Customer Experience June 2020 - Meraki SD-WAN


Cisco SD-WAN

powered by Meraki
Francisco Tello – Consulting Systems Engineer
May 2020
Today Applications are Moving to Multiple Clouds

[Figure: Devices & Things, Campus & Branch Users and Mobile Users reach DC/Private Cloud, SaaS and IaaS across the WAN]
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Internet Connectivity Becomes Business Critical

[Figure: Campus (x2-5), Branches (x100+) and Mobile Users (x1000s) connecting to DC/Private Cloud, SaaS and IaaS over the Internet]

More users, things and applications, everywhere:
• Exposure to cyber threats
• Inconsistent user experience
• Increasing complexity


The Meraki Platform
A Complete Cloud-Managed IT Portfolio from a Single Pane of Glass

• MR: Wireless Access Points
• MS: Ethernet Switches
• MX: Security & SD-WAN Appliances
• MG: Cellular Gateways
• MI: Insight [Application & WAN]
• SM: Endpoint Management
• MV: Smart Cameras
Cisco SD-WAN powered by Meraki

[Figure: HQ, Branch and Home Office/Teleworker sites joined by AutoVPN M-Tunnels over MPLS, Internet, LTE and the Public Cloud]

• Control and Management Plane Automation
• Transport Independent VPN Overlay Automation
• Application Performance and QoS Automation
How does it work?

Zero Touch Provisioning

[Figure: Admin → Meraki Dashboard ⇄ M-Tunnel (AES-256, SHA-256) ⇄ Any Meraki Device]

1. Device is claimed into a network from the Meraki Dashboard
2. After secure boot with Trustworthy Systems and getting DHCP, the device reaches out to Dashboard using the certificate in its TAM chip
3. Dashboard verifies boot and identity, bi-directionally authenticates the device, and assigns it to an organization
4. After mutual authentication, the device builds an M-Tunnel to Dashboard
5. Configuration and firmware are downloaded over the M-Tunnel

• Configuration is applied to constructs called Networks or Network Templates and is only tied to a device when the device is assigned to the network
• All configurations can be performed well before having any physical devices
• ZTP is the default for ANY Meraki device, and requires no additional components or bootstrapping as long as the device can obtain Internet connectivity
Overlay Automation - AutoVPN
1. New MX registers with Dashboard, advertising its public and private IP addresses, available uplinks and subnets
2. Dashboard registers the information in the VPN registry, and propagates it to all other MXs in the Organization’s SD-WAN fabric
3. All MXs learn about other MXs, automatically establishing VPN tunnels
○ Keying material is auto-generated and refreshed by Dashboard per pair of MXs
○ Uplink IP addresses are tried first
○ Public IP addresses are tried second
4. Learned routes are auto-installed in the routing table
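Worked example of the four AutoVPN steps above, added here as an illustration; it is not Meraki's code and not from the deck. It simulates Dashboard's VPN registry and three MXs: registrations carry public and private uplink addresses plus subnets, the registry generates and refreshes one key per MX pair and pushes records to every member, each MX tries a peer's uplink IP before its public IP, and learned subnets are installed as routes. All addresses, site names and the reachability rule for private addresses are constructed for the example.

```python
import secrets
from dataclasses import dataclass

# Constructed sample fabric (not Meraki's implementation): three MXs in one
# organization. Addresses are documentation ranges; "10.255.x.x" stands in for
# private MPLS-facing uplink addresses.


@dataclass(frozen=True)
class Registration:
    """What an MX advertises to Dashboard when it registers (step 1)."""
    name: str
    public_ip: str        # address seen from the Internet
    uplink_ips: tuple     # private uplink addresses (empty if Internet-only)
    subnets: tuple        # LAN subnets to share with the fabric


# Constructed transport model: private uplink addresses are reachable only
# from sites that also have an MPLS circuit; public addresses always are.
MPLS_SITES = {"hq", "branch1"}


def reachable(src_name: str, dst_ip: str) -> bool:
    if dst_ip.startswith("10.255."):
        return src_name in MPLS_SITES
    return True


class VPNRegistry:
    """Dashboard-side VPN registry (step 2): stores each record, generates a
    key per pair of MXs and pushes the full record set to every member."""

    def __init__(self):
        self.records = {}
        self.members = {}
        self.pair_keys = {}

    def register(self, mx: "MX") -> None:
        self.records[mx.reg.name] = mx.reg
        self.members[mx.reg.name] = mx
        for peer in self.records:
            if peer != mx.reg.name:
                self.pair_keys[frozenset({peer, mx.reg.name})] = secrets.token_bytes(32)
        for member in self.members.values():   # propagate to the whole organization
            member.on_registry_update(self)

    def key_for(self, a: str, b: str) -> bytes:
        return self.pair_keys[frozenset({a, b})]

    def rekey(self, a: str, b: str) -> None:
        """Dashboard refreshes the keying material for one pair; both ends
        pick up the new key on their next registry update."""
        self.pair_keys[frozenset({a, b})] = secrets.token_bytes(32)
        for name in (a, b):
            self.members[name].on_registry_update(self)


class MX:
    def __init__(self, reg: Registration):
        self.reg = reg
        self.tunnels = {}   # peer name -> (remote address used, pair key)
        self.routes = {}    # subnet -> peer name (step 4)

    def on_registry_update(self, registry: VPNRegistry) -> None:
        for name, peer in registry.records.items():
            if name == self.reg.name:
                continue
            key = registry.key_for(self.reg.name, name)
            if name in self.tunnels:
                self.tunnels[name] = (self.tunnels[name][0], key)  # refreshed key
                continue
            # Step 3: uplink (private) addresses are tried first, then the public one.
            for candidate in (*peer.uplink_ips, peer.public_ip):
                if reachable(self.reg.name, candidate):
                    self.tunnels[name] = (candidate, key)
                    for subnet in peer.subnets:
                        self.routes[subnet] = name
                    break


def build_fabric() -> VPNRegistry:
    """Register HQ (MPLS + Internet), branch1 (MPLS + Internet), branch2 (Internet only)."""
    registry = VPNRegistry()
    registry.register(MX(Registration("hq", "203.0.113.1", ("10.255.0.1",), ("10.1.0.0/24",))))
    registry.register(MX(Registration("branch1", "198.51.100.1", ("10.255.0.2",), ("10.2.0.0/24",))))
    registry.register(MX(Registration("branch2", "198.51.100.2", (), ("10.3.0.0/24",))))
    return registry


if __name__ == "__main__":
    fabric = build_fabric()
    for name, mx in fabric.members.items():
        for peer, (addr, _) in mx.tunnels.items():
            print(f"{name} -> {peer} via {addr}")
        print(f"{name} routes: {mx.routes}")
```

Running it shows branch1 reaching HQ over the private MPLS address while the Internet-only branch2 falls back to HQ's public address, and the same per-pair key appearing on both ends of each tunnel.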

AutoVPN Process with Different Transports

[Figure: MXs register their available transports with the VPN Registry → VPN Registry records the information → Registry distributes VPN information → MXs build all their VPN tunnels to one another and contact DC1. Branch 1: Dual MPLS; Branch 2: Internet-MPLS; Branch 3: Dual Internet; Branch 4: LTE (can also be mixed with other circuits)]

• At any spoke MX you may have any combination of two active transports
• You can have a third as backup for any spoke site via LTE
• Hub site may terminate any number of private transports plus two public transports
Supported Topologies

[Figure: Hub and Spoke (Hub 1, Hub 2 with Spoke 1-4, Primary/Secondary); Full Mesh (DC 1, DC 2, Spokes, Backup); Hierarchical or Regional H&S (Nicaragua, Guatemala, Panama and Costa Rica Hubs with their regional Spokes)]

Hub and Spoke:
• Spoke to Spoke traffic traverses local hub
• Direct Hub to Hub traffic
• Less Scalable

Full Mesh:
• Direct Hub to Hub Traffic
• Resilient Redundant Paths
• Highly scalable and redundant

Hierarchical or Regional H&S:
• Intra-region traffic stays within local Hub
• DC Traffic traverses local Hub
• Inter-region traffic traverses multiple Hubs
• Each region can have backup in neighbors
Configuration Templates
Most networks carry the exact same configuration in large numbers of sites, but it still needs to be done individually, which introduces errors and divergence.

Templates cover:
• Auto-addressing from specific blocks
• AutoVPN Roles and DC redundancy
• SD-WAN and traffic shaping policies
• Group policies
• AMP, IPS, Umbrella policies
• Firmware version
• Switch and AP configurations

Express your Intent once and replicate to 100s or 1000s of locations. Update the template → Update all sites. Reduce OpEx and errors!
That’s great! But what about Remote Work?
Cisco Meraki SD-WAN Empowers Teleworkers Anywhere

Securely extend the Office to the Home:
• Flexible Zero Touch Deployment with Broadband, LTE or BOTH
• Get Enterprise-grade Secure Wireless at Home
• Give connectivity to Personal Devices
• Use your favorite Collab endpoints

[Figure: teleworker gateway with Embedded LTE, Built-in Wireless, Broadband uplink and Built-in PoE]
Flexible Teleworker Deployment

MX/Z Teleworker Gateway:
• Same underlying technology as Cisco Meraki SD-WAN Gateways
• Allows wired and Wireless devices
• Segmentation of Personal and Corporate Traffic
• Anti-malware, IPS and Umbrella options available
• Granular prioritization and rate-limiting of applications
• Can be combined with Systems Manager for full automation and management

MR Access Point:
• Repurpose Meraki APs as Teleworker
• No special license or software required
• Segmentation of Personal and Corporate Traffic
• Wireless devices only (except MR30H)
• Umbrella protection available
• Granular prioritization and rate-limiting of applications

Client VPN:
• Basic remote work option
• No license required, just size headend appropriately
• Full-tunnel or Split-tunnel
• Single device
• No Bandwidth or Prioritization guarantees
• Additional security recommended: AMP for Endpoints, Umbrella Roaming Client, DUO
Intelligent Path Control

Smart WAN Paths to Suit Your Business

• Dual active VPN: load balance your VPN traffic over two WAN links
• Policy-based Routing (PbR): select the preferred path for traffic based on protocol, port, source and destination IP, or even application
• Dynamic path selection: select the best VPN tunnel for traffic automatically based on performance

Maximum control in Path Selection


Path Selection

Application Requirements: Loss < 3%, Latency < 200ms, Jitter < 50ms

Measured VPN tunnel performance:
Internet-Internet: Loss = 2%, Latency = 190ms, Jitter = 30ms
Internet-MPLS:     Loss = 5%, Latency = 120ms, Jitter = 70ms
MPLS-Internet:     Loss = 4%, Latency = 170ms, Jitter = 30ms
MPLS-MPLS:         Loss = 1%, Latency = 250ms, Jitter = 50ms
Simply Express Intent
1. Define acceptable performance thresholds
2. Select from built-in Layer-7 categories and applications
3. Choose preferred uplink and when failover should occur

[Dashboard screenshot: threshold fields showing 300, 50, 5]

Tell the network what you want to accomplish, not what to do and how to do it.
User Application Experience
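Worked example of the Path Selection measurements and the three "Simply Express Intent" steps, added here as an illustration; it is not Meraki's code and not from the deck. It encodes the slide's application requirements (Loss < 3%, Latency < 200ms, Jitter < 50ms) as a performance class, checks the four measured tunnels against it, and applies a simplified preferred-uplink-with-failover rule: the preferred tunnel is kept while it meets the class, otherwise the best eligible tunnel is chosen. The category names, the second performance class and the tie-break order (loss, then latency, then jitter) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class PathStats:
    """Measured performance of one VPN tunnel (uplink pair)."""
    name: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float


@dataclass(frozen=True)
class PerformanceClass:
    """Step 1 of the slide: acceptable thresholds for a class of traffic."""
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float

    def violations(self, path: PathStats) -> List[str]:
        """Every threshold the path fails; the slide's thresholds are strict (<)."""
        checks = (
            ("loss", path.loss_pct, self.max_loss_pct, "%"),
            ("latency", path.latency_ms, self.max_latency_ms, "ms"),
            ("jitter", path.jitter_ms, self.max_jitter_ms, "ms"),
        )
        return [f"{metric} {value:g}{unit} >= {limit:g}{unit}"
                for metric, value, limit, unit in checks if not value < limit]


def eligible_paths(paths: Sequence[PathStats], perf: PerformanceClass) -> List[str]:
    """Names of all tunnels currently meeting the class."""
    return [p.name for p in paths if not perf.violations(p)]


def select_path(paths: Sequence[PathStats], perf: PerformanceClass,
                preferred: Optional[str] = None) -> Optional[str]:
    """Step 3 (simplified model): keep the preferred tunnel while it meets the
    class; otherwise fail over to the best eligible tunnel (lowest loss, then
    latency, then jitter). None means no tunnel meets the class right now."""
    by_name = {p.name: p for p in paths}
    if preferred in by_name and not perf.violations(by_name[preferred]):
        return preferred
    ok = [p for p in paths if not perf.violations(p)]
    if not ok:
        return None
    return min(ok, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms)).name


# Measurements and thresholds copied from the slide
SLIDE_PATHS = (
    PathStats("Internet-Internet", 2, 190, 30),
    PathStats("Internet-MPLS", 5, 120, 70),
    PathStats("MPLS-Internet", 4, 170, 30),
    PathStats("MPLS-MPLS", 1, 250, 50),
)
SLIDE_CLASS = PerformanceClass(max_loss_pct=3, max_latency_ms=200, max_jitter_ms=50)

# Step 2: Layer-7 category -> performance class. The category names and the
# second class are constructed for this example.
RULES = {
    "VoIP & video conferencing": SLIDE_CLASS,
    "Web": PerformanceClass(max_loss_pct=10, max_latency_ms=500, max_jitter_ms=150),
}


def select_for_category(category: str, paths: Sequence[PathStats],
                        preferred: Optional[str] = None) -> Optional[str]:
    return select_path(paths, RULES[category], preferred)


if __name__ == "__main__":
    for p in SLIDE_PATHS:
        print(p.name, SLIDE_CLASS.violations(p) or "meets class")
    print("selected:", select_for_category("VoIP & video conferencing",
                                           SLIDE_PATHS, preferred="MPLS-MPLS"))
```

With the slide's numbers only Internet-Internet meets the class: MPLS-MPLS has the lowest loss but fails on latency (and on jitter, since 50ms is not strictly below 50ms), so a policy that prefers the MPLS pair fails over to the Internet pair, while the more tolerant "Web" class keeps the MPLS pair.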

Meraki Insight – SD-WAN Assurance

Capabilities:
• Web Application Health
• WAN Health
• VoIP Health

Use Cases:
• “Why are users experiencing slow Office 365 access?”
• “Why do we have 16 branches in East Coast using their backup circuit?”
• “Why is voice quality poor between NY and PA?”

Drill down into application experience to the user level (Office 365, YouTube, Salesforce).
Meraki Insight – Web Application Health

• Who should a network admin contact? MI’s homepage tells the user which point in the network is failing and causing a degradation.
• What evidence can pinpoint the problem source? Within 2 clicks, the user can drill down to generate specific evidence for the network issue.
Meraki Insight - WAN Health

At-a-glance health of all MX uplinks across all sites:
• Quickly identify downed uplinks, including cellular across all sites
• Easily monitor signal strength for cellular uplinks across all locations
• Quickly isolate sites with underperforming uplinks to make the case for switching ISP or adding cellular as failover
• Discover which sites are most reliant on cellular as failover

[Figure: Monitor the health of all MX uplinks including cellular across all sites]
Meraki Insight – VoIP Health

What is it?
● VoIP performance monitoring over ISP links
● SaaS or On-Prem based VoIP Applications

For Whom?
● Retail/distributed branch
● Offices
● Multiple sites
Traditional Direct Internet Access

Branch sites accessing cloud applications over a public Internet link

✓ Shorter route than backhauling
✓ Recommended by SaaS providers
✘ Removes security normally provided by the DC / HQ
✘ No visibility beyond the LAN

Direct Internet Access with Meraki SD-WAN

[Figure: HQ / DC MX and Branch MX + MI, with LAN, WAN and Server segments]

All-in-one: Secure SD-WAN and advanced visibility
✓ MX delivers enterprise security directly at the branch
✓ Meraki Insight provides deep visibility beyond the LAN
✓ Track client experience for business critical web applications
✓ Receive real-time alerts for performance degradation
✓ Pinpoint root cause of performance issues in minutes
SD-WAN Public Cloud Extension

[Figure: vMX100 instances in VNET 1, VNET 2, VPC 1 and VPC 2 joined by AutoVPN to the HQ MX and Branch 1 … Branch N MXs]

vMX100 Extension:
• vMX100 can be deployed in AWS VPCs or Azure VNETs
• Hassle free VPC to VNET connectivity through AutoVPN
• New Services or Branches can automatically be advertised to the SD-WAN fabric
• Scalability can be improved using AWS Transit Gateways or Azure Gateway Transit
End-to-end Security

How SD-WAN exposes new security challenges

[Figure: Internal & External Threats; Data Center with Existing Security Stack in DMZ, Branch/Campus with WAN Edge Device and Corporate Software Users, Internet IaaS/SaaS, all joined by the SD-WAN Fabric]

External (NO SECURITY):
• Exposure to malware & phishing due to direct internet and cloud access
• Data breaches

Internal (BASIC/NO SECURITY):
• Guest access liability
• Untrusted access (malicious insider)
• Compliance (PCI, HIPAA, GDPR)
• Lateral movements (breach propagation)
Deploying Cisco Meraki Security – On Network

• Automation: Fullstack Templates, Configuration Clones and APIs allow error-free secure configuration across the stack
• Single Pane of Glass: Meraki Dashboard offers consistent experience across endpoint, LAN, WAN, Cloud and physical security
• Endpoint Security: Systems Manager gives in-depth visibility on endpoints and delivers Cisco Security agents: DUO, AMP, AnyConnect

Deploying Cisco Meraki Security – Off Network

[Figure: off-network deployment built on the same three elements: Automation, Single Pane of Glass and Endpoint Security]
Industry-Leading Security Out-of-the-Box

Powered by Cisco Identity Services Engine (ISE); Industry-Leading Content Filtering

MX + Umbrella: DNS Interception

[Figure: Meraki MX/Z at HQ, Branch and Roaming send DNS to Umbrella, which blocks Malware, C2 Callbacks and Phishing as a first line ahead of the Netflow, Proxy, Sandbox and AV layers]

Benefits:
• Block malware before it hits the enterprise
• Contains malware if already inside
• Internet access is faster
• Provision globally in minutes
MX + Umbrella SIG: Secure Access Service Edge

• End to End Automation
• Cisco Cloud Edge solution
• 250Mbps tunnel throughput
• One-click Presets Available

[Figure: Security as a Service: SWG, DNS, NGFW, CASB, RBI, DLP, ZTNA, TLS Decryption offload; Networking as a Service: VPN, SD-WAN]
Segmentation Automation – AD Group Policies

[Figure: HQ, Branch and Home Office/Teleworker over Public Cloud, MPLS, Internet and LTE]

1. Branch User authenticates to AD
2. AD maps user to Group
3. MX takes user’s AD group and maps to Group Policy

MX Group Policy contains:
• L3/4/7/VPN Firewall rules
• L3/4/7/VPN Traffic Shaping rules
• AMP/IPS/Umbrella Policies
• Schedules (Workday/Weekends/etc)
Segmentation Automation – Sentry Policies

[Figure: HQ, Branch and Home Office/Teleworker over Public Cloud, MPLS, Internet and LTE]

Express your Intent:
• “I don’t want compromised devices to use SD-WAN network”
• “Users connecting from unrecognized geo-fence cannot use SD-WAN network”
• “I want users to run the latest OS and Apps to access the SD-WAN network”

Check Device Compliance for:
• Geofencing
• Antivirus/Antispyware
• Firewall Enabled
• App Blacklist
• Screen lock/Passcode Lock
• Minimum OS
• Mandatory Apps

MX Sentry: Assign Group Policy based on Compliance
MS Sentry: Block network Access if no SM Agent
MR Sentry: Block network Access if no SM Agent; Assign Group Policy based on Compliance
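Worked example covering both segmentation slides (AD Group Policies and Sentry Policies), added here as an illustration; it is not Meraki's code and not from the deck. It evaluates a device posture report against the seven Sentry compliance checks listed above, blocks access when no Systems Manager agent is present, quarantines an enrolled but non-compliant device, and otherwise assigns the group policy mapped from the user's AD group. The AD group names, policy names, country codes, app names and OS version numbers are constructed sample values.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed mapping from AD group to MX group policy (AD Group Policies slide).
AD_GROUP_TO_POLICY = {"Finance": "Finance-Corporate", "Engineering": "Engineering-Corporate"}
DEFAULT_POLICY = "Guest"          # user not in any mapped AD group
QUARANTINE_POLICY = "Quarantine"  # enrolled but non-compliant device
BLOCK = "BLOCK"                   # no Systems Manager agent: no network access


@dataclass(frozen=True)
class SentryPolicy:
    """Compliance requirements (Sentry slide); values are constructed samples."""
    allowed_countries: FrozenSet[str]   # geofence
    app_blocklist: FrozenSet[str]       # "App Blacklist" on the slide
    mandatory_apps: FrozenSet[str]
    minimum_os: Tuple[int, int]


@dataclass(frozen=True)
class DevicePosture:
    """What the Systems Manager agent reports about a device."""
    has_sm_agent: bool
    country: str
    antivirus_enabled: bool
    firewall_enabled: bool
    passcode_set: bool
    os_version: Tuple[int, int]
    installed_apps: FrozenSet[str]


def compliance_findings(dev: DevicePosture, pol: SentryPolicy) -> List[str]:
    """One entry per failed check, in the order the slide lists them."""
    findings = []
    if dev.country not in pol.allowed_countries:
        findings.append(f"outside geofence ({dev.country})")
    if not dev.antivirus_enabled:
        findings.append("antivirus/antispyware disabled")
    if not dev.firewall_enabled:
        findings.append("firewall disabled")
    blocked = sorted(dev.installed_apps & pol.app_blocklist)
    if blocked:
        findings.append("blocklisted apps: " + ", ".join(blocked))
    if not dev.passcode_set:
        findings.append("no screen lock/passcode")
    if dev.os_version < pol.minimum_os:
        findings.append(f"OS {dev.os_version} below minimum {pol.minimum_os}")
    missing = sorted(pol.mandatory_apps - dev.installed_apps)
    if missing:
        findings.append("missing mandatory apps: " + ", ".join(missing))
    return findings


def policy_for_ad_group(ad_group: str) -> str:
    return AD_GROUP_TO_POLICY.get(ad_group, DEFAULT_POLICY)


def decide(dev: DevicePosture, ad_group: str, pol: SentryPolicy) -> Tuple[str, List[str]]:
    """Block without an agent, quarantine when non-compliant, otherwise apply
    the group policy derived from the user's AD group."""
    if not dev.has_sm_agent:
        return BLOCK, ["no Systems Manager agent"]
    findings = compliance_findings(dev, pol)
    if findings:
        return QUARANTINE_POLICY, findings
    return policy_for_ad_group(ad_group), []


POLICY = SentryPolicy(
    allowed_countries=frozenset({"US", "CA"}),
    app_blocklist=frozenset({"TorrentClient"}),
    mandatory_apps=frozenset({"AMP for Endpoints", "AnyConnect"}),
    minimum_os=(14, 0),
)

# Constructed sample devices
COMPLIANT = DevicePosture(True, "US", True, True, True, (14, 2),
                          frozenset({"AMP for Endpoints", "AnyConnect", "Mail"}))
OUTDATED = DevicePosture(True, "US", True, True, True, (13, 5),
                         frozenset({"AnyConnect", "TorrentClient"}))
UNMANAGED = DevicePosture(False, "US", False, False, False, (14, 2), frozenset())

if __name__ == "__main__":
    for label, dev in (("compliant", COMPLIANT), ("outdated", OUTDATED), ("unmanaged", UNMANAGED)):
        print(label, decide(dev, "Finance", POLICY))
```

The findings list is what an operator would want in the Dashboard event for a quarantined client: it names every failed check rather than only the first, so a device with an old OS and a blocklisted app is remediated once instead of bouncing between states.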
Cisco Meraki SD-WAN License Tiers

Enterprise: Essential SD-WAN features. SD-WAN orchestration & basic segmentation and security. “All I need is Auto VPN, application performance rules and a firewall”

Advanced Security: All enterprise features plus: Fully featured unified threat management. “I connect to the internet, so I need UTM security as well”

Secure SD-WAN Plus: All advanced security features plus: Advanced analytics with ML, Smart SaaS optimization*, SGT Segmentation*. “My business relies on apps served from SaaS/IaaS/DC”
Live Demo
Q&A
Thanks!
