will make you bend over backwards and smooch your own ass hole to get a replacement unit out of them.

    Good choice for ease of deployment and maintenance, I love getting a Meraki ticket 'cause it's generally so easy to troubleshoot, however I think they could reeeeeeally use an actual Client for their Client VPN so when a company rolls it out to 50 remote users I'm not configuring 50 Network Adapters.

    The fact they are rolling out phone and camera systems before they created an actual client for their VPN is mind blowing to me, and beware, there are some compatibility issues of completing Phase 2 on site-to-site VPNs (encap / decap) that I've just never gotten answers from Meraki from.

    I think they eventually went to an AWS platform to do site-to-site, which then they ran into the limitation of only being able to advertise 2 subnets over the VPN back to AWS per tunnel - That was a fun issue to work through without Meraki helping whatsoever :)

    I'm all for IOS if you can afford support contracts and / or staff to troubleshoot high level issues competently, otherwise I think Meraki is a decent way to go, though it's a shame I see VARs and MSPs shoving this stuff down customers' throats until the world of networking will live on GUI and not a CLI.

    That will be a sad day.

    It's funny, the sales pitch started with that line..."SAY GOODBYE TO THE CLI".

    My hopes are this thread isn't anti-Meraki, I really value the input from people who have used them which is why I made this thread. I am becoming vendor agnostic, I really don't care what sticker it has as long as it works (and gets supported properly when it doesn't). If I could roll out potatoes at a branch for PCs and they worked great I would.

    With that said, back to the reps and emails...time to get pricing.


  • SteveLavoie Member Posts: 943
    Remember with Meraki, if you stop paying your subscription, you will not be able to change configuration on your device... I don't feel that it is honest... that's why as a reseller we don't like to sell Meraki (at least not our first choice). Sure sales guy like it... easy mandatory sales.. but from a technical point of view I find it dishonest.
  • cyberguypr Senior Member Mod Posts: 6,915 Mod
    I will preface this comment by saying that I do not like Meraki's model at all so I would most likely never buy their devices. Dishonest means untruthful and/or intentionally deceitful. How in the world is their model dishonest? They never said you could buy their products, stop paying renewals, and use them until the end of time. In multiple places they specify:
    If you chose not to renew, you will no longer be able to manage your devices via the Meraki cloud, and your Meraki network devices will cease to function. This means that you will no longer be able to configure or make changes to your Meraki network equipment, and your Meraki network products will no longer allow traffic to pass to the Internet

    Calling this model dishonest is just not fair.
  • --chris-- Member Posts: 1,518
    cyberguypr wrote: »
    I will preface this comment by saying that I do not like Meraki's model at all so I would most likely never buy their devices. Dishonest means untruthful and/or intentionally deceitful. How in the world is their model dishonest? They never said you could buy their products, stop paying renewals, and use them until the end of time. In multiple places they specify:


    Calling this model dishonest is just not fair.

    Flip side to that: In my 120 minutes of discussion with Meraki neither the sales guy nor engineer brought that up even when I asked probing, open ended questions about what the licensing and support "is".

    I only found that out when I was talking to CDW about the renewal process.


  • cyberguypr Senior Member Mod Posts: 6,915 Mod
    Fair point. This stresses the importance of due diligence.
  • jmasterj206 Member Posts: 471
    I would agree with what ande0255 said. We are mostly a Meraki shop and the wireless and switching has been great, but the security appliance has been a nightmare. We ended up having to put a Cisco ASA in as well for Client VPN and Site to Site VPN. If you use their Client VPN and have to abide by PCI DSS you will fail your audit due to using aggressive mode IKE. Also their Site to Site VPN isn't great unless you are going to another Meraki device. We do a lot of third party VPNs and you can't just allow one or many IPs through and VPN tunnel. You have to allow the whole subnet through the VPN tunnel where the host resides then filter it on your end. The issue being the other side of the tunnel has to allow the full subnet as well or the negotiation fails. When you are dealing with large organizations with many subnets in use this is a no go. Don't even ask about NATing through VPN tunnels. I think my frustration has been them pumping out all these new products, but they haven't fixed some of the basic requirements on the MX appliances.


    https://documentation.meraki.com/MX-Z/Client_VPN/Security_audit_failed_due_to_aggressive_mode_IKE
    WGU grad
  • joshuamurphy75 Senior Member Member Posts: 162
    I think the sales pitch of "Say goodbye to the CLI" would scare away most customers.
  • snokerpoker Member Posts: 661
    Another thing to consider is Meraki automatically pushes firmware upgrades. You have no control over it. This has caused downtime on several occasions with a client of mine who uses their wireless products.

    I used to work with a different client and had the same PCI issues and VPN issues as folks referenced above.

    I'd stick with the Cisco Catalyst line of switches.
  • routergods Member Posts: 66
    Another thing to consider is Meraki automatically pushes firmware upgrades.

    This is false... you can delay the firmware upgrade or schedule as you wish. You can also contact support to place a firmware hold on your devices (for retail environments under "blackout" config periods like Christmas)

  • ande0255 Banned Posts: 1,178
    I like the concept of ease of use, but when their slogan is "Say goodbye to the CLI", they mean you say goodbye to it - Not them.

    To me it's like buying a car that completely drives itself, no steering wheel or brakes, but the dealer promises that just makes the commute easier.

    I am not anti-Meraki 'cause it's easy to deal with troubleshooting them, but only to a point before you're waiting anywhere from 30 seconds to 30 minutes for a nice Meraki support rep to assist you.

    I have no real problem with them aside from said L2L Tunnel issues and complete lack of VPN Client (What???), however I prefer CLI / IOS / TAC support any day of the week if it's within budget.

    If it's not, Meraki isn't a bad choice, just not the best choice.

    Keep in mind you can also just order MRs for wireless, and keep your network Core 2960 switch stacks and ISR Routers or next-gen ASAs - You don't need to sign your entire network away to Meraki.
  • hurricane1091 Member Posts: 918
    Meraki is junk. Switches always reporting false warnings and the APs constantly have issues. Terrible support too.
  • kohr-ah Member Posts: 1,277
    I'd stick with the Aruba wireless myself and just replace HP switching hardware.
    I've never had any major issues with Aruba wireless except their support as of recent and that has been a minor issue at most.
  • --chris-- Member Posts: 1,518
    Great feedback in here, thanks everyone.

    I ended up abandoning the Meraki estimate, great hardware/interface but it simply does not fit this organization's needs. Right now it's neck and neck with Cisco and Aruba, very little price difference...I am meeting later today to discuss with mgmt.

