Customer Experience June 2020 - Meraki Access

Intent Based Access Networks

powered by Cisco Meraki


Francisco Tello – Consulting Systems Engineer
June 2020
IT admins have many problems

• Securing Different Types of Users: Employees, contractors, short-term guests
• Deploying Various Devices: Company owned, BYOD, IoT devices
• Running Different Applications: Critical business tools, custom apps, consumer apps

They have networks that are

• Error-prone because of CLI
• In need of frequent upgrades
• Limited by legacy infrastructure
• Unsecure and have rigid management
• Stressed by demands from WiFi-6 and IoT
• Vulnerable to malicious cyber attacks

And these problems are everywhere

• Financial Services
• Higher Ed
• Healthcare
• Government
• Manufacturing
• Retail
• Enterprise
• High Tech

Determining OpEx in Network Operations and Management
• Number of devices and ports under management
• Each device has to be: provisioned, monitored, audited, insured and backed up
• Number of management points
• “Controller-based architectures are designed to provide central points of control
through which entire networks can be managed, reducing the number of
administrative touch points in the network.” (1)
• Better visibility / More agility / Easier Integration
• Amount of integration points
• Switching + Wireless / Switching + Wireless + WAN
• Number of management models
1) https://www.datacenterknowledge.com/archives/2014/02/24/5-major-drivers-opex-enterprise-network
C97-740150-02 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential
Network Architecture Evolution

[Diagram 1: LAN Architecture (switches), Wireless Architecture (APs), WAN Architecture (Branches 1 to 6 connected over MPLS). Caption: Autonomous, Independent Devices]

[Diagram 2: the same LAN, Wireless and WAN architectures, with WWW alongside MPLS, plus a Management Plane row: SNMP “Single Panes of Glass” under the LAN, a WLC controller for every “X” APs under wireless, and a virtualized controller (“SD-WAN?”) under the WAN]

[Diagram 3: LAN Architecture, Wireless Architecture and SD-WAN Architecture (MPLS+ and WWW), with two Meraki Dashboard labels]

[Diagram 4: Unified Architecture: switches, APs and branches (MPLS+ and WWW) with one Meraki Dashboard label]

The Meraki Platform
A Complete Cloud-Managed IT Portfolio from a Single Pane of Glass

• MR: Wireless Access Points
• MS: Ethernet Switches
• MX: Security & SD-WAN Appliances
• MG: Cellular Gateways
• MI: Insight [Application & WAN]
• SM: Endpoint Management
• MV: Smart Cameras

Built on top of the most battle-tested cloud networking solution

• 12+ years of experience scaling the cloud
• 500k customers served globally
• Proven solution in 20,000+ site deployments

Why customers choose Meraki for Wired Access
Intuitive, centralized management
• All Meraki devices are configured through a single-pane-of-glass
• No training or complex command line script required
• Visualize and manage all switch ports on the Meraki dashboard
with Virtual Stacking

Easiest to deploy, manage, and configure


• Zero-touch provisioning for multi-site deployment
• Customizable Templates and Meraki APIs for automated site setups
• Seamless firmware updates from the cloud

Industry-leading visibility
• User, application, and device analytics
• Network-wide monitoring and alerts to reduce response times
• Remote packet capture and other diagnostics tools

A complete solution out of the box:
• No extra hardware, software, or complexity
• No SW/HW compatibility matrices
• No need to get rid of your old Switch when the cloud controller upgrades

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Introduction to Cloud-Managed Switching

Automation and Simplification Use Cases

Meraki Access Benefits

Zero Touch Provisioning and Configuration Templates
• Quickly deploy branches in a few clicks
• Replicate golden configurations across hundreds of switches

Virtual Stacking
• Configure 1000s of ports in one single command
• Use tags to identify relevant ports and report and alert on them

Staged Upgrades
• Upgrade 100s of switches in steps to minimize downtime

Fullstack Visibility and Assurance
• End to end troubleshooting and diagnostics
• No need for Visio diagrams that go out of date one week after you make them

A complete solution out of the box:
• No extra hardware, software, or complexity
• No SW/HW compatibility matrices
• No need to get rid of your old Switch when the cloud controller upgrades

Simplified Assurance

Introducing Meraki Health

EASY TO USE AND UNDERSTAND
Even if the problem area is known, understanding the issue is key and should be easy

RIGHT DATA, RIGHT TIME, RIGHT VIEW
Having the right data and context available is key to troubleshooting

FULL STACK ASSURANCE
Finding issues takes time. The Meraki platform now makes it easy to identify problem areas.

Meraki Health, Full Stack Assurance

[Figure not recoverable]

Policy and Security Automation

Cisco Meraki SecureConnect
BETWEEN MR + MS DEVICES
• On MS210 and above
• On MR 802.11ac Wave 2 and 802.11ax APs

Automated switch port protection and configuration between MR and MS
• Security using Cisco’s publicly trusted PKI
• EAP-TLS based client and server authentication
• Only MRs in the same organization are authorized
• Port configuration automation
• Fewer possible configuration errors
• Set it and forget it

SecureConnect: How does it work?

1. MR connected to MS
2. MS permits Meraki dashboard connection for MR
3. MR requests certificate from Cisco PKI
4. MR authenticates with acquired certificate
5. MS authorizes port based on configured profile

Securing the Network can be Hard
Securing various network devices is manual and difficult

C97-740150-00 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Securing the Application Layer can be Complicated
Malicious cyber-attacks are evolving

Securing the devices and users adds to the complexity
IoT devices don't support 802.1X and BYOD policies stress security postures

Too Many Obstacles for Comprehensive Security
• Everything is manual and done through multiple dashboards
• Security rules are not scalable
• “Just slap in a firewall”

The Perimeter is evolving into micro-perimeters
Customers need a security posture and a framework that works across the whole network

Introducing Adaptive Policy
Policy decoupled from IP addressing delivers scale and consistency organization-wide, simply

[Diagram groups: Internal Services, IoT Devices, IT Admins, Employees, Infrastructure Devices]

Available for MS390 family and all WiFi5 Wave 2 and WiFi 6 APs

What are Scalable Group Tags (SGT)?

Frame: Dest MAC | Src MAC | 802.1Q | CMD | ETYPE | PAYLOAD

CMD: CMD EtherType | Version | Length | SGT option Type | SGT | Other Options

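The CMD layout on this slide can be read back out of a captured frame to confirm which SGT the traffic actually carries. The parser below is an added example, not Cisco or Meraki code: the 0x8909 EtherType, the field widths and the Version/Length values are assumptions taken from the commonly documented Cisco MetaData layout, the frames are constructed, and only the SGT-only header (no "Other Options") is handled.

```python
import struct

# Assumptions (not on the slide): EtherType 0x8909 for CMD and the field
# widths below follow the commonly documented Cisco MetaData layout.
ETH_DOT1Q, ETH_CMD, ETH_IPV4 = 0x8100, 0x8909, 0x0800
SGT_OPTION_TYPE = 0x0001

def parse_sgt(frame: bytes) -> dict:
    """Extract VLAN, SGT and inner EtherType from one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    off, vlan = 12, None                      # skip Dest MAC + Src MAC
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == ETH_DOT1Q:                    # optional 802.1Q tag
        if len(frame) < off + 6:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack_from("!HH", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
    if etype != ETH_CMD:                      # frame carries no CMD header
        return {"vlan": vlan, "sgt": None, "ethertype": etype}
    if len(frame) < off + 10:
        raise ValueError("truncated CMD header")
    # Version (1) | Length (1) | SGT option type (2) | SGT (2) | ETYPE (2)
    version, length, option, sgt, inner = struct.unpack_from("!BBHHH", frame, off + 2)
    if version != 1 or length != 1 or option & 0x1FFF != SGT_OPTION_TYPE:
        raise ValueError("CMD header is not the SGT-only form handled here")
    return {"vlan": vlan, "sgt": sgt, "ethertype": inner}

def build_frame(sgt=None, vlan=None, payload=b"\x45" + bytes(19)) -> bytes:
    """Constructed test frame; MACs are locally administered placeholders."""
    out = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan is not None:
        out += struct.pack("!HH", ETH_DOT1Q, vlan)
    if sgt is not None:
        out += struct.pack("!HBBHH", ETH_CMD, 1, 1, SGT_OPTION_TYPE, sgt)
    return out + struct.pack("!H", ETH_IPV4) + payload

if __name__ == "__main__":
    # Tagged with VLAN, tagged without VLAN, and untagged (constructed samples)
    for f in (build_frame(sgt=20, vlan=10), build_frame(sgt=7), build_frame()):
        print(parse_sgt(f))
```

A frame that returns `sgt: None` on a link expected to carry tags is the case worth alerting on, since downstream policy then has no group to match.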
Flexible Tag Assignment

[Diagram label: LAB VLAN 10.10.10.0/24]

Adaptive Policy Tags can be applied in many different ways:
• Statically assigned to a switch port
  • Wired IoT Sensors
• Static assignment per SSID
  • Guest Users
• Dynamic assignment via RADIUS
  • Wired & Wireless 802.1X
• Static IP to SGT Mapping
  • Last resort to map traffic to an SGT
  • Uses firewall objects as source for mapping
  • Release w/ firewall object public beta

One Consistent Policy Across All Sites

[Policy matrix: SRC | DST over the groups Employee, IoT and IoT Server; cell contents not recoverable]

Policy & Groups are configured in dashboard and pushed to Adaptive Policy nodes like any other Meraki configuration change

Live Demo
