Meraki Will Never Be A Large Enterprise Solution


Thanks to a couple of recent conversations, I thought it was time to stir the wireless pot a little. First was my retweet of an excellent DNS workaround post from Justin Cohen (@CanTechIt). One of the responses I got from wireless luminary Andrew von Nagy (@RevolutionWifi):

This echoed some of the comments that I heard from Sam Clements (@Samuel_Clements) and Blake Krone (@BlakeKrone) during this video from Cisco Live Milan in January:

During that video, you can hear Sam and Blake asking for a few features that aren’t really supported on Meraki just yet. And it all comes down to a simple issue.

Should It Just Work?

Meraki has had a very simple guiding philosophy since the very beginning. Things should be easy to configure and work without hassle for their customers. It’s something we see over and over again in technology. From Apple to Microsoft, the focus has shifted away from complexity and toward simplicity. Gone are the fields of radio buttons and obscure text fields. In their place we find simple binary choices. “Do You Want To Do This Thing? YES/NO”.

Meraki believes that the more complicated configuration items confuse users and lead to support issues down the road. And in many ways they are absolutely right. If you’ve ever seen someone freeze up in front of a Coke Freestyle machine, you know how easy it is to be overwhelmed by the power of choice.

In a small business or small enterprise environment, you just need things to work. A business without a dedicated IT department doesn’t need to spend hours figuring out how to disable 802.11b data rates to increase performance. That SMB/SME market has historically been the one that Meraki sells into better than anyone else. The times are changing though.

Exceptions Are Rules?

Meraki’s acquisition by Cisco has raised their profile and provided a huge new sales force to bring their hardware and software to the masses. The software in particular is a tipping point for a lot of medium and large enterprises. Meraki makes it easy to configure and manage large access point deployments. And nine times out of ten their user interface provides everything a person could need for configuration.

Notice that was “nine times out of ten”. In an SME, that one time out of ten that something more was needed could happen once or twice in the lifetime of a deployment. In a large enterprise, that one time out of ten could happen once a month or even once a week. With a huge number of clients accessing the system for long periods of time, the statistical probability that an advanced feature will need to be configured does approach certainty quickly.

Meraki doesn’t have a way to handle these exceptions currently. They have an excellent feature request system in their “Make A Wish” feedback system, but the tipping point required for a feature to be implemented in a new release doesn’t have a way to be weighted for impact. If two hundred people ask for a feature and the average number of access points in their networks is less than five, it reflects differently than if ten people ask for a feature with an average of one thousand access points per network. It is important to realize that enterprises can scale up rapidly and they should carry a heavier weight when feature requests come in.

That’s not to say that Meraki should go the same route as Cisco Unified Communications Manager (CUCM). Several years ago, I wrote about CSCsb42763 which is a bug ID that enables a feature by typing that code into an obscure text field. It does enable the feature, but you have no idea what or how or why. In fact, if it weren’t for Google or a random call to TAC, you’d never even know about the feature. This is most definitely not the way to enable advanced features.

Making It Work For Me

Okay, the criticism part is over. Now for the constructive part. Because complaining without offering a solution is just whining.

Meraki can fix their issues with large enterprises by offering a “super config mode” to users that have been trained. It’s actually not that far away from how they validate licenses today. If you are listed as an admin on the system and you have a Meraki Master ID under your profile then you get access to the extra config mode. This would benefit both enterprise admins as well as partners that have admin accounts on customer systems.

This would also be a boon for the Meraki training program. Sure, having another piece of paper is nice. But what if all that hard work actually paid off with better configuration access to the system, and less need to call support, instead of just slightly better access to engineers? If you can give people what they need to fix their own problems without calling for support, they will line up outside your door to get it.

If Meraki isn’t willing to take that giant leap just yet, another solution would be to weight the “Make A Wish” suggestions based on the number of APs covered by the user. They might even do this now. But it would be nice to know as a large enterprise end user that my feature requests are being taken under more critical advisement than those of a few people with fewer than a dozen APs. Scale matters.


Tom’s Take

Yes, the headline is a bit of clickbait. I don’t think it would have had quite the same impact if I’d titled it “How Meraki Can Fix Their Enterprise Problems”. You, the gentle reader, would have looked at the article either way. But the people that need to see this wouldn’t have cared unless it looked like the sky was falling. So I beg your forgiveness for an indulgence to get things fixed for everyone.

I use Meraki gear at home. It works. I haven’t even configured even 10% of what it’s capable of doing. But there are times when I go looking for a feature that I’ve seen on other enterprise wireless systems that’s just not there. And I know that it’s not there on purpose. Meraki does a very good job reaching the customer base that they have targeted for years. But as Cisco starts pushing their solutions further up the stack and selling Meraki into bigger and more complex environments, Meraki needs to understand how important it is to give those large enterprise users more control over their systems. Or “It Just Works” will quickly become “It Doesn’t Work For Me”.

There’s No Such Thing As Free Wireless


If you’ve watched any of the recent Wireless Field Day presentations, you know that free wireless is a big hot button issue. The delegates believe that wireless is something akin to a public utility that should be available without reservation. But can it ever really be free?

No Free Lunches

Let’s take a look at other “free” offerings you get in restaurants. If you eat at popular Mexican restaurants, you often get free tortilla chips and salsa, often called a “setup”. A large number of bars will have bowls of salty snacks waiting for patrons to enjoy between beers or other drinks. These appetizers are free so wireless should be free as well, right?

The funny thing about those “free” appetizers is that they aren’t really free. They serve as a means to an end. The salty snacks on the bar are there to make you thirsty and cause you to order more drinks to quench that thirst. The cost of offering those snacks is balanced by the amount of extra alcohol you consume. The “free” chips and salsa at the restaurant serve as much to control food costs as they do to whet your appetite. By offering cheap food up front, people are less likely to order larger food dishes that cost more to make. And if you don’t want to enjoy food from the menu, most restaurants will charge you a “nominal” fee to recoup their costs.

These “free” items serve to increase sales for the business. Businesses don’t mind giving things away as long as they can profit from them. The value proposition of a free service has to be balanced with some additional revenue source. In that sense, nothing is really and truly free from an altruistic point of view.

Anal(ytics) Retentive

The path to offering “free” wifi seems to be headed down the road of collecting information about users in order to offer services to recoup costs. Whether it be through a loyalty program or social wireless logins, companies are willing to give you access to wireless in exchange for some information about you.

The tradeoff is reasonable in the eyes of the business. They have to upgrade their infrastructure to support transient guest users. It’s one thing to offer guest wireless to employees who are on the payroll and being productive. It’s something else entirely to offer it to people who will potentially use it and not your services. You have to have a way to get that investment back.

For a large percentage of the population, giving away information is something they don’t care about. It’s something freely available on social media, right? If everyone can find out about it, you might as well give it to someone in exchange for free wireless, right?

Despite what people have said as of late, the real issues with social login and data analytics have nothing to do with offering the data. Storing the data somewhere is of little consequence in the long run. So long as a company doesn’t attempt to use that data against you in some way, then data collection is benign.

Yes, storing that data could be problematic thanks to the ever-shrinking timeline for exposing large databases inside companies. Data sitting around in a database has a siren call to companies to either do something with it or sell it to a third party in an effort to capitalize on the gold mine they are sitting on. But the idea that most people have is that won’t happen. That makes it tolerable to give away something meaningless in exchange for a necessary service.


Tom’s Take

The price of freedom is vigilance. The price of free wireless is a little less than that. Business owners need value to offer additional services. Cost with no return gives no value. Whether that value comes from increased insight into customer bases or reselling that data to someone that wants to provide analytics services to businesses is a moot point. Wireless will never truly be free so long as there is something that can be traded for its value.

Could IPv6 Drown My Wireless Network?


By now, the transition to adopt IPv6 networks is in full swing. Registrars are running out of prefixes and new users overseas are getting v6-only allocations for new circuits. Mobile providers are going v6-only and transition mechanisms are in place to ease the migration. You can hear about some of these topics in this recent roundtable recorded at Interop last week:

One of the conversations that I had with Ed Horley (@EHorley) during Interop opened my eyes to another problem that we will soon be facing with IPv6 and legacy technology. Only this time, it’s not because of a numbering scheme. It’s because of old hardware.

Rate Limited

Technology always marches on. Things that seemed magical to us just five years ago are now antiquated and slow. That’s the problem with the original 802.11 specification. It supported wireless data rates at a paltry 1 Mbps and 2 Mbps. When 802.11b was released, it raised the rates to 5.5 Mbps and 11 Mbps. Those faster data rates, combined with a larger coverage area, helped 802.11b become commercially successful.

Now, we have 802.11n with data rates in the hundreds of Mbps. We also have 802.11ac right around the corner with rates approaching 1 Gbps. It’s a very fast wireless world. But thanks to the need to be backwards compatible with existing technology, even those fast new 802.11n access points still support the old 1 & 2 Mbps data rates of 802.11. This is great if you happen to have a wireless device from the turn of the millennium. It’s not so great if you are a wireless engineer supporting such an installation.

Wireless LAN professionals have been talking for the past couple of years about how important it is to disable the 1, 2, and 5.5 Mbps data rates in your wireless networks. Modern equipment will only utilize those data rates when far away from the access point, and modern design methodology ensures you won’t be far from an access point. Removing support for those rates forces the hardware to connect at a higher data rate and preserves the overall airtime quality. Even one 802.11b device connecting to your wireless network can cause the whole network to be dragged down to slow data rates. How important is it to disable these settings? Meraki’s dashboard allows you to do it with one click:

[Screenshot: Meraki dashboard data rate settings]

Flood Detected

How does this all apply to IPv6? Well, it turns out that multicast has an interesting behavior on wireless networks. It seeks out the lowest data rate to send traffic. This ensures that all receivers get the packet. I asked Matthew Gast (@MatthewSGast) of Aerohive about this recently. He said that it’s up to the controller manufacturer to decide how multicast is handled. When I gave him an inquisitive look, he admitted that many vendors leave it up to the lowest common denominator, which is usually the 1 Mbps or 2 Mbps data rate.

This isn’t generally a problem. IPv4 multicast tends to be sporadic and short-lived at best. Most controllers have mechanisms in place for dealing with this, either by converting those multicasts to unicasts or by turning off multicast completely. A bit of extra traffic on the low data rates isn’t noticeable.

IPv6 has a much higher usage of multicast, however. Router Advertisements (RAs) and Multicast Listener Discovery (MLD) are critical to the operation of IPv6. So critical, in fact, that turning off Global Multicast on a Cisco wireless controller doesn’t disable RAs and MLD from happening. You must have multicast running for IPv6.

What happens when all that multicast traffic from IPv6 hits a controller with the lower data rates enabled? Gridlock. Without vendor intervention the MLD and RA packets will hop down to the lowest data rate and start flooding the network. Listeners will respond on the same low data rate and drag the network down to an almost-unusable speed. You can’t turn off the multicast to fix it either.

The solution is to prevent this all in the first place. You need to turn off the 802.11b low data rates on your controller. 1 Mbps, 2 Mbps, and 5.5 Mbps should all be disabled, both as a way to prevent older, slower clients from connecting to your wireless network and to keep newer clients running IPv6 from swamping it with multicast traffic.

There may still be some older clients out there that absolutely require 802.11b data rates, like medical equipment, but the best way to deal with these problematic devices is isolation. These devices likely won’t be running IPv6 any time in the future. Isolating them onto a separate SSID running the 802.11b data rates is the best way to ensure they don’t impact your other traffic. Make sure you read up on how to safely disable data rates and do it during a testing window to ensure you don’t break everything in the world. But you’ll find your network much more healthy when you do.
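To put numbers on why the low basic rates matter for IPv6, here is an added example (not from the original post) that models the channel time a Router Advertisement or MLD report occupies at each 2.4 GHz data rate, and what a burst of MLD reports from many clients costs when a controller sends multicast at the lowest enabled rate. The frame sizes, the client count, and the enabled-rate sets are constructed assumptions; the model uses the 802.11 DSSS long preamble and 802.11g OFDM timing and ignores contention and 802.11g protection, so it is a lower bound on real airtime.

```python
"""Airtime model for IPv6 multicast frames at 2.4 GHz Wi-Fi data rates (added example).

Assumptions (constructed for this example, not measured on any real network):
  * DSSS/CCK rates (1, 2, 5.5, 11 Mbps) use the long PLCP preamble + header
    (192 us); 1 Mbps cannot use the short preamble at all.
  * OFDM rates (6..54 Mbps) use a 20 us preamble/SIGNAL, 4 us symbols,
    16 SERVICE + 6 tail bits, and the 6 us signal extension used in 2.4 GHz.
  * No backoff, no 802.11g protection (CTS-to-self) and no ACK: multicast
    frames are never acknowledged, so the figures are a lower bound.
  * Frame sizes are typical constructed values, not captured frames.
"""
import math

DSSS_RATES = (1, 2, 5.5, 11)
OFDM_RATES = (6, 9, 12, 18, 24, 36, 48, 54)

DSSS_LONG_PREAMBLE_US = 192      # 144 us preamble + 48 us PLCP header, always at 1 Mbps
OFDM_PREAMBLE_US = 20            # 16 us training sequence + 4 us SIGNAL field
OFDM_SYMBOL_US = 4
OFDM_SIGNAL_EXT_US = 6           # 2.4 GHz (802.11g) only
OFDM_SERVICE_TAIL_BITS = 16 + 6

# Constructed on-air sizes: 802.11 data header (24) + LLC/SNAP (8) + FCS (4) + IPv6 payload
MAC_OVERHEAD = 24 + 8 + 4
RA_FRAME_BYTES = MAC_OVERHEAD + 40 + 16 + 8 + 8 + 32   # IPv6 + RA + SLLA + MTU + prefix info = 140
MLD_REPORT_BYTES = MAC_OVERHEAD + 40 + 8 + 8 + 20      # IPv6 + hop-by-hop + MLDv2 + 1 record = 112


def frame_airtime_us(frame_bytes: int, rate_mbps: float) -> int:
    """Whole microseconds of channel time one frame occupies when sent at rate_mbps."""
    if rate_mbps in DSSS_RATES:
        # DSSS/CCK: fixed 1 Mbps preamble, then the payload bits at the chosen rate
        return DSSS_LONG_PREAMBLE_US + math.ceil(frame_bytes * 8 / rate_mbps)
    if rate_mbps in OFDM_RATES:
        bits = OFDM_SERVICE_TAIL_BITS + frame_bytes * 8
        bits_per_symbol = int(rate_mbps * OFDM_SYMBOL_US)   # N_DBPS, e.g. 96 at 24 Mbps
        symbols = math.ceil(bits / bits_per_symbol)          # padded to a whole symbol
        return OFDM_PREAMBLE_US + symbols * OFDM_SYMBOL_US + OFDM_SIGNAL_EXT_US
    raise ValueError(f"unsupported 2.4 GHz data rate: {rate_mbps}")


def burst_airtime_us(frames: int, frame_bytes: int, rate_mbps: float) -> int:
    """Channel time for `frames` copies of a frame, e.g. every client answering one MLD query."""
    return frames * frame_airtime_us(frame_bytes, rate_mbps)


def lowest_enabled_rate(enabled_rates) -> float:
    """The rate a 'lowest common denominator' controller would pick for multicast."""
    if not enabled_rates:
        raise ValueError("no data rates enabled")
    return min(enabled_rates)


def multicast_airtime_share(frames_per_second: int, frame_bytes: int, enabled_rates) -> float:
    """Fraction of one second of airtime eaten by multicast sent at the lowest enabled rate."""
    rate = lowest_enabled_rate(enabled_rates)
    return burst_airtime_us(frames_per_second, frame_bytes, rate) / 1_000_000


if __name__ == "__main__":
    # Constructed scenario: 200 associated clients each answer an MLD general query.
    legacy = (1, 2, 5.5, 11, 6, 12, 24, 54)   # 802.11b rates still enabled -> multicast at 1 Mbps
    trimmed = (11, 6, 12, 24, 54)             # 1/2/5.5 disabled -> multicast floor is 6 Mbps
    for name, rates in (("legacy", legacy), ("trimmed", trimmed)):
        share = multicast_airtime_share(200, MLD_REPORT_BYTES, rates)
        print(f"{name:8s} RA={frame_airtime_us(RA_FRAME_BYTES, lowest_enabled_rate(rates))} us "
              f"MLD burst share={share:.1%}")
```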


Tom’s Take

Legacy technology support is critical for continued operation. We can’t just drop something because we don’t want to deal with it any more. Anyone who has ever called a technical support line feels that pain. However, when the new technology doesn’t feasibly support working with older tech, it’s time to pull the plug. Whether it be 802.11b data rates or something software related, like dropping PowerPC app support in OS X, we have to keep marching forward to make new devices run at peak performance.

IPv6 has already exposed limitations of older technologies like DHCP and NAT. Wireless thankfully has a much easier way to support transitions. If you’re still running 802.11b data rates, turn them off. You’ll find your IPv6 transition will be much less painful if you do. And you can spend more time working with tech and less time trying to tread water.


Budgeting For Wireless With E-Rate


After having a nice conversation with Josh Williams (@JSW_EdTech) and helping Eddie Forero (@HeyEddie) with some E-Rate issues, I’ve decided that I’m glad I don’t have to deal with it any longer. But my conversation with Josh revealed something that I wasn’t aware of with regards to the new mandate from the president that E-Rate needs to address wireless in schools.

Building On A Budget

The first exciting thing in the new rules for E-Rate modernization is that there has been an additional $1 billion injected into the Category 2 (Priority 2) items. The idea is that this additional funding can be used for purchasing wireless equipment as outlined in the above initiative. I’ve said before that E-Rate needed an overhaul to fix some of the issues with reduced funding in competition for the available funding pool. That this additional funding came through things like sunsetting VoIP funding is a bit irritating, but sometimes these things can’t be helped.

The second item that caught my attention is the new budgeting rules for Category 2 in E-Rate going forward. Now, schools are allocated $150 per student for a rolling five year period. That means the old “2 of 5” rule for internal connections is gone. It also means you are going to have to be very careful with your planning from now on. But when it comes to wireless, that’s what has been advised by the professionals for quite a while. The maxim of “one AP per classroom” won’t fit with these new funding rules.

Let’s take an example. If your school has 1,000 students you are allocated $150,000 for Category 2 for a five year period. If you want to use this entire amount for wireless, you could use it as follows:

  1. Spend $150,000 this year on new wireless gear. You will have no extra money available in the next four years.
  2. Spend $100,000 on new wireless gear this year. You can then use the remaining $50,000 for more gear or maintenance on the existing gear in the next four years. Adding a warranty or maintenance contract to the initial cost will give you coverage on the gear over the five-year period.
  3. Spend $30,000 each year on new APs or on a managed service. This means you have less each year to spend, but you can continually add pieces.

If your student numbers increase in the five years, you gain access to additional funding. However, that’s not a guarantee. And thankfully, if you lose students you don’t have to pay back the difference.

The “D” Word

With the amount of money allocated to Priority 2 limited over a time period, design becomes more and more important, especially if you are building a wireless design. You can’t just throw an access point in every classroom or at every hallway intersection and call it a day. You’re going to need to invest real time and effort into making your design work.

Sometimes, that will mean paying for the work up front. Without funding. Those words strike fear into the hearts of school technology workers. I’ve seen cases where schools refused to pay for anything that wasn’t covered under E-Rate. In the case of a wireless design, that may be even harder to swallow, since the deliverable is a document that sits on a shelf, not a device that accomplishes something. If tech professionals are having a hard time buying it, you can better believe the superintendent and school boards will be even more averse.

A proper wireless design will save you money in the long term. By having someone use math and design principles to place APs instead of “best guesses”, you can reduce the number of APs in many cases while improving coverage where it’s needed, instead of providing coverage for a strip of grass outside a classroom instead of the library. Better coverage means fewer complaints. Less hardware means less acquisition cost for your E-Rate discount percentage. Less cost means more money left in your budget for other E-Rate technology needs. Everyone wins.


Tom’s Take

I couldn’t figure out how the FCC was going to pay for all of this new wireless gear. Money doesn’t appear from nowhere. They found some of it by taking their budgeted amounts and reducing the unneeded items to make room for the things that were required. That learning process made them finally do something they should have done years ago: give the schools a real budget instead of crazy rules like “2 of 5”.

Yes, the per student budget is going to hurt smaller schools. Schools without higher headcounts are going to get much less in the coming years. But many of those smaller schools have disproportionately benefitted from E-Rate in the past 15 years. Tying the funding amounts to the actual number of users in the environment will mean the schools that need the funding will get it to improve their technology situation. And that’s something we can all agree is welcome and needed.


HP Is Buying Aruba. Who’s Next?


Sometimes all it takes is a little push. Bloomberg reported yesterday that HP is in talks to buy Aruba Networks for their wireless expertise. The deal is contingent upon some other things, and the article made sure to throw up disclaimers that it could still fall through before next week. But the people that I’ve talked to (who are not authorized to comment and wouldn’t know the official answer anyway) have all said this is a done deal. We’ll likely hear the final official confirmation on Monday afternoon, ahead of Aruba’s big Atmosphere (née Airheads) conference.

R&D Through M&A

This is a shot in the arm for HP. Their Colubris-based AP lineup has been sorely lacking in current generation wireless technology, let alone next gen potential. The featured 802.11ac APs on their networking site are OEMed directly from Aruba. They’ve been hoping to play the OEM game for a while and see where the chips are going to fall. Buying Aruba gives them second place in the wireless market behind Cisco overnight. It also fixes the most glaring issue with Colubris – R&D. HP hasn’t really been developing their wireless portfolio. Some had even thought it was gone for good. This immediately puts them back in the conversation.

More importantly to HP, this acquisition cuts off many of their competitor’s wireless plans at the knees. Dell, Juniper, Brocade, Alcatel Lucent, and many others OEM from Aruba or have a deep partnership agreement. By wrapping up the entirety of Aruba’s business, HP has dealt a blow to the single-source vendors that are playing in the wireless market. And this is going to lead to some big changes relatively soon.

The Startup Buzz

Dell is perhaps the most impacted by this announcement. A very large portion of their wireless offerings were Aruba. They sold APs, controllers, and even ClearPass through their channels (with the names filed off, of course). Now, they are back to square one. How are they going to handle the most recent deals? What are their support options?

A little thought exercise with my friend Josh Williams (@JSW_EdTech) produced a few possibilities:

  1. Dell forces HP to buyout all the support contracts for Dell/Aruba customers. That makes sense for Dell, but it will turn a lot of customers against them, especially when HP lets those customers know the reasons why.
  2. Dell agrees to release the developments they’ve done on the platform to HP in return for HP taking the support business. Quiet and clean. Which is why it likely won’t happen.
  3. Dell pays HP an exorbitant amount of money to take the support contracts. This gives HP the capital to take on all those new support contracts and gives Dell an exit to rebuild. This is probably what HP wants, but could end up sinking the deal.

Dell got burned, plain and simple. They likely could have purchased Aruba months ago and solidified the relationship. Instead, they are now looking for a new partner. However, I don’t think they are going to get burned again. Rather than shopping for a friend, they are going to be shopping for an acquisition. My money has always been on Aerohive. They have an existing relationship. The Aerohive controller-less cloud model fits Dell’s new strategies. And they would be a much cheaper pickup than Aruba. There is precedence for Dell skipping the big name and picking up a smaller company that’s a better fit. It’s a hard pill to swallow, but it gives Dell the chance to move forward with a lasting relationship.

Softwarely Defined

Brocade is a line-of-business partner of Aruba. They’ve only recently gotten involved since Motorola shut down their WLAN business. This is a good sign for them. That means they can exit from their position and not be significantly affected. It does leave them with a quandary of where to go.

The first choice would be to go back to the Motorola relationship, now in the form of Zebra Technologies. Zebra inherited quite a large portion of the WLAN space from Motorola, but they’ve been keeping rather quiet about it. Are they angling to be more of a support organization for existing installs? Or are they waiting for a big splash announcement to get back in the game? Partnering with Brocade would give them that announcement given the elevated profile Brocade has today.

Brocade’s other option would be to go down the SDN road. The plan for a while has been to embrace SDN, OpenFlow, and all things software defined. The natural target for this would be Meru Networks. Meru has been embracing SDN as well as of late. They had a nice event last year showcasing their advances in SDN. Brocade could bolster that SDN knowledge while obtaining a good wireless company that would give them the strength they need to augment their enterprise business.

Permission To Retire

The odd company out is Juniper. I’ve heard that they were involved at first in trying to acquire Aruba, but when you’re betting against HP’s pockets you will lose in the long run. Their other problem is Elliott Management, everyone’s new favorite “activist investor”.

Elliott has made no secret that they see the value in Juniper in the service provider market. As far back as last year, Elliott has been trying to get Juniper to hive off the ancillary businesses, including security, enterprise, and wireless. Juniper has officially ended sales for Trapeze-based products already. Why would Elliott let them buy another wireless company so soon after getting rid of the last one? Even as successful as Aruba is, Elliott would see it as another distraction. And when someone that active is calling the shots, you can’t go against them, lest you end up unemployed.

This is the end for Juniper’s wireless aspirations. That’s not a bad thing, necessarily. This gives them the impetus needed to focus on the service provider market. It also gives them a smaller enterprise switching portfolio to package up and sell off should that pound of flesh be necessary to sate Elliott as well. Time will tell.

Everyone Else

Any other companies with Aruba relationships are either dipping their toes in the wireless waters or don’t care enough to worry about the impact it will have. It will be an easy matter for companies like Alcatel-Lucent to go out and find a new OEM partner, likely with someone like Extreme Networks or Ruckus. Those companies are making great technology and will be happy to supply the APs that customers need. Showing off their technology will also give them great in-roads into customers that might not have been on their radar before.


Tom’s Take

It’s going to be an exciting time in the wireless space. HP’s acquisition is going to start the falling dominoes for other companies to buy into the wireless space as well. When the dust settles, there will be new number twos and number threes in the market. It also clears the middle of the space for up-and-comers to grow. Cisco is going to stay number one for a while, and HP will be number two when this deal closes. But until we see the fallout from who will be purchased and partnered with it’s tough to say who will be a clear winner. But make sure you’ve got your popcorn ready. Because this isn’t over yet. Not by a long shot.


NBase-ing Your Wireless Decisions


Copper is heavy. I’m not talking about its atomic weight of 63 or the fact that bundles of it can sag ceiling joists. I’m talking about the fact that copper has inertia. It’s difficult to install and even more difficult to replace. Significant expense is incurred when people want to run new lines through a building. I never really understood how expensive a proposition that was until I went to work for a company that ran copper lines.

Out of Mind, Out of Sight

According to a presentation that we saw at Tech Field Day Extra at Cisco Live Milan from Peter Jones at Cisco, Category 5e and 6 UTP cabling still has a significant install base in today’s organizations. That makes sense when you consider that 5e and 6 are the minimum for gigabit Ethernet. Once we hit the 1k mark with speeds, desktop bandwidth never really increased. Ten gigabit UTP Ethernet is never going to take off outside the data center. The current limitations of 10Gig over Cat 6 makes it impossible to use in a desktop connectivity situation. With a practical limit of around 50 meters, you practically have to be on top of the IDF closet to get the best speeds.

There’s another reason why desktop connectivity stalled at 1Gig. Very little data today gets transferred back and forth between desktops across the network. With the exception of some video editing or graphics work, most data is edited in place today. Rather than bringing all the data down to a desktop to make changes or edits, the data is kept in a cloud environment or on servers with ample fast storage space. The desktop computer is merely a portal to the environment instead of the massive editing workstation of the past. If you even still have a desktop at all.

The vast majority of users today don’t care how fast the wire coming out of the wall is. They care more about the speed of the wireless in the building. The shift to mobile computing (laptops, tablets, and even phones) has spurred people to spend as little time as possible anchored to a desk. Even those that want to use large monitors or docking stations with lots of peripherals prefer to connect via wireless to grab things and go to meetings or off-site jobs.

Ethernet has gone from a “must have” to an infrastructure service supporting wireless access points. Where one user in the past could have been comfortable with a single gigabit cable, that new cable is supporting tens of users via an access point. With sub-gigabit technologies like 802.11n and 802.11ac Wave 1, the need for faster connectivity is moot. Users will hit overhead caps in the protocol long before they bump into the theoretical limit for a single copper wire. But with 802.11ac Wave 2 quickly coming up on the horizon and even faster technologies being cooked up, the need for faster connectivity is no longer a pipe dream.

All Your NBase

Peter Jones is the chairman of the NBaseT Alliance. The purpose of this group is to decide on a standard for 2.5 gigabit Ethernet. Why such an odd number? Long story short: It has to do with splitting 10 gigabit PHY connections in fourths and delivering that along a single Cat 5e/6 wire. That means it can be used with existing cable plants. It means that we can deliver more power along the wire to an access point that can’t run on 802.3af power and needs 802.3at (or more). It means we don’t have to rip and replace cable plants today and incur double the costs for new technology.

NBaseT represents a good solution. By changing modulations and pumping Cat 5e and 6 to their limits, we can forestall a cable plant armageddon. IT departments don’t want to hear that more cables are needed. They’ve spent the past 5 years in a tug-of-war between people saying you need 3–4 drops per user and the faction claiming that wireless is going to change all that. The wireless faction won that argument, as this video from last year’s Aruba Airheads conference shows. The idea of a totally wireless office building used to be a fantasy. Now it’s being done by a few and strongly considered by many more.

NBaseT isn’t a final solution. The driver for 2.5 Gig Ethernet isn’t going to survive the current generation of technology. Beyond 802.11ac, wireless will jump to 10 Gigabit speeds to support primary connectivity from bandwidth hungry users. Copper cabling will need to be updated to support this, as fiber can’t deliver power and is much too fragile to support some of the deployment scenarios that I’ve seen. NBaseT will get us to the exhaustion point of our current cable plants. When the successor to 802.11ac is finally ratified and enters general production, it will be time for IT departments to make the decision to rip out their old cable infrastructure and replace it with fewer wires designed to support wireless deployments, not wired users.


Tom’s Take

Peter’s talk at Tech Field Day Extra was enlightening. I’m not a fan of the proposed 25Gig Ethernet spec. I don’t see the need it’s addressing. I can see the need for 2.5Gig on the other hand. I just don’t see the future. If we can keep the cable plant going for just a couple more years, we can spend that money on better wireless coverage for our users until the next wave is ready to take us to 10Gig and beyond. Users know what 1Gig connectivity feels like, especially if they are forced down to 100Mbps or below. NBaseT gives them the ability to keep those fast speeds in 802.11ac Wave 2. Adopting this technology has benefits for the foreseeable future. At least until it’s time to move to the next best thing.

Making Your Wireless Guest Friendly


During the recent Virtualization Field Day 4, I was located at a vendor building and jumped on their guest wireless network. There are a few things that I need to get accomplished before the magic happens at a Tech Field Day event, so I’m always on the guest network quickly. It’s only after I take care of a few website related items that I settle down into a routine of catching up on email and other items. That’s when I discovered that this particular location blocked access to IMAP on their guest network. My mail client stalled out when trying to fetch messages and clear my outbox. I could log into Gmail just fine and send and receive while I was on-site. But my workflow depends on my mail client. That made me think about guest WiFi and usability.

Be Our (Limited) Guest

Guest WiFi is a huge deal for visitors to an office. We live in a society where ever-present connectivity is necessary. Email notifications, social media updates, and the capability to look up necessary information instantly have pervaded our lives. For those of us fortunate enough to still have an unlimited cellular data plan, our connectivity craving can be satisfied by good 3G/LTE coverage. But for those devices lacking a cellular modem, or the bandwidth to exercise it, we’re forced to rely on good old 802.11a/b/g/n/ac to get online.

Most companies have moved toward a model of providing guest connectivity for visitors. This is a far cry from years ago when snaking an Ethernet cable across the conference room was necessary. I can still remember the “best practice” of disabling the passthrough port on a conference room IP phone to prevent people from piggybacking onto it. Our formerly restrictive connectivity model has improved drastically. But while we can get connected, there are still some things that we limit through software.

Guest network restrictions are nothing new. Many guest networks block malicious traffic or traffic generally deemed “unwanted” in a corporate environment, such as BitTorrent or other peer-to-peer file sharing protocols. Other companies take this a step further and start filtering out bandwidth consumers and the sites associated with them, such as streaming Internet radio and streaming video, like YouTube and Vimeo. It’s not crucial for work (unless you need your cat videos) and most people just accept it and move on.

The third category happens, for the most part, at large companies or institutions. Protocols are blocked that might provide covert communications channels. IMAP is a good example. The popular thought is that by blocking access to mail clients, guests cannot exfiltrate data through that communications channel. Forcing users onto webmail gives the organization an extra line of defense through web filters and data loss prevention (DLP) devices that constantly look for data leakage. Other protocols that fall into this category are IPsec and SSL VPN connections. In these restrictive environments, any VPN use is generally blocked and discouraged.

Overstaying Your Welcome

Should companies police guest wireless networks for things like mail and VPN clients? That depends on what you think the purpose of a guest wireless network is. For people like me, guest wireless is critical to the operation of my business. I need access to websites and email and occasionally things like SSH. I can only accomplish my job if I have connectivity. My preference would be to have a guest network as open as possible to my needs.

Companies, on the other hand, generally look at guest wireless connectivity as a convenience provided to guests. It’s more like the phone in the lobby by the reception desk. In most cases, that phone has very restricted dialing options. In some companies, it can only dial internal extensions or a central switchboard. In others, it has some capability to dial local numbers. Almost no one gives that phone the ability to dial long distance or international calls. To the company, giving wireless connectivity to guests serves the purpose of giving them web browsing access. Anything more is unnecessary, right?

It’s a classic standoff. How do we give the users the connectivity they need while protecting the network? Some companies create a totally alien guest network with no access to the inside and route all traffic through it. That’s almost a requirement to avoid unnecessary regulatory issues. Others use a separate WAN connection to avoid having the guest network potentially cause congestion with the company’s primary connection.

The answers to this conundrum aren’t going to come easily. But regardless, users need to know what works and what doesn’t. Companies need to be protected against guest users doing things they aren’t supposed to. How can we meet in the middle?

A Heaping Helping of Our Hospitality

The answer lies in the hospitality industry. Specifically in those organizations that offer tiered access for their customers. Most hotels will give you the option of a free or reduced rate connection that is rate limited or has blocks in place. You can upgrade to the premium tier and unlock a faster data cap and access to things like VPN connections or even public addresses for things like video conferencing. It’s a two-tier plan that works well for the users.

Corporate wireless should follow the same plan. Users can be notified that their basic connectivity has access to web browsing and other essential items, perhaps at a rate limit to protect the corporate network. For those users (like me) that need access to faster network speeds or uncommon protocols like IMAP, you could set up a “premium” guest network that has more restrictive terms of use and perhaps gathers more information about the user before allowing them onto the network. This is also a good solution for vendors or contractors that need access to more of the network than a simple guest solution can afford them. They can use the premium tier with more restrictions and the knowledge that they will be contacted in the event of data exfiltration. You could even monitor this connection more stringently to ensure nothing malicious is going on.
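One way to express that two-tier guest policy on a Linux guest gateway, as an added nftables example that is not from the original post or any vendor: the basic tier gets DNS and web browsing behind a rate cap and the premium tier adds mail-client and VPN protocols with every new flow logged, while neither tier can reach the corporate inside. Interface names, the RFC 1918 ranges used for the corporate network, the 5 MB/s cap, and the OpenVPN port are assumptions for illustration.

```nftables
# Added example (assumed topology): basic guests arrive on VLAN interface
# "guest-basic", premium guests on "guest-premium", and "wan0" is the separate
# guest WAN link. Corporate space is assumed to be the RFC 1918 ranges.
table inet guest {
    set corporate_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Both tiers: the guest network is alien to the inside, no exceptions.
        iifname { "guest-basic", "guest-premium" } ip daddr @corporate_nets drop

        # Only Internet-bound traffic reaches the per-tier chains.
        iifname "guest-basic" oifname "wan0" jump basic_tier
        iifname "guest-premium" oifname "wan0" jump premium_tier
    }

    chain basic_tier {
        udp dport 53 accept
        # Web browsing only, behind an aggregate cap for the whole basic tier
        # (the 5 MB/s figure is an assumption, tune it to the guest WAN).
        tcp dport { 80, 443 } limit rate over 5 mbytes/second drop
        tcp dport { 80, 443 } accept
        drop
    }

    chain premium_tier {
        udp dport 53 accept
        tcp dport { 80, 443 } accept
        # Mail clients: IMAP (plain and TLS) plus SMTP submission. Logging each
        # new flow is the "monitor more stringently" part of the premium deal.
        tcp dport { 143, 993, 587, 465 } ct state new log prefix "guest-premium-mail " accept
        # IPsec (IKE, NAT-T, ESP) and, as an assumed example, OpenVPN on UDP 1194.
        udp dport { 500, 4500, 1194 } ct state new log prefix "guest-premium-vpn " accept
        ip protocol esp ct state new log prefix "guest-premium-vpn " accept
        # Everything else is still unavailable; log it so the splash page
        # "what is blocked" list can be kept honest.
        log prefix "guest-premium-drop " drop
    }
}
```

Load it with `nft -f` on the gateway; SSL VPNs that ride TCP 443 will pass in both tiers under this ruleset, so blocking them at the basic tier needs inspection beyond port filtering.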


Tom’s Take

Guest wireless access is always going to be an exercise in balance. You need to give your guests all the access you can without giving them the keys to the kingdom. Companies providing guest access need to adopt a tiered model like that of the hospitality industry to provide the connectivity needed for power users while still offering solutions that work for the majority of visitors. At the very least, companies need to notify users on the splash page / captive portal which services are disabled. This is the best way to let your guests know what’s in store for them.