Meraki SD-WAN: A Global Solution For Distributed Networks

Cisco Meraki

Uploaded by

thimotti

Meraki SD-WAN: A Global Solution for Distributed Networks

BRKCRS-214 2 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Agenda
• About the MX
• Connectivity and SD-WAN
• Monitoring and visibility
• Demo
• What’s new
• Product Portfolio
• Q&A

About the Meraki MX

Simplifying IT with cloud management

A complete cloud managed IT solution
• Wireless, switching, security, SD-WAN, communications, EMM, and security cameras
• Integrated hardware, software, and cloud services

Leader in cloud managed IT
• Among Cisco’s fastest growing portfolios
• Over 170,000 unique customers
• Over 2 million Meraki network devices online

Benefits of a cloud managed solution

Security

Reliability

Scalability

Future-proofing

A complete connectivity and threat management solution

Security
• Next generation firewall
• AES encrypted VPN
• Intrusion prevention (IPS)
• Malware protection
• Geo-IP firewalling

Networking
• 3G / 4G failover
• Branch routing
• WAN balancing and failover
• High Availability
• Intelligent path control

Application Control
• Bandwidth shaping
• URL content filtering
• Quality of Service control

Why customers choose the Cisco Meraki MX
Powerful security that’s easy to implement
• Robust suite of Cisco Security technologies
• Intuitive GUI-based configuration
• Seamless updates from the cloud

Exceptional scalability
• Zero-touch provisioning with cloud brokered VPN
• Easy centralized management with built-in remote troubleshooting tools
• Multi-location configuration templates

Industry-leading visibility
• Fingerprints users, applications, devices, and threats
• Monitor one location or an entire deployment
• Unified monitoring and reporting with other Cisco Meraki technologies

Connectivity and SD-WAN

Deep dive: Penn Mutual saves $858K

Projected Costs for Legacy 3-Year WAN Run Rate

Internet Connectivity (3 years): $2,016,000
• Traditional T1 VPB hub-and-spoke model x 45 sites (1.544-4.632Mbps Ethernet): $582,000 / year
• WAN at HQ & DR (45Mbps x 2): $90,000 / year

Content Management (3 years): $153,000
• Content filtering software: $51,000 / year

Maintenance: $24,750
• Hardware security appliance: $8,250 / year

Total Spend (3 years): $2,193,750

Projected 3-Year Costs with Meraki (Incl. Rip & Replace)

Internet Connectivity (3 years): $673,495
• HQ + 37 branches (50Mbps DSL broadband): $212,040 / year
• WAN Management vendor (one-time setup): $37,375

Meraki Hardware & Licensing: $599,141
• MX, MS, & MR x 41 branches: $382,896
• Content Management: Included

Wireless installation (one-time setup): $62,257
• 26 branches wired for MR

Total Spend (3 years): $1,334,893

Reliable, cost effective connectivity with Meraki SD-WAN

• Dual uplink ports: 2 uplink support on all MX models for load balancing and redundancy
• LTE failover: USB modem support in all models with automatic failover
• Site to site VPN: Cloud orchestrated VPN (Meraki Auto VPN) with load balancing and self-healing capabilities
• Intelligent path control: Policy based routing and performance based dynamic path selection
• Branch Routing: Automatic route distribution via Auto VPN; OSPF route advertisement; BGP support coming soon
• High Availability: Active/passive hardware redundancy
• Traffic shaping: Application bandwidth limiting and prioritization

Automated site-to-site VPN (Auto VPN)

• Simple: Create VPN tunnels between locations with easy point-and-click interface, or apply configuration templates to enable and configure VPN at many locations at once
• Automatic: VPN configuration generated and deployed automatically from the cloud – create a mesh or hub-and-spoke topology with only a few clicks
• Resilient: Automatically adjusts to changes in order to maintain secure connectivity during an ISP or datacenter outage, hardware failure, or IP address update

Auto VPN orchestration

Subnet        Uplink IP   Public IP
10.0.1.0/24   10.1.1.1    184.23.135.1
10.0.2.0/24   10.1.1.2    184.23.135.2
10.0.3.0/24   10.1.1.3    184.23.135.3

1. A new MX registers its IP and subnets
2. The information is propagated to other MX via the Dashboard
3. They establish VPN connection
   a) With unique pre-shared keys
   b) Try Uplink IP first (private link?)
   c) Try Public IP second

Diagram callouts:
1 New MX registers its Uplink IP, Public IP and local subnets
2 New route is propagated to all MX peers automatically
3 New MX establishes site-to-site VPN connection

Supported topologies

                               Full Mesh   Hub-and-Spoke
Split tunnel VPN (a.k.a DIA)   ✓           ✓
Full tunnel VPN                ✓           ✓

Multi-hub support with failover and load-balancing

[Diagram labels: Internet; DC1 (HA pair); DC2 (HA pair); Active VPN Tunnel; Failover VPN Tunnel; Branches connected to DC1; Branches connected to DC2]

Multiple hub-and-spoke and failover

[Diagram: two datacenter hubs and six branches]
DC1 (HA pair), HQ: 10.0.0.0/8, 10.100.0.0/16
DC2 (HA pair), Regional Office: 10.0.0.0/8, 10.200.0.0/16

Branch 1: 10.0.1.0/24
Branch 2: 10.0.2.0/24
Branch 3: 10.0.3.0/24
Branch 4: 10.0.4.0/24
Branch 5: 10.0.5.0/24
Branch 6: 10.0.6.0/24

High availability and path redundancy
Avoid downtime and disruption
• Automatic datacenter outage detection
• Automatic failover to warm spare appliance
• Dual WAN uplinks for ISP load balancing and redundancy
• MPLS route health tracking with MPLS-to-VPN failover
• 3G/4G cellular uplink via USB modem

Reduce complexity
• VPN and route changes made automatically
• Configuration templates for configuring multiple locations
• Intuitive, centralized configuration and monitoring

Reduce costs
• HA warm spare only requires a single license
• Safely leverage low-cost broadband or LTE connections for your business critical traffic

[Diagram: Example hub-and-spoke datacenter failover topology]

SD-WAN Scenario 1
“Vanilla”
• Branch office
• Two uplinks
• No load balancing
• Hub & Spoke VPN back to DC
• Split tunnel
• No SD-WAN configuration

SD-WAN Scenario 1: How does it Flow?

SD-WAN Scenario 2
“Vanilla with sprinkles”
• Branch office
• Two uplinks
• No load balancing
• Hub & Spoke VPN back to DC
• Split tunnel
• PbR rules configured for VoIP traffic
  ○ Prefer to send VoIP traffic across a VPN path over secondary Internet connection

SD-WAN Scenario 2: How does it Flow?

SD-WAN Scenario 3
“Chocolate”
• Branch office
• Two uplinks
• No load balancing
• Hub & Spoke VPN back to DC
• Split tunnel
• PbR rules for FTP traffic
  ○ Prefer to send FTP traffic on the secondary Internet connection
• PfR rules also configured for VoIP traffic
  ○ VoIP traffic should only traverse low latency paths

SD-WAN Scenario 3: How does it Flow?

VPN tunnels
Flow decision examples
Example 1: Both peers are dual WAN with MPLS and Broadband
[Diagram: MX #1 and MX #2, each with uplink1 and uplink2, connected over Internet and MPLS]

VPN tunnels
Flow decision examples
Example 1: Both peers are dual WAN with MPLS and Broadband

First packet
For a given flow:
1. MX2 sends a packet up
• Local uplink decision: Based on PbR / dynamic path selection
• Remote uplink decision: Only available path

VPN tunnels
Flow decision examples
Example 1: Both peers are dual WAN with MPLS and Broadband

Steady State
For a given flow:
1. MX2 sends a packet up
• Local uplink decision: Based on PbR / dynamic path selection
• Remote uplink decision: Only available path
2. MX1 replies through its uplink1 to MX2 uplink1
• Local uplink decision: Based on PbR / dynamic path selection
• Remote uplink decision: Only available path

VPN tunnels
Flow decision examples
Example 2: Both peers are dual WAN over Broadband
[Diagram: MX #1 and MX #2, each with uplink1 and uplink2, connected over the Internet]

VPN tunnels
Flow decision examples
Example 2: Both peers are dual WAN over Broadband

For a given flow:
1. MX2 sends a packet up
• Local uplink decision: Based on PbR / dynamic path selection
• Remote uplink decision: First packet, pick a tunnel (round robin)

VPN tunnels
Flow decision examples
Example 2: Both peers are dual WAN over Broadband

Second packet
For a given flow:
1. MX2 sends a packet up
• Local uplink decision: Based on PbR / dynamic path selection
• Remote uplink decision: First packet, pick a tunnel (round robin)
2. MX1 replies through its uplink1 to MX2 uplink1
• Local uplink decision: Based on PbR / dynamic path selection
• Remote uplink decision: MX1 registers that the packet came from MX2 uplink1

VPN tunnels
Flow decision examples
Example 2: Both peers are dual WAN over Broadband

Steady State
For a given flow:
1. MX2 sends a packet up
• Local uplink decision: Based on PbR / dynamic path selection
• Remote uplink decision: First packet, pick a tunnel (round robin)
2. MX1 replies through its uplink1 to MX2 uplink1
• Local uplink decision: Based on PbR / dynamic path selection
• Remote uplink decision: MX1 registers that the packet came from MX2 uplink1
3. MX2 replies through its uplink1 to MX1 uplink1
• Local uplink decision: Based on PbR / dynamic path selection
• Remote uplink decision: MX2 registers that the packet came from MX1 uplink1

Performance probes
• Each uplink sends a probe across all available paths
• In this example, MX2 sends 4 probes
• The receiving MX will reply with 4 probes
• Probe: 100 byte UDP (based on protobuf)
• Default probe interval: 1 sec
• Average latency, loss and jitter is computed over the last 30 samples (rolling 30sec average)
• These values are computed from all possible paths (max 4) per MX
[Diagram: two MXs, each with Uplink 1 and Uplink 2, and the four paths between them numbered 1 to 4]

Path Latency
Incoming latency value: 10 15 20 20 15 10
Current average: 15 ms

Path Jitter
Calculated Jitter_k = |latency_k - latency_{k-1}|: 5 5 0 5 5 …
Current average: 2.5 ms

Packet loss
Incoming loss (1/0) value: 0 0 0 0 0 0
Current average: 0%

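
The rolling probe statistics described on the performance probes slide, combined with a performance-based path rule like the VoIP rule in Scenario 3, as an added example that is not part of the original presentation and is not Meraki code. The path names, the policy thresholds, the handling of lost probes in the jitter calculation, and the selection tie-break are all assumptions made for illustration.

```python
from collections import deque

WINDOW = 30  # samples per path; at the default 1 s probe interval, about 30 s

class PathStats:
    """Rolling probe statistics for one VPN path (local uplink -> remote uplink)."""

    def __init__(self, name, samples=(), window=WINDOW):
        self.name = name
        # Each entry is a probe latency in ms, or None when the probe was lost.
        self.samples = deque(samples, maxlen=window)

    def record(self, latency_ms):
        self.samples.append(latency_ms)

    def _received(self):
        return [s for s in self.samples if s is not None]

    def latency(self):
        got = self._received()
        return sum(got) / len(got) if got else None

    def jitter(self):
        # Jitter_k = |latency_k - latency_(k-1)|, averaged over the window.
        # Assumption: lost probes are skipped when pairing neighbours.
        got = self._received()
        diffs = [abs(b - a) for a, b in zip(got, got[1:])]
        return sum(diffs) / len(diffs) if diffs else 0.0

    def loss_pct(self):
        lost = sum(s is None for s in self.samples)
        return 100.0 * lost / len(self.samples) if self.samples else 0.0

def meets_policy(path, policy):
    """policy keys (all optional): max_latency_ms, max_jitter_ms, max_loss_pct."""
    lat, inf = path.latency(), float("inf")
    if lat is None:  # nothing received in the window: path is unusable
        return False
    return (lat <= policy.get("max_latency_ms", inf)
            and path.jitter() <= policy.get("max_jitter_ms", inf)
            and path.loss_pct() <= policy.get("max_loss_pct", inf))

def select_path(paths, preferred, policy):
    """Stay on the preferred path while it complies; otherwise pick the compliant
    path with the lowest loss, then latency. Returns None if no path complies."""
    ok = [p for p in paths if meets_policy(p, policy)]
    if any(p.name == preferred for p in ok):
        return preferred
    return min(ok, key=lambda p: (p.loss_pct(), p.latency())).name if ok else None

VOIP_POLICY = {"max_latency_ms": 60, "max_jitter_ms": 10, "max_loss_pct": 5}  # hypothetical

def build_sample_paths():
    """Constructed probe data for the four paths between two dual-uplink MXs."""
    data = {
        "uplink1->uplink1": [10, 15, 20, 20, 15, 10],       # latency row from the slide
        "uplink1->uplink2": [40, 42, None, 41, 45, 43],     # one lost probe
        "uplink2->uplink1": [120, 180, 90, 200, 110, 150],  # slow and jittery
        "uplink2->uplink2": [None] * 6,                     # path down
    }
    return [PathStats(name, samples) for name, samples in data.items()]

if __name__ == "__main__":
    print(select_path(build_sample_paths(), "uplink2->uplink1", VOIP_POLICY))
```
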
Connections that fit your business and location needs

• Broadband + MPLS: Branch to Data Center via Auto VPN over Broadband (ISP A) and Auto VPN over MPLS (SP V)
• Broadband + 4G: Branch to Data Center via Auto VPN over Broadband (ISP A) and Auto VPN over LTE (ISP B)
• Dual Broadband: Branch to Data Center via Auto VPN over Broadband (ISP A) and Auto VPN over Broadband (ISP C); DSL, Cable

MPLS with Broadband
• Use MPLS for mission critical traffic
  ○ VoIP
  ○ PoS (point of sales, a.k.a credit card traffic)
  ○ Video / Teleconferencing
  ○ Database traffic
• Use Broadband for everything else
  ○ Internet browsing
  ○ Email
  ○ Backups, file transfers
[Diagram: MPLS + Broadband. Branch connected to Data Center via Auto VPN over Internet and Auto VPN over MPLS]

MPLS with Broadband
• Get more out of your existing MPLS
• Get more bandwidth with the additional Broadband circuit
• Dual circuits mean reliability
• If one link goes down, the traffic fails over to the other circuit
[Diagram: MPLS + Broadband. Branch connected to Data Center via Auto VPN over Internet and Auto VPN over MPLS]

Dual Broadband
• Not as reliable as MPLS
• Not as fast as MPLS either
• But in many cases, it is good enough
[Diagram: Dual Broadband. Branch connected to Data Center via two Auto VPN tunnels, each over the Internet]

Dual Broadband
• More bandwidth
• Cost saving
• More reliable than a single broadband link
• But not as reliable as MPLS
[Diagram: Dual Broadband. Branch connected to Data Center via two Auto VPN tunnels, each over the Internet]

Application-aware intelligent path control

• Dual active VPN: Load balance your VPN traffic over your hybrid WAN
• Policy based routing: Select the preferred path for traffic based on protocol, port, source and destination IP, or even application
• Dynamic Path Selection: Select the best VPN tunnel for traffic automatically based on performance

The only solution to combine cutting edge SD-WAN with industry leading security technology

In-depth visibility

Traffic monitoring and analytics

• View bandwidth usage by application or by client
• Highlight an application or a client to see their portion of total network bandwidth
• See a client’s active time for specific applications
• Easily create policies to limit bandwidth for problematic users or applications

VPN health, bandwidth, and performance monitoring

• See VPN connection status between locations
• Monitor VPN bandwidth usage
• Track performance of VPN tunnels using built-in loss, latency, jitter, and MOS voice score reporting
• Live updating log of traffic flows and path decisions
• Compare historical performance to configured performance policies

Email alerts from the cloud
• Fully integrated alerting - no need for an email server
• Customizable alerting – only get emails about the things you need to know about
• Get alerts if critical network clients go offline
• Configure alerting for all Cisco Meraki devices in one simple interface
• Send alerts to network administrators or custom recipients

DEMO

What’s new

Available now

Meraki vMX in Azure and AWS
By deploying virtual VPN concentrators in Azure or AWS, MX customers can now use AutoVPN and associated Meraki SD-WAN functionality to create and maintain reliable connections to services and content hosted in their cloud environments.

Scheduled Security Center reports
Receive summaries of security events automatically, to ensure you have the latest security data for your network

MX Product Updates – Past 6 Months (three items are marked BETA on the slide)
• Threat Grid for Meraki MX
• Template support for SD-WAN
• Multicast routing (PIM-SM)
• BGP routing
• No-NAT
• Addressing & VLANs enhancements
• MX Performance Utilization
• Client VPN enhancements

Coming soon to an MX near you
• Layer 7 SD-WAN: Set SD-WAN policies using application definitions in addition to custom rules
• Bidirectional BGP Support: BGP support allows you to distribute routes into an AutoVPN topology and advertise branch routes into your extended routing infrastructure, improving interoperability and allowing you to more easily integrate AutoVPN into your routing architecture
• Load Monitoring: Get indications of MX load over time in the summary report in Dashboard
• FQDN Firewall: Create firewall rules for hostnames, including wildcard rules.
• AutoVPN Many:1 NAT: NAT a subnet to a specific IP over the VPN.
• Updated Safesearch: SafeSearch and YouTube EDU enforcement using Google recommended DNS methods

MX Portfolio

MX Portfolio – Fall 2017

Teleworker: Z1, Z3 (New)
• ~5 users
• 802.11ac Wireless & PoE (Z3)
• FW throughput: 50, 100 Mbps

Small Branch: MX64, MX65
• ~50 users
• 802.11ac wireless & PoE (MX65)
• FW throughput: 250 Mbps

Medium Branch
• MX84: ~200 users, FW throughput: 500 Mbps
• MX100: ~500 users, FW throughput: 750 Mbps

Large Branch, Campus, or Concentrator
• MX250 (New): ~2,000 users, FW throughput: 4 Gbps
• MX400: ~2,000 users, FW throughput: 1 Gbps
• MX450 (New): ~10,000 users, FW throughput: 6 Gbps
• MX600: ~10,000 users, FW throughput: 1 Gbps

Virtual: vMX100 for AWS & Azure
• VPN throughput: 500 Mbps
• VPN & SD-WAN features

Licensing that fits the business’ needs

Enterprise License
• Next Generation Firewall
• Site-to-site and client VPN
• Intelligent path control
• Link bonding and failover
• Bandwidth shaping and QoS
• Branch routing
• Web caching
• Active/Passive high availability

Advanced Security License
• All enterprise features, plus
• Content filtering (with Google SafeSearch enforcement)
• Cisco Advanced Malware Protection
• Snort IDS/IPS
• Threat Grid integration*
• Geo-based firewall rules

*additional Threat Grid subscription required

The Meraki Full Stack

• MR: Wireless
• MX: Security and WAN
• MS: Switching
• Systems Manager: EMM
• MC: IP Telephony
• MV: Security Cameras

A complete cloud managed IT portfolio
Single pane of glass management

Cisco Spark
Questions?
Use Cisco Spark to chat with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be available until November 17, 2017.
cs.co/ciscolivebot#sessionID (E.g: session ID = BRKCOL-1800)

Complete Your Online Session Evaluation
• Give us your feedback about the session you just joined
  ○ Complete your session surveys through the Cisco Live mobile app:
    https://www.ciscolive.com/latam/attend/attendee-info/#mobile-app (English)
    https://www.ciscolive.com/latam/attend-es/attendee-info/#mobile-app (Español)
  ○ or from the Session Catalog on CiscoLive.com/latam.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Q&A

Thank you
