Cisco switches and internet requirements

So I am trying to figure out something my IT department told me today that makes no sense to me. In a discussion about using our intranet to facilitate secondary or tertiary communications in the unlikely event we lose all of our external communication services, I was told that our Cisco switches and APs would cease to function, in any capacity, should we lose both our primary and secondary internet connections. Seeing as this is an entirely Cisco/Meraki network with cloud-based management across the entirety of our domestic locations, I understood that the Meraki SDN component wouldn’t work, but it didn’t make sense for our switches to stop functioning entirely with the loss of our internet connection, so I pushed the issue to make sure I understood what was being said, and was again told that in the event that we lose internet connectivity our entire intranet ceases to function and the switches will no longer pass data along our internal network. If this is the case it seems like poor hardware selection, and it makes no sense that Cisco would build layer 2 switches to function like this. Can anyone confirm what I was told?

1 Like

I think to unravel this discussion you will need to clarify what “cease to function” means and what functionality you would expect to work in the event of “a loss of all of our external communication services”.

Examples:

  • Basic internal network infrastructure (e.g. DNS to resolve internal resources)
  • Access to internal resources (AD, LDAP) for authentication/authorization to internal services
  • Access to internal file shares
  • etc.

I would expect that enterprise gear would generally allow all local services to continue to function locally, but cloud based management would prevent any reconfiguration (e.g. to reroute internet traffic) until the internet issue is resolved. Maybe that is what the IT department is referring to?
Maybe significant parts of the IT infrastructure have been outsourced to the cloud (AD?) and would be unavailable in the event of internet loss.

2 Likes

Perhaps (though unlikely) they run a Zero Trust model, where internet access is required to verify each action, whether internal or external, and the system fails closed with no internet for checking with the policy machines at head office?

2 Likes

Caution:
The below is not guaranteed fact, but things I have heard that have prevented me from considering Meraki, as a long-time Cisco network.

I’m not sure what switches you have that are branded Cisco, but if they’re the Meraki variants then it is possible they will stop if they can’t contact the licensing portal to verify you paid for support.

I haven’t personally experienced this, but I have heard horror stories (basically people running out of support and then the Meraki equipment basically turns off!), and this is why Meraki is blacklisted in my environment.

I’m not sure, but potentially Cisco has re-branded some Meraki gear as “Cisco”-badged at the low end of their product stack post-acquisition.

Edit: the following may help:

Connect a Meraki Switch Locally | Stratus Information Systems.

3 Likes

If hooked to an SSM on-premise, then you get a grace period, after that, features will be trimmed down to base.

Well, you see, no company went bust due to licensing-errors, and neither has a country or have there been any lives lost. So it is fine until it someday gets someone killed, at which point things will change.
But yes, the state of Enshittification of Tech has gone so far that a properly configured and secured network will just shut down due to a licensing error.

Edit: Except for a few, most networking-stuff has always-online requirements.

3 Likes

Everything you need to know about Cisco is right here:

https://meraki.cisco.com/product-collateral/cisco-meraki-for-government/?file

NONE of their products are NDAA/TAA compliant out of the box, and are widely deployed in hostile nations. We know an explicit term of purchase eligibility by the CCP is access to the source code and defeatable encryption.

To properly secure your device you need:

Eligible customers
Cisco Meraki for Government is available to entities meeting the following criteria:
• U.S. federal, state, and local government agencies
• U.S. educational institutions
• Holders of U.S. government contracts, provided they have valid commercial and government entity (CAGE) codes
• U.S. civilian entities possessing a federal mandate, where self-attestation is required for verification

which entitles you to:

Security
Security is top of mind for our public sector offering, and we have included some important features to keep your networks safe:
• Maintain FedRAMP, data center SOC 2 Type 2, and data center ISO 2700K
• No customer data passes through the Meraki government platform
• Telemetry data stays on U.S. soil
• FIPS 140-2 validated cryptography for data at rest and data in transit
• All external communications are secured using TLS 1.2 and 1.3
• Continuously monitored
• Session management
• 99.99% uptime SLA only upon receiving marketplace authorized designation
• 24/7 support by U.S. persons on U.S. soil

These devices receive a signed firmware update when added to the .gov dashboard that is inaccessible to the layman. That firmware constitutes:

Articles that are “substantially transformed” in the U.S. or a designated country into a new and different article of commerce with a name, character, or use distinct from that of the article or articles from which it was transformed.

Long story short: don’t trust it,
which sucks because we all know Cisco as infrastructure-ready, but at some point they began playing both sides and cannot be trusted.

That said, this does explain ALL 6000+ vulnerabilities researchers keep finding across the Cisco range:

3 Likes

You know it is good when it is export restricted.

3 Likes

A layer 2 switch that can’t do switch things without an internet connection is a poorly designed piece of kit that should never make it to market. But I get what you are saying, and there is a reason my intranet has no such licensing agreements and/or requirements.

3 Likes