Tuesday, February 4, 2014

Cisco Meraki Z1 Review




1) Intro
2) Features
3) Setup
4) Wireless configuration
5) Throughput tests (Wireless/Wired)
6) Closing Notes

Intro: The Meraki Z1 is an enterprise-level teleworker gateway and security appliance: a full-featured enterprise router/firewall that is affordable for small to medium businesses to deploy to teleworkers and remote staff. It has lots of features and is cloud managed, so it can be controlled and administered from any computer with an internet connection.

Features: The Z1 features the following:


1) Stateful firewall supporting 5 concurrent users @ 50Mbps
2) Layer 7 firewall controls with tons of site blocking presets to help block against P2P, sports, social media, video streaming sites and more as well as custom hostnames and expressions.
3) 4 wired Gigabit LAN ports
4) 3 x 3.dBi (2.4 Ghz) and 3x4dBi (5 Ghz)  dual band internal dipole antennas with 30dBm output power
5) Up to 4 WLAN SSIDs with configurable VLANs for each one, providing more security than standard guest networks
6) Dual band 2.4Ghz and 5Ghz operation with 3 x 3 MIMO connectivity at up to 450Mbps
7) Full VLAN configuration that’s easy to do and you can easily define firewall and bandwidth shaping policies to each one. 
8) Per port VLAN
9) Full and extremely detailed traffic shaping (QoS) and firewall controls
10) Full client connectivity details and monitoring. You can even see what websites or applications the client has used in real time. You can even check signal strength and the Operating System of each client. 
11) Network wide bandwidth monitoring. You can see how much bandwidth all clients in the network are using as well as the WAN interface. 
12) Fixed and DHCP client address assignments
13) Cellular 3G/4G failover via the USB port with separate firewall and traffic shaping
14) Fully customizable user/group policies so you can configure SSIDs to use Meraki authentication instead of WPA2 keys. 
15) With group policies you can define per-user limits such as firewall rules, traffic shaping, etc. 
16) Self configuring site-to-site VPN
17) WAN uplink selection based on traffic type
18) Automatic firmware upgrades
19) Price is the same as a high end consumer router but you get enterprise level features
20) And lots more


Setup: The Meraki Z1 was very easy to set up, and you can actually configure it before you even get it! When you order one you are given a claim code. You then create an account on meraki.com, and when you add the device to the inventory you enter the claim code. You can dive right in and configure your network before the Z1 arrives; then all you gotta do is plug it in and it configures itself! Very nice!

1) It took a while for it to configure itself over the WAN. It took about 10 minutes, which was longer than the MX60W, and it restarted itself a few times.
2) There is only one status LED so it’s hard to determine link status by looking at the Z1 
3) It had no issues with our cable modem connection and configured itself well.
4) Since the setup was pre-done over the cloud our network picked right back up and there was no delay in accessing our stuff due to having to redo IP configs.
5) Setting up stuff like guest networks is different than on consumer class routers. Those are done by creating VLANs, so this was done later and not before the router arrived. I did create an SSID before the router arrived, though, so some clients could connect right away.


Let's take a look at the really helpful status page that tells us all our connected client status as well as total WAN bandwidth on one handy screen:





Let's take a look at the really helpful Traffic report page that tells us what uses the most traffic on the network:



In this area you can hunt down rogue access points, which people use to steal logins and other data by masquerading as one of your access points. From this screen you can take action against them:





Wireless Configuration: The Z1 has a very different wireless configuration than consumer class routers. Guest networks are handled by creating a VLAN for the Guest SSID. Go to “Configure > Addressing and VLANs”, enable VLANs, and apply changes. Then I would title the new VLAN “Guests” and assign it a different IP range and subnet. I configured mine to 10.0.0.0/24 so it gets the 10.0.0.x IP range, and the appliance address should be entered as 10.0.0.1. Then go to “Wireless settings”, enable the 2nd SSID, assign the VLAN ID of the “Guests” VLAN to it, and apply settings. This is how you isolate the guest SSID from the main one to prevent guests from accessing your internal LAN.

Step one: Creating the Guest policy:



Step two: Create the VLAN:


Step three: Assign VLAN to Guest SSID:
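
A way to sanity-check the guest setup described above before applying it, written as an added example (not from the original review and not Meraki's tooling). The "Main" subnet, the VLAN IDs and the rule format are assumptions; only the Guests range 10.0.0.0/24 and appliance address 10.0.0.1 come from the review. The model assumes traffic between VLANs is routed unless a rule in the guest policy denies it.

```python
import ipaddress

# Constructed plan: "Guests" uses the review's 10.0.0.0/24; the Main subnet and VLAN IDs are assumed.
VLANS = {
    "Main":   {"id": 1,  "subnet": "192.168.1.0/24", "appliance_ip": "192.168.1.1"},
    "Guests": {"id": 10, "subnet": "10.0.0.0/24",    "appliance_ip": "10.0.0.1"},
}
# Constructed guest policy as (action, destination CIDR); evaluated top-down, first match wins.
GUEST_RULES = [("deny", "192.168.1.0/24"), ("allow", "0.0.0.0/0")]

def check_plan(vlans):
    """Return problems: unusable appliance IPs, duplicate VLAN IDs, overlapping subnets."""
    problems, seen = [], []
    for name, v in vlans.items():
        net = ipaddress.ip_network(v["subnet"])
        ip = ipaddress.ip_address(v["appliance_ip"])
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is not a usable host address in {net}")
        for other, other_id, other_net in seen:
            if v["id"] == other_id:
                problems.append(f"{name}/{other}: duplicate VLAN ID {other_id}")
            if net.overlaps(other_net):
                problems.append(f"{name}/{other}: {net} overlaps {other_net}")
        seen.append((name, v["id"], net))
    return problems

def reachable_from_guest(vlans, rules, guest="Guests"):
    """Return the internal VLANs that the guest policy does not fully block.

    Assumption of this model: inter-VLAN traffic is routed unless a rule denies it.
    """
    leaks = []
    for name, v in vlans.items():
        if name == guest:
            continue
        target = ipaddress.ip_network(v["subnet"])
        for action, cidr in rules:
            rule_net = ipaddress.ip_network(cidr)
            if rule_net.overlaps(target):
                # The first overlapping rule decides; only a deny covering the whole subnet isolates it.
                if not (action == "deny" and target.subnet_of(rule_net)):
                    leaks.append(name)
                break
        else:
            leaks.append(name)  # no rule touched this subnet, so it stays routed
    return leaks

if __name__ == "__main__":
    print(check_plan(VLANS), reachable_from_guest(VLANS, GUEST_RULES))
```

An empty result from both functions means the plan is consistent and the guest policy denies the whole internal subnet before any allow rule is reached.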




   
The Z1 supports WPA/WPA2 with PSK and Enterprise authentication types, which can be different for each SSID. Selecting “Enterprise” allows you to use Meraki Authentication, which lets you define a username and password rather than a static key, giving finer control over your wireless network. User-based controls allow you to define limits PER USER, so that if, let’s say, someone gets fired, you just delete their user account and don't have to change the ENTIRE NETWORK’S encryption key! To create a user, go to Configure > Users > Add New User and configure it to your needs.


One thing I do wish the Z1 had was separate SSIDs for the 5Ghz band and the 2.4Ghz band. It's a pain to get clients to connect to the 5Ghz network. I have to mess with adapter settings since Windows does not list them separately.


Throughput Tests: (Wireless)

I will be using LAN Speed Test for the throughput tests and PRTG to generate the graphs. PRTG is also comprehensive enterprise-level network monitoring software that can record uptime, transfer rates, errors, etc.

Test environment: (Set 1)

Specs of Building: This is going through about 32 ft through 2 walls, a solid all-wood dresser, and a chimney. The room has plaster walls in some places. 

Specs of server (my machine in the same room as the Z1): Intel i5 3570K/16GB Corsair XMS3 DDR3 1600 RAM/Nvidia Geforce 650Ti/Samsung 840 120GB SSD/Windows Server 2012 Standard/Realtek GBE NIC

Specs of client: (remote machine in other room): AGNXAndrakon/AMD Phenom 9650/4GB Corsair XMS2 DDR2 RAM/Nvidia Geforce 650Ti/Samsung 840 120GB SSD/Windows Server 2012 Standard/Amped Wireless ACA1 USB WLAN connection:USB3 via a PCI-Express addon card.


5Ghz 802.11n mode: Channel 161 -64dBm

LAN speed test: 25 stream 6GB file: 8Mbytes/sec or 64Mbits/sec



 2.4 GHz 802.11n mode: Channel 11 -72dBm

Sensor Note: I created a separate 2.4Ghz sensor on PRTG to differentiate the two frequencies and also keep track of them separately. 

LAN speed test: 25 stream 6GB file: 7Mbytes/sec or 56Mbits/sec



 Test environment: (Set 2)

Specs of Building Test Run 1: 16Ft away thru a wood door hallway right outside the office where the Z1 is located. 

Specs of server (my machine in the same room as the Z1): Intel i5 3570K/16GB Corsair XMS3 DDR3 1600 RAM/Nvidia Geforce 650Ti/Samsung 840 120GB SSD/Windows Server 2012 Standard/Realtek GBE NIC

Specs of client: Toshiba/AMD A8 APU-4500M/6GB DDR3/ATI Radeon HD 7640G/600GB HDD/Windows 7 Home Premium 64 bit SP1/WLAN connection via a Realtek RTL8188CE PCI-E card

2.4 GHz 802.11n mode: Channel 11 -55dBm

LAN speed test: 25 stream 6GB file: 6Mbytes/sec or 48Mbits/sec







Throughput tests (Wired):

Specs of server (my machine in the same room as the Z1): Intel i5 3570K/16GB Corsair XMS3 DDR3 1600 RAM/Nvidia Geforce 650Ti/Samsung 840 120GB SSD/Windows Server 2012 Standard/Realtek GBE NIC

Specs of client: GrumpyCat/AMD Phenom 9550/4GB DDR2 RAM/500GB SSHD /Nvidia Geforce 8800GT/Windows 8.1 Enterprise 64 bit /NVIDIA nForce Networking Controller

LAN speed test: 25 stream 6GB file: 110Mbytes/sec or 880Mbits/sec




 Conclusion: 

The Meraki Z1 Security Appliance is highly recommended for a branch office with high connectivity demands, and it has a great level of control. It offers excellent stability, great throughput, and set-it-and-forget-it controls. The price is high; however, the reliability, ease of control and peace of mind you get are worth every penny of the cost, keeping in mind that you don’t need to know commands, be a high level network engineer, or sacrifice control. Price is the same as a high end consumer router but you get enterprise level features.



Pros:
- Ease of setup from pre-configuring online to plugging in
- Decent performance throughput
- Pretty good wireless transmitter power
- Excellent management software
- Very robust security controls and options
- Cloud configurability anywhere
- 3G/4G failover via USB dongle

Cons:
- No external antennas
- Not enough status LEDs to indicate activity


Rating: 9.8/10 
Recommended: Yes