Cisco Meraki, you have ghasted my flab

PatrickFarrell · 2025-04-02T19:10:24.661Z

It’s 2025 and you still only support single DES 56 for SNMPv3 monitoring? Really?

Confirmed here they are working on AES. Hey it’s only 2025, no rush.

Re: Switch SNMPv3 settings changed to AES128 without warning

Support have told me this: "To clarify why you witnessed a change between AES and DES is due to a backend maintenance change was introduced which caused this issue, which caused your organisation configuration which was set to AES to override your...

<>

Also here:

community.meraki.com – 13 Mar 25

“Network Wide > General > SNMPv3 Privacy Mode” Option to be Temporarily...

Oops! We let you have a peek before it was ready. In the past few months we have been working hard to allow customers to switch their SNMPv3 encryption setting to AES128. We recently discovered that we accidentally made a preview of that...

Why not AES256 at this point? Some Cisco switches are 256, Nexus 9Ks though are 128.

PatrickFarrell · 2025-04-02T19:25:09.960Z

Guess what doesn’t support DES anymore? RHEL 9. So I can’t poll it from there or even snmpwalk it.

PatrickFarrell · 2025-04-02T19:49:20.156Z

A DES key was broken in 22 hours by the EFF in 1999. Anyone want to guess how many micro seconds it would take with a modern GPU now?

HulkSmash · 2025-04-02T20:31:49.341Z

Half that time maybe less.

PatrickFarrell · 2025-04-02T20:33:13.882Z

I would guess more or less instantly.

sparkfist · 2025-04-02T21:05:36.601Z

Here I was thinking that Cisco Meraki was a good service. Time to start looking for another vendor.

titusovermyer · 2025-04-02T21:20:00.006Z

Meraki is notoriously, always gimping their devices compared to what they put in the full Cisco suite. Even the Small Business line doesn’t get all the features.

PatrickFarrell · 2025-04-02T22:26:26.569Z

I keep waiting for someone to post, no sir, you are misinformed, go here click here, and that’s where you’ll find it, but the employee post stating they are still working on it sealed the deal.

DES should have been dead a decade ago.

kevinhsieh · 2025-04-03T15:50:40.770Z

Cisco Meraki has always been a toy compared to actual enterprise gear. Do their firewalls even support advertising routes via OSPF? Last I checked there was zero BGP support.

PatrickFarrell · 2025-04-03T16:02:26.836Z

There’s a difference between not supporting a protocol and security malfeasance. I consider only supporting DES to be exactly that.

edrubin1718 · 2025-04-08T16:42:17.782Z

I’m glad we use HPE/Aruba for the vast majority of clients, the one Meraki we dealt with was a PITA to manage

somedude2 · 2025-04-08T18:34:29.174Z

PatrickFarrell:

DES key was broken in 22 hours by the EFF in 1999

Well, they were using distributed.net, so 100,000 computers helped out. The key rate was 245 billlion keys per second, and there was a touch of luck, they only searched 22% of the keys to hit the right one.

Having noted that, modern GPU’s have clock speeds 20x faster than cpu’s in 1999 and thousands of cores, not just one.

So, yeah, a day …

Scary bit: Every hacker can use their own GPU..

wslrav · 2025-04-22T10:39:03.766Z

Using Ruckus at multiple sites. Would recommend.

PatrickFarrell · 2025-04-22T13:51:13.003Z

Wasn’t my choice in this case. And yes I know you can monitor these in the Meraki portal. Was trying to add them to Zabbix for some basic monitoring along with everything else and discovered that security nonsense.