When I first heard about Meraki years ago, one of the coolest features I saw that the access points supported was automagic Mesh Routing. I was a little more naive back then so I didn’t pay it much attention, and technically speaking it is still a cool feature. However, with it being a feature, one would think that it could be disabled, but I found out that it can’t be disabled. Ever…apparently. Now this might not seem like a big deal (and maybe it isn’t), but I’m a stickler for how I want my wireless to operate.

Follow me along on this quick adventure of how I discovered this, and why I don’t like it. ^_^

I was in the middle of deploying a new site with some fresh MR32 access points. I had setup a simple Open SSID for quick access, and configured the SSID with Band-Steering enabled.

This site is in the middle of nowhere, and nothing else is around from a wireless perspective. I then noticed something unusual on my Windows 10 laptop, two hidden SSID’s, one with security and the other Open. I thought “that’s strange”, because my access point is the only one powered on for miles around.

I know that when you enable Band-Steering, the Meraki access points will tweak the 2.4GHz Beacon frames so that they show up as hidden. This is one of the methods Meraki does to persuade dual-band clients to connect to the 5GHz radio. I’m not particularly a fan of this, but meh.

So I’m expecting to see the ‘Hidden Network’ that has Open authentication, but I was not expecting to see this ‘Hidden Network’ that is Secured.

So of course, I’m naturally curious as a kitten as to what the hell this is. I fired up a second MR32 so I could test to see what was going on. I changed my Open SSID to PSK to see what affect it had. The Open Hidden Network changed to a Secured one. I can’t seem to find any rhyme or reason to when or how the Mesh Routing SSID becomes visible, because testing this in my lab I was unable to duplicate these findings. My best guess it is is firmware based.

I setup a new SSID called TEST and made that Open Auth.

I have both SSID’s set to have 12Mbps as the lowest Mandatory Basic data rate. I fired up inSSIDer to get a quick view of what is happening. I see TEST on channels 1/48, and my other SSID on channels 11/149.

The problem I see is that inSSIDer is detecting 5 SSID’s, instead of the 3 I was expecting. What is worse, is that those 2 extra unknown SSID’s are using the lowest possible data rates per band (1Mbps, and 6Mbps). This surely can’t be coming from my access points, because I have the mandatory basic rate set to 12Mbps.

I checked the radio MAC addresses of the 1Mbps and 6Mbps Hidden SSID’s, and low and behold they match that second MR32 that I have the TEST SSID running on. How can this be !!!!!! RAWR

Want to make this situation even worse?

IT’S USING WEP Encryption !!!

I thought maybe inSSIDer was messing up, so I double check on my NetScout G2, but alas, the facts don’t lie.

So…something is going on here. Time to call Meraki support to try and find out.

In all seriousness though, the support line at Meraki is actually phenomenal, and I’ve never had any issues reaching out to them.  =)

The information I got back from Meraki, is that the HIDDEN WEP SSID is the Mesh Routing between the access points, and it by default sends at 1Mbps for 2.4GHz and 6Mbps for 5GHz, to ensure it can go as far as possible. As to why it is using WEP encryption, I could not get a straight answer. They did claim that this was a ‘new thing’ that just came out with their latest firmware version, so when I had them rollback to the previous build, I did not see any of this.

The Meraki engineer told me that they have a hidden GUI feature where I can turn off this Mesh feature, which was perfect. I have no use for any AP being in repeater mode, as they are all cabled, and I have no use for 1Mbps existing anywhere in my world.

He enabled the feature for me and told me to go to Network-wide>Configure>General and I should see it under Device Configuration. And boom, there is it.

I quickly set it to Disabled, and went back to my sniffing to ensure it worked. This is where my heart gets broken. I still see those 1Mbps frames. I call Meraki back and as it turns out, this Meshing feature will only disable the access points going into repeater mode, and it does not actually stop them from sending out their 1Mbps WEP Hidden special Mesh Routing nonsense.

So I’m stuck with it. There isn’t anything I can do to disable this, because it’s somehow built into the firmware’s firmware, which cannot be undone. They gave me something along the lines of, “No matter how hard the wind howls, the mountain cannot bow to it”.

So since there is nothing I can do, I was at least curious to see how much unnecessary overhead this is going to be giving me. I fire up Savvius Omnipeek to take a gander.

The only two frames I see are Beacon frames sent every 102.4ms (as usual), and SNAP Header broadcast frames sent at random intervals with no apparent pattern and no real data to digest (roughly 30 frames every minute). I asked Meraki what it was about, but they said the details are top secret and cannot share them. All they could tell me was that the Meraki Mesh Routing was based on RoofNET.

So since its basically mostly only sending Beacons, what I do know is based on my hero Andrew Von Nagy’s SSID Overhead calculator, we are looking at a single SSID at 1Mbps and its basically a complete and unnecessary waste of my airtime (see what I did there?), that I can’t do jack diddly squat about.

I hope that one day Meraki will give us the power to disable this.

If you feel I’ve gotten anything wrong with this post, please by all means feel free to educate me.

 

**UPDATE as of 5/23/2017**

Not sure when the change happened, but Meraki appears to have heard our cries and disabling MESHING actually now does indeed kill all MESHING communications. Hurray !

Thanks!

-Nolan