Meraki ECMS2 Notes

I recently sat through the ECMS2 3-day training course. These notes are intended for people with a fair bit of Meraki experience, as I’ve skipped over most of the basics.

General

  • The Meraki stacking cables are basically unbranded twinax cables; if you’re stuck, generic twinax cables of the same speed will work.
  • When you clone a network, the target network’s firmware is upgraded to match the source; it won’t downgrade, though.
  • merakisizing.com is a great reference for pre-sales work.
  • Labs are basically the same as ECMS1 but with Systems Manager added. Probably worth skipping them all except the Systems Manager one.
  • MAC Authentication Bypass (MAB) is available on Meraki now.
  • Meraki love Google Forms because they feed into Google Sheets (which they also love), and from there a script can run Python or Meraki API calls.
    • This is how filling out your email in these Meraki courses adds you as an admin to a network without the trainers touching anything.
  • You can roll back firmware updates yourself inside the two-week window.
  • The “firewall rules required for Meraki” help page is dynamic, i.e. it only lists the ports for device types you actually have.
  • A proper Meraki cert is coming “soon” but has also been coming soon for a year.
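The form-to-sheet-to-API enrolment described above is worth automating carefully, because a public form is untrusted input and the script on the other end holds an org-level API key. Below is an added example, not code from the course, the trainers, or Meraki, of how such a script should behave: validate each sign-up row against a domain allowlist, then invite the user with no org-level rights and read-only access to a single network. It assumes the Dashboard API v1 call `POST /organizations/{orgId}/admins` with a JSON body of `email`, `name`, `orgAccess` and a `networks` list, authenticated with the `X-Cisco-Meraki-API-Key` header; the allowlist, IDs, sample rows and the `fake_post` stand-in for the HTTP call are placeholders so it runs offline.

```python
"""Added example (not from the course notes or Meraki): turning sign-up rows
into network-scoped Meraki Dashboard API admin invitations.

Assumptions, not stated on the page:
  - Dashboard API v1, POST {API_BASE}/organizations/{orgId}/admins with a JSON
    body of email, name, orgAccess and networks=[{"id": ..., "access": ...}],
    authenticated with the X-Cisco-Meraki-API-Key header.
  - ALLOWED_DOMAINS, the org/network IDs, the API key and SAMPLE_ROWS are
    placeholders; fake_post stands in for requests.post() so this runs offline.
"""
import json
import re
from typing import Callable, Dict, Tuple

API_BASE = "https://api.meraki.com/api/v1"
ALLOWED_DOMAINS = {"example.com"}          # placeholder: who may self-enrol
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

# Constructed sample rows, shaped like a Google Sheet export of form responses.
SAMPLE_ROWS = [
    {"name": "Alice Example", "email": "alice@example.com"},
    {"name": "Mallory",       "email": "mallory@attacker.test"},
    {"name": "",              "email": "bob@example.com"},
    {"name": "Carol",         "email": "not-an-email"},
]


def validate_row(row: Dict[str, str]) -> Tuple[bool, str]:
    """A form is untrusted input: refuse anything outside the allowlisted domain."""
    email = row.get("email", "").strip().lower()
    name = row.get("name", "").strip()
    match = EMAIL_RE.match(email)
    if not match:
        return False, "malformed email"
    if match.group(1) not in ALLOWED_DOMAINS:
        return False, "domain not allowed"
    if not name:
        return False, "missing name"
    return True, ""


def build_admin_request(row: Dict[str, str], org_id: str, network_id: str,
                        api_key: str, access: str = "read-only"):
    """Least privilege: no org-level rights, scoped access to one network only."""
    url = f"{API_BASE}/organizations/{org_id}/admins"
    headers = {"X-Cisco-Meraki-API-Key": api_key,
               "Content-Type": "application/json"}
    body = {
        "email": row["email"].strip().lower(),
        "name": row["name"].strip(),
        "orgAccess": "none",                       # assumed enum value
        "networks": [{"id": network_id, "access": access}],
    }
    return url, headers, json.dumps(body)


def invite_from_rows(rows, org_id: str, network_id: str, api_key: str,
                     post: Callable[[str, dict, str], Tuple[int, str]]) -> Dict[str, list]:
    """Validate every row, invite the good ones, and report what was rejected."""
    result = {"invited": [], "rejected": []}
    for row in rows:
        ok, reason = validate_row(row)
        if not ok:
            result["rejected"].append((row.get("email", ""), reason))
            continue
        url, headers, body = build_admin_request(row, org_id, network_id, api_key)
        status, _ = post(url, headers, body)
        email = json.loads(body)["email"]
        if status in (200, 201):
            result["invited"].append(email)
        else:
            result["rejected"].append((email, f"HTTP {status}"))
    return result


def fake_post(url: str, headers: dict, body: str) -> Tuple[int, str]:
    """Offline stand-in for requests.post(url, headers=..., data=body)."""
    if "X-Cisco-Meraki-API-Key" not in headers or not url.endswith("/admins"):
        return 401, ""
    return 201, body


if __name__ == "__main__":
    print(invite_from_rows(SAMPLE_ROWS, "ORG_ID", "NETWORK_ID", "API_KEY", fake_post))
```

Two design points: the API key never comes from the sheet (keep it in the script runner’s secret store, not in a form-fed spreadsheet), and the invitation is network-scoped with `orgAccess` set to none, so a bad row can at worst create a read-only viewer of one training network rather than an org admin.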

Wireless

  • 8 m is the magic number for omnidirectional antennas with Meraki APs; above that mounting height, use patch antennas.
  • Don’t use layer 3 roaming unless absolutely needed, for example a stadium with a DHCP pool per corner (NE corner, etc.). The instructor said he’s almost never recommended L3 roaming outside a stadium or similar deployment.
  • Unless you have ancient devices, the minimum bitrate should be at least 11 Mbps.
  • Adaptive 802.11r is mostly for iOS devices, especially older ones that don’t support proper 802.11r.
  • Always enable SpeedBurst if you’re shaping clients on wireless; it gets clients on and off the air faster.
  • SpeedBurst lets a client exceed its allowed bandwidth by up to 10x for 10 seconds per interval; no data on what that interval is.
  • Meraki like their CWNP certs in the wireless space and mentioned them a few times.
  • BLE settings are now called IoT settings, because marketing.
  • Trusted Access: on Meraki APs you can push Wi-Fi certificates to devices without an agent, via self-registration on an HTML page. It requires WPA2-Enterprise with Meraki authentication, not ISE or a customer on-prem RADIUS server.
  • Meraki splash pages accept custom HTML.
  • AP firmware upgrades can now be staged so that adjacent APs aren’t upgraded at the same time (called ‘groups’). MR 26.8 or higher is required.
  • A WLAN PCI reporting tool exists now, under Wireless > PCI report.
  • You can also run a PCI self-assessment to produce a compliance report in the Meraki dashboard.

Switching

  • For port channels, tag the member ports with something like ‘PO’ or ‘bonded’ so you can filter on the tag instead of sorting through hundreds of interfaces to tick two boxes and click Aggregate.

VMX

  • The only officially supported use case for the vMX is a one-arm VPN concentrator.
    • One motivation is avoiding per-IP charges in Azure/AWS.

MX

  • Beta MX firmware does MITM SSL inspection (the MX terminates TLS and re-signs it with its own CA, which clients must trust). It’s a massive CPU hit; they were talking in the ballpark of 70%.
  • Umbrella integration is only in phase 1; expect it to be heavily reworked in the future, “soon”.
  • When using Umbrella, it becomes the DNS server for whatever VLANs/SSIDs you specify.
  • The MX malware protection with the comprehensive option enabled doesn’t actually download the full signature list. It looks up file hashes dynamically and caches the results, so once you turn it on it will be slow for a ‘bit’. The instructor didn’t specify how long a bit is.
  • Apparently AMP blocked WannaCry from the start, so barely any Meraki customers were affected.
  • There is an option to spin up a backup VPN concentrator on a second MX, but you need to contact support to enable it.

MDM

  • Use the default profile instead of the Apple- or Android-specific profile. The specialist profiles have different options and defaults, and unless you specifically need them they are more trouble than they are worth.
  • Containerisation between work and personal apps/data isn’t on by default, for whatever reason.
  • Apps can be restricted to Wi-Fi only, so they won’t run over cellular, to preserve mobile data.

Video

  • When viewing cameras from the local network, the video doesn’t traverse the Internet.
  • When remote, video streams go via Meraki servers, so if multiple people are watching, the remote site sends a single stream up to Meraki and Meraki fans it out from there.
    • The example they used: if there was theft at a remote mining site (PNG, Brazil) with poor Internet, multiple parties watching the video remotely wouldn’t overwhelm the site’s bandwidth.
  • Meraki offer a low-voltage adapter that delivers PoE over coax for companies with existing coax security camera cabling who don’t want to, or can’t, re-run cable. The total solution would be PoE over coax plus wireless cameras.