Meraki, from zero to full stack and expansions.

My name is Tim Roberts. I have been in the IT field for approximately 20 years now in various roles, from helpdesk and application support to network, telecom and systems administration and more. I have worked in multiple industries, from big pharma to education to financial and more. Currently I am the IT Network Coordinator at Environmental Products and Services of Vermont/Miller Environmental Group, essentially emergency services on a larger scale for anything from chemical and biohazard to non-hazardous waste and more.

When I first started at EPS of VT, the network was a ‘hot mess’: some branches were on the WAN, some correctly configured and some not, and others had to use Citrix to reach files in the central IT office in Albany, NY. Some branches had no access other than email, while some at least had Cisco routers in place connecting back to an old ASA. Most branches had a mix of consumer-grade or badly outdated wireless APs for wifi access, but nothing central or even managed.

We are now essentially ‘full stack’ Meraki.

My first big project, back in the fall of 2016, was to ‘fix’ all the issues and build a single remote access solution by replacing the aging and soon-to-be EOL/EOS Cisco gear. Our answer to this was Cisco Meraki. We started on the IT side by upgrading our core routers to an HA pair of two Meraki MX84s, along with a central access switch (an MS320-48) and a secondary IT switch (an MS220-8). We also added 3 MR32 APs, which started off our managed wifi solution. From there we moved to the then corporate office in Syracuse, NY and added an MX65, another MS320-48 and 2 MR32 APs. This at least linked IT and corporate; from there we added multiple other branches up and down the US continental east coast, replacing the aging Cisco routers with more MX65s paired with MR32s, or with Z series gateways. Once we had them all replaced, we moved from the old ASA as primary router to the MX84s and also rolled out the VPN to all employees with laptops for remote access off premises.

[Diagrams: Corporate pre-Meraki; Corporate post-Meraki]

[Diagrams: IT branch pre-Meraki; IT post-Meraki, phase 1]


About a month after the initial deployment completed, our main Citrix environment was hit by a ransomware attack. Thankfully the MX stopped the spread to other servers thanks to AMP, but the Citrix environment itself was essentially taken down, with the farm infected (old AV solution), so we used the opportunity to bring the remaining handful of branches onto the WAN and off Citrix by rapidly deploying more MXs or Z series units to those branches.

Since 2016 we have had quite a few changes, up until recently:

  • We have used Meraki’s ability to use multiple WAN ports to add extra speed and redundancy to branches by pairing different ISP connections, and have also deployed USB modems a few times so that branches with only one ISP available could stay online during ISP outages.
  • We worked up an out-of-the-box solution to an odd situation …… we used a combination of the Meraki Z3C series AND Cisco Webex Teams phones to build an essentially “always on” mobile command center for disaster spills. They drive the command center to the spill site and, using the cellular connection of the Z3C, connect back to the network over the VPN tunnel to access files, data and apps on the network while in the field, yet also have the ability to take and make calls from there using a Cisco Webex Teams phone with a dedicated DID and 4-digit dialing extension.
  • VIPs were able to get Z series routers for their homes so they could connect to the single employee ‘wireless’ network, making their home office an extension of their branch with minimal fuss.
  • As we switched our field technicians from flip phones to smartphones, we used Systems Manager to deploy, track and manage all of their smartphones, from adding ‘backpack files’ to pushing apps and policies, including their ability to use the guest wifi network.
  • We consolidated all the disparate wifi networks into one single managed employee hardware network and a guest network for employee mobile devices or visitors, all centrally managed through Meraki.
  • We had to stand up a new branch that had no actual location yet (we were still waiting on a building lease, etc.), so we were able to send the MX and MR for the branch, along with more Cisco Webex Teams phones, to the new manager and employees so they could essentially ‘work’ out of another branch but be on their own new network, pending an actual building.
  • Linked up the additional space in an expansion of the Syracuse, NY branch by adding a smaller MS220 with an MR33 to give them wired and wifi connectivity, running cabling back to the MS320 already in place.
  • Dropped static IPs at most branches and moved to DHCP, which gave us cost savings at the branches where we had to pay extra for the static IPs.

[Diagrams: IT post-Meraki, phase 2; IT post-Meraki, phase 2 expansion]

At the end of 2019, a couple of days before New Year’s Eve, EPS of VT was purchased by Miller Environmental Group (MEG), and Meraki came into its own yet again for us. MEG was a much more organized business than EPS of VT had been when I started there, but MEG had old Cisco ASAs at various branches which linked back to their corporate office in Calverton, NY. The new project as of 2020 has been to link all the branches at both ‘legacy’ EPS of VT and ‘legacy’ MEG into one new company. We put a new head-end MX100 into Calverton, used it to link to the HA-paired MX84s in Albany, and deployed new MX67s to the MEG branches, or in some cases repurposed existing MXs and Z series units (some branches consolidated) as needed. In the past two months we have worked to link virtually every single branch in both domains together, so we can now co-exist as one larger new company, all using Meraki networking. This has also given the MEG side and the EPS of VT side one single platform to mesh and manage all networks, wired, wifi and otherwise.

[Diagram: EPS of VT/MEG mesh]

Our combined network across all branches up and down the east coast now has the following list of devices:

  • 1 x MX100
  • 2 x MX84
  • 4 x MX67
  • 13 x MX65
  • 1 x MX64
  • 2 x MS320-48
  • 2 x MS220-8
  • 5 x Z1
  • 3 x Z3 (2 are Z3C)
  • 20 x MR series APs

There are multiple benefits for us in having Meraki, from:
  • Notifications of service outages when an ISP goes down at a location, so we can proactively call those branches and work with them and the local ISPs to mitigate the issues.
  • The ability to prioritize traffic and services using the SD-WAN capabilities.
  • Using AMP and the Security Center to track issues, even retroactively where malicious content may have bypassed the filtering initially, but is noted so we can follow up later on.
  • Managing all locations up and down the east coast, from New England down through the mid-Atlantic region all the way to Florida and Alabama, and updating equipment without having to go on site, even for hardware swaps.
  • Tracking employee network use, reporting anything anomalous or suspicious, or confirming work is being done and spotting other possible issues like ISP bottlenecks and the need to increase bandwidth at a location whose workload has outgrown its existing connection.
  • Performing remote cable tests to identify dead or bad cables between the access layer switching and end-user equipment.

Our only issues over these past 4 years of using it at EPS of VT/MEG are:

  • Occasionally, Windows Updates break the VPN connection we set up. There is no dedicated VPN client for Meraki, so when the Microsoft Windows security settings for networking get patched, they override the settings you have configured for the Meraki VPN connection, and then you have to update them again.
  • They added training: the CMNO, which is now the ECMS 1, is available if you sign up for a class, BUT the ECMS 2 is ONLY available at 3 or 4 specific global locations. With all the links they have to Cisco, they don’t have ‘distance’ learning for the 3-day ECMS 2 course, and it’s almost invite only after sign up.
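The VPN issue above comes down to settings drift on the Windows built-in VPN profile. As an added example (not from the original post, and not a Meraki or Microsoft tool), here is a PowerShell check an admin can run after a patch cycle to confirm the profile still matches what Meraki client VPN expects (L2TP over IPsec with a pre-shared key, PAP user authentication inside the tunnel, and the NAT-T registry value for clients behind NAT). The profile name is a placeholder, and the expected values are assumptions taken from Meraki's published Windows setup guidance rather than from this post:

```powershell
# Added example: verify a Windows VPN profile for Meraki client VPN has not drifted.
# Assumes the profile was created as L2TP/IPsec + PSK with PAP (Meraki's documented Windows setup).
$ProfileName = 'Meraki Client VPN'   # placeholder: use the profile name you deployed

# Expected profile settings (assumption based on Meraki's Windows client VPN guidance)
$Expected = @{
    TunnelType           = 'L2tp'
    AuthenticationMethod = 'Pap'
    EncryptionLevel      = 'Optional'   # PPP encryption is optional because IPsec already encrypts
}

# NAT-T value Windows needs when the client and/or MX sit behind NAT (Microsoft KB 926179)
$NatTKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$NatTName  = 'AssumeUDPEncapsulationContextOnSendRule'
$NatTValue = 2

function Test-MerakiVpnProfile {
    $findings = @()

    $vpn = Get-VpnConnection -Name $ProfileName -ErrorAction SilentlyContinue
    if (-not $vpn) {
        return @("Profile '$ProfileName' not found; it may have been removed.")
    }

    if ($vpn.TunnelType -ne $Expected.TunnelType) {
        $findings += "TunnelType is '$($vpn.TunnelType)', expected '$($Expected.TunnelType)'."
    }
    if (@($vpn.AuthenticationMethod) -notcontains $Expected.AuthenticationMethod) {
        $findings += "AuthenticationMethod is '$($vpn.AuthenticationMethod -join ',')', expected '$($Expected.AuthenticationMethod)'."
    }
    if ($vpn.EncryptionLevel -ne $Expected.EncryptionLevel) {
        $findings += "EncryptionLevel is '$($vpn.EncryptionLevel)', expected '$($Expected.EncryptionLevel)'."
    }

    $natT = (Get-ItemProperty -Path $NatTKey -Name $NatTName -ErrorAction SilentlyContinue).$NatTName
    if ($natT -ne $NatTValue) {
        $findings += "$NatTName is '$natT', expected $NatTValue (L2TP/IPsec behind NAT may fail)."
    }

    return $findings
}

$result = Test-MerakiVpnProfile
if ($result.Count -eq 0) {
    Write-Output "OK: '$ProfileName' matches the expected Meraki client VPN settings."
} else {
    Write-Output "DRIFT detected on '$ProfileName':"
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated prompt so the registry read succeeds; pushing it as a scheduled task or endpoint-management script after each update ring gives an early warning before users report the tunnel failing. If the expected values differ from what your own deployment documented, adjust the `$Expected` table rather than the logic.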
Comments
chiprs
Here to help

Nice write up Tim, excellent detail

MeredithW
Community Manager

Wow, what an excellent story @TMRoberts! Thanks so much for sharing 🙂 

van604
Getting noticed

very impressive story and successful implementation