Christian Aid Meraki Network in Numbers

Here are some details about our global Meraki network:

2 models of office (soon to be 3)

We have a variety of different sized offices and, since we use donated money, a responsibility to spend it wisely.  So we opted to go with two models.  One for larger offices, and one for smaller offices.

Large office

The large offices have between 10 and 50 staff, and are often spread over quite a large area, and sometimes multiple floors.  For these offices we chose the MX80 Security Appliance, with one or two MR16 Access Points.

Small office

A small office is anything with more than 1 and fewer than 10 staff.  For these offices we opted for an MX60W Security Appliance, which combines the functionality of a Security Appliance with a wifi radio.

Emergency/micro office

I’ve recently been looking with interest at the Z1 teleworker gateway, which has all the functionality of the MX60W, but at a lower price, and more compact.  I’ll be shipping off our first Z1 to our office in Tacloban, Philippines later this month.  Given the cost and compact nature, I hope we can keep some of these in reserve for emergency response – they will make setting up a secure working environment in situations like Nepal much faster and easier.

27 offices in 26 developing countries

Christian Aid Meraki Networks

Some networks are combined in the above map – there are three networks in DR Congo for example. Offices in Kathmandu, Nepal, Managua, Nicaragua and Tacloban, Philippines are yet to come online.

7 offices in UK

UK Meraki offices Aug 3 2015

This will increase to cover a total of 18 offices, including our offices in Dublin, Ireland and Madrid, Spain.

1.06 TB transferred by over 4000 clients in the last week

Clearly we have a lot of people visiting our offices.  We don’t have nearly that many staff!

72 devices deployed

  • 1 MR12 Access Point (our first device, given free by Meraki to get us hooked – it worked)
  • 18 MR16 Access Points
  • 16 MR18 Access Points
  • 16 MX60W Security Appliances with WiFi
  • 13 MX80 Security Appliances
  • 1 MX100 Security Appliance (at HQ as the VPN hub)
  • 1 MX64W Security Appliance with WiFi
  • 2 MX64 Security Appliances (no WiFi)
  • 1 Z1 Teleworker Gateway – waiting to be shipped to Tacloban, Philippines.

My Meraki Journey

One of the things I’ve enjoyed most in the last couple of years in my job has been rolling out and using Cisco Meraki networking equipment across the 29 offices Christian Aid has in the developing world.

The whole experience of learning about the devices and service, designing our implementation, rolling out, and then supporting and using Meraki daily has been fun, which hasn’t been something I’ve found myself saying about other projects I’ve worked on such as SharePoint or Cisco ASAs. Meraki just hasn’t been as challenging, but in a good way – I’ve managed to achieve so much without increasing blood pressure or tearing any hair out on the way. I have had to put my technical knowledge and skills to use for sure, but in a more graceful way that has just been more…pleasant.

In upcoming posts I want to share what I have done with Meraki, because I think that anyone who wants to achieve the same things with their network can do it most easily with Meraki and should consider it.

In posts over the next couple of weeks I’ll be covering the following things:

  • Global VPN
  • Standardised WiFi networks
  • Mobile Device Management
  • Bandwidth Management
  • Sharing networks and internet connections with other organisations and the public

I hope you are interested in coming along with me for some of the journey.

Running Windows Remote Server Admin Tools with a different account

Using a separate admin account is common in the Unix world. At Christian Aid we adopted separate admin accounts for staff in the ICT Services teams to give increased security.

One annoying thing about this is that Windows tools based on MMC don’t easily run as a different user AND with elevated permissions (confusingly referred to as Run as Administrator in the UI). We had been working around this by remoting to a server and then running the tools from there while logged in with an admin account.

That’s a bit of a pain though, right? It would be much better to just run the tools locally as the admin user.  It can be done by editing the shortcut to each item in Administrative Tools like this:

runas.exe /user:DOMAIN\adminuser "cmd /c Start /B app.mmc"

Obviously adjust DOMAIN\adminuser as appropriate.

Putting the whole “normal” run command behind a cmd is necessary for some applications that require additional flags, and works for those that don’t too.

Here is a list of commands that work on my copy of Windows 7:

  • Administrative Center: runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dsac.exe"
    This requires Run as administrator. If it isn’t ticked, nothing will happen.
  • Domains and Trusts: runas.exe /user:DOMAIN\adminuser "cmd /c Start /B %SystemRoot%\system32\domain.msc"
  • Sites and Services: runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dssite.msc"
  • Users and Computers: runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dsa.msc"
  • DNS: runas.exe /user:DOMAIN\adminuser "cmd /c Start /B dnsmgmt.msc /s"
  • Group Policy Management: runas.exe /user:DOMAIN\adminuser "cmd /c Start /B gpmc.msc"

Use this approach for any application that needs to run as a different user (always the same one), with elevated privileges, or both.

/savecred security hole

Anyone using this can add a /savecred flag to the runas command, which allows storage of credentials.  The first time you use a shortcut like this, you’ll get asked for the user’s password in a command window.  The /savecred flag means the credentials get stored in Windows Credential Manager, and you won’t need to enter them every time.  That’s convenient, but it does mean that if the computer and Windows account are compromised, an attacker is a click away from your admin interfaces!
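To check where /savecred is in use on a workstation, the following PowerShell audit is an added example, not part of the original post. It assumes shortcuts live in the standard Desktop and Start Menu folders, and it relies on runas storing its credentials under a target containing "interactive=".

```powershell
# Added audit example, not part of the original post.
# Reports shortcuts that call runas with /savecred, and the credentials
# that runas has stored in Windows Credential Manager.

# Assumption: shortcuts live in the standard Desktop / Start Menu folders.
$roots = @(
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
) | Where-Object { Test-Path $_ }

$shell = New-Object -ComObject WScript.Shell

$flagged = @(
    Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $isRunas = $lnk.TargetPath -match '(?i)(^|\\)runas(\.exe)?$'
            if ($isRunas -and $lnk.Arguments -match '(?i)/savecred') {
                New-Object PSObject -Property @{
                    Shortcut  = $_.FullName
                    Arguments = $lnk.Arguments
                }
            }
        }
)

# runas /savecred entries show up in "cmdkey /list" with a target of the
# form Domain:interactive=DOMAIN\user. Matching on "interactive=" avoids
# depending on the localised "Target:" label.
$stored = @(
    cmdkey /list | ForEach-Object {
        if ($_ -match '(?i)\S+:interactive=.+$') { $Matches[0].Trim() }
    }
)

"Shortcuts using runas /savecred: $($flagged.Count)"
$flagged | Format-List Shortcut, Arguments
"Credentials stored for runas: $($stored.Count)"
$stored

# After review, remove an entry with:  cmdkey /delete:"<target>"
```

Run it as the standard (non-admin) user, since Credential Manager entries are stored per Windows account.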

Pioneer A4 speaker WiFi tweaks

I have a Pioneer A4 Airplay speaker connected by WiFi to a Technicolor TG582n router. After playing around with configuration settings as described on npr.me.uk I managed to disconnect the A4 speaker from the WiFi network.

So I decided to experiment with different combinations of settings to see if I could find which work.

  • STBC – with this enabled, the connection does work – initially I thought it didn’t but was able to get it working with the A4 next to the router.
  • CDD – with this enabled, the connection does work.  This provides better coverage, so worth using.
  • AMSDU – with this enabled the connection does work.
  • SGI – with this enabled the connection does work.

After systematically turning each thing on one at a time, I found all the settings work after all, so it must have been something else that stopped the connection.  At least I now know.

I don’t think I benefit at all by using any of these settings for listening to music, but in theory they should improve performance for other wifi clients such as laptops and smartphones.  A good discussion of most of the techniques enabled by the functions can be found at Veriwave.

A better view for To-Do list in Outlook 2010

The default To-Do list in Outlook 2010 – the list at the right next to your mail/calendar etc. – shows all flagged messages and all uncompleted tasks.

I make extensive use of the Task feature in Outlook to set myself future reminders to do things, and I don’t need to see those tasks until a week before I need to do them.

I thought I was going to have to get into DASL language to get this functionality, but thankfully the filtering in Outlook 2010 is quite intelligent, and automatically uses OR when you add filters on the same field.

So to get what I want I changed the view for the To-Do list by right clicking on the column header in the To-Do list and selecting View Settings…

Then I clicked on Filter… and switched to the Advanced Tab.

The Date Completed and Flag Completed fields were already set to “does not exist” which is what I want in order to show all tasks that haven’t got any start or due date.

Now I added the following three filters:

  • Start date – in the next 7 days
  • Start date – does not exist
  • Start date – on or before – today

The filter automatically recognises that I want to display all tasks for which any of the above are true.  This is confirmed by looking in the SQL tab at the DASL query:

(
    "http://schemas.microsoft.com/mapi/id/{00062003-0000-0000-C000-000000000046}/810f0040" IS NULL   
          AND 
    "http://schemas.microsoft.com/mapi/proptag/0x10910040" IS NULL 
          AND 
    (
          %next7days("http://schemas.microsoft.com/mapi/id/{00062003-0000-0000-C000-000000000046}/81040040")%
              OR 
          "http://schemas.microsoft.com/mapi/id/{00062003-0000-0000-C000-000000000046}/81040040" IS NULL 
              OR 
          "http://schemas.microsoft.com/mapi/id/{00062003-0000-0000-C000-000000000046}/81040040" <= 'Today'
    )
)

You can copy and paste the above DASL query into the SQL tab to quickly set this view, but you will lose the ability to edit the view through the Advanced tab, so if you want to make any further adjustments do your editing in the Advanced tab.

If you have any suggestions to improve this further, please add a comment below to share.