"UniFi is the revolutionary Wi-Fi system that combines Enterprise performance, unlimited scalability, a central management controller and disruptive pricing." That's the pitch thrown by Ubiquiti Networks right off the homepage for their popular UniFi line of wireless access point products. In many respects, that statement is right on the money.
But as the old adage goes, sometimes you truly do get what you pay for. And when it comes to UniFi, that tends to be my feeling more and more, seeing the gotchas we have had to deal with. We've continued to choose their access points, primarily in situations where cost is a large factor for our end customer. Who wouldn't want Enterprise level features at a Linksys level price?
I give Ubiquiti more than a decent ounce of credit for its altruistic intentions in the wireless market. They've spent the better part of the last five years trying to offer up an alternative to the big boys of commercial Wi-Fi -- the Ciscos, the Ruckus, the Arubas, etc -- in the form of their UniFi line of products. With their entry level access point, the UniFi Standard (UAP) coming in at under $100 USD out the door, it's hard not to notice them when shopping for your next wireless system upgrade.
When it comes to hardware build quality and aesthetics, their access points are absolutely top notch. The flying-saucer-like design choice of their Standard, LR, and Pro series units looks super cool, especially with the added visual flare of the ring LED that adorns their inner sphere. Their included mounting bracket is easy to install on walls or ceilings, and the access point itself merely "twists" into place to secure for final usage.
I cannot forget to mention that the pure wireless prowess of these units, especially from the UniFi Pro which has become a certain favorite of ours, is simply amazing. At the low price point these little saucers command, the coverage area we can blanket with just a few APs is astonishing. And once configured, they rarely ever need reboots in production -- we have had numerous offices running for 8-10 months or longer between firmware upgrades without a single call from clients about W-iFi downtime.
But design and Wi-Fi power of the hardware itself is about where the fun with UniFi starts and stops.
One of my biggest qualms are with the way UniFi handles administration of its access points with the much-touted software controller that is included at no extra cost. While the new version 4 of the interface is quite clean, it's still riddled by a nasty legacy requirement: Java.
For the longest time, the UniFi controller refused to work properly with Java 8 on any systems I tried to administer from, and I had to keep clients held back on the bug-ridden Java 7 just to maintain working functionality with UniFi. OK, not a dealbreaker, but a pain in the rear. Not to mention the number of times the controller software will crash on loading, with only a reboot fixing the issue. The UniFi forums are full of threads like this discussing workarounds to the endless Java issues.
The software controller woes don't end there. For some new installs, the controller would refuse to "adopt" UniFi units at a client site -- forcing us to go through a careful tango of hardware resets, attempted re-adoptions, and countless manual adoption commands. After trial and tribulation, most units would then connect to the controller, with still some refusing, and ending up being considered DOA duds.
My distaste for the UniFi controller further extends into situations where you have UniFi boxes deployed at numerous branch offices, with control being rendered from a single controller. While Ubiquiti claims clean inter-subnet connectivity at standard layer 3, real world functionality of this feature is much more of a hit and miss affair -- more often than not, on the miss side.
Initial adoption between branches can be time consuming and experimental, and even when connected, units will show up as disconnected for periods of time even though you have a clean site to site tunnel which has experienced zero drops.
Another little "gotcha" that Ubiquiti doesn't advertise heavily, and which is complained about on forums regularly like here and here, is the fact that their cheapest Standard units don't use regular (now standard) 48v PoE. Thinking of deploying 10 or more of their cheapest APs on your campus using existing PoE switches? Not going to happen. You'll need to rig up a less-than-favorable daisy chain of special 24v adapters that Ubiquiti includes with their APs -- one per AP.
Ubiquiti of course offers their own special switches that can post 24v PoE, the ToughSwitch line, but this is little consolation for those that have invested in their own switch hardware already. And I see little excuse for them forcing this on shops, since their Pro and AC level units use standard 48v PoE. A nudged play on their part to get people to buy more expensive APs, or just a technical limitation they had to implement? Take your pick.
I'm not here to deride Ubiquiti on what is otherwise a fantastic piece of hardware. Their end to end execution, however, is where they suffer, but they aren't alone in failing to deliver a well-rounded solution on all fronts.
The common theme I see in the Wi-Fi industry over the last decade or so is that you have rarely been able to get a product that satisfies all of the usual "wants" from business-grade Wi-Fi hardware:
- Good price.
- Easy-to-use management system.
- Great radio hardware and coverage.
- Quality technical support.
- Consistent firmware/software updates.
And therein lies my issue with most of the common vendors in the game. Ubiquiti offers great pricing and hardware, but has a software-based controller with numerous issues and offers zero phone support. Cisco's Aironet line has great hardware and tech support, but comes straddled with expensive hardware controller requirements and complex management and setup. Ruckus sits in a similar arena as Cisco, with some premium pricing to match.
Since our focus is primarily the small-midsize business customers we support, we've been on the prowl for decently priced gear, that comes with rock solid support, ease of management, and ideally gets rid of the need for hardware controllers -- not only due to the added cost, but also the requisite replacement and maintenance costs that go along with such controllers.
Not all hope is lost. Luckily, we found a product line that meets nearly all of our needs.
Enter Meraki
Last year, we grew quite fond of a company called Meraki for their excellent hardware firewalls. To be fair, Meraki isn't its own company anymore -- it's a subsidiary of Cisco now, with some well-to-do rumors saying that Meraki's gear will one day replace all of Cisco's current first-party networking gear. I went so far as to pen a lengthy review of why we standardized on their MX/Z1 line of firewall devices.
After battling with similar hits and misses on the firewall side, toying with the likes of ASAs, Sonicwalls, Fireboxes, and other brands, I found a fresh start with what Meraki offered in firewalls. Competitive price points, in extremely well built hardware packages, with top notch all-American 24/7 phone support when issues arose.
As a growing managed services provider (MSP), our company decided to standardize on Meraki across the board with regards to routers and firewalls. If a customer wishes to use us for managed support, they're either installing a Meraki firewall, or paying a premium for us to support the other guys' gear. That's just how heavily we trust their stuff for the clients who likewise entrust us for IT system uptime and support.
While we had been using Ubiquiti's UniFi access points for a few years already, biting our tongues about the less-than-desirable Java-based software controller, we weren't content with the solution for our most critical client Wi-Fi needs.
Meraki actually offered a webinar with a free (now extinct) MR12 access point, and since then we got hooked on the Meraki magic, as we call it. We used the unit to provide our own office with Wi-Fi until we moved late last year into our current space, and upgraded to the beefy entry-level MR18 access point. The WAP is pretty centrally mounted in our squarish 1300 sq ft office and provides stellar dual-band coverage for our space.
We even decided to pit the Unifi Pro AP against the MR18 and for all intents and purposes, coverage and speed levels were neck and neck. Seeing as the Unifi Pro was a known quantity for us in terms of coverage and stability, this was great to see that Meraki's MR18 was as good as what Ubiquiti was offering us for some time already.
In terms of hardware selection, Meraki offers a competitive set of (6) distinct options that are not overbearing (unlike Engenius, which at any given time has over a dozen access points available) but offers enough choice given the scenario you are installing into.
Our go-to units tend to be the MR18 (802.11a/b/g/n with dual band 2.4/5GHz) or the MR32 (802.11a/b/g/n/ac/bluetooth with dual band 2.4/5GHz). The MR18 is the most cost effective option from Meraki, with the MR32 being installed in situations where AC future proofing is a requirement.
Both WAPs perform similarly in terms of coverage area per unit, with the MR32 having double the potential bandwidth if the right requirements are met on the client side. I wrote at length about the concept of high-bandwidth Wi-Fi and other related topics in a piece on Wi-Fi best practices from last month.
I will note that for some situations, where we are replacing a client's firewall with a Meraki device anyway, we sometimes opt for the Wi-Fi-enabled versions of their routers. The full-size option most SMBs we work with tend to go with an MX64W in such cases, or for very small (or home) offices, the Z1 has been the little champ that could.
I personally use a Meraki Z1 in my own home condo, and have no issues with coverage -- but it definitely cannot compete on par with the beastly radios in a unit such as the MR18. It's about half as powerful as far as coverage goes in my unscientific estimates.
Meraki = No More Hardware Controllers
If you're coming from the lands of Cisco Aironet, Ruckus, Aruba, or any of the other competitors to Meraki (other than Unifi or Aerohive) then you will be quite familiar with the concept of the hardware controller. It's an expensive device, usually starting at $1000 on its own plus licensing, that sits in your network to perform one function: tell your WAPs what they should be doing.
In the era of ever-pervasive connections to the wider web, why in 2015 should we consider this the gold standard of Wi-Fi system control? While the likes of UniFi prefer to rely on a pudgy locally-installed software controller, Meraki has built a cloud-based infrastructure to provide command and control for its MR line of access points.
Meraki ditched the flawed concept of hardware controllers, and instead unified its entire management platform under a single, web-based cloud dashboard. It doesn't cost any extra, doesn't require you to pin up any servers of your own, and it's constantly updated and maintained by the experts.
For all the cloud-detractors out there, don't point your "I distrust the cloud" wands at this solution unless you've tried it. The number of times I haven't been able to access my Meraki dashboard in the last year I can count on one hand -- and even these times were brief, with no on-premise networking gear being affected.
When the cloud dashboard has issues or goes down for maintenance, all of the connected devices which rely on it go into locally-managed mode which only affects management functions related to making changes or running reports. It's a quite ingenious design that leverages the power of the cloud, but is fully prepared for times when internet access may fall out for periods.
This leads into another neat aspect of the Meraki cloud controller system: all of the devices under the Meraki flag are controlled in a single, unified dashboard. If you're like our company, with a Meraki firewall and access point(s), then you have one single place to log into to manage all aspects of your network.
Add in switches or their MDM Systems Manager platform, and your management overhead doesn't increase any. You just get extra tabs on your dashboard to jump between.
So think about what we used to do back in the day to manage all the pieces of a growing business network. Your firewalls all had local interfaces which had to be dialed into for management -- like the Java-reliant ASDM for your Cisco ASAs. Switches all had a command line or hideous web-based interface. Wi-Fi access points may have had a hardware controller or separate software controller, like UniFi offers.
Meraki tosses that nasty, bungled mess out the window in favor of one interface with seamless oversight across all aspects with just a few clicks of the mouse. Need to put a wrench on nefarious visitors on the guest Wi-Fi? You can find out what services they have been abusing and create policies to filter that particular traffic out, and further create bandwidth limits on the guest SSID -- all from the same dashboard in a matter of minutes.
Tasks like the above, which would have taken numerous interfaces and sequences to resolve, are child's play on the Meraki dashboard. Things that used to take potentially hours to implement and test can now be done in mere minutes. For our clients and my company, time is money, and I'm no longer losing both to handle menial tasks.
Firmware Updates are Automatic and Hands-Off
In my Meraki firewall review from months ago, I discussed at length the security problem that the networking industry exacerbates with the way they handle firmware updates. That is, firmware is either an afterthought entirely or a chore to update -- and many times, plagued by both issues.
Only half a year ago, hacking team Lizard Squad exemplified why it's critical that we take firmware updates seriously with the network gear we deploy in the wild. To their credit, they took advantage of legions of home (and some business class) routers with their DDoS attack tool and wreaked havoc on the large Xbox Live and PlayStation Networks on Xmas Day 2014.
In plain terms, that little Linksys or Cisco in your home or office closet could very well have been an unknowing compatriot in Lizard Squad's botnet of compromised attack routers. It doesn't take an expert to figure out that this may have been just the tip of the iceberg. Why can't other devices, like WAPs, be next? It's naive to think they can't.
Meraki has an update model which should be applauded in my eyes. They take the responsibility away from the end-user, which likely will not have the ability or patience to perform timely updates, and brings this back onto the vendor's back. The cloud controller network that provides maintenance and configuration capability for their WAPs is the same one which automates the update process.
The only thing you have to choose is your update schedule. No worrying about different .rom or .rox files or whatever. The WAPs download their newer firmware, as released, and update according to your predefined schedule.
If you wish to play with beta firmware, there's a channel you can opt to be on right within your dashboard. We do this for our own office MR18 and firewall, but naturally, choose to have all clients on the stable release channel.
What's That Meraki Magic You Speak Of?
In my previous piece covering Wi-Fi best practices, I dug into many of the value-adds that make managing Meraki Wi-Fi networks so clean and simple. But I'll touch on some of the most important things which can be accomplished out of the box on these access points.
One of the very first things we setup for nearly every new Meraki Wi-Fi installation is traffic shaping for the purpose of bandwidth throttling. Think about it: your visitors rarely need as much bandwidth for their Facebook and YouTube browsing, compared to your internal staff. Why not ensure they aren't using larger pieces of the pie than they should be entitled to? Traffic shaping allows you to set per-SSID bandwidth controls (with manual overrides per client, or sets of clients) as needed.
I can use the same configuration page to then also apply QoS policies for things like VoIP so that voice traffic can always have the fastest lanes compared to other, less critical traffic. Remember, changes made here are applied to all access points in a single save -- I don't have to configure each individual WAP, like I had to back when we used Engenius access points at client sites years back.
Some organizations, especially those who offer storefront guest Wi-Fi for their patrons, may want to shut down their Wi-Fi SSIDs at night or on weekends when no one should be accessing them. Instead of having to manually shut down their Wi-Fi, Meraki offers integrated SSID scheduling which can do this for you according to predefined schedules. It's a great way to secure your network infrastructure during off-hours.
For large and complex guest Wi-Fi networks, like one we recently installed for a big banquet hall, Meraki offers integrated NAT DHCP service that offers up near endless addresses on the 10.0.0.0/8 subnet. This means we don't have to worry about providing addresses to these visitors, further removing stress from internal DHCP servers and giving that responsibility to the Meraki cloud.
Another neat item which helps keep the 2.4GHz spectrum open for those devices which need it is Meraki's Band Steering functionality. For WAPs that are on dual band operation, which is pretty much any standalone current Meraki WAP for sale, they will force 5GHz-capable clients to that band and keep the 2.4GHz channels open for older devices. For highly congested scenarios with large client counts, this is key for keeping Wi-Fi operational and in optimal condition for the biggest number of users.
For offices where the highest levels of security must be maintained, such as HIPAA scenarios, VLAN separation between SSIDs is also an easy function to configure right on the dashboard. In combination with firewall rules, 100% segmentation between sets of subnets can be achieved across different SSIDs off the same access points.
Some techs don't have the best experience with knowing how to properly channel map their Wi-Fi deployment between WAPs, and therefore Meraki allows you to use the dirt-simple Auto RF functionality in their dashboard. Meraki WAPs in a given network will constantly scan across all available channels and re-configure their channels of choice based on surrounding circumstances. This means that WAPs will not only optimize for usage based on internal interference within your organization, but more importantly, for external interface outside of your wall which you rarely have much control over.
You can find dozens of other interesting value-added features which come as part of the standard Meraki software package on the official MR datasheet. I've only touched on the most common ones which we are frequently deploying in the wild.
Simple, Uniform Licensing
One of the other aspects about Meraki which I love is the simple per-device licensing model they employ. There are no separate licenses for WAPs, hardware controllers, or support. It's a single license that gets applied to any WAP you purchase, what they call the Enterprise License.
Before you ask, yes, the license is required for the life of the unit. If you choose a three year license and want to use the WAP past the third year, you need to re-up your license. But this model makes perfect sense, because this single license entitles you to all of the following:
- 24/7 American based engineering support. I didn't call this merely customer support, as some companies offer, with escalation to engineers only when warranted. If my experiences are representative, every call into Meraki support connects you with an engineer on the first go-around. This means that you are immediately speaking to someone who can solve even the most complex issues with large rollouts. We take advantage of Meraki support all the time because these guys/gals do an awesome job. It's by far one of the best support centers I've dealt with from a vendor. When you call in, you're asked for your name, email, and customer number -- and that's it. Your ticket gets tacked into your same cloud dashboard which you can easily track, re-open, etc.
- Cloud Dashboard access. I went into detail about the power of the cloud dashboard above, and this value-add actually comes as part of the Enterprise License. You can read about its prowess above, but remember, this always-on, always-up-to-date service is supported and maintained by Meraki and not by your own IT support. One less detail to keep up and running or worry about.
- Next day advanced hardware replacement warranty. If an access point (or any Meraki hardware device) dies while licensed, Meraki will ship a replacement via next day air at no cost to you, no questions asked.
- Automated firmware updates. I mentioned this already, but it's an important distinction between how other companies handle firmware updates. Set it and FORGET it when it comes to updates. While Ronco famously made this a tagline in the States, Meraki has taken this concept to a new level which I truly appreciate in every way. And for those curious, no, I have not had a single client device get fried or otherwise experience issues from these automated updates.
You have the option of getting 1, 3, 5, 7, or 10 year licensing for your devices, with increased discounts per-year as you move up the license line, naturally. As a practical matter, and a balancing act when it comes to client budgets, we usually choose 3 or 5 year licensing for our clients.
Since their licensing is the same across the entire MR line of access points, this means you can easily upgrade to newer models down the road and NOT lose your licensing. You can merely disassociate the older models from the dashboard and add in the new ones, and the system will automatically assign the licensing to the new devices.
Licensing doesn't have to be tied to serial numbers; Meraki merely cares that the # of access points in your account matches the # of access points assigned by your paid licensing. Straightforward and simple in my eyes.
Packaged With An Attention to Detail
I'm not one to go into the finer points of product packaging in the usual way that endless "unboxing" reviews prefer to. I care much more about the functional design and operation of a product then how nicely it fits into a box.
But this is one instance where I wanted to point out something that differentiates Meraki from the crowd. They have an immaculate attention to detail when it comes to their hardware packaging, as seen below:
(Image Source: YouTube)
Why does this even matter? Because for anyone that has been on the installing end of Wi-Fi access points, they know that the hardware and accessories bundled with a WAP can turn a 30 minute install into a multi-hour affair quite quickly. I had to mount a new MR18 for a healthcare client who is expanding an office just last week, and I was quickly reminded of how Meraki considers their experience premium from start to finish -- literally.
The necessary hardware for mounting your WAPs on walls, ceilings, in wood or plaster, and even on suspending ceiling braces, is all included in every WAP you purchase. No second guessing on whether you will be able to mount your new WAP on the material and position of your choosing.
While not shown specifically, all of the Meraki access points I have encountered are also bundled with premium backplates that are used as the actual brackets which the WAPs are slid onto. This makes mounting/unmounting of WAPs for maintenance or other needs easier, and also reduces damage that unevenly installed mounting screws do on your expensive gear.
I think some people call this "Apple level boxing" of product. Yes, it meets that standard.
Where Meraki Can Improve
While excellent in most areas, Meraki has room to grow and fix some issues. No vendor is without its downfalls.
Just like I mentioned in my MX firewall review earlier this year, Meraki is guilty of imposing some of the most arcane purchasing procedures for product that I have ever seen. Simply put, all of their gear has to be shipped directly from their main warehouse in California for US-based purchases. Unlike other gear that I can purchase at a moment's notice for clients from suppliers like CDW or Ingram Micro, Meraki imposes hyper-mediated policies that surround gathering information up front on end-customer information, prior to any gear shipping out.
This leads to either dealing with near week long lead time for any gear necessary, or paying for expensive two day or next day air for time sensitive needs. In today's market of being able to procure nearly any product under the sun from a bevy of supplier warehouses, many local to us in Chicago, this is the most painful part of dealing with Meraki product purchasing. In many cases, for emergencies where older gear needs to be changed out same-day, we cannot go with Meraki even in cases where the customer would have wanted to.
Another gotcha which is a part of the Meraki world is the fact that any gear which loses licensed status, over a 30 day grace period, ceases to function. Some may see this as a downside of moving into a cloud-managed era, but it does not bother me that much. There is a lot of value-add that goes into what Meraki offers, in terms of support, cloud management, and updates, and this isn't an endless bucket of benefits you can get with a one time payment. I just want to make sure potential buyers are aware of this before chastising Meraki on the flipside when they refuse to re-up their licensing.
Meraki was featured in a case study as part of Issue 4, Volume 27 of the International Legal Technology Association Magazine. (Image Source: ILTA)
A minor complaint which I have at their general MR product line is that they don't have an AC-enabled offering inside any device lower than the MR32. Seeing as Meraki is a premium product to begin with, it would be nice to see the MR18 (or a similar-class entrant) offer 802.11AC to keep pace with what Ubiquiti now offers at lower pricing with its UniFi AC WAP. In a year or so, it will be inexcusable to not have AC across the entire line of WAPs they offer.
And finally, for those who may be commingling Wi-Fi broadcasts from Wi-Fi-enabled routers (like the Z1 or MX64W) and Meraki's true standalone WAPs in a single network, the current state of affairs is far from an ideal situation. We have one such client, a talent agency, which has an MX60W and an MR12 at their headquarters, and the way in which Wi-Fi oversight is managed between the devices is far too rigid. It's almost as if Meraki never intended situations where Wi-Fi-enabled routers and WAPs shared the same space. This needs to improve so that management of these signals can be unified with the same feature set across all Wi-Fi-enabled devices Meraki makes.
Closing Words
At the beginning of this piece, I had a wish list which covered all of the things that I was yearning for in a great Wi-Fi solution. How does Meraki stack up against these line items?
- Good price: Yes.
- Easy-to-use management system: Heck yes.
- Great radio hardware and coverage: Heck yes.
- Quality technical support: The best.
- Consistent firmware/software updates: Yes.
The vendor isn't without its flaws, as I mentioned in the previous section. But I'll give them a fighting chance to make it right in those areas since they hit a home run in so many other respects. From a best in class cloud management system, to effortless automated patching, to high quality hardware that ranks up there with the household names we already know of like Cisco Aironet and HP and Ruckus.
To be completely honest, I was tired of solutions that only gave us 80% of what we wanted. Great hardware and coverage but buggy, Java-based software controllers. Or, excellent price points but hardware controller requirements and a lack of vendor support. Mix and match whatever recipe you wish; we've seen all possible combinations out in the wild.
Meraki offers up a truly enterprise class solution under a single umbrella which integrates seamlessly with its other network device pillars, like routers/firewalls and switches. As such, building complex, multi-branch networks that can be easily managed isn't an oxymoron any longer. It's quite easy to accomplish, and we manage such networks with ease on a daily basis now without the sweating associated with overseeing competing vendors' network gear.
We've been standardizing our managed services (MSP) customer networks under the Meraki flag for over a year now, and will continue to centralize on their solutions until someone can do it better at the same price point.
The future of software defined networking is clearly seated in the power of the cloud -- a cloud Meraki's been busy paving as a roadmap for the rest of the competition.
Derrick Wlodarz is an IT Specialist who owns Park Ridge, IL (USA) based technology consulting & service company FireLogic, with over eight+ years of IT experience in the private and public sectors. He holds numerous technical credentials from Microsoft, Google, and CompTIA and specializes in consulting customers on growing hot technologies such as Office 365, Google Apps, cloud-hosted VoIP, among others. Derrick is an active member of CompTIA's Subject Matter Expert Technical Advisory Council that shapes the future of CompTIA exams across the world. You can reach him at derrick at wlodarz dot net.