Customer Experience June 2020 - Meraki SD-WAN
powered by Meraki
Francisco Tello – Consulting Systems Engineer
May 2020
Today Applications are Moving to Multiple Clouds
[Figure labels: Mobile Users, IaaS]
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Internet Connectivity Becomes Business Critical
[Figure: Campus (x2-5), DC/Private Cloud, Branches (x100+), Mobile Users (x1000s), IaaS]
• Exposure to cyber threats
• Increasing complexity
• MR – Wireless Access Points
• MS – Ethernet Switches
• MX – Security & SD-WAN Appliances
• MG – Cellular Gateways
• MI – Insight [Application & WAN]
• SM – Endpoint Management
• MV – Smart Cameras
Cisco SD-WAN powered by Meraki
[Figure: HQ, Public Cloud, MPLS, Internet, LTE; M-Tunnels; AutoVPN]
• Control and Management Plane – Automation
• Transport Independent VPN Overlay – Automation
• Application Performance and QoS – Automation
How does it work?
Zero Touch Provisioning
1. After secure boot with Trustworthy Systems and getting DHCP, the device reaches out to Dashboard using the certificate in its TAM chip
2. The device is claimed into a network from the Meraki Dashboard by the Admin
Configuration is applied to constructs called Networks or Network Templates and is only tied to a device when the device is assigned to the network
[Figure: Any Meraki Device – Meraki Dashboard – Admin]
Overlay Automation – AutoVPN
1. New MX registers with Dashboard, advertising its public and private IP addresses, available uplinks and subnets
2. Dashboard registers the information in the VPN registry and propagates it to all other MXs in the Organization’s SD-WAN fabric
3. All MXs learn about other MXs, automatically establishing VPN tunnels
○ Keying material is auto-generated and refreshed by Dashboard per pair of MXs
○ Uplink IP addresses are tried first
○ Public IP addresses are tried second
4. Learned routes are auto-installed in the routing table
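The four AutoVPN steps above as a small model, added here as an illustration; this is not Meraki code, and the device names, addresses, subnets and the reachability set are constructed.

```python
# Added example (not Meraki code): model of the AutoVPN flow on the slide.
# Names, addresses, subnets and reachability below are constructed.
import secrets
from dataclasses import dataclass, field

@dataclass
class MX:
    name: str
    uplink_ip: str    # private address on the uplink (e.g. the MPLS side)
    public_ip: str    # NATed address seen from the Internet
    subnets: list
    routes: dict = field(default_factory=dict)   # learned subnet -> peer name

class VpnRegistry:
    """Dashboard-side registry: stores advertisements, issues one key per pair."""
    def __init__(self):
        self.records, self.pair_keys = {}, {}
    def register(self, mx):          # step 1/2: MX advertises, registry stores
        self.records[mx.name] = mx
    def peers_for(self, mx):         # step 2: propagate to every other MX
        return [m for n, m in self.records.items() if n != mx.name]
    def key_for(self, a, b):
        pair = frozenset((a, b))     # one key per pair, same in both directions
        if pair not in self.pair_keys:
            self.pair_keys[pair] = secrets.token_bytes(32)
        return self.pair_keys[pair]

def build_tunnels(registry, mx, reachable):
    """Steps 3 and 4 on one MX. `reachable` is the set of peer IPs this MX can
    reach, a constructed stand-in for transport connectivity."""
    tunnels = {}
    for peer in registry.peers_for(mx):
        # uplink (private) address is tried first, public address second
        for kind, ip in (("uplink", peer.uplink_ip), ("public", peer.public_ip)):
            if ip in reachable:
                tunnels[peer.name] = (kind, ip, registry.key_for(mx.name, peer.name))
                for subnet in peer.subnets:      # learned routes auto-installed
                    mx.routes[subnet] = peer.name
                break
    return tunnels

# Constructed fabric: the hub reaches branch1 over MPLS (uplink IP) but only
# sees branch2's public address, so branch2 falls back to the public IP.
REGISTRY = VpnRegistry()
HUB = MX("hub", "10.0.0.1", "203.0.113.1", ["192.168.0.0/24"])
BR1 = MX("branch1", "10.0.0.2", "203.0.113.2", ["192.168.1.0/24"])
BR2 = MX("branch2", "10.0.0.3", "203.0.113.3", ["192.168.2.0/24"])
for dev in (HUB, BR1, BR2):
    REGISTRY.register(dev)
HUB_TUNNELS = build_tunnels(REGISTRY, HUB, {"10.0.0.2", "203.0.113.3"})
```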
AutoVPN Process with Different Transports
[Figure: DC1 with MPLS, Internet and LTE transports; VPN Registry]
1. MXs register with the VPN Registry
2. VPN Registry records available transports
3. Registry distributes information
4. MXs contact one another and build all their VPN tunnels
• At any spoke MX you may have any combination of two active transports
• You can have a third as backup for any spoke site via LTE
• Hub site may terminate any number of private transports plus two public transports
Supported Topologies
Hub 1 / Hub 2:
• Spoke to Spoke traffic traverses local hub
• Direct Hub to Hub traffic
• Less Scalable
DC 1 (Primary) / DC 2 (Secondary):
• Direct Hub to Hub Traffic
• Resilient Redundant Paths
• Highly scalable and redundant
Nicaragua Hub / Guatemala Hub:
• Intra-region traffic stays within local Hub
• DC Traffic traverses local Hub
• Inter-region traffic traverses multiple Hubs
• Each region can have backup in neighbors
Configuration Templates
Most networks carry the exact same configuration in large numbers of sites, but it still needs to be done individually, which introduces errors and divergence.
Express your Intent once and replicate to 100s or 1000s of locations:
• Auto-addressing from specific blocks
• AutoVPN Roles and DC redundancy
• SD-WAN and
That’s great! But what about Remote Work?
Cisco Meraki SD-WAN Empowers Teleworkers Anywhere
Securely extend the Office to the Home:
• Flexible Zero Touch Deployment with Broadband, LTE or BOTH
• Get Enterprise-grade Secure Wireless at Home
• Give connectivity to Personal Devices
• Use your favorite Collab endpoints
[Figure labels: Embedded LTE, Built-in Wireless, Broadband, Built-in PoE]
Flexible Teleworker Deployment
Smart WAN Paths to Suit Your Business
Path            Loss   Latency   Jitter
Internet-MPLS   5%     120 ms    70 ms
MPLS-Internet   4%     170 ms    30 ms
MPLS-MPLS       1%     250 ms    50 ms
Simply Express Intent
1. Define acceptable performance thresholds (values shown: 300, 50, 5)
3. Choose preferred uplink and when failover should occur
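The path decision described above, worked through on the slide's own measurements as an added example (not Meraki's implementation): it assumes the three threshold values shown mean latency 300 ms, jitter 50 ms and loss 5%, and that MPLS-MPLS is the preferred uplink.

```python
# Added example (not Meraki's implementation): evaluate the slide's three WAN
# paths against the thresholds it shows (assumed to mean latency 300 ms,
# jitter 50 ms, loss 5%) and pick the preferred uplink with failover.
from dataclasses import dataclass

@dataclass(frozen=True)
class PathStats:
    name: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float

@dataclass(frozen=True)
class Policy:
    max_latency_ms: float = 300
    max_jitter_ms: float = 50
    max_loss_pct: float = 5
    preferred: str = "MPLS-MPLS"    # assumed preferred uplink

def violations(path, policy):
    """Every threshold the path breaches; an empty list means it is acceptable."""
    out = []
    if path.latency_ms > policy.max_latency_ms:
        out.append(f"latency {path.latency_ms}ms > {policy.max_latency_ms}ms")
    if path.jitter_ms > policy.max_jitter_ms:
        out.append(f"jitter {path.jitter_ms}ms > {policy.max_jitter_ms}ms")
    if path.loss_pct > policy.max_loss_pct:
        out.append(f"loss {path.loss_pct}% > {policy.max_loss_pct}%")
    return out

def select_path(paths, policy):
    """Stay on the preferred uplink while it meets the thresholds; otherwise
    fail over to the best acceptable path (lowest loss, then latency, then
    jitter). If no path is acceptable, return the least bad one."""
    acceptable = [p for p in paths if not violations(p, policy)]
    for p in acceptable:
        if p.name == policy.preferred:
            return p
    pool = acceptable or list(paths)
    return min(pool, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))

# Measurements as printed on the slide
SLIDE_PATHS = (
    PathStats("Internet-MPLS", loss_pct=5, latency_ms=120, jitter_ms=70),
    PathStats("MPLS-Internet", loss_pct=4, latency_ms=170, jitter_ms=30),
    PathStats("MPLS-MPLS", loss_pct=1, latency_ms=250, jitter_ms=50),
)
```

With the slide's numbers only Internet-MPLS breaches a threshold (jitter), so the preferred MPLS-MPLS path is kept; once it degrades past a threshold the selection fails over to MPLS-Internet.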
Meraki Insight – SD-WAN Assurance
Meraki Insight – Web Application Health
What evidence can pinpoint the problem source?
Within 2 clicks, the user can drill down to generate specific evidence for the network issue
Meraki Insight – WAN Health
At-a-glance health of all MX uplinks across all sites
• Quickly identify downed uplinks, including cellular, across all sites
What is it?
● VoIP performance monitoring over ISP links
● SaaS or On-Prem based VoIP Applications
For Whom?
● Retail / distributed branch
● Offices
● Multiple sites
Traditional Direct Internet Access
[Figure: HQ / DC MX; Branch MX + MI; LAN, WAN, Server; vMX100 Extension]
End-to-end Security
How SD-WAN exposes new security challenges
[Figure: BASIC/NO SECURITY – Data Center, Branch/Campus, Corporate Users, Software, Internal; SD-WAN Fabric; WAN Edge Device; Existing Security Stack in DMZ]
• Guest access liability
• Untrusted access (malicious insider)
• Compliance (PCI, HIPAA, GDPR)
• Lateral movements (breach propagation)
Deploying Cisco Meraki Security – On Network
• Automation: Fullstack Templates, Configuration Clones and APIs allow error-free secure configuration across the stack
• Single Pane of Glass: Meraki Dashboard offers a consistent experience across endpoint, LAN, WAN, Cloud and physical security
• Endpoint Security: Systems Manager gives in-depth visibility on endpoints and delivers Cisco Security agents: DUO, AMP, AnyConnect
Deploying Cisco Meraki Security – Off Network
Industry-Leading Security Out-of-the-Box
Powered by Cisco Identity Services Engine (ISE)
Industry-Leading Content Filtering
MX + Umbrella: DNS Interception (Malware, C2 Callbacks, Phishing)
[Figure: Meraki MX – Netflow, Proxy, Sandbox, AV; Meraki MX/Z at HQ, Branch and Roaming]
Benefits:
• First line: block malware before it hits the enterprise
• Contains malware if already inside
• Internet access is faster
• Provision globally in minutes
MX + Umbrella SIG: Secure Access Service Edge
• One-click Presets Available
Segmentation Automation – AD Group Policies
1. Branch User authenticates to AD
2. AD maps user to Group
3. MX takes user’s AD group and maps it to a Group Policy
[Figure: HQ, Public Cloud, MPLS, Internet, LTE; Branch; Home Office/Teleworker]
• AMP/IPS/Umbrella Policies
• Schedules (Workday/Weekends/etc)
Segmentation Automation – Sentry Policies
Express your Intent:
• “I don’t want compromised devices to use SD-WAN network”
• “Users connecting from unrecognized geo-fence cannot use SD-WAN network”
• “I want users to run the latest OS and Apps to access the SD-WAN network”
[Figure: HQ, Public Cloud, MPLS, Internet, LTE; Branch; Home Office/Teleworker]
Cisco Meraki SD-WAN License Tiers
• All I need is Auto VPN, application performance rules and a firewall
• I connect to the internet, so I need UTM security as well
• My business relies on apps served from SaaS/IaaS/DC
Live Demo
Q&A
Thanks!