Cisco Meraki Loses Customer Data in Engineering Gaffe

Cisco has admitted to losing customer data during a configuration change its enginners applied to its Meraki cloud managed IT service. From a report: Specific data uploaded to Cisco Meraki before 11:20 am PT last Thursday was deleted after engineers created an erroneous policy in a configuration change to its US object storage service, Cisco admitted on Friday. The company did say that the issue has been fixed, and while the error will not affect network operations in most cases, it admitted the faulty policy "but will be an inconvenience as some of your data may have been lost." Cisco hasn't said how many of its 140,000+ Meraki customers have been affected. The deleted data includes custom floor plans, logos, enterprise apps and voicemail greetings found on users' dashboard, systems manager and phones. The engineering team was working over the weekend to find out whether the data can be recovered and potentially build tools so that customers can find out what data has been lost.

No backups?

[Archon]

For the $ they charge they can't afford backups?

Re:No backups?

[jellomizer]

From the sound of it, Once people tell what is missing they can get it restored. But I figure it is hard for them to do a mass fix, because on how much the data is being used. Sure I bet Cisco could had done something better. But what do you expect when you purchase a big company to do this type of work.

Re: No backups?

I would guess that based on the specific nature of the report, they restored a backup/checkpoint from that date ... probably after backing up the corrupted data which they will try to recover what was lost from.

Though maybe I'm reading it differently than you.

Of course, Meraki is doomed to be a clusterfuck because they are cloud based.

The real thing problem of course is probably that they don't keep a transaction log they could simply replay.

Re:No backups?

For anything important that you're not willing to lose: if you don't back up your own data *before* you upload it to the cloud, you assume a risk. Sure it would be nice if Cisco or any other cloud provider keeps backups because these things happen. But no one cares about your data as much as you do. If you act like you care about it, then events like this amount to a minor inconvenience.

Shit happens. Plan for it.

Re:No backups?

[jellomizer]

The problem is too many people out side of IT, don't have the skills to backup the data. Even just copying the files onto a separate drive, is often witch craft to them, yes even in 2017.

Re:No backups?

[Junta]

Note that a lot of these services seemingly intentionally make it hard to have offline backups. For example, doing graphical type work in an editor in their webapp, no option to save or export.

I don't know about Cisco's, but generally speaking, the name of the game is to lock the users in to assure recurring revenue, and portable data is counter to that goal.

Re:No backups?

[dschnur]

There is no way to backup Meraki configuration data. It's a tool they intentionally lock users out of.

Re:No backups?

There are no tools to export this data, or, really, much of any data in Meraki's tools. No API access to your data, no "export," no "backup"...

The best you can expect is to beg them for this until they tell you either "this isn't a bug, it is a feature request, gtfo" for a bug report or for a feature request.

In other words, if you aren't documenting this info as you add it, and if you aren't willing to re-add it (by hand) at a moment's notice, then your data is at risk, and they offer you no tools to manage your own risk.

Re:No backups?

[Archon]

In my experience: this.

Cloud is bad?

[Infiniti2000]

The article reads like a "cloud is bad" point of view because it brings up two unrelated issues from March and July. The last two paragraphs in this article are non sequiturs and should be stricken.

Re:Cloud is bad?

[jellomizer]

I see cloud services like air travel. Statically it is the safest way to go. However when there is a problem it is a really big deal. Then you combine putting your data in someone else hand, creates all kinds of fear.

However, the real problem that I see, is people using cloud services where they really shouldn't be doing so. If you have the money for a data center and the data you are working with is very customized for your company. Going with a cloud solution usually brings more pain then reward.

However for a lot of small businesses or services that run just like everyone else cloud makes sense.

Re:Cloud is bad?

I see cloud services like air travel. Statically it is the safest way to go. However when there is a problem it is a really big deal. Then you combine putting your data in someone else hand, creates all kinds of fear.

However, the real problem that I see, is people using cloud services where they really shouldn't be doing so. If you have the money for a data center and the data you are working with is very customized for your company. Going with a cloud solution usually brings more pain then reward.

However for a lot of small businesses or services that run just like everyone else cloud makes sense.

Ah this old myth, "Flying is very safe, until there is a problem, then everyone dies" is simply not true.
The truth is, you have a 95% chance of surviving an aircraft crash. Even ignoring all but the most serious crashes, you still have a 76% chance of surviving.

Re:Cloud is bad?

Of course, if you look at high altitude massive decompressions caused by structural failure (either intentional or not) then it becomes 100%. But crash landings and/or takeoffs are much more common than that.

Re: Cloud is bad?

Cloud is not bad. Cisco Cloud is what's bad. What do you expect from a company whose core is competency is routers?

What's a 'Cisco Meraki'?

What's a 'Cisco Meraki'? What's a 'cloud managed IT service'? Can we get these described with real words, and not marketing babble?

Re:What's a 'Cisco Meraki'?

[Oswald+McWeany]

What's a 'Cisco Meraki'? What's a 'cloud managed IT service'? Can we get these described with real words, and not marketing babble?

I don't know, my eyes read it as "Cisco Meerkat" for a split second when I first read the headline.

That's why you don't trust members of the mongoose family to look after your data.

Re:What's a 'Cisco Meraki'?

[TWX]

Meraki is a product-line of Cisco's. Saying, "Cisco Meraki," is like saying, "Chevrolet Impala."

"Cloud-managed IT service," is a bit oversimplified but not greatly so for anyone that knows how Meraki products work. Imagine all of your managed switches, routers, WAPs, etc connecting not to your own infrastructure for centralized management, but to Cisco's infrastructure for remote-centralized management. You log in to Cisco's Meraki website and do your config changes there through a GUI instead of SSHing or otherwise consoling-in to a switch locally or using something like Prime running on your own servers.

"Cloud-managed IT service," is also not especially strong marketing-speak when you consider the definition of "cloud" as someone else's server, as we've been using the term for the better part of a decade on Slashdot and elsewhere. Given how many different disparate IT functions Meraki can potentially do, "IT service," as in network infrastructure aspects of IT, is probably the furthest one can nail it down.

Either way though, if you've been paying attention to Cisco's products then you probably have some inkling of what the Meraki product-line does or how it works.

Re: What's a 'Cisco Meraki'?

Jesus Christ... Why the hell would I want to manage my local devices by going through some remote third-party website instead of just connecting to thr devices themselves?!

Re: What's a 'Cisco Meraki'?

Why would I want to individually connect to 100s or 1000s of devices individually to manage them?

IT groups implementing Meraki don't have or want the overhead of maintaining a central controller on their own infrastructure. Its all about choice, in some circumstances a centralized cloud controller makes a lot of sense and Cisco provides other solutions for other circumstances.

Re:What's a 'Cisco Meraki'?

[bev_tech_rob]

What's a 'Cisco Meraki'? What's a 'cloud managed IT service'? Can we get these described with real words, and not marketing babble?

If you don't know what that name means, it means you are not in the IT field and it shouldn't concern you.

Re: What's a 'Cisco Meraki'?

If you're managing fleets of wifi aps across large enterprise or retail customers having consolidated management (cloud or otherwise) is way more powerful than connecting to the devices themselves. Other vendors have similar, or allow you to run your own manager that the devices contact for provisioning, but Cisco's is all cloud.

Re: What's a 'Cisco Meraki'?

Jesus Christ... Why the hell would I want to manage my local devices by going through some remote third-party website instead of just connecting to thr devices themselves?!

Because you're a PHB type who knows nothing about technology yet you get to make these choices. And you view IT as an annoying expense to be minimized as much as possible. And you're impressed by slick marketing from a big name like Cisco. And you decided to pull rank when the few IT staff you do have tried to tell you this was a bad idea.

At least that's how these things usually happen.

Re:What's a 'Cisco Meraki'?

That's why you don't trust members of the mongoose family to look after your data.

Unless of course your data is under attack from snakes. Then a mongoose is exactly what you want.

It's all about the threat model.

Re: What's a 'Cisco Meraki'?

[aaarrrgggh]

Because it is grossly over priced that way!

Re: What's a 'Cisco Meraki'?

[buchanmilne]

"Other vendors have similar, or allow you to run your own manager that the devices contact for provisioning, but Cisco's is all cloud."

I believe it is more correctly "Cisco's Meraki product line is all cloud", as last I checked (granted, that was a year ago) Cisco is still developing, selling and supporting their more traditional Wireless LAN Controller product (that they had since before they aqcuired Meraki) for their AiroNet APs running the "managed" (default these days) version of the firmware. IIRC WLC came in appliance, virtual appliance, and feature licence (depoyable on on some routers) options.

Re: What's a 'Cisco Meraki'?

[TWX]

If Meraki would allow one to go either way, either Cisco-hosted management or else locally-hosted management, I would be much more inclined to consider them, but since there is no locally-hosted management option I can't justify them in an enterprise setting.

Re: What's a 'Cisco Meraki'?

[TWX]

Non-Meraki solutions aren't going anywhere at all. Unfortunately Prime sucks when it comes to anything beyond WAPs.

We have about 2600 managed switches and perhaps 6000 WAPs, and Prime just bogs, regardless of how much hardware we throw at it. It's so bad that I'm about ready to try to take the switches out entirely and figure out some other solution for them.

What's not to love?

Are you loving the Cloud yet? I know I am! Of course, I know enough to keep my data where it belongs: on my gear, under my control.

Re:What's not to love?

[__aaclcg7560]

I moved my data off the cloud to my file server at home over a year ago. Much of my data doesn't need to live 24/7 on the Internet.

Re:What's not to love?

A wise and useful thing you've just said.

Re:What's not to love?

Are you loving the Cloud yet? I know I am! Of course, I know enough to keep my data where it belongs: on my gear, under my control.

Yes but it is amusing to watch all of the fools who witness multiple failures, all of the same basic easy-to-understand nature, and still refuse to take the lesson.

Humans are strange creatures.

Re:What's not to love?

Another useless personal anecdote from Slashdot's resident clown. Also, another recycled comment - I remember this comment being posted before, almost word-for-word. Creimer, use your magic python skills to find us the original, will you?

Also:

Much of my data doesn't need to live 24/7 on the Internet.

But you've moved ALL of your data, or so you claim. Including that portion of your data that DOES need to live 24/7 on the internet. How's that working out for you?

Re:What's not to love?

[__aaclcg7560]

Also, another recycled comment - I remember this comment being posted before, almost word-for-word.

I don't see you complaining about Slashdot reposting the same kind of story, sometimes two or three times in the same day.

Re: What's not to love?

Go eat a cock burger asshole.

Re: What's not to love?

[__aaclcg7560]

Go eat a cock burger asshole.

Have some Spam-flavored Macadamia Nuts with your whine.

Someone Else's Server

[TWX]

And this is what happens when you entrust your data to someone else's server.

I have exactly one meraki switch that's slated for replacement, I got it very cheap, but had I realized exactly what was entailed in using it I would never have bought it in the first place. I guess I like having entirely local control for my network infrastructure. Even if I can't afford Catalyst, those Linksys-derived SG-series small business switches would probably be better than Meraki if only so that I don't have to pay a subscription just to keep frames forwarding.

Re:Someone Else's Server

Subscriptions are the way of the future, my friend. Recurring revenue streams and all that. Brought to you by your friendly neighborhood MBA.

Re: Someone Else's Server

Get a mikrotik

Re:Someone Else's Server

Subscriptions are the way of the future, my friend

Only if you jump on the bandwagon.

Re:Someone Else's Server

[thegarbz]

And this is what happens when you entrust your data to someone else's server.

That's not a given. To generalise for the vast majority of the industry: In most cases someone else is far better and managing my data than I am.

Re:Someone Else's Server

[tlhIngan]

Our IT department went with Meraki security appliances, with great gusto, after I got one free from the Cisco demo.

The reason for it? It saves us a lot of time - and it survives in the oddest of places. Basically we use them for our satellite offices where there is no IT guy - we just tell them to unpack it, plug it in, and away it goes - we configure them to VPN into our Meraki firewalls and when they plug it in, it creates the tunnel and everyone's happy. We have ours in a warm spare arrangement - the main one goes down, the backup takes over with zero effort - the configurations are synced between the two automatically.

Maybe the biggest issue was when their content filters got messed up (it basically hashes every file transferred and determines if it's a clean file or malware) which resulted in a few of us needing to have it disabled (it interfered with datasheets), all our IT guy did was log in with his phone and set the user on the special group created for the purpose and it was fixed in minutes. Saves him from having to VPN into the network, get to the admin panel and configure it there.

Yes, it's subscription and it sucks. But out IT guy likes it a lot - it was far more featureful than the ASA we had, and when we started configuring a regular firewall appliance and service plans, the price didn't come out all much cheaper.

For some IT setups, the traditional model doesn't work - Meraki works great if the remote locations won't have dedicatee IT teams. Think things like retail stores where you might have an internet connection - a head office can send them a Meraki firewall, wifi and phone system and the store employees only needs to plug it in - the gear automatically gets the latest configuration files and auto-provisions itself.

Re:Someone Else's Server

[sabbede]

What if your infrastructure isn't local? Mine is spread across dozens of offices scattered around a major metropolitan area. Rolling out Merakis has made my job easier by several orders of magnitude.

Re:Someone Else's Server

[TWX]

I have a hundred sites across a metro area. There are three of us that deal with racking, configuring, and maintaining switches, about 2600 switches in perhaps a thousand IDFs and cabinets. So far it hasn't required a whole lot of hands-on and we trust the desktop techs to handle limited patching when they call-in.

Re:Someone Else's Server

[sabbede]

Ah. Our networking department is me, and there are three other people in the IT department. We all do desktop/end-user support as well, so I'm stretched a bit thin. If your company has the resources for the staff and management hardware to do everything locally, more power to you. Mine does not, and the Merakis make my job doable. I know some companies have people who manage servers, others who handle SCCM, more for networking, etc. In mine, that's all me.

Re:Someone Else's Server

[TWX]

Makes sense. We support about 70,000 users, and the department has around 60 total employees. Networking is rather thinly staffed though, compared to the rest.

this should be no problem.

Anyone effected by this need only restore from their last local daily back up.

You are making local backups, right? You're not trusting some "cloud storage" company with the only copy of mission critical data, right? I'm sure you aren't, because that wouldn't be foolhardy.

So restore from your most recent local nightly. Problem solved.

In my case

[moofo]

They lost the floor plans graphics as well as the Captive portal Splash Pages HTML files.

Took me half an hour to fix. TBH, it's not so bad, the new templates for the splash pages look more modern .

The only cloud provider I need

is a McDonnell Douglas F-15E. (Sorry, I'm never going to call it Boeing.)

Re:The only cloud provider I need

You living in the '70s, friend. And this ain't no '70s show, buddy.

50 years ago ...

the moon was there for the taking.

50 years later ...

Cisco can fuck anything up, at will, at any time, and brag about it.

This saddens me.

Im fully capable of losing my own data.

[coolmoe2]

But I appreciate the help.

But seriously that is one of the problems with cloud providers is accountability if something does go wrong. There was a pretty bad outage on amazons s3 services due to an employee fuckup as well. At least when companies ran their own servers the outage would generally only affect that one company instead of hundreds or thousands.

Just my .02

Re:Im fully capable of losing my own data.

[Junta]

At least when companies ran their own servers the outage would generally only affect that one company instead of hundreds or thousands.

For some business folk, this is an advantage. If all your competitor's are down too, great! If you are an IT manager and it's the vendor's fault, again great!

Sadly, many folks don't care as much about an outage or data loss as they care about who gets blamed.

Re:Im fully capable of losing my own data.

Sadly, many folks don't care as much about an outage or data loss as they care about who gets blamed.

You can thank American corporate culture for that. In most workplaces it's not about understanding what caused a mistake so it can be fixed and a lesson learned. It's about throwing someone under the bus. Naturally this creates a strong incentive to make sure that person isn't you.

My experience with Meraki. Hint: 0 *'s

[dschnur]

A little while ago, I inherited a network form a-person-who-called-him-self-an-admin-but-was-clueless.

He had started replacing old campus switches with Meraki units. Meraki is a marketing company that is owned by Cisco. Meraki hardware runs Linux, but they've locked it down to the point of uselessness. They prey on those in the business who have no idea what they are doing by offering a "Simple" solution. They are worth staying away from for many reasons, some of which I'll list here:

A. Technical support with NO tools to provide support.
    4 support calls to Meraki.
    0 successful solutions.
    1 actual bug.
    1 email back with a link to a PDF of an advertising spec sheet.
    1 "Make a Wish" button.
    1 "lesson in Pcap" from a person who had no idea how to interpret the results.

B. No support for critical protocols.
    - CDP, nope.
    - LLDP, somewhat. If it fails, then they have you run Pcap. Silly since I know what's being sent to the switch and know how to diagnose what is going through my network. I needed to know what the switch was doing with the data once it got there.
    - 802.1s (MSTP), not at all. In fact, I had an "engineer" tell me that He would be "surprised if I had an actual use case to implement it." I responded by pasting a URL to the help section of Cisco's mainline web site back to him explaining its' uses and how to set it up on actual Cisco hardware.

C. Near complete lack of any ability whatsoever to debug what the switch was doing.
  - Their solution. You must not need what you are asking for. Did I mention Pcap?

D: A Faustian contract.
  - No better way to put it. The switches run Linux, but if you don't pay them they stop working at the end of the contract.
  - It's near impossible to actually predict when your devices will expire because of the complexity of the contract.
    - They provide an online "calculator" to help you figure out why a ten year support contract on a switch is actually only 9 months long.

D. Greasy sales people.
I received an email from them the other month telling me that Cisco was going to make them double all their prices, but "If I acted now..."

End game.

My response was simple. "It's ok, we're upgrading to Dell."

Their response, "Sorry to hear that, if there's anything we can do..."

Me, "Tell me about your upgrade program to mainline Cisco hardware."

Meraki, "We don't have a program like that."

Me, "It's ok, Dell does."

(Well, it might not, but I *had* to tell them that.)

We scrapped the last bit of Meraki equipment last week. Seems like it might have been pretty good timing on our part.

  _Dan

Re:My experience with Meraki. Hint: 0 *'s

I can pretty much echo Dan's experience.

They once pushed a patch to a customers Meraki switches which cause packet loss for their phone system (it was a call centre).
I asked for the release notes to see the known issues, and bug fixes. No dice, "we don't offer release notes", it's all secret and you are not to know.

They refused to accept their patches did anything to cause the problem.
Again they pcap'd data and said all was fine, but would provide no diagnostic as to what the switches were actually doing.
Asked them to roll back to previous version, they refused. I forced them to escalate and I ended up speaking with the head of Europe for their support.
I had to wait for the Californians to wake up so he could have a conference call to authorise a roll back.
They refused to roll back because they don't support said version anymore, and have no reports of any such issues with the new firmware.

2 weeks and the customer was pissed they refused to do anything to fix it. Swapped out with HP, and guess what, phones working fine.

I'll never, ever recommend Meraki. Utter shit support service.

Yet another reason to stay away from Cisco

you haven't already forgotten that all their hardware and services were compromised by NSA and CIA, did you? Do you have anything that should not be leaked to American competitors? Then don't use Cisco.

SG series small business switches are fantastic

[zerofoo]

We run a bunch of SG500s and they are fantastic. Cisco has stated that these are not linksys derived. They cut that company loose quite a while ago. All of their small business line is now designed and engineered by Cisco engineers.

The switches are very similar in operation to the Catalyst line - but without some features like VTP - and they come with lifetime replacement warranties.

For a small school like us they are a great way to run Cisco without paying a ton for smartnet.

Re:SG series small business switches are fantastic

[TWX]

You don't need smartnet for Catalyst 2960 or 3560 either. You also don't need it for 3850 L3 switches including the 10G models. They all have limited lifetime warranty.

We're looking to replace our ME3600X and 4500X models with 3850 models to get away from smartnet, I can justify it that even keeping three or four on the shelf for immediate-swapout I'll still save us money.

Re:My experience with Meraki. Hint: 0 *'s

[weave]

It's near impossible to actually predict when your devices will expire because of the complexity of the contract.

I'll let the other bits of your rant go but this one is not true. It's pretty straight forward. Go into Organization -> License Info and it says right there the date when everything expires. And since everything co-terminates, your entire infrastructure goes tits up at the same time.

Re:My experience with Meraki. Hint: 0 *'s

[dschnur]

True that. I should have ranted more clearly.

I really meant that part of my message to be about budgeting for the care and feeding of Meraki devices.

If you purchase a license for 10 switches, the clock starts ticking when you buy the license, not when you activate the switches.

If you activate "claim" only 9 switches, the clock still counts 10

Remove a device, the clock is still ticking as if you had ten.

If then you were to buy five more licenses for a completely different (Let's say less expensive) product, then it would be averaged in to the 10 (not 8) switches you currently have on-line.

Say those five licenses were for one year use of an access point and the ten were for more expensive switches.

You could find your one year for the access points chewed down to a few months or less because of the way they do things.

It's really next to impossible to budget for their product without using their on-line calculator. Add their price doubling on top of that... I wish their users the best of luck!

The red dude downstairs could learn a few things from their legal department.

loan offer

LOAN OFFER

Good day Sir/Madam,
Getting a loan from berryjamesloan Investments Company is 100% assured and the legitimacy of the transaction is 100% Guaranteed. email:
berryjamesloanfirm@hotmail.com Legitimate loan have always There was a huge problem for people with financial problem and need a solution. Question credit and

collateral
are sometimes clients are always worried about When seeking a loan from a legitimate lender.
Our services include in the following:
Debt consolidation*
second mortgage*
Business loans*
Personal Loans*
International credits*
Student loans*
Family credit*
For more details go to purchase loan, contact us Please respond immediately to this email:berryjamesloanfirm@hotmail.com Please note that the credit is issued

in the amount of 3% interest, kindly get back to us now, if You are interested.

Re:My experience with Meraki. Hint: 0 *'s

[weave]

Oh yeah, I agree. I just activated a switch with a 6 year (one year free) license and my end date for all my equipment went forward by a whopping one week. And yeah, it sat in the box for two months before I could get to it -- and I did notice the license started at purchase date.

Then again, I like it because it forces my employer's hand. Too often in the past they've let service contracts expire despite my pleading because they say they are comfortable with the risks, then when a failure happens they hold ME responsible because they say I didn't adequately explain the risk allegedly. If I try to show evidence I did, then I'm seen as making excuses and not being a problem solver.

There's no grey area with Meraki. You don't pay, it stops working. Period.

Also, I'm not in a big shop. I do it all so I'm truly a jack of all trades, master of none. I've had regular Cisco kit in the past and I swear that shit is way more complicated to make work than it really has to be. I don't want to have to be a CCIE just to make my network work. I just want it to work.

Like I currently have a Cisco UCS 560 phone system that I need to replace -- but I'm certainly not getting Meraki MC now. So I've learned THAT lesson at least! :-)

Meh, not really bothered. Still love my Merakis.

[sabbede]

We lost three floorplan images. Well, not really lost because there are multiple copies floating around, including those on my laptop. I haven't even bothered to re-upload them yet.

I don't get the criticisms I'm seeing. They don't match my experience in any respect. There are a few things that are lacking or need improvement, but when isn't that the case? If there's a perfect product out there, I've never seen or heard of it.