Meraki Network Upgrade

We have a combination of a Meraki and Unifi network. We do Meraki firewalls at all of our multi-site campuses (which has been great). Our smaller campuses, having only one or two switches, get UniFi switches and APs. This has worked great and keeps cost down. At our two main campuses we have Meraki switches as well. This has been great for the features, support and warranty for this mission-critical network. Our switches are reaching end of support soon and we have to decide if we will stay with Meraki and just get new switches or move to something else.

I’ve not purchased switches in a while, but are there equivalents to Meraki offering cloud-managed switches? I’d like to go with something more enterprise at our broadcast sites than Unifi.

Thanks in advance!

The Juniper/Mist cloud management story is quite excellent as well. I would probably seriously consider staying in Meraki if you’re happy with it though to not add yet another control plane.

If you want to talk seriously about Juniper/Mist, drop me a line and we can show you what it can do. :slight_smile:

Chris

We are moving to full stack Meraki and I have a good local (Wheaton, IL) vendor that has been getting us great discounts on hardware and licenses. Let me know if you want to chat and I can tell you what we’re doing. Also, this vendor will most likely be at the Regional we’re hosting on 5/16.

Jonny

FortiNet also has amazing firewalls, switches, and APs that can be cloud managed or stacked into a single pane of glass management in the firewall GUI. We have been replacing Sonicwalls, Cisco, and Ruckus gear and moving to Fortinet stacks at all 18 of our locations, and we love it. Plus, if you don’t want to pay for continued service on the switches and APs you don’t have to and the gear won’t brick and stop working like Meraki.

Thanks for the great suggestions, guys. I’m inclined to stay with Meraki, but it’s going to be a big capital purchase to replace everything at once (we bought it all at once). I’ll take a look at the Juniper and FortiNet offerings. Does anyone have experience with what happens after hardware is EOL? I asked Meraki and this is the response I got:

After the End of Support Date, the device will still continue to work and connect to the Meraki cloud/dashboard if licensed. However, as newer firmware versions are released, the device will not be able to work with some of them. Also, renewing the license later on when the current license expires might not be possible. Warranty on the switch will also be terminated.

I’ve got some MS220s at the network edge that I may roll the dice on until the next budget, since they EOL a year before my license expires. The MS320 “Core” switches I’ll probably replace before the EOL in spring next year.

If anyone would like to share some thoughts on when to use an L3 switch and when to use the firewall, I’d be open to hearing about it. Obviously an L3 switch gives you more flexibility and capacity, but our networks without the L3 switch perform well, so I’m wondering if it makes sense to do that everywhere.

Jeremy -

A few thoughts.

The Fortinet product is technically good, but has a much higher operational complexity than Meraki in practice. It is still all in one place, which is a huge bonus, but it is nowhere near as simple as Meraki, nor is it as helpful in a holistic troubleshooting sense. It repays that with a net-lower price, some additional capabilities, and more freedom in what your hardware can do when you’re done with it in production.

On the flip side I still continue to believe Meraki is the product to use when we are trying to build performant mid-size networks at scale with minimal administrative overhead.

Regardless of which direction you go, if cost is a major issue take a deep look at your financing options. I know your Meraki rep (as in, your @cisco.com Meraki rep) can arrange Cisco-Direct financing at low APR while still keeping your dealers in the mix. I’m sure Fortinet has some similar capacity as well. Additionally, you can just straight up lease it using an equipment lease co. We’ve done this a lot in churches that need to spread out the cost of forklift upgrades.

As for the question of route it through a 400 series switch /vs/ through the gateway - that’s really down to if you need a gateway at all, how big your access layer is, and how much cross-vlan traffic you have.

If you have an MPLS coming in and a centralized firewall - throwing a 400 series switch in to land the MPLS and distribute the routing table might be just the ticket /vs/ using a gateway.

If you have many-hundreds of megabits of cross-vlan traffic going on (clients → server network and such) - then an L3 core switch is just the ticket.

If you have dozens of IDFs out there and need a fiber concentration switch for all of them - then maybe an L3 core should come along for the ride.

But if you need a gateway for internet/NAT/S2S VPN purposes, if you only have tens-to-low-hundreds of mb of cross-VLAN traffic, if you don’t have that many switches out there, then just roll with a gateway and move on with life.

Already having Meraki should make it possible to take a look at your per-port and per-network traffic to get a good feel for what your traffic patterns look like. If you need to dive in deeper, consider standing up something like ntopng (on-prem server VM) or site24x7.com (hosted solution) to grab NetFlow/SNMP info and log it. This normally isn’t required, but I’ve done it a few times when I was on the edge of which direction I needed to go and needed more raw data to work with in that decision-making process.

Hope this is helpful.
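The decision rule above (gateway for tens-to-low-hundreds of Mb of cross-VLAN traffic, L3 core for many hundreds) only works once you know how much of your traffic actually crosses VLAN boundaries. The script below is an added example, not code from the thread or from any vendor: it takes a VLAN-to-subnet map and a handful of constructed flow records (the kind of src/dst/bytes tuples a NetFlow or sFlow collector such as ntopng exports), splits the bytes into intra-VLAN, cross-VLAN and external traffic, converts the cross-VLAN total into Mbps over the capture window, and applies the heuristic. The subnets, flow records, 300-second window and the 200/500 Mbps cutoffs are all assumptions chosen for illustration.

```python
"""Classify flow records as intra-VLAN, cross-VLAN or external and size the cross-VLAN load.

Added example: the subnets, flows and thresholds below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed VLAN map (assumption): one entry per VLAN you route between.
VLAN_SUBNETS = {
    "clients": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "av":      ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed sample flows (src, dst, bytes) aggregated over one capture window.
# 203.0.113.10 is a documentation address standing in for an internet destination.
WINDOW_SECONDS = 300
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.0.5",    2_250_000_000),  # clients -> servers (cross-VLAN)
    ("10.10.4.22", "10.20.0.5",    1_000_000_000),  # clients -> servers (cross-VLAN)
    ("10.10.4.21", "10.10.4.99",   1_500_000_000),  # clients -> clients (same VLAN)
    ("10.30.0.7",  "10.30.0.8",   12_000_000_000),  # av -> av (same VLAN, e.g. NDI/Dante)
    ("10.10.4.23", "203.0.113.10",   900_000_000),  # clients -> internet (external)
    ("10.20.0.5",  "10.30.0.7",      500_000_000),  # servers -> av (cross-VLAN)
]


def vlan_of(ip, subnets=VLAN_SUBNETS):
    """Return the VLAN name whose subnet contains ip, or None if it is not internal."""
    addr = ipaddress.ip_address(ip)
    for name, net in subnets.items():
        if addr in net:
            return name
    return None


def summarize(flows, subnets=VLAN_SUBNETS):
    """Split flow bytes into intra-VLAN, cross-VLAN and external buckets.

    Returns (totals, pairs): totals is a dict of the three buckets in bytes,
    pairs maps (src_vlan, dst_vlan) to bytes for the cross-VLAN flows only,
    so you can see which VLAN pairs would actually hit an L3 core.
    """
    totals = {"intra": 0, "cross": 0, "external": 0}
    pairs = defaultdict(int)
    for src, dst, nbytes in flows:
        s, d = vlan_of(src, subnets), vlan_of(dst, subnets)
        if s is None or d is None:
            totals["external"] += nbytes      # leaves via the gateway regardless
        elif s == d:
            totals["intra"] += nbytes         # switched at L2, never routed
        else:
            totals["cross"] += nbytes         # this is the load the L3 device carries
            pairs[(s, d)] += nbytes
    return totals, dict(pairs)


def mbps(nbytes, window_seconds):
    """Average rate in megabits per second over the capture window."""
    return nbytes * 8 / window_seconds / 1e6


def recommend(cross_mbps, gateway_max=200.0, l3_min=500.0):
    """Apply the thread's rule of thumb; the cutoffs are assumed, tune them to your gear."""
    if cross_mbps <= gateway_max:
        return "gateway"
    if cross_mbps >= l3_min:
        return "l3-core"
    return "borderline"


if __name__ == "__main__":
    totals, pairs = summarize(SAMPLE_FLOWS)
    rate = mbps(totals["cross"], WINDOW_SECONDS)
    for bucket, nbytes in totals.items():
        print(f"{bucket:9s} {mbps(nbytes, WINDOW_SECONDS):8.1f} Mbps")
    for (s, d), nbytes in sorted(pairs.items(), key=lambda kv: -kv[1]):
        print(f"  {s} -> {d}: {mbps(nbytes, WINDOW_SECONDS):.1f} Mbps")
    print(f"cross-VLAN average {rate:.1f} Mbps -> {recommend(rate)}")
```

Feed it a real export instead of `SAMPLE_FLOWS` and look at peak windows, not just the average: a 5-minute average of 100 Mbps can hide a service-time burst that is what actually decides whether the gateway's inter-VLAN routing keeps up.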

I think having a little higher operational complexity is a great thing. I used to use Merakis and couldn’t get past these two things.

#1 You never really own the gear. For instance, if you bought a Jeep and the warranty ran out, does the Jeep stop operating until you pay for an extended warranty? If it did, why did you pay all that money for the Jeep, and did you ever “own” it?
#2 When we operated Meraki gear and needed access to higher-level functions, we had to call to start tickets to get further into the gear. With Fortinet, I can access higher-level functions and the CLI if needed.

Maybe all that has changed for Meraki… When we build an entire stack for a campus with a FortiGate, FortiSwitches, and APs, we can have it stacked and done on the counter about an hour from the box to roll out.

Also, not sure what issues you are troubleshooting, but we haven’t hit anything yet that running Fortinet’s flow diag hasn’t been able to show us what’s up with in a few minutes. I am saying this for the full-stack setups. If you are running a Gate with Cisco switches and Ruckus wifi, troubleshooting stinks, but that is more of a complexity issue.

I also adore the much lower prices and lack of forced plans on APs and distribution level switches.

So, I still believe Fortinet is the product to use when we are trying to build really performant small, medium, and enterprise networks at scale with much lower cost and minimal admin overhead.

Sorry, Karl, I couldn’t help myself, I had to defend Fortinet’s honor hahaha. Much love for you and I am just teasing. It’s funny how we all get behind a certain manufacturer for whatever reason. Hope you guys are all well and hopefully God is blessing everyone’s ministries.

All taken in good spirit :slight_smile: I enjoy being challenged. I’m wrong all the time - and I look forward to learning where those areas are.

Neither Fortinet nor Cisco need our defense - they both stand on their own.

What I’m trying to convey is that they serve different purposes. I will also be the first to admit that my decision making is biased towards not giving energy to things which don’t need it.

Fortinet gives you more knobs to tweak - a broader range of capabilities. It just comes at the expense of demanding more attention.

I wouldn’t use Fortinet unless I had permanent network skillset on my team. Be that hired or through a vendor - the solutions pretty much demand ongoing attention. With Meraki, you don’t need it.

The total cost of ownership of either solution in a mid-sized environment is relatively the same. You need all the devices supported either way, and the labor costs of the one offset the direct monetary costs of the other.

I’m sure someone will drop a comparison in here about an MS225-48FP + 5yr service contract /vs/ FS-248E-FPOE to prove the point that the cost is half that of the Meraki. But that’s not a fair comparison. To get apples-to-apples you need the 248F, the FortiCare, the FortiLAN Cloud, and the administrative overhead required to ensure the devices are only accessible via MFA-protected means. The cost ends up being about the same. We can do this same conversation on any of the products. It doesn’t really work out cheaper, and that’s by design.*

I concede that Fortinet gives you a lot more freedom in the hardware after you’re done with it in production - but that doesn’t necessarily matter in the context of this conversation. The organization is buying it, not you. And that organization is done with it when it leaves support either way. You can get similar resale value out of a piece of pulled Meraki as you can fortigate. So end of the day - whatever.

Let me stress that this isn’t a question of which is better. They are both good. What this is a question of is how much attention you want to dedicate to networking, if you need to do something that Meraki can’t do, and how you want to pay for the networking you need.

This concept of fitting solutions strengths to your needs extends out to all shapes and sizes. You can’t justify either of these solutions for small networks, nor large ones. Small networks are better served by solutions targeting them - a small-biz mesh system or something like MerakiGo/Omada/Unifi. Similarly, large networks are better served by solutions targeting them - full-fat cisco/HPE(Aruba)/Extreme implementations.

I don’t know what Jeremy’s requirements were when they chose Meraki the first time, nor how their environments have changed in the intervening years.

What I do know is that across tons of 5-year TCO studies, Meraki and Full-stack Fortinet have practically identical fully-burdened lifecycle costs when comparing apples to apples.

With all the above as context - to answer your two questions.

#1 - We never really own anything where the primary function is delivered via software. Whether this is good or bad is a fascinating debate that I am no stranger to. I concede that there is more flexibility with what you can do with the FortiGate after you stop paying them, but it doesn’t matter in the context of an organization buying these systems. They buy them to use them, and during their use they must be supported owing to security, governance, or insurance policies. Even if FortiGate doesn’t (yet) force you to buy them, your internal policy should be doing so. What happens after the gear’s life is over within the context of that organization is of no concern to said organization^.

#2 - You demonstrated that you had an operational requirement to do something more than Meraki could give you, so you made a change. Great. That falls perfectly within the framework of this conversation.

*Not to belabor the point, but Fortinet has no desire to be cheaper than Meraki, and has assured its investors it is on a path towards improving its image, making its cloud offerings better, and meeting the price point of Meraki. You’re seeing this already with products increasing in price, and some beginning to have compulsory maintenance.
The difference being that Fortinet will maintain the illusion of affordability by making features split up across a bunch of SKUs - where no individual part is that expensive, but the whole is no cheaper than competition.

^Even if it should potentially be of concern to society. But trust me, down that road FortiGate is functionally no better than Meraki.

Karl! We must meet! Or at least talk! This has been a fantastic conversation. Thank you for participating. I love hearing what other folks think through. I am sure we could jump back and forth all day!

I had a bunch of thoughts but felt like we might be stealing this convo away from the main point…

The two spots I still felt compelled to comment or ask a question about were:

I can justify Fortinet into both small and larger-to-small enterprise solutions. A 40F or a pair of 1800Fs could be used for very small and large-to-small enterprise. Last I looked, Fortinet has some pretty beefy firewalls, some close to the million-dollar mark like the 7060E.

When referencing Fortinet you said “It comes at the expense of demanding more attention.” What ongoing attention do you think it demands that you need a network engineer on your team for? We have 19 stacks and counting and we don’t have a network engineer on our team, and the only attention I give the stacks is patching when needed, done mainly by volunteers on a schedule, and if site24x7 SNMP or Zero Trust Security picks something up that we want to check out.

I must be missing something… So this is an honest question. What extra work is saved by Meraki?

On a different subject… do you hit the conferences? Or would you be open to a Zoom call to talk through things you are doing that you really like? Maybe we can learn something else from you. Appreciated your time and thought process.

Great points, guys. I agree with both of you on different points. If you need specific advanced features, Meraki may not be for you. I believe Meraki has a lot to offer to non-profits / churches that is beyond its face value. We used to have full-stack Cisco, and it could do pretty much anything we wanted. But it was very expensive and required CCNA-level knowledge to make changes to our network, which meant having people on staff that could provide that or outsourcing it. We are a small team and supporting 11 locations was getting complicated.

With Meraki, you also have access to their excellent support. In my absence, my systems admin can call them up and get help if he doesn’t know how to fix something. With Cisco you could if you were on SmartNet, but it took longer and wasn’t as easy. Meraki can see your network and even make changes for you.

There is also the hardware support. Next-day replacement, and when it is replaced, I could have it delivered to a location and even have a pastor rack it up and just patch it in the same and have it fully operational in a few minutes. With Cisco (at that time) it would take a lot of pre-configuration to make that happen.

Lastly, I don’t know about your church, but at mine we don’t replace it unless it’s broken. That led to mission-critical network hardware that was past end of life still being in use. Having a built-in expiration date on network equipment is actually a feature in my opinion, forcing us to have a current and updated network.

So, advantages I see are:

  1. Ease of use
  2. Advance replacement & easy deployment
  3. Great Support
  4. Planned obsolescence

This may not work for everyone, but it has allowed us to do a lot with limited staff, stay current, and have backup support if we need it.

To get back to your original question…

I don’t have much issue with the Unifi switching. The current USW-Enterprise stuff is good. If you need more than what the USW-Enterprise can give you, you really should be looking at HPE/Juniper/Cisco. All have remote management stories, and all should be comparable-ish in pricing.

I will say that I have a mid-size church we consult with that uses Meraki gateways everywhere, and meraki switching + wifi at their large sites, but historically used unifi at their small ones.

The Unifi had given them no end of RF trouble, so in 2020 we set out to replace the Unifi with something else that still wasn’t Meraki.

We trialed a lot of stuff, and settled on Netgear Insight. We use a combination of their 48-port PoE switches and the 10-port multi-gig switches, with the WiFi 6 APs.

It’s unifi-level cheap, but far more performant than those solutions. Much better client routing and such.

It’s been a great setup - but it is super feature limited, and we really want to be back inside one dashboard. They are incredibly happy they moved off unifi, but it hasn’t taken away the wish they could go all Meraki. We probably will once we have a WiFi6e product in the MR3x series, and a multigig switch in the MS2xx series (or dare I wish for it - the MS1xx series…?)

Summing this all up:

If you’re split Meraki/Unifi and looking for something to replace that Unifi, consider looking at Netgear for that. Or maybe keep the Unifi switching (but go to the Enterprise switches) and maybe look at the MR28 APs, which are at least as good as the Unifi ones in practice…

If you’re looking at a whole stack swap, consider Meraki /vs/ Fortinet, but make sure to price in FortiCare, FortiCloud, FortiLAN, and advanced feature licenses as relevant to get an apples/apples comparison.

If you want to keep Meraki just for gateways and AutoVPN, but use something entirely different for switching and wifi everywhere, take a look at the Juniper+Mist story.