Thank you to Chintan Patel for his invaluable expertise and insights on the topic of Meraki MDU design. He was instrumental in giving me the inspiration to write this blog.
In a previous blog article, I discussed the growing demand for wireless network deployments in the expanding MDU market and why now is the perfect time for MSPs to enhance their managed services offerings to address this market. Due to numerous questions and requests for more information, I’ll address many of these in a part two by summarizing how Cisco Meraki approaches these issues by providing a more technical overview of its implementation.
For MSPs, choosing the right network platform is crucial for several notable reasons. The ideal solution should be operationally efficient, reducing the complexity and costs of managing multiple individualized networks. It should also provide a superior customer experience by enabling seamless roaming capability, robust security, and optimized performance. A quality and reliable service offering typically improves customer stickiness, fostering long-term relationships and reducing churn. Additionally, the right platform opens opportunities for managed services growth, enabling MSPs to offer additional services, from advanced security solutions to smart home integrations and more. Lastly, with a more holistic approach, MSPs can meet the current demands of the MDU market while positioning themselves for sustained growth and profitability.
Without further ado, let’s delve into the details.
Let’s Start Off with the Technical Problem Statement
Personal devices such as smartphones (iPhones and Android phones), tablets, Apple TVs, Chromecast devices, Google Home, Amazon Alexa, video game consoles (like Microsoft Xboxes and Sony PlayStations), and Sonos Music Players use discovery protocols like Bonjour, mDNS, UPnP, and DLNA to easily find and connect to other devices on the same network. However, in a shared network infrastructure (e.g., many users sharing the same network subnet), this seamless experience quickly deteriorates as too many devices are discovered, raising privacy and security concerns.
How can I ensure User A doesn’t see User B’s devices? How do I keep my devices secure and private from others? How can I make the network behave like a private home network?
Cisco Meraki Feature: Wireless Private Networks / Wi-Fi Personal Networks (WPNs)
A Wireless Private Network or Wi-Fi Personal Network (WPN) is a dedicated, virtualized network construct that operates over a shared physical network but provides users with a secure and private connection. By segmenting the network into individualized, isolated virtual networks, a WPN ensures that each user’s data and devices remain confidential and protected from other users on the same shared infrastructure. This approach mitigates the privacy and security issues commonly associated with shared networks, allowing for seamless connectivity experiences without the risk of unauthorized device discovery or data breaches. WPNs are particularly effective in environments like MDUs, where numerous users share the same network but require secure, individualized access.
How Does Cisco Meraki Implement WPN?
Cisco Meraki addresses this problem by defining WPNs, an innovative solution available only on supported MR wireless access points. WPNs segment the shared wireless network on a per-user basis using identity Pre-Shared Keys (iPSKs). This allows each user to securely connect all their devices with a unique, per-user wireless password. By leveraging iPSKs, each user on a guest wireless network can authenticate and associate their personal devices with a distinct password. The MR access points then separate guest wireless traffic into different iPSK groups using WPN ID numbers, unique identifiers carried in a generic UDP encapsulation header. This ensures that packets are forwarded only between devices with the same WPN ID. As a result, users can connect their devices to a shared wireless network while maintaining privacy and security, creating a home-like experience where they can only connect and cast to their own devices.
Here are the steps required to configure WPNs for a user, presented in a straightforward workflow:
Step 1. Login: A student named Mia logs into the SplashAccess self-service portal using her university credentials. Note: SplashAccess integrates natively with major identity providers like Active Directory (AD), Azure AD, LDAP, and G Suite.
Step 2. Generate Key: Mia generates her unique Pre-Shared Key (PSK). A QR code is created, which can be used to onboard her devices. The PSK can also be viewed, updated, or printed.
Step 3. Push to Dashboard: The PSK is pushed from SplashAccess to the Meraki Dashboard and assigned to a group policy based on settings in the SplashAccess admin portal.
Step 4. Push to APs: The pre-shared key is then pushed to the Meraki Access Points (APs) in the network.
Step 5. Connect Device: Mia uses the PSK generated in Step 2 to connect her laptop to the SSID named “Dorm.”
Step 6. Assign WPN Group: Mia’s laptop is assigned to WPN group 100, and traffic from her laptop is tagged with WPN ID 100.
All user devices using the same password to connect will automatically be part of the same WPN, ensuring that the users will only discover their personal devices when searching for services on the network.
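To make the forwarding rule described above concrete (packets cross the AP only between clients carrying the same WPN ID, and every device joined with the same iPSK lands in the same WPN), here is an added example that is not Meraki code. It models the AP as a simple Python class: the WPN ID is a plain integer rather than Meraki's real encapsulation header, and the tenant keys, MAC addresses, and Mia's neighbour "Leo" are constructed sample data; only Mia's WPN ID 100 comes from the walkthrough. The same class with `wpn_enabled=False` reproduces the flat shared-SSID behaviour from the problem statement for comparison.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MDNS_MAC = "01:00:5e:00:00:fb"   # IPv4 mDNS multicast group MAC (224.0.0.251)
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str

class WpnAccessPoint:
    """Simplified AP: associates clients by iPSK and tags them with that key's WPN ID.
    wpn_enabled=False models a flat shared SSID; True forwards only within one WPN ID."""
    def __init__(self, psk_to_wpn: Dict[str, int], wpn_enabled: bool = True):
        self.psk_to_wpn = psk_to_wpn
        self.wpn_enabled = wpn_enabled
        self.client_wpn: Dict[str, int] = {}   # associated MAC -> WPN ID

    def associate(self, mac: str, passphrase: str) -> Optional[int]:
        wpn = self.psk_to_wpn.get(passphrase)
        if wpn is not None:                    # unknown key: association refused
            self.client_wpn[mac] = wpn
        return wpn

    def _visible(self, mac: str, wpn: int) -> bool:
        return not self.wpn_enabled or self.client_wpn[mac] == wpn

    def forward(self, frame: Frame) -> List[str]:
        """Return the client MACs that receive the frame (empty list = dropped)."""
        wpn = self.client_wpn.get(frame.src_mac)
        if wpn is None:
            return []
        if frame.dst_mac in (MDNS_MAC, BROADCAST):   # discovery traffic stays inside the WPN
            return sorted(m for m in self.client_wpn if m != frame.src_mac and self._visible(m, wpn))
        if frame.dst_mac in self.client_wpn and self._visible(frame.dst_mac, wpn):
            return [frame.dst_mac]
        return []                                    # cross-WPN unicast is blocked

# Constructed sample tenants: Mia's key maps to WPN 100 as in the walkthrough; Leo is a neighbour.
PSK_TO_WPN = {"mia-dorm-key": 100, "leo-dorm-key": 101}

def dorm_scenario(wpn_enabled: bool) -> Dict[str, List[str]]:
    ap = WpnAccessPoint(PSK_TO_WPN, wpn_enabled)
    ap.associate("aa:aa:aa:00:00:01", "mia-dorm-key")   # Mia's laptop
    ap.associate("aa:aa:aa:00:00:02", "mia-dorm-key")   # Mia's Chromecast
    ap.associate("bb:bb:bb:00:00:01", "leo-dorm-key")   # Leo's phone
    return {
        "mia_discovery": ap.forward(Frame("aa:aa:aa:00:00:01", MDNS_MAC, "_googlecast._tcp PTR?")),
        "leo_to_mia_cast": ap.forward(Frame("bb:bb:bb:00:00:01", "aa:aa:aa:00:00:02", "cast")),
    }

if __name__ == "__main__":
    print("flat SSID:", dorm_scenario(False), "\nWPN SSID: ", dorm_scenario(True))
```

With WPN enabled, Mia's mDNS query reaches only her own Chromecast and Leo's attempt to reach it is dropped; on the flat SSID both tenants see and can reach each other's devices.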
For detailed, step-by-step instructions on enabling WPNs on the Meraki Dashboard, please refer to this technical document.
Leveraging Meraki Group Policies alongside WPNs
In a typical MDU deployment, key functions and service settings are configured using Meraki Group Policy to ensure optimal network performance and security. These settings include bandwidth allocation to ensure fair usage among users, traffic prioritization to manage high-priority applications, and security measures such as firewall rules, content filtering, and intrusion prevention. Additionally, device management policies for devices and access controls for secure, role-based network access can be configured. These group policy settings collectively help create a robust, secure, and efficient network tailored to meet the specific needs of MDU environments.
Binding User and Identity Pre-Shared Key (iPSK) Configuration
WPNs can be configured for both small and large deployments using two main options: manually assigning WPNs/iPSKs per user or leveraging RADIUS authentication. In smaller deployments, network administrators can manually assign unique identity Pre-Shared Keys (iPSKs) to each user, ensuring secure and individualized network access. For larger deployments, RADIUS servers may be integrated to automate the assignment and management of iPSKs, streamlining the process and enabling scalable and efficient network segmentation and security. Both methods ensure each user has a secure, private connection within the shared network infrastructure.
For detailed step-by-step instructions on configuring WPN/iPSK with and without RADIUS, refer to the referenced Meraki documentation.
Solution Approach for Deploying the Shared (Physical) Network Infrastructure in MDU Settings
In-Room Deployment (Best Performance/Recommended) for Guest Rooms
For the best wired and wireless experience, deploy Access Points (APs) directly in each guest room. This setup ensures the highest signal strength and performance. In this approach, both wireless and wired network access can be delivered over a single Ethernet run, thereby saving on cabling costs. Set transmit power to lower levels and configure a higher minimum bitrate to reduce co-channel contention. Use Auto Channel and Auto Transmit Power settings for optimal performance, and include hallway-based APs for seamless roaming.
In-Room and Hallway Split (Moderate Performance/Recommended)
This more cost-effective approach involves installing APs to cover multiple rooms, typically in a zig-zag pattern. This design supports most use cases while reducing the number of required APs. Set transmit power to medium and configure a moderate bitrate. Again, use Auto Channel and Auto Transmit power settings for optimal performance and include hallway-based APs for seamless roaming.
Note: For additional guidance on designing, implementing, and operating wireless networks in a hospitality environment, refer to the Cisco Validated Design (CVD) guide.
Automating the User Onboarding Workflow
Many of the steps involved in the workflow for users to create and access their WPN, as well as the initial setup required on the network administrative backend, can be automated using Meraki APIs. In addition, Cisco Meraki has established strong partnerships with technology vendors that integrate with various Property Management Systems and Point of Sale systems. This blog, along with the referenced Meraki documentation, highlights how Meraki marketplace solutions like SplashAccess can be used to offer user-friendly network solutions tailored specifically for various MDU deployments. Numerous pre-packaged customizations, targeting sectors such as education, retail, senior living, and other common use cases, are also currently available.
Why the WPN Solution Approach is Better Technically and Operationally
Deploying multiple individualized wireless networks in an MDU setting is highly inefficient, leading to administrative complexity, higher operational costs, and technical issues such as inefficient RF spectrum usage, increased channel interference, and reduced performance. Connectivity disruptions and limited seamless roaming further degrade the user experience. In contrast, a centralized managed network platform like Cisco Meraki offers a comprehensive management system with tools for deployment, troubleshooting, and ongoing maintenance. This approach ensures optimized performance, streamlined administration, and quicker issue resolution. Additionally, the WPN feature enabled by the Cisco Meraki platform provides the best of both worlds by addressing security and privacy concerns while leveraging the benefits of a centrally managed platform. By implementing WPNs, each user enjoys a secure, private connection within the shared infrastructure. By leveraging a centralized platform, MDUs can achieve efficient, scalable, and high-performing network environments that significantly enhance the end-user experience, setting them apart from makeshift single-unit design/deployment solutions seen in other solution designs.
The Network Platform of Choice
To summarize, the Cisco Meraki platform is the ideal choice for addressing the MDU market due to its unparalleled simplicity in management and superior end-user experience. It eliminates the need for external Network Access Control (NAC) solutions and does not require the device MAC registration that other wireless solutions rely on. Cisco Meraki’s approach makes deployment and management a streamlined experience for all involved. Additionally, with marketplace solutions like SplashAccess generally available, the integrated solution can be easily implemented, enabling quicker time to market for a seamless and comprehensive MDU experience. Together, these features make the Cisco Meraki platform the most robust, scalable, operationally efficient, and user-friendly solution available on the market.
Visit the Cisco Partner Managed Services SalesConnect page for recordings of previous MS VoE sessions, including the recording of the Cisco Meraki MDU Design MS VoE session.
Check out my latest blogs for insights into Managed Services opportunities for MSPs.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with #CiscoPartners on social!