What is our primary use case?
Meraki MX is great for WAN networking, e.g., when you have multiple ISPs at one site or you have a large network that expands across a large physical area, like across a state or county. You use it to have a seamless VPN that you are not managing on devices, or if you have a client VPN that needs to be easily integrated into the firewalls.
Our use case is anywhere from a 10-person company to a full-level enterprise, like a 1000-person company. You can use Meraki MX at any sort of level. They have different models, including for home use for remote workers.
We only sell Meraki. As we get new clients, we switch them over to Meraki. A requirement that we have: If you are a recurring client, then you need to have Meraki MX because it is where we get our ISP data from. We are going to grow. We actively manage 40 organizations on a day-to-day basis as well as another 40 organizations/companies where we work with one-offs. Overall, close to 70 clients will have Meraki devices.
We are a managed services provider (MSP). I have it at my house. Then, at our headquarters, we have an MX100.
Meraki doesn't have any on-prem stuff for software. We have a local portal for their network stuff, but they are exclusively managed online through a cloud portal.
We are using Hosted ESA.
How has it helped my organization?
Meraki makes it easy to be secure and know where the holes are to fix them. We have been fixing anything that we have ever found for 20 years. We keep up-to-date with firmware upgrades. We just try to stay on top of everything for security, like maintaining updates and getting rid of old systems. I feel like we're on top of it. We are a mature organization in that regard; we are like a spry, almost middle-aged man.
They are integrating with SecureX and have some built-in security alerts that work with Cisco AMP for antivirus. They give us visibility where they need to and don't overstep. I like it when Meraki MX focuses on routing and what a firewall traditionally is, like antivirus and anti-malware. I don't know how much more Meraki MX needs to be doing with that. I understand they are a firewall, but firewalls are for routing, not for the base layer.
I check something in Talos normally seven times a day. When I am working a normal day, I get new IPs or domains to review. Talos also feeds directly into Perch, AMP, and so many things. We rely heavily on Talos. I know they feed into Meraki MX as well. So, Talos is wonderful, and we could not do our job without them.
Meraki has always made our security posture better. It has always given us more visibility in general. It has also made it easier to secure our network. For example, if you compare learning the Meraki certificate to the Cisco CCNA certificate, the Meraki certificate is about a third of the difficulty of the CCNA cert. So, the barrier to entry to manage Merakis is lower in IT than the barrier to entry to manage Cisco ASAs. The learning curve matches that.
What is most valuable?
The site-to-site VPN is really good. It keeps us going when we expand clients. We can just say, "Wherever you are, we can put you behind the same firewall or pipe your traffic somewhere." It is very easy to set up.
The web console for managing everything keeps everything on Meraki and keeps us from going somewhere else. It is why I think a lot of people like Meraki. Comparing it to SonicWall or even a different Cisco firewall, like traditional ASAs, managing Meraki is a thousand times easier because of fluidity. You don't have to rebuild a table just to change one rule. It's much more readable for a human. All of that ASA stuff and command line are great when you know how to use the command line and have worked on it for five years. However, if we are trying to train new people who are more used to a GUI on Windows, then Meraki will be a lot easier for everyone to learn, and even for salespeople to get data from it. It's better for the human environment and the human part of all of this.
Webex and Meraki kind of work together. That is the whole layering thing. Webex is for your team collaboration. We use analytical data from Webex Control Hub and Meraki to figure out issues with calls. We have to route it the right way, then figure out if the ISPs are giving us packet loss. Almost anything that goes out to the Internet works 100 percent with Meraki, because you have to troubleshoot the ISP, and Meraki is how you do that.
Meraki MX integrates stuff fairly well. We get the data we want out of it.
What needs improvement?
There is not a lot of configurability for the notifications and alerts in Meraki. There are a lot of alerts to choose from, but no matter how you set them up, they are spam.
When we do API integrations with Meraki, they have always been hard as well as tedious to build. The data that we want out of the API integrations has only recently become available. Six months ago, it was hard to get someone to build something correctly or useful with Meraki APIs. Recently, they have made more data available on the API, but it is just a start. They need to do more.
There needs to be some improvement on the client VPN. They have been promising AnyConnect for years. Right now, they have only a handful of their device list able to support AnyConnect for the client VPN. So, the client VPN and API are where they need to refine stuff. Non-Meraki VPN clients are a problem where you have to share a whole subnet and more than one IP, which is not ideal.
For three years, we have heard that they have been working on AnyConnect. Only within the last year have we seen possible betas on limited sets of devices for AnyConnect. It has become hard to believe, "We will see this in six months." They are working on it, but we need this already, which is a problem.
We use several automation tools, but almost nothing does automation with Meraki the way that we want. We are currently working with SolarWinds MSP/N-central and possibly Symmetric to get more of an API management tool. As an MSP, I set up SAML certificates that are all the same across our 80 organizations in Meraki. That lets us manage them all from one console, which is great, but we still need to go make changes individually. So, we are trying to get to where we have an automated tool that can make changes for multiple organizations or firewall settings at the same time.
We use Meraki MX for harmonizing policies and enforcement across heterogeneous networks, but it is tedious. If you have four sites and all of them are behind their own firewall, then none of them are piping the Internet back to the same central site. They are all branch networks but have their own access to the Internet. Anytime you change one branch's MX, you have to make the same change on every MX manually. There is no replicated change between MXs.
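The "change it on every MX by hand" problem described above is exactly what the Dashboard API is for, even if the reviewer's tooling did not cover it yet. The Python below is an added example, not the reviewer's or Meraki's code: it pushes one L3 firewall rule (a deny for an address pulled from a Talos review, in the spirit of the daily IOC triage mentioned earlier) to every network in an organization that has an MX, and it is idempotent, so re-running it is safe. It assumes the Dashboard API v1 endpoints named in the docstring (organization network listing, and the per-network appliance L3 firewall rules GET/PUT, authenticated with the X-Cisco-Meraki-API-Key header) and that the trailing "Default rule" returned by GET must not be sent back on PUT. The organization and network ids, the network names, the existing SIP rule and the blocked CIDR 203.0.113.7/32 (a TEST-NET-3 address, not a real indicator) are constructed sample data served by an in-memory stand-in so that the script runs offline.

```python
"""Push one MX L3 firewall rule to every appliance network in a Meraki organization, idempotently.

Added example. Assumed Dashboard API v1 surface (verify against current docs before use):
  GET /organizations/{orgId}/networks                      -> [{"id", "name", "productTypes", ...}]
  GET /networks/{netId}/appliance/firewall/l3FirewallRules -> {"rules": [..., <"Default rule">]}
  PUT /networks/{netId}/appliance/firewall/l3FirewallRules   body {"rules": [...]} without the default rule
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

BASE_URL = "https://api.meraki.com/api/v1"
# A caller takes (method, path, json_body) and returns the decoded JSON response.
Caller = Callable[[str, str, Optional[dict]], Any]


def dashboard_client(api_key: str) -> Caller:
    """Minimal stdlib HTTP caller for the real Dashboard API (not exercised in the offline demo)."""
    def call(method: str, path: str, body: Optional[dict] = None) -> Any:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            BASE_URL + path, data=data, method=method,
            headers={"X-Cisco-Meraki-API-Key": api_key,
                     "Content-Type": "application/json", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None
    return call


# Fields that make two rules "the same" regardless of comment or syslog flag.
RULE_KEY_FIELDS = ("policy", "protocol", "srcCidr", "srcPort", "destCidr", "destPort")


def rule_key(rule: dict) -> Tuple[str, ...]:
    return tuple(str(rule.get(f, "Any")).lower() for f in RULE_KEY_FIELDS)


def is_default_rule(rule: dict) -> bool:
    # Assumption: Dashboard appends the implicit allow-all with this comment on GET.
    return rule.get("comment") == "Default rule"


def merge_rule(existing: List[dict], new_rule: dict) -> Tuple[List[dict], bool]:
    """Return (rules to PUT, changed). Strips the default rule; prepends new_rule if not present."""
    explicit = [r for r in existing if not is_default_rule(r)]
    if any(rule_key(r) == rule_key(new_rule) for r in explicit):
        return explicit, False
    return [new_rule] + explicit, True   # a deny goes first so no earlier allow can match the traffic


def sync_rule(call: Caller, org_id: str, new_rule: dict, dry_run: bool = True) -> Dict[str, bool]:
    """Apply new_rule to every network that has an appliance; returns {network name: changed}."""
    results: Dict[str, bool] = {}
    for net in call("GET", f"/organizations/{org_id}/networks", None):
        if "appliance" not in net.get("productTypes", []):
            continue   # no MX in this network, nothing to push
        path = f"/networks/{net['id']}/appliance/firewall/l3FirewallRules"
        desired, changed = merge_rule(call("GET", path, None)["rules"], new_rule)
        if changed and not dry_run:
            call("PUT", path, {"rules": desired})
        results[net["name"]] = changed
    return results


# Constructed rule: block an address flagged during a Talos review (TEST-NET-3, not a real IOC).
BLOCK_RULE = {"comment": "Block Talos-flagged host", "policy": "deny", "protocol": "any",
              "srcCidr": "Any", "srcPort": "Any", "destCidr": "203.0.113.7/32", "destPort": "Any",
              "syslogEnabled": True}


class FakeDashboard:
    """In-memory stand-in with constructed sample data so the example runs offline."""
    DEFAULT = {"comment": "Default rule", "policy": "allow", "protocol": "Any", "srcCidr": "Any",
               "srcPort": "Any", "destCidr": "Any", "destPort": "Any", "syslogEnabled": False}

    def __init__(self) -> None:
        self.networks = [
            {"id": "N_1", "name": "Branch A", "productTypes": ["appliance", "switch"]},
            {"id": "N_2", "name": "Branch B", "productTypes": ["appliance"]},
            {"id": "N_3", "name": "Wireless only", "productTypes": ["wireless"]},
        ]
        sip = {"comment": "Allow SIP to PBX", "policy": "allow", "protocol": "udp", "srcCidr": "Any",
               "srcPort": "Any", "destCidr": "10.9.0.0/24", "destPort": "5060", "syslogEnabled": False}
        self.rules = {"N_1": [sip, dict(self.DEFAULT)], "N_2": [dict(self.DEFAULT)]}
        self.puts: List[Tuple[str, dict]] = []   # every write is recorded for inspection

    def __call__(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        if method == "GET" and path.endswith("/networks"):
            return self.networks
        net_id = path.split("/")[2]
        if method == "GET":
            return {"rules": self.rules[net_id]}
        self.puts.append((net_id, body))
        self.rules[net_id] = body["rules"] + [dict(self.DEFAULT)]   # Dashboard re-appends the default
        return {"rules": self.rules[net_id]}


def demo(dry_run: bool = False):
    fake = FakeDashboard()
    first = sync_rule(fake, "ORG_1", BLOCK_RULE, dry_run=dry_run)
    second = sync_rule(fake, "ORG_1", BLOCK_RULE, dry_run=dry_run)
    return fake, first, second


if __name__ == "__main__":
    dash, run1, run2 = demo()
    print("first run:", run1)    # both branches changed; the wireless-only network is skipped
    print("second run:", run2)   # nothing to do: the rule is already in place
```

Against a real tenant, replace the FakeDashboard instance with dashboard_client(api_key), run once with dry_run=True to see which networks would change, then run again with dry_run=False. Loop the same call over each organization id to cover all 80 organizations, and add back-off on HTTP 429, since the Dashboard API is rate limited per organization.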
For how long have I used the solution?
I have been using the Meraki firewall since day one of working with Liberty Technology, which has been almost three years. Liberty Technology has been using Meraki for closer to 20 years.
What do I think about the stability of the solution?
Client VPN is the only unstable thing that we have found.
When we need to re-audit firmware updates for a bunch of clients, that takes 10 people. Day-to-day, zero to one person maintains it.
What do I think about the scalability of the solution?
It is very scalable.
For active security, we have about 15 to 30 security tools, like XDRs and firewalls. There are a lot of things that we need secured. We have physical doors, email, networking equipment, phones, and Windows devices, like physical machines. If you just go down the list of hosts, those take different types of security, like hosts for VMs. So, if you layer that, then you have layers of security where these are your base layer. Then, on top of that, you start layering on authentication protocols, like your domain controllers, authentication, LDAP, or wherever you want to have your directory live. We have a few places where our directory can live and switch between. There are different security setups depending on what we want to fallback to or actively use.
Everyone accessing Meraki is either IT personnel or serving an IT personnel goal. There are also some salespeople who go over inventory, billing, and procurement on the sales side. Anyone in security and working on the network in general can access Meraki. Anyone between the IT director and our front-line IT staff can access Meraki to do something in it. There are different thresholds at which those people do different things. Tier 1 will just go look and make sure something is connected. Tier 3 will go make sure that things are set up correctly and change things if needed. Engineering will look at an issue if it gets escalated beyond that. That is your normal, typical IT stuff.
How are customer service and technical support?
Most of the time, the technical support works out. One in seven times, I will get a tech working the case where I close the ticket, then reopen it. Every once in a while, you are just going to run into someone who doesn't know what is going on or doesn't have enough sense to escalate it. Both of those situations are concerning when we run into them. It doesn't happen too much with Meraki. Sometimes, it is a language issue, or you get someone who is in the wrong mindset to fix your issue. If you have an extremely urgent issue, you don't want them to be like, "Hey, I don't know. I don't feel confident." Or, the person already said something, then is second-guessing themselves. However, this is not the norm.
We were looking at CDO for a while. I don't really know what happened there, but the talks stopped all of a sudden, which isn't uncommon for us with Cisco. We will be looking at a product, then they won't get back to us or I won't hear about it again.
Which solution did I use previously and why did I switch?
A medical provider had a terrible network going in. We swapped out all their old solutions: Fortinet switches and SonicWall firewall routers. The SonicWall firewall routers' user interface feels as if, with anything you do, you could be lost the next second. You don't feel like it is stable. It is very clunky and slow. So, we switched that out, and instantly saw, "We have loops here and bad traffic going this way." We started getting analytics on how we needed to route the network better and where we needed to put actual physical drops. They had a cable between two switches that should have been an aggregate cable or aggregate port, and it wasn't. It was just an Ethernet cable that was piping about half or a third of their organization's network, which was terrible.
A big deal with Meraki MX is phone systems. If you have to maintain a phone system with a Cisco ASA, it is a lot harder than maintaining it with a Meraki switch due to the malleability of the Meraki switch, firewall, and router, because you have to communicate with the phone gateway, and that all comes back on the Meraki firewall.
Usually, the military uses Palo Alto. I might have used Palo Alto at a different job, not this one. My experience with Palo Alto will be similar to any Cisco ASA device. The GUI is not there. You have to do everything with the command line as well as rebuild access tables. That is the only way to modify those things, which is not fun. It is not something that anyone wants to learn or go do. It always has that extra level of effort. Meraki MX removed that.
Maintaining firewalls will never be joyful, but Meraki has made the quality of life for someone who has to maintain a firewall much better.
How was the initial setup?
The initial setup is straightforward. When we are rolling stuff out, it is always fine. When we have redundancy or multiple networks to configure, that takes time and is tedious. However, the setup itself is not complex. There is plenty of documentation on it.
There are two schools of thought on implementation strategy:
- We clone out from a very similar organization, then try to mirror it and switch the hardware, e.g., the actual inventory in the organization.
- We build a new org from the ground up. If it's a small organization, then we just throw Meraki in, and we are good. I find it is easy. There is a standard practice that we are developing. It is so easy that once you have done it once, then you can train someone the first time that they do it. It wouldn't be something you would need documentation to reference, because of how simple it is. It takes one to three hours to set up. If it is a larger organization, then we will take three hours and refine things. If it is one site, then it is about an hour, just to make sure we are not screwing anything up.
What about the implementation team?
For Meraki MX, it takes just one person to set it up. If we are training someone, then it takes two people.
What was our ROI?
The ROI comes from when we switch out phone systems. If you had an AT&T phone system, but switched out to your own Meraki gear and phones, then you would see a giant bill reduction getting off that AT&T contract. This includes your ISP and phones because you don't know what is hidden in that contract.
Anytime you are working on a very large, physically-wide network, like statewide or countywide, you want it for bandwidth data, unless you have unlimited bandwidth.
What's my experience with pricing, setup cost, and licensing?
Like any Cisco product, the license is really expensive for small business clients. It needs to be cheaper. If you look it up, you might go, "That doesn't make any sense."
If you want good security, this solution is what you need. It is worth it, even though it is expensive. I do think they should really look at making cheaper options, and not making people who already have the hardware find new hardware to get a cheaper option.
Which other solutions did I evaluate?
We are always evaluating new products, and this includes MFA. There are multiple types of MFA that we employ for different services. It's not like everything uses every product. It is that there are layers, like your email is probably behind five to six layers of security or different products that you don't even know about.
I have very little experience with Fortinet. Fortinet has almost a home-network-style GUI, where you don't have a consolidating console for your whole organization. Fortinet does not have a solid cloud console. Meraki's cloud console and interface are just so sleek, and they work. I know where to get the data out of the solution now. It saves everyone time and makes them feel better when looking at something. Meraki has already won the race, but I feel like they have kind of stagnated. They just need to keep going, making every bit of data that they have accessible within one API call or having very clear directions on what to do to get that data. That is not there anymore. It used to be. They were going in that direction, then they stopped. Meraki is good and has a better GUI than anyone else, but they need to get more data visibility in there.
What other advice do I have?
Duo Security integration is fantastic and really shines, but that is really on the Duo Security team for putting it all together. Cisco AMP integration is lackluster: it is doing something, but we don't see a lot of what it's doing.
When you use Meraki with an XDR, then you get a lot of good data that way. When you have options to get Meraki for port mirroring with a good XDR, then you will get a lot of data. So, its integration is very good. However, your base insights from Meraki will not come from Meraki itself. You have to integrate Meraki MX with an XDR or Stealthwatch NetFlow analysis. Meraki MX struggles to give you the alerts for data it already has.
Meraki is very future-proof. They are ahead of the curve, but they have slowed down. So, they might average out to where some people will catch up. However, they are so far ahead on where I believe people are going that it is hard to see sometimes.
The ease of use and learning curve are a big deal because you will always have turnover in IT that you have to deal with. The best thing you can do is make something easier for newer people to get into, maybe not some of the more complex things that you can do with Meraki. The big lesson learnt: I don't have to spend days training someone up in Meraki. They can do it pretty quickly in a day themselves.
I would rate this solution as a nine out of 10.
Which version of this solution are you currently using?
MX64 and Z1