If you could ask for any MS switch feature ...

PhilipDAth
Kind of a big deal

What would you ask for?

 

Things on my list are:

  • Systems Manager support for Meraki managed certificate based 802.1x for Windows like there is on Mac 
  • VRRP between switch stacks 
  • IP SLA based static routes like on the MX (so route gets withdrawn on ping failure) 
  • Larger ACLs (limited to 128 entries at the moment) 
BlakeRichardson
Kind of a big deal

Re: If you could ask for any MS switch feature ...

Larger ACLs: this is the one reason we didn't go with Meraki for our core routing.

When you spend huge amounts on an MS425-32 you expect it to handle more than 128 ACLs....

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
damienleick
Getting noticed

Re: If you could ask for any MS switch feature ...

Definitely:

PORT SECURITY like the Cisco CLI. (Possibility to allow 1 MAC address with a dynamic MAC address table)

This kind of configuration could prevent the installation of unwanted dumb switches or routers by customers.

Example of a CLI configuration I would really like to have in Meraki:

 

interface FastEthernet0/1
 switchport mode access
 switchport access vlan 601
 switchport port-security maximum 1 vlan access
 switchport port-security violation restrict
 switchport port-security

 

Actually no feature proposed by Meraki could help us prevent unwanted network devices:

- Sticky MAC address: not an option, too many changes, no time to manage that

- 802.1x: not an option, we don't use computers in a domain

- MAC address whitelist: not an option (same as the first)

So actually anyone who plugs a dumb switch or router into a Meraki switch, with a minimum of knowledge about IP addresses, breaks the security.

PhilipDAth
Kind of a big deal

Re: If you could ask for any MS switch feature ...

You can get pretty close.

 

[Attached image: 1.PNG]

jdsilva
Kind of a big deal

Re: If you could ask for any MS switch feature ...

I'm with @damienleick. I've had a maximum MACs feature request in for over a year...

CptnCrnch
Kind of a big deal

Re: If you could ask for any MS switch feature ...

Critical fail-VLAN

Netflow export

MACSEC

VRFs at least for the bigger boxes

 

P.S.: @damienleick Port-Security doesn't give you any more security than not handing out IP addresses via DHCP. 😋 If you want to set the bar high enough, there's nothing else but proper 802.1x. That doesn't necessarily mean you'll have to use a domain.

cmr
Kind of a big deal

Re: If you could ask for any MS switch feature ...

Better visibility of power supply states when using the models that connect to the Cisco RPS2300.  At the moment the only way of telling that it is working from either the GUI or being in front of the switch is to ... look at the lights on the RPS 🤔

 

Also the MS1xx switches should support the RPS2300

damienleick
Getting noticed

Re: If you could ask for any MS switch feature ...

Not what we want. Sticky MAC doesn't release the learned MAC if the computer is unplugged.

damienleick
Getting noticed

Re: If you could ask for any MS switch feature ...

I understand, but we have more than 5000 computers and absolutely no time to use 802.1x. Port security with dynamic MAC addresses is very useful and has been proven in our CLI network for the last 10 years.

If the customer plugs a dumb switch into our switch port and plugs two computers into the dumb switch, he's going to call us because nothing works correctly, thanks to port security. With that we can say to him "NO", a dumb switch we don't provide to you is not authorised on the network, it's a security breach.

I know it's not perfect, but this little feature does the job 99% of the time, contrary to Meraki.
GIdenJoe
Kind of a big deal

Re: If you could ask for any MS switch feature ...

- QoS priority queue
- NBAR also for better matching traffic classes in QoS policy and netflow export
- Full MSTP support
- PACL, RACL, MACACL, dACL, per user ACL (not just VACLs like we have now)
- Static etherchannel support
- Local feature debugging and status of protocols!!! (STP and STP guard states, UDLD,...)
- Trunk ports as STP edge ports
- Better control over SPAN session(s) like ingress traffic and dot1q replication

Just to name a few.

Brons2
Building a reputation

Re: If you could ask for any MS switch feature ...

You can prevent a smart switch being installed on a port by using STP Guard.

 

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Configuring_Spanning_Tree_on_Meraki_...

"If a port with BPDU Guard enabled on it receives a BPDU, the port will transition to a disabled state"

 

Of course a dumb switch could still be plugged in, but there's less you can do with a dumb switch.

 

As for 802.1x it could use any source of RADIUS.

 

I agree I would like to see a richer feature set on here, but turning them into Meraki Catalysts is not appealing to me.  We bought Meraki to get away from the Catalysts, to make our network more junior administrator friendly.  The organization doesn't want to have to hire a network engineer at every subsite.

damienleick
Getting noticed

Re: If you could ask for any MS switch feature ...

@Brons2 as I said, 802.1x is not an option for different reasons:

- computers not in a domain,

- computer is not ours

- too many partner devices

99% of the time the switches are dumb in our case, so STP Guard is useless.

I cannot imagine Meraki hasn't even thought to protect the network from dumb network equipment.

I know Meraki is not Catalyst, but port security with a max of 1 MAC address on the port, released when the port goes down, does the job 99% of the time.

Meraki is able to learn MAC addresses with sticky MAC address security, so I'm pretty sure it's not very complicated to add a task to erase the learned MAC address when the port goes down (up/down events on switch ports are logged).
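The difference argued over in this thread, as an added example (not code from any poster or from Meraki): a small Python model of an access port limited to one learned MAC address, comparing dynamic learning that is flushed on link-down with sticky learning. The class, function names and MAC addresses are constructed for illustration; drops are counted in the style of "violation restrict".

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """One access port with a secure-MAC limit; violations are dropped and counted."""
    maximum: int = 1
    sticky: bool = False               # True: learned MACs survive link-down
    secure: set = field(default_factory=set)
    violations: int = 0

    def link_down(self):
        # Dynamically learned secure addresses are flushed when the link drops;
        # sticky addresses stay until an administrator removes them.
        if not self.sticky:
            self.secure.clear()

    def frame(self, src_mac):
        """Return True if the frame is forwarded, False if it is dropped."""
        mac = src_mac.lower()
        if mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.add(mac)       # learn the first MAC seen on the port
            return True
        self.violations += 1           # extra MAC: drop and count
        return False

def replay(port, events):
    """Apply ('frame', mac) and ('down', None) events; return the dropped MACs."""
    dropped = []
    for kind, mac in events:
        if kind == "down":
            port.link_down()
        elif not port.frame(mac):
            dropped.append(mac)
    return dropped

# Constructed event stream for a single port.
EVENTS = [
    ("frame", "aa:aa:aa:00:00:01"),    # first computer plugged in
    ("down", None),                    # it is unplugged
    ("frame", "aa:aa:aa:00:00:02"),    # a different computer uses the port
    ("frame", "aa:aa:aa:00:00:03"),    # second host behind an unmanaged switch
]

if __name__ == "__main__":
    for label, port in (("dynamic", Port()), ("sticky", Port(sticky=True))):
        print(label, "dropped:", replay(port, EVENTS), "violations:", port.violations)
```

With dynamic learning only the second host behind the unmanaged switch is dropped; with sticky learning the replacement computer is dropped as well, which is the administrative overhead described above.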

 

 

 

 
