Meraki Equipment Opinion

Burner27

Hey all,

I started another thread regarding pfSense vs Sophos vs Meraki which has brought up an interesting question for me. I would like to get anyone's/everyone's opinion on Meraki gear. What has your experience been? Do you feel comfortable with cloud management? Do you feel it is a secure device? Does it perform well? Do you think it is better/worse than open source routers? Or anything else you might want to say about it. I don't want to talk about their absurd licensing scheme or how, if you don't keep a current license, your devices become bricks--I already know that part.

So.......Fire AWAY!!!!

and thanks!
 
Hi Burner27 -

I'm quite experienced in Meraki and can offer some information. I think this is a fair question, and I hope it leads to valuable discussion to help inform your decision/opinion. I think open-source routers and a closed source enterprise platform both have their places within specific markets, or company sizes. Additionally, the business use-cases will factor in.

With that being said, a cloud-based approach is amazing for the customers it works for, but it doesn't work for all. Additionally, it depends on which platforms we are talking about. Do you want to discuss their MX (Security Gateways), MS (switches), or APs? VoIP phones or cameras? I'll assume you're talking about MX appliances since you are looking vs. Sophos or pfSense. The management of the appliances is essentially all done through dashboard, meaning, their "cloud management interface". This means that the management VLAN membership for the device(s) will need outbound access. So your security restrictions will start there. Do you want them to be on a VLAN that has unfettered WAN access? I always recommend people to create a VLAN for this management and give it ONLY the access dashboard needs:

https://documentation.meraki.com/zG..._Topics/Firewall_Rules_for_Cloud_Connectivity

Additionally, Meraki is flat out awesome with the SD-WAN and VPN solution they offer. It's incredibly simple to set up and manage. There are lots of aspects to weigh here. If we are just talking for home use, I can't fathom shelling out the dough because I don't have a use for most of the stuff they offer for my home internet/wireless.

However, if I'm getting free gear:
then I would definitely use it. I have 2x MS-220P switches, an MX64, MR33, and an MR30H for access points.

If I'm running a consulting business and I'm reselling gear and I have limited manpower to replace equipment and skillsets and want to easily manage all the customer's devices, or give them access for visibility, quick swap and replacements, etc... Meraki is hard to beat.

I'm curious to hear what others will write up in response as well, so I'll open the discussion for others so we can have a bit more dialogue.
 
I don't have an issue with cloud managed; what I don't like is if you lose access to your admin portal, you're screwed. This is trouble for the MSP industry with clients moving around to different providers.

As far as the equipment, I love their switches, easy to config and manage. AP's and firewalls can be a bit wonky but are solid hardware typically.

There are some limitations like no pvst but that will likely come soon.
 
Very true, but convergence should still occur in a timely fashion. MSTP is also not supported.

 
It does, but sometimes people want to get into creative routing for individual VLANs.

Can you give an example where this limitation has played out? Trying to wrap my head around why STP and routing would be related based off what I'm picturing in my head.
 
Cmustang87: I got a free MX64 w/3yr Advanced Security license on it. Work will pay for re-upping that license when it expires. My initial thoughts centered around security. With the onslaught of emerging threats nowadays, does pfSense have what it takes to combat that? Same question to Meraki as well. Equipment wise-Meraki doesn't tell you what their hardware is comprised of. I will primarily be using it at home to become familiar with it as we are deploying these for several clients. It helps to know the product you recommend. I also received an MR33 w/3yr license for attending another webinar. I like free stuff....

The only thing I am not happy about is I am capped. I pay for 300/20 service, but the MX64 limits me to 250/20. With pfSense, I easily get 350/24 service. May not seem noticeable on uploads but downloads take a big hit. I knew that going into this by using the Meraki, but it always sticks in the back of my mind. I guess what I am asking (opinion poll) is "would you sacrifice 100Mbps download by using the Meraki?"
 
Burner27 - Sounds like you got a nice starting set of Meraki equipment to work with, but you'll have to decide if the loss of internet throughput is worth the convenience. If you would be fine at 250/20Mbps, then there's no shame in calling your ISP and downgrading to save some money, otherwise you will just be overspending for bandwidth you can't process. The Meraki 250Mbps throughput is only if in passthrough. If it is operating in NAT mode (most likely true at home :)) you are limited to 200Mbps: https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf

I'm not really a tinkerer when it comes to my home perimeter firewall, so Meraki is a good choice for me. However, I also don't need more than 200Mbps of service - I only pay for the lowest fiber in my area 80/20, even though I can get gigabit. If you want more speed and you like tons of "nerd knobs", you can't go wrong with a pfSense. However, you'll need to be ready to do the work and research in the event you need to change something, or add/remove rules, etc. on the open-source. The cost of running the hardware is also a consideration.

I honestly think it comes down to personal preference for the house. But, for a business, I would recommend Meraki 50 to 1 over an open-source platform.
 
I have played with pfSense for years and I do, on occasion, have to google things to find out how to do them. So I am not against doing that. In terms of power, the Meraki uses ~10w of power according to their specs. The pfSense box I have averages ~35w, so yeah there is an electrical savings as well. The machine I built for pfSense, although it is way overkill, is made from high end parts (my thinking was to make it overkill to handle any additional features I want to turn on and not get bogged down). If the pfSense box is still able to handle modern threats (I am assuming since you didn't say otherwise that it is) I will use that instead. In my household, there are a lot of family members that are 'bandwidth hogs' and since I work from home I too need the ability to do my job without getting interfered with. I do thank you for your expertise and advice on this.
 
Yea, I forgot to ask what you meant by modern threats, I assume you mean like IDS/IPS and gateway antivirus/malware?
 
Yes, exactly. I think pfSense does IDS/IPS (not sure if I would need that at home). I don't think it does gateway AV/Malware. I know Sophos does both and I think Meraki does Malware/IDS/IPS--correct me if I am wrong there.
 
Meraki uses Snort for their IPS engine, and the rest of the Meraki features you will have since you have Advanced Security:

upload_2017-7-12_10-2-38.png
 
See -- something I overlooked......LOL Thanks for that! I don't see HAVP as a package though.
 
I'm not a pfSense expert, hopefully someone else can help there - but I don't think you'll see any pop their heads in a Meraki equipment thread! :D
 
It is actually something different now. I saw it in the included packages. Good now.
 
This is the pfSense box:

I7-6700K
Gigabyte GA-Z170N Gaming 5 mobo
16GB DDR4-2400
256GB Intel 6 m.2 SSD
Intel Pro1000PT dual NIC
 
So yeah, I think either of those boxes is a waste of resources. I will just suck it up and use the Meraki. My electric bill will probably thank me too.
 