Meraki SD-WAN.pdf

613 views 85 slides Jun 27, 2023

About This Presentation

Security with Meraki SD-WAN


Slide Content

#CLUS

Greg Griessel, Technical Solutions Architect
[email protected]
BRKSEC-2998
Cloud Managed Security & SD-WAN from Cisco Meraki

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
About your speaker
Greg Griessel
Technical Solutions Architect
Cisco Global Security Sales Organization
Cisco 13 Years +
My city is known as EGOLI, "Place of Gold"
Johannesburg, South Africa

Questions?
Use Cisco Webex Teams to chat with the speaker after the session
How
1.Find this session in the Cisco Live Mobile App
2.Click "Join the Discussion"
3.Install Webex Teams or go directly to the team space
4.Enter messages/questions in the team space
Webex Teams will be moderated by the speaker until June 16, 2019.
Cisco Webex Teams
cs.co/ciscolivebot#

Agenda
•About the Meraki MX
•Security capabilities
•Sizing and Performance
•SD-WAN
•AutoVPN, Routing, Probing
•Interface Queuing, Algorithms
•Optimization, Troubleshooting
•Design Tips
•What’s new
•Meraki Product Portfolio
•Q&A

For Your Reference
•Some slides are marked with the "For Your Reference" symbol
•These slides contain additional information that is not fully presented, such as guides or URLs

About the Cisco Meraki MX

Simplifying IT with cloud management
•Wireless, switching, security, SD-WAN, communications, EMM, and security cameras
•Integrated hardware, software, and cloud services
•Among Cisco’s fastest growing portfolios
•Over 140,000 unique customers
•Over 2 million Meraki network devices online

Benefits of a cloud managed solution
•Reliability
•Security
•Scalability
•Future-proofing

A complete connectivity and threat management solution
•Bandwidth shaping
•URL content filtering
•Quality of Service control
•Next generation firewall
•AES encrypted VPN
•Intrusion prevention (IPS)
•Malware protection
•Geo-IP firewalling
•3G / 4G failover
•Branch routing
•WAN balancing and failover
•High Availability
•Intelligent path control

Security made simple

Ironclad security
•Application-aware firewalling
•Based on Cisco Snort
•With over 80 categories and over 4 billion categorized URLs
•Allow or block traffic by country
•Cisco AMP and Threat Grid
•Software and security updates delivered from the cloud
•PCI 3.2 certified cloud management backend

Backed by Cisco Talos threat intelligence
•1.5 million malware samples / day
•600 billion email messages / day
•16 billion web requests / day
•Honeypots
•Open source communities
•Internal vulnerability discovery
•Telemetry
•Internet-wide scanning
•Over 250 full time threat researchers
•Millions of telemetry agents
•4 global data centers
•Over 100 threat intelligence partners
•Over 1100 threat traps

Intrusion Prevention/Detection (IPS/IDS)
Based on Cisco Snort
3 Predefined Signature Sets:
•Connectivity - Rules from the current year and the previous two years for vulnerabilities with a CVSS score of 10 (~435 rules)
•Balanced - Rules from the current year and the previous two years for vulnerabilities with a CVSS score of 9 in the following categories: Malware-CNC, Blacklist, SQL Injection and Exploit-kit (~8171 rules)
•Security - Rules from the current year and the previous three years for vulnerabilities with a CVSS score of 8 in the following categories: Malware-CNC, Blacklist, SQL Injection, Exploit-kit, App-detect (~8309 rules)
The Balanced rule set is selected by default; signatures can be whitelisted
https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Threat_Protection

Advanced Malware Protection for Meraki MX
•Automatic protection against an ever-growing list of known malicious files, plus malware sandboxing with Threat Grid
•Security Center makes it easy to ensure you have the latest information about attacks on your network
•Automatic alerting when a downloaded file is found to be malicious after the fact
•Enable best-in-class malware protection with just two clicks
220 million known malicious files
407 million known clean files
1.5 million new incoming malware samples per day
1.6 million devices using AMP globally
3.1 billion lookup requests per day

AMP and TG - How does it work?
(diagram: file dispositions Clean / Malicious / Unknown; Threat Score and Behavioral Indicators for unknown files; AMP Update; Retrospection)

AMP Notes
AMP file inspection of HTTP traffic ONLY
Max inspected file size = 5 MB; files above 5 MB are NOT inspected
Supported file types for AMP inspection:
•MS OLE2 (.doc, .xls, .ppt)
•MS Cabinet (Microsoft compression type)
•MS EXE
•ELF (Linux executable)
•Mach-O/Unibin (OSX executable)
•Java (class/bytecode, jar, serialization)
•PDF
•ZIP (regular and spanned), including MS Office XML files (docx, xlsx, etc.)
•EICAR (standardized test file)
•SWF (Shockwave Flash 6, 13, and uncompressed)
https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Advanced_Malware_Protection_(AMP)

Threat Grid Integration Notes
Files with an unknown AMP verdict are submitted to Threat Grid for further analysis
Max inspected file size = 5 MB; files above 5 MB are NOT submitted (prequalified by AMP)
Prerequisites:
•AMP inspection enabled on MX (Advanced Security)
•Valid Threat Grid license for MX or a Threat Grid Premium license
Supported file types for Threat Grid inspection:
•PE executables
•DLLs
•PDFs
•MS Office documents: RTF, DOC, PPT(x)
https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Threat_Grid_Integration

Threat Grid – Example Analysis

Threat Grid – Dashboard (Premium)

Sizing and Performance

Meraki Security & SD-WAN Portfolio
Teleworker: Z3, Z3C
•~5 users
•802.11ac Wave 2 Wireless & PoE
•FW throughput: 100 Mbps
•CAT 3 LTE (Z3C)
Small Branch: MX64/65, MX67/68, MX67C/68CW
•MX64/65: ~50 users, 802.11ac Wireless* & PoE, FW throughput: 250 Mbps
•MX67/68: ~50 users, 802.11ac Wave 2* & PoE, FW throughput: 450 Mbps
•MX67C/68CW: ~50 users, 802.11ac Wave 2* & PoE, FW throughput: 450 Mbps, CAT 6 LTE
Medium Branch: MX84, MX100
•MX84: ~200 users, FW throughput: 500 Mbps
•MX100: ~500 users, FW throughput: 750 Mbps
Large Branch, Campus or Concentrator: MX250, MX450
•MX250: ~2,000 users, FW throughput: 4 Gbps
•MX450: ~10,000 users, FW throughput: 6 Gbps
Virtual: vMX100 for AWS & Azure
•FW throughput: 750 Mbps
•VPN & SD-WAN features
*Available with wireless models (MX64W, MX65W, MX67W, MX68W, MX68CW)
Z3C not available in Japan

MX Security & SD-WAN Small Branch Portfolio
Higher performance with embedded cellular options

Model                MX64/65   MX64W/65W  MX67/68   MX67W/68W        MX67C      MX68CW
Firewall Throughput  250 Mbps  250 Mbps   450 Mbps  450 Mbps         450 Mbps   450 Mbps
VPN Throughput       100 Mbps  100 Mbps   200 Mbps  200 Mbps         200 Mbps   200 Mbps
Wi-Fi                -         802.11ac   -         802.11ac Wave 2  -          802.11ac Wave 2
Embedded Cellular    -         -          -         -                CAT 6 LTE  CAT 6 LTE

North America variant: Bands 2, 4, 5, 12, 13, 17, and 29
Worldwide variant: Bands 1, 3, 5, 7, 8, 20, 26, 28A, 28B, 34, 38, 39, 40, 41

Meraki MX by the numbers (May 2019)
Number of Active MX Units (excluding Z1/Z3): 742K
Number of MX with Advanced Security License: 641K
Number of MX with AMP Enabled: 373K
Number of MX with Threat Grid Enabled: 6,725
Number of MX with Snort Enabled: 447K
Number of MX with Content Filtering enabled network-wide: 197K
Number of MX with SD-WAN features enabled: 57,700
Number of customers with SD-WAN: 17,150
Number of customers with Meraki Insight: 1,100
Largest MX Organization (Number of networks): 17,725
Largest MX Customer (Number of networks): 36,100

MX Sizing
https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf

Features that may impact Performance and Utilization
•IDS/IPS - Impact level HIGH
•Malware Protection - Impact level MEDIUM
•VPN - Impact level MEDIUM
•Web Cache (MX84+) - Impact level MEDIUM

Additional Considerations
•MX LAN traffic on the same subnet (intra-VLAN) is switched in hardware at line rate (no security services are applied)
•MX LAN traffic across subnets (inter-VLAN) goes through Firewall, AMP, and IPS
•IPS is unlikely to trigger since most of the signatures are designed for inbound services
•AMP is unlikely to see much inter-VLAN traffic because it only checks HTTP traffic, and most malware files moving across a LAN are not going over HTTP

SD-WAN

Reliable, cost effective connectivity with Meraki SD-WAN
•Dual uplink ports: 2 uplink support on all MX models for load balancing and redundancy
•LTE failover: USB modem support in all models with automatic failover; C Series with built-in LTE
•Site to site VPN: Cloud orchestrated VPN (Meraki Auto VPN) with load balancing and self-healing capabilities
•Intelligent path control: Policy based routing and performance based dynamic path selection
•Branch Routing: Automatic route distribution via Auto VPN, OSPF route advertisement, BGP support
•High Availability: Active/passive hardware redundancy
•Traffic shaping: Application bandwidth limiting and prioritization

SD-WAN Deployment Guide (CVD)
https://documentation.meraki.com/MX-Z/Deployment_Guides/SD-WAN_Deployment_Guide_(CVD)

SD-WAN
Powered by Meraki: Full stack branch management for Lean IT
Powered by Viptela: Flexible and sophisticated with secure segmentation and advanced routing

Integrated Security for Cisco SD-WAN
•Enterprise Firewall
•Intrusion Protection System
•URL Filtering
•Cloud Security with Umbrella

AutoVPN

Traditional VPN vs AutoVPN

Traditional Open Standard (slower, more secure):
•Interesting Traffic
•IKE Phase One: Main mode (3 exchanges) or Aggressive mode (1 exchange); Peer Addressing Info
•IKE Phase Two: Quick mode, PFS
•Tunnel Established

Meraki AutoVPN (faster, less secure) - Security Level 0:
•VPN Registry: Peer addressing, Punch node, IP info / port via punch
•Hello
•Pseudo-IKE: looks like aggressive mode; 1st offer IPSec SA, 2nd Data
•Tunnel Established

Meraki AutoVPN - Security Level 2:
•VPN Registry: Peer addressing, Punch node, IP info / port via punch
•Hello
•IKEv2 lite: looks like aggressive mode; 1st offer IPSec SA, 2nd Data
•Tunnel Established

Auto VPN Orchestration
1.A new MX registers its Uplink IP, Public IP and local subnets
2.The new route is propagated to all other MX peers automatically via the Dashboard
3.They establish a site-to-site VPN connection
a) With unique pre-shared keys
b) Try Uplink IP first (private link?)
c) Try Public IP second

VPN Registry
Subnet       Uplink IP  Public IP
10.0.1.0/24  10.1.1.1   184.23.135.1
10.0.2.0/24  10.1.1.2   184.23.135.2
10.0.3.0/24  10.1.1.3   184.23.135.3

VPN Registry
Help -> Firewall info

Routing

OSPFv2 - VPN Concentrator Mode
•Setup: Hellos on WAN only

OSPFv2 - NAT Mode
•Appeal: Inside/outside mindset
•Setup: VLANs disabled; Hellos on LAN side
(diagram: INTERNET - MX - Internal Network)

OSPFv2 Active/Active DC
•Seeking:
•Load balancing
•Prevent asymmetric routes
•Answer:
•Different OSPF process on each DC
•Redistribute into backbone
•Metric type change
•IP advertisement, e.g., 10.0.0.0/16 to DC 1 and 10.1.0.0/16 to DC 2
(diagram: Area 65517, Area 65215, Area 0)

BGPv4
•Why?
•Gartner
•Traffic engineering
•More dynamic
Using the same daemon (BIRD) as OSPF

BGPv4 – Dashboard

BGPv4 Bugs – Firmware 14.x Fixes
•Dashboard
•New route table work in progress
•Connectivity down but reachable
•eBGP only
•AutoVPN lower AD
•Next hop negative numbers
•Routing
•Advertise BGP NLRI information with invalid next hop attribute
•Add 192.0.2.1 as a local network

Probing

Performance probes
•Each uplink sends a probe across all available paths
•In this example, MX2 sends 4 probes
•The receiving MX will reply with 4 probes
•Probe: 100 byte UDP (based on protobuf) with no DSCP marking
•Default probe interval: 1 or 10 sec
•Average latency, loss and jitter are computed over the last 6 samples
•These values are computed for all possible paths (max 4) per MX
(diagram: MX #1 and MX #2, each with uplink1 and uplink2; probes 1-4 across the four paths)
Path Latency: incoming latency values 10, 15, 20, 20, 15, 10 ms; current average: 15 ms
Path Jitter: calculated jitter_k = |latency_k – latency_(k-1)|; incoming values 5, 5, 0, 5, 5, …; current average: 2.5 ms
Packet loss: incoming loss values (1/0) 0, 0, 0, 0, 0, 0; current average: 0%
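An added example (not code from the deck or from Meraki) of the probe bookkeeping the slide describes: one rolling 6-sample window per path, jitter taken as the absolute difference between consecutive latency samples, and a lost probe counting toward loss while producing no latency sample. Uplink names and all probe values are constructed.

```python
"""Rolling path-quality metrics as described on the Performance probes slide.

Constructed example, not Meraki code. Every probe result on a path is fed in as
a latency sample (None for a lost probe); latency, jitter and loss are averaged
over the last WINDOW samples, with jitter_k = |latency_k - latency_(k-1)|.
"""
from collections import deque
from dataclasses import dataclass, field
from itertools import product
from typing import Deque, Dict, List, Optional, Tuple

WINDOW = 6      # slide: averages are computed over the last 6 samples
MAX_PATHS = 4   # slide: at most 4 paths per peer (2 local x 2 remote uplinks)


def _mean(samples) -> float:
    return sum(samples) / len(samples) if samples else 0.0


@dataclass
class PathStats:
    """Rolling statistics for one probe path (local uplink -> remote uplink)."""
    latency: Deque[float] = field(default_factory=lambda: deque(maxlen=WINDOW))
    jitter: Deque[float] = field(default_factory=lambda: deque(maxlen=WINDOW))
    loss: Deque[int] = field(default_factory=lambda: deque(maxlen=WINDOW))
    last_latency: Optional[float] = None

    def record(self, latency_ms: Optional[float]) -> None:
        """Record one probe; None means the probe or its reply never came back."""
        if latency_ms is None:
            self.loss.append(1)   # a lost probe counts toward loss only...
            return                # ...and yields no latency or jitter sample
        self.loss.append(0)
        self.latency.append(latency_ms)
        if self.last_latency is not None:
            self.jitter.append(abs(latency_ms - self.last_latency))
        self.last_latency = latency_ms

    def averages(self) -> Tuple[float, float, float]:
        """(average latency ms, average jitter ms, loss %) over the window."""
        return _mean(self.latency), _mean(self.jitter), 100.0 * _mean(self.loss)


class PeerMonitor:
    """Tracks every local-uplink/remote-uplink path towards one VPN peer."""

    def __init__(self, local_uplinks: List[str], remote_uplinks: List[str]) -> None:
        paths = list(product(local_uplinks, remote_uplinks))
        if not 1 <= len(paths) <= MAX_PATHS:
            raise ValueError(f"expected 1..{MAX_PATHS} paths, got {len(paths)}")
        self.paths: Dict[Tuple[str, str], PathStats] = {p: PathStats() for p in paths}

    def record(self, local: str, remote: str, latency_ms: Optional[float]) -> None:
        self.paths[(local, remote)].record(latency_ms)

    def report(self) -> Dict[Tuple[str, str], Tuple[float, float, float]]:
        return {path: stats.averages() for path, stats in self.paths.items()}


def demo() -> Dict[Tuple[str, str], Tuple[float, float, float]]:
    """Feed constructed probe results for the MX2 -> MX1 paths and return averages."""
    mon = PeerMonitor(["uplink1", "uplink2"], ["uplink1", "uplink2"])
    for _ in range(7):                                # steady 20 ms, nothing lost
        mon.record("uplink1", "uplink1", 20)
    for sample in (30, None, 30, 40, None, 40):       # two lost probes and a 10 ms step
        mon.record("uplink2", "uplink1", sample)
    for sample in (50, 50, 10, 10, 10, 10, 10, 10):   # 8 samples: the 50s age out of the window
        mon.record("uplink1", "uplink2", sample)
    return mon.report()


if __name__ == "__main__":
    for (local, remote), (lat, jit, loss) in demo().items():
        print(f"{local} -> {remote}: latency {lat:.1f} ms, jitter {jit:.2f} ms, loss {loss:.1f} %")
```

The jitter window keeps the 40 ms step on the third path after its latency window has already settled at 10 ms, which is why a path can look stable on latency while still reporting jitter.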

Protobuf
•Created by Google in 2001 and used internally 2001-2008
•Made open source in 2008
•Used in all Google services; every time you hit Google you hit several services running PB code
•Currently supports C++, Java, Python and JavaScript
More info: https://blogs.cisco.com/sp/streaming-telemetry-with-google-protocol-buffers

Interface Queuing

Traffic shaping and prioritization
•Traffic Shaping and Prioritization: classify traffic and forward based on app (L7). L7 classifiers; the default priority is Normal
•Priority Queues (High, Normal, Low): 4x, 2x, 1x packets are consumed respectively from each queue by a Round Robin Scheduler
•LLQ* (* LLQ introduced in R13-24+)
•Path Selection Mux: selection based on L3/4 classifiers. Unclassified traffic is distributed based on the WAN1 / WAN2 ratio
•WAN Uplinks: traffic distribution is proportional to the path bandwidth ratio. In the example (WAN1 10 Mbps, WAN2 5 Mbps), WAN1 gets 2x the packets of WAN2
(diagram: LAN Traffic -> High / Normal / Low priority queues (4x, 2x, 1x) -> Round Robin Scheduler -> Path Selection Mux -> WAN1 (10 Mbps) / WAN2 (5 Mbps))
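An added example (not Meraki's code) of the two stages the slide draws: a 4:2:1 weighted round-robin over the High/Normal/Low queues, followed by a path mux that pins each flow to an uplink and spreads unclassified flows in the WAN1:WAN2 bandwidth ratio. The smooth weighted round-robin used to realise the ratio, the flow names and the L3/4 rule are constructed.

```python
"""Priority queues, 4:2:1 round-robin scheduler and WAN1/WAN2 path mux from the
Traffic shaping and prioritization slide.

Constructed example, not Meraki code. Packets are (flow id, priority) tuples;
one scheduler round drains up to 4, 2 and 1 packets from High, Normal and Low,
and unclassified flows are spread over the uplinks in proportion to bandwidth.
"""
from collections import deque
from typing import Callable, Deque, Dict, List, Optional, Tuple

Packet = Tuple[str, str]                      # (flow id, priority)
WEIGHTS = {"High": 4, "Normal": 2, "Low": 1}  # slide: 4x, 2x, 1x packets per round


class PriorityScheduler:
    """Three priority queues served by a weighted round-robin scheduler."""

    def __init__(self) -> None:
        self.queues: Dict[str, Deque[Packet]] = {p: deque() for p in WEIGHTS}

    def enqueue(self, flow_id: str, priority: str = "Normal") -> None:
        """L7-classified traffic lands in its priority queue; the default is Normal."""
        self.queues[priority].append((flow_id, priority))

    def next_round(self) -> List[Packet]:
        """One round: up to `weight` packets from each queue, High first."""
        out: List[Packet] = []
        for priority, weight in WEIGHTS.items():
            q = self.queues[priority]
            out.extend(q.popleft() for _ in range(min(weight, len(q))))
        return out

    def pending(self) -> int:
        return sum(len(q) for q in self.queues.values())


class PathMux:
    """Pins every flow to one uplink; unclassified flows follow the bandwidth ratio."""

    def __init__(self, uplink_mbps: Dict[str, int],
                 l34_rule: Optional[Callable[[str], Optional[str]]] = None) -> None:
        self.weights = dict(uplink_mbps)
        self.credit = {u: 0 for u in uplink_mbps}      # smooth weighted round-robin state
        self.l34_rule = l34_rule or (lambda flow_id: None)
        self.flow_table: Dict[str, str] = {}

    def _weighted_pick(self) -> str:
        # Smooth WRR: with 10 and 5 Mbps the picks go WAN1, WAN2, WAN1, WAN1, WAN2, ...
        for uplink, weight in self.weights.items():
            self.credit[uplink] += weight
        chosen = max(self.credit, key=self.credit.get)
        self.credit[chosen] -= sum(self.weights.values())
        return chosen

    def select(self, flow_id: str) -> str:
        """Uplink for a packet; every packet of a flow takes the same path."""
        if flow_id not in self.flow_table:
            pinned = self.l34_rule(flow_id)               # L3/4 classifier match?
            self.flow_table[flow_id] = pinned or self._weighted_pick()
        return self.flow_table[flow_id]


def demo() -> Tuple[List[Packet], Dict[str, int]]:
    """Return the first scheduler round and per-uplink packet counts after draining."""
    sched = PriorityScheduler()
    for i in range(10):                          # 30 constructed single-packet flows
        sched.enqueue(f"voice-{i}", "High")
        sched.enqueue(f"web-{i}")                # default priority: Normal
        sched.enqueue(f"backup-{i}", "Low")
    first_round = sched.next_round()             # expect 4 High, 2 Normal, 1 Low
    mux = PathMux({"WAN1": 10, "WAN2": 5})       # slide: WAN1 gets 2x the packets of WAN2
    counts = {uplink: 0 for uplink in mux.weights}
    rounds = [first_round]
    while sched.pending():
        rounds.append(sched.next_round())
    for pkt in (p for r in rounds for p in r):
        counts[mux.select(pkt[0])] += 1
    return first_round, counts
```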

Algorithms

SD-WAN Algorithm

Flow decision example – H&S
Example 1: One-armed VPN concentrator at the data center
(diagram: DC MX with a single uplink1; SPOKE MX with uplink1 and uplink2 across MPLS and Internet; VPN tunnels between them)

For a given flow:
1.DC MX sends first packet to SPOKE MX uplink2
•Local uplink decision: No local choice, so sending via uplink1
•Remote uplink decision: First packet, pick a tunnel (round robin)
2.SPOKE MX decides to reply through uplink1
•Local uplink decision: Based on PbR / dynamic path selection
•Remote uplink decision: No remote choice, DC has one uplink only
3.DC MX learns spoke preference, proceeds by sending traffic to SPOKE MX uplink1
•Local uplink decision: No local choice
•Remote uplink decision: DC registers sender’s remote uplink (remote uplink #1)
Notes
•PbR / dynamic path selection don’t apply to DC MX

Flow decision example – Dual Network
Example 2: Both peers are dual WAN over Broadband
(diagram: MX #1 and MX #2, each with uplink1 and uplink2 to the Internet; VPN tunnels between the uplink pairs)
For a given flow:
1.MX2 sends a packet up
•Local uplink decision: Based on PbR / dynamic path selection
•Remote uplink decision: First packet, pick a tunnel (round robin)
2.MX1 replies through its uplink1 to MX2 uplink1 (second packet)
•Local uplink decision: Based on PbR / dynamic path selection
•Remote uplink decision: MX1 registers that the packet came from MX2 uplink1
3.MX2 replies through its uplink1 to MX1 uplink1 (steady state)
•Local uplink decision: Based on PbR / dynamic path selection
•Remote uplink decision: MX2 registers that the packet came from MX1 uplink1
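An added simulation (not Meraki's code) of both flow decision examples: each MX makes a local decision (fixed when it has a single uplink, otherwise a PbR / dynamic path selection callback) and a remote decision (round robin for the first packet, afterwards the sender uplink registered in its flow table). The flow keys and preference callbacks are constructed, and the round robin here starts at uplink1 where the slide's first pick happened to be uplink2.

```python
"""Per-flow uplink decisions over AutoVPN, following the slide's two flow
decision examples (hub-and-spoke, dual network).

Constructed example, not Meraki code. Each MX registers which of the sender's
uplinks a flow last arrived from and uses that as the remote uplink; before it
is known, it round-robins over the peer's tunnels. The local uplink is fixed
for a single-uplink MX (the one-armed DC MX) or chosen by a PbR / dynamic path
selection callback otherwise.
"""
from itertools import cycle
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# (local uplink, remote uplink, local reason, remote reason): the "why" behind each decision
Decision = Tuple[str, str, str, str]


class MX:
    def __init__(self, name: str, uplinks: List[str],
                 policy: Optional[Callable[[str], str]] = None) -> None:
        if len(uplinks) > 1 and policy is None:
            raise ValueError(f"{name}: a multi-uplink MX needs a path selection policy")
        self.name, self.uplinks, self.policy = name, uplinks, policy
        self.learned: Dict[Tuple[str, str], str] = {}   # (peer, flow) -> peer uplink seen
        self.rr: Dict[str, Iterator[str]] = {}          # per-peer round robin over tunnels

    def _local_uplink(self, flow: str) -> Tuple[str, str]:
        if len(self.uplinks) == 1:
            return self.uplinks[0], "no local choice, single uplink"
        return self.policy(flow), "PbR / dynamic path selection"

    def _remote_uplink(self, peer: "MX", flow: str) -> Tuple[str, str]:
        if len(peer.uplinks) == 1:
            return peer.uplinks[0], "no remote choice, peer has one uplink"
        known = self.learned.get((peer.name, flow))
        if known is not None:
            return known, f"registered sender uplink ({known})"
        rr = self.rr.setdefault(peer.name, cycle(peer.uplinks))
        return next(rr), "first packet, pick a tunnel (round robin)"

    def send(self, peer: "MX", flow: str) -> Decision:
        """Pick local and remote uplinks for one packet and deliver it to the peer."""
        local, why_local = self._local_uplink(flow)
        remote, why_remote = self._remote_uplink(peer, flow)
        peer.receive(self, flow, came_from=local)
        return local, remote, why_local, why_remote

    def receive(self, sender: "MX", flow: str, came_from: str) -> None:
        """Register which of the sender's uplinks this flow arrived from."""
        self.learned[(sender.name, flow)] = came_from


def hub_and_spoke() -> List[Decision]:
    """Example 1: one-armed DC MX and a spoke whose policy prefers uplink1."""
    dc = MX("DC MX", ["uplink1"])
    spoke = MX("SPOKE MX", ["uplink1", "uplink2"], policy=lambda flow: "uplink1")
    flow = "10.0.1.10:52001 -> 10.9.0.5:443"             # constructed flow key
    return [dc.send(spoke, flow), spoke.send(dc, flow), dc.send(spoke, flow)]


def dual_network() -> List[Decision]:
    """Example 2: both peers dual WAN; both policies prefer uplink1."""
    mx1 = MX("MX #1", ["uplink1", "uplink2"], policy=lambda flow: "uplink1")
    mx2 = MX("MX #2", ["uplink1", "uplink2"], policy=lambda flow: "uplink1")
    flow = "192.168.2.30:5060 -> 192.168.1.20:5060"      # constructed flow key
    return [mx2.send(mx1, flow), mx1.send(mx2, flow), mx2.send(mx1, flow)]


if __name__ == "__main__":
    for step, d in enumerate(hub_and_spoke() + dual_network(), 1):
        print(f"{step}. local {d[0]} ({d[2]}); remote {d[1]} ({d[3]})")
```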

Troubleshooting

Live Tools
Security appliance -> Appliance status

Other Tools
•Packet captures
•Event log
•Alerts
•RESTful APIs
•Traditional tools: SNMP, syslog, NetFlow

Flow Table
•Live tool (not logged)
•Every flow decision… explained
•Which uplink?
•Why?
•Search by uplink or flow
Security appliance -> VPN status

Performance monitoring – WAN Health
•Between 2 peers
•For all possible paths (min: 1, max: 4)
•Latency, loss, jitter and MOS
•Identify performance issues

Meraki Insight – Web Application Experience
•Monitor performance for apps travelling via VPN or public Internet
•End-to-end visibility for SaaS application experience
•Network performance analytics and troubleshooting, including the LAN, WAN, servers and domains
•Accelerate IT and reduce time-to-resolution
End-to-end network intelligence at work

General Design Tips

Putting It All Together
Scale
•Many 1,000’s of sites
•Routing
•Sizing & availability
Geo Differences
•Topological differences
•Local governance
•Concentrator or NAT
Integration and Migration
•Existing IP schema
•Risk reduction
•Routing

Designing MX Networks for Scale
1.Start with the WAN architecture. Hub and spoke should be used to scale up.
2.If pure H+S, apply optimizations to the org
•This reduces hub CPU load by 20-30%
•If spokes are using full tunnel VPN connectivity to hubs, you’re good
•If spokes are using split tunnel, a summary route encompassing all spoke subnets must be advertised by the hubs if spoke-to-spoke communication is required.
3.If hubs advertise overlapping DC subnets, apply optimizations to the org to prevent hub route loops.
4.Refer to the sizing guide for appliance hardware. Critical elements:
•If in NAT mode (branches), client count
•If in NAT mode, consider Adv. Sec. feature throughput hit
•VPN tunnel count (client VPN counts too!)
•WAN uplink throughput
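An added design checker (not from the deck or from Meraki) for steps 2 and 3 above: it computes the single summary route that encompasses all spoke subnets, reports hubs that do not advertise it when spokes are split-tunnel and need spoke-to-spoke traffic, and flags DC subnets that overlap across hubs. All prefixes and hub names are constructed.

```python
"""Design check for the hub advertisement rules on the 'Designing MX Networks
for Scale' slide: with split-tunnel spokes that need spoke-to-spoke traffic,
every hub must advertise a summary route covering all spoke subnets, and DC
subnets that overlap across hubs need the org optimizations to avoid hub
route loops.

Constructed example, not Meraki code; every prefix and hub name is made up.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

IPNetwork = ipaddress.IPv4Network


def spoke_summary(spoke_subnets: Iterable[str]) -> IPNetwork:
    """Smallest single prefix that encompasses every spoke subnet."""
    nets = [ipaddress.ip_network(s) for s in spoke_subnets]   # strict: host bits set is an error
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()   # widen one bit at a time until everything fits
    return summary


def check_hub_design(hub_dc_subnets: Dict[str, List[str]], hubs_with_summary: Iterable[str],
                     spoke_subnets: List[str], split_tunnel: bool,
                     spoke_to_spoke: bool) -> Tuple[List[str], IPNetwork]:
    """Return (findings, required summary). No findings means the design follows the slide."""
    findings: List[str] = []
    summary = spoke_summary(spoke_subnets)
    # Step 3: overlapping DC subnets advertised by different hubs.
    dc = [(hub, ipaddress.ip_network(p)) for hub, ps in hub_dc_subnets.items() for p in ps]
    for i, (hub_a, net_a) in enumerate(dc):
        for hub_b, net_b in dc[i + 1:]:
            if hub_a != hub_b and net_a.overlaps(net_b):
                findings.append(f"{hub_a} {net_a} overlaps {hub_b} {net_b}: "
                                "apply org optimizations to prevent hub route loops")
    # Step 2: full tunnel needs nothing more; split tunnel plus spoke-to-spoke
    # traffic needs the summary route on every hub.
    if split_tunnel and spoke_to_spoke:
        advertising = set(hubs_with_summary)
        for hub in hub_dc_subnets:
            if hub not in advertising:
                findings.append(f"{hub} must advertise a summary route covering {summary}")
    return findings, summary


def demo() -> Tuple[List[str], IPNetwork]:
    """Constructed org: 199 branch /24s, two hubs, one of which lacks the summary."""
    spokes = [f"10.{i}.0.0/24" for i in range(1, 200)]
    hub_dc = {"DC1": ["172.16.0.0/16", "172.18.0.0/15"], "DC2": ["172.19.0.0/16"]}
    return check_hub_design(hub_dc, hubs_with_summary=["DC1"], spoke_subnets=spokes,
                            split_tunnel=True, spoke_to_spoke=True)


if __name__ == "__main__":
    found, route = demo()
    print(f"required summary: {route}")
    for finding in found:
        print(f"- {finding}")
```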

What’s New

At-a-Glance
•MX 12 - Latest: 12-26-2 (Deprecated)
•MX 13 - Latest: 13-36 (GA)
•MX 14 - Latest: 14-38 (Open Beta)
•MX 15 - Latest: 15 (Closed Beta)

MX 14:
•Branched to accommodate new platforms (MX250, MX450, and Z3)
•GA for these platforms
•Routing (SD-WAN):
•4 queues for traffic processing (low, medium, high, real-time)
•Automatic mapping of EF46 to the real-time queue
•All current BGP fixes
•Security:
•IKEv2 & HMAC-SHA256 authentication for AutoVPN
•Native Threat Grid (TG) support
•Operations:
•Split DNS (No GUI)

MX 15:
•All new feature development destined here.
•Routing
•PIM-SM Multicast over AutoVPN
•No-NAT on WAN uplinks
•Source-based routing per VLAN (no GUI)
•L3 & FQDN VPN exclusions (GUI in the works)
•More BGP fixes

MX 15: Security
•IKEv2
•Zip file support for Threat Grid inspection
•AMP inspection of ZIP file contents
•Umbrella DNS Layer Security integration

PIM-SM Multicast over AutoVPN
Security appliance -> Site-to-site VPN

Other Tools
•Local Status Page
•Appliance Status – Tools
•Summary Report
•Dashboard Mobile App

Loss of Connectivity to the Cisco Meraki Cloud
Connectivity loss can occur for several reasons: your WAN connection goes down, a Meraki data centre experiences an outage, or there is an Internet routing issue between your site and Meraki.
•The Meraki Cloud is an out-of-band architecture, meaning that no client data flows through the Cloud
•The MX will continue to operate as per its latest (last) valid config download
•The MX will reboot every 4 hours to try to re-establish connectivity
During a connectivity loss state the following operations are not possible:
•Network configuration changes will not take effect
•Usage statistics will become out of date
If a Meraki data centre experiences an outage, your network will automatically fail over to another Meraki data centre.
Assuming you have set up email alerts, you will receive an email when a Meraki node loses connectivity to the Cloud, allowing you to take corrective action if necessary.

Where to Get Support
•Knowledge Base
•Community
•Documents

Licensing that fits the business’ needs
Enterprise:
•Next Generation Firewall
•Site-to-site and client VPN
•Intelligent path control
•Link bonding and failover
•Bandwidth shaping and QoS
•Branch routing
•Web caching
•Active/Passive high availability
Advanced Security: all enterprise features, plus
•Content filtering (with Google SafeSearch enforcement)
•Cisco Advanced Malware Protection
•Snort IDS/IPS
•Threat Grid integration*
•Geo-based firewall rules
*additional Threat Grid subscription required

The Meraki Full Stack
A complete cloud managed IT portfolio
Single pane of glass management
•Wireless
•Switching
•Security and WAN
•Security Cameras
•EMM
•IP Telephony (availability in Americas only)

Q/A ?

Complete your online session evaluation
•Please complete your session survey after each session. Your feedback is very important.
•Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
•All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

Continue your education
•Related sessions
•Walk-in self-paced labs
•Demos in the Cisco campus
•Meet the engineer 1:1 meetings

Thank you
#CLUS