
#CLUS

Integrating the Meraki SD-WAN Solution with the traditional Enterprise network
Arul Jagadeesan – Solution Integration Architect
Kevin Wetzel – Solution Integration Architect
BRKCRS-2103

Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKCRS-2103

#CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Complete your online session evaluation

Give us your feedback to be entered into a Daily Survey Drawing.
Complete your session surveys through
the Cisco Live mobile app or on
www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing
on demand after the event at www.CiscoLive.com/Online.

Agenda
• Introduction
• Meraki Customer Case Study
• SDWAN Considerations
• Building the SDWAN Solution
• Mapping Classic QoS to Meraki
• Operations and Support
• Conclusion

Meraki Customer Case Study
Customer Case Study
Situation
• 1000+ Independent
• LDoS & Non Standard
• Mid-cycle Refresh
Desired Outcome
• Reduce Risk
• Foundation for consistent performance
• Reduce Cost-to-Serve
Current State
• (4) Deployment Models
• 3925 & 800 Routers
Vision
• Silver
• Gold
Customer Case Study - Outcomes
Design & Topology
• Network
• Dependents
• Carrier Topologies
• Last Mile
• Dependencies
• Faxing
• E911
• Voice Redundancy
• Multi-cast
Financial Model
• PROs
  • 30% Savings in WAN costs
  • 86% Savings in CAPEX
  • 45% Savings in OPEX
• CONs
  • Added “Last Mile” costs
  • Depreciation Remaining
Customer Case Study - Outcomes
Design & Topology
• Network
• Dependents
• Carrier Topologies
• Last Mile
• Dependencies
• Faxing
• E911
• Voice Redundancy
• Multi-cast
Financial Model
• PROs
  • 30% Savings in WAN costs
  • 86% Savings in CAPEX
  • 45% Savings in Maintenance
• CONs
  • Added “Last Mile” costs
  • Depreciation Remaining
Outcomes
• Risk Reduction
• LCM
• Cost Savings
• SDWAN Infrastructure
• Maintenance
• Performance Improvements
• Notably happy customers
Moral of the Story
• Understand the environment
• Capabilities
• Dependent
• Dependencies

• Involve teams associated with the dependencies

• Understand all costs (Direct and Indirect)


• Don’t forget to involve Finance

SDWAN Considerations
Architectural Considerations

Architecture – Service Layer Options

[Diagram: Data Center Edge]
Architecture - Carrier Service Considerations
| Description | MPLS | Tier 1 Internet | Tier X Internet |
|---|---|---|---|
| Customer Traffic | Contained | Contained | Multiple Backbones |
| Topology Complexity | Single carrier | Single carrier | Gateway peering or NNIs |
| Type of Service | Commercial Grade | Commercial Grade | Consumer / Commercial |
| Application Prioritization (QoS) | 5 – 6 Priority Levels | Self-configurable | Self-configurable |
| MTTR | 2 – 4 Hours | 2 – 4 Hours | 2 – 4 Hours / 12+ Hours |
| RoM Cost | $$$ | $$ - $$$ | $ - $$ |
| SLA’s | Straight Forward | Straight Forward | Matrix |
Architecture – Carrier Service
Tier x Internet

[Diagram: Data Center Edge]
Architecture – Last Mile (Data Center Locations)
| Description | SONET | Ethernet |
|---|---|---|
| Physical Medium | Fiber | Fiber or Copper |
| Type of Service | Commercial | Commercial |
| Native HA | Self Healing | Self Healing |
| MTTR | Auto Fail-over | Auto Fail-over |
| Escalation Process | Yes | Yes |
| RoM Cost | $$$$$ | $$$$ |
| Scalability | Virtually Unlimited | Virtually Unlimited |
| Monitoring/Alerting | Advanced | Advanced |
| Topology | Point-to-Point | Point-to-Point |
| User Capacity | Very Large Configurable | Very Large Configurable |
Architecture – Last Mile (Remote Locations)
| Description | T-1 | 4LTE | DSL | Cable |
|---|---|---|---|---|
| Physical Medium | Copper | Cellular | Copper | Fiber or Copper |
| Type of Service | Commercial | Consumer | Consumer | Consumer |
| Native HA | Configurable | Not Available | Not Available | Not Available |
| MTTR | 2 – 4 Hours | Up to 24 Hours | Up to 24 Hours | Up to 24 Hours |
| Escalation Process | Yes | No | Possibly | No |
| RoM Cost | $$$ | $$ | $ | $ |
| Scalability | N+1 (8) T1s | Constrained | Limited | Moderate |
| Interfaces | V.35/Ethernet | | | |
| Topology | Point-to-Point | Point-to-Point | Point-to-Point | Multi-Point |
| User Capacity | Large / Configurable | Small / Fixed | Medium / Fixed | Medium / Limitations |

[Diagram: Data Center Edge]
Architecture – Premise Equipment (Remote Locations)
• Demark location in perspective to office
• Extended Wiring
• Carrier Service Hand-off
• Interfaces
• V.35, RS232, 449, RJ48, Ethernet
• Carriers Devices
• Support of Virtual IPs (VIPs)
• Routable IPs Available

[Diagram: Data Center Edge]
Architecture - Common Office Services (Dependencies)

• Special Considerations
• No voice termination
• Voice HA
• e911
• Multi-cast
• Options
• Mobility
• Cloud
• Centralized

[Diagram: Data Center Edge]
Determining the Right SDWAN Approach

Meraki MX
• Existing Meraki customer
• Prizes simplicity and full stack branch management / “Lean IT” organization
• Needs integrated threat management capabilities

Viptela vEdge
• Existing ISR 4K or vEdge Customer
• Complex WAN topologies with high degree of customization
• Needs end-to-end WAN segmentation across on-prem and public cloud infrastructure
SDWAN Key Capabilities
Meraki MX: Simple, cross-functional management
• Support for up to 3 SDWAN Connection
• Single pane of glass management for full stack branch infrastructure (security, WAN, switching, wireless, and more)
• Cisco Advanced Malware Protection
• Cisco Snort IPS
• Integrated URL filtering
• Geo-IP based firewalling
• Intuitive GUI-based configuration and monitoring

vEdge: Highly flexible and customizable
• Support for 3 or more uplinks
• Service chaining at L4-L7
• TCP Optimization and WAN acceleration
• Highly flexible segmentation with customizable topologies on a per-VRF basis
• Multicast support over WAN
• VNF capabilities for gray and white-box MSP/SP offers
• IPv6 support
• On-premises and private cloud management
• Support for integrating multiple VPC workloads (OnRamp) and extending WAN segmentation into IaaS

Shared Capabilities
• Layer 3 VPN overlay for hub-and-spoke deployments
• Layer 3 and 7 policy and performance based routing
• Transport independence across a variety of connection types
• Zero touch deployment with support for templated configurations
• Highly scalable (10,000+ sites)
• LTE failover
• Virtual platform for AWS / Azure
• Public cloud management
Architecture – Network Device (HDW/SFW Capabilities)
[Figure: platform lineup (Z1/Z3, MX64 / 64W, MX65 / 65W, MX80, MX84, MX100, MX400, MX600, vMX100, vEdge 100, vEdge 1000, vEdge 2000) with capability callouts: Wireless, 802.1x, POE]
https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf

Building the SDWAN Solution
Topics Covered
• SDWAN Capabilities

• MX in the Data Center

• MX in the Branch

• Traffic Flow and QoS

• Demo

SD-WAN
Transport Independence
• Multiple Pathways
• Load Balancing
• Automatic Failover
Application Optimization
• Network Visibility
• Quality of Service
Intelligent Path Control
• Policy Based Routing
• Dynamic Path Selection
Secure Connectivity
• Auto VPN
• AES Encryption
MX in Data Center
Deployment Modes

NAT Mode
• The MX is the Layer 7 application firewall in the HQ/data center.

Passthrough or VPN Concentrator Mode
• Firewall already exists
• MX is VPN Concentrator
• Dynamically advertise VPN Routes
PoC Lab Design
[Diagram labels: Branch Office (two), SDWAN, VPN, Internet, Core, MPLS, Extranet WAN, Primary Data Center, Secondary Data Center. Legend: Internet connection, VPN tunnel]
Data Center Deployment Models
• NAT Mode
• NAT Mode HA
• VPN Concentrator Mode (One Armed)
• VPN Concentrator Mode (One Armed-HA)
DC Deployment – NAT Mode

• One Ethernet connection (WAN) to Upstream Network and one Ethernet (LAN) to Downstream Network
• VPN Traffic sent and received on WAN interface
• Decrypted Traffic sent and received on LAN interface

[Diagram labels: Internet, MX600, Layer 3 Distribution]
DC Deployment – NAT Mode (HA)
• WAN Interfaces
  • Same IP subnet on WAN Interfaces
  • The virtual IP address (VIP) is shared by both the primary and warm spare
• LAN Interfaces
  • Appliance IPs in any configured VLANs
  • VIPs are not required
• Failure Detection
  • WAN Failover
    • DNS, ICMP & ARP Tests
  • LAN Failover
    • VRRP is used for sharing health information and detecting failure

[Diagram labels: Internet, MX600, MX600, Layer 3 Distribution]
DC Deployment – VPN Concentrator (One Armed)

• Single Ethernet connection to Upstream Network
• All Traffic sent and received on one interface
• Recommended configuration for MX appliances serving as VPN termination points into the datacenter
• One-armed concentrator MX appliances should always be deployed behind an edge firewall

[Diagram labels: Internet, Firewall, MX600, Layer 3 Distribution]
DC Deployment – VPN Concentrator (One Armed – HA)

• WAN Interfaces
  • Same IP subnet on WAN Interfaces
  • The virtual IP address (VIP) is shared by both the primary and warm spare
• LAN Interfaces
  • Make sure MXs are not connected directly via their LAN ports
• Failure Detection
  • VRRP is used for sharing health information and detecting failure
  • Failover < 30 seconds

[Diagram labels: Internet, Firewall, MX600 (Primary), MX600 (Warm Standby), Layer 3 Distribution]
Meraki SD-WAN Hub Topology
• The IP address of the one-armed MX terminates both AutoVPNs
• The MPLS network must be reachable from the MX network

[Diagram labels: Internet, MPLS, MPLS Auto VPN Tunnel, INET Auto VPN Tunnel, MX600]
VPN Aggregation Topology (Logical)
[Diagram labels: Internet, default, ASA Firewall pair (active/standby), MX600 Primary (VPN concentrator mode), MX600 Warm Standby (VPN concentrator mode), VRRP, BGP, Layer 3 Distribution]
VPN Aggregation Topology (Physical)

[Diagram labels: Internet, Internet Layer, Firewall (pair), MX600 Primary (VPN concentrator mode), MX600 Warm Standby (VPN concentrator mode), Layer 3 Distribution. Legend: Link to active device, Link to standby device]
Demo DC 1 ARM HA
Addressing and VLANs (Data Center 1)

Warm Spare (Data Center 1)
Active Appliance Status Summary (Data Center 1)
Active Appliance Status Uplink (Data Center 1)
Passive Appliance Status Summary (Data Center 1)
Passive Appliance Status Uplink (Data Center 1)
Routing
Auto VPN
• Cloud Maintains Dynamic Table to track all MX
• Dashboard dynamically pushes subnets
• Subnets stored in separate, static routing table

OSPF
• MX in Pass Through Mode (Concentrator)
• Advertises Auto VPN Subnets

BGP
• One-Armed VPN (Concentrator)
• iBGP over AutoVPN
• eBGP to Data Center
OSPF

One Armed Concentrator - OSPF
• Pass Through VPN concentrator mode only
• Not available on MX devices operating in NAT mode
• Only advertise routes with OSPF; MX will not learn OSPF routes

Inbound Data Flow (OSPF)

[Diagram labels: Internet; Branch 10.1.1.0/24; ASA Firewall (default); Primary MX 10.100.30.3 (VPN concentrator mode), Enable OSPF; Warm Standby MX (VPN concentrator mode), Enable OSPF; OSPF Neighbor 10.100.30.254 (OSPF learned routes to remote Auto VPN Sites); Distribution layer (OSPF learned routes to remote sites); Data Center. Legend: Encrypted Flow, Cleartext Flow]
Outbound Data Flow (OSPF)

[Diagram labels: Internet; Branch 10.1.1.0/24; ASA Firewall (default); Primary MX 10.100.30.3 (VPN concentrator mode), Enable OSPF; Warm Standby MX (VPN concentrator mode), Enable OSPF; OSPF Neighbor 10.100.30.254 (OSPF learned routes to remote Sites); Distribution layer (OSPF learned routes to remote sites); Data Center. Legend: Encrypted Flow, Cleartext Flow]
One Armed Concentrator - OSPF
MX Configuration
10.100.30.3

Layer 3 Router Configuration

router ospf 1
 router-id 10.100.30.254
 log-adjacency-changes
 area 100 authentication message-digest
 network 10.100.30.0 0.0.0.255 area 100
One Armed Concentrator – OSPF
MX Configuration

• Enable OSPF
• 10.100.30.3: The OSPF Router ID that the MX will use to identify itself to neighbors
• The OSPF Area ID that the MX will use when sending route advertisements
• (Defaults to 1) The route cost attached to all OSPF routes advertised from the MX.
• (Defaults to 10) How frequently the MX will send OSPF Hello packets in seconds.
• (Defaults to 40) How long the MX will wait (in seconds) to see Hello packets from a particular OSPF neighbor before considering that neighbor inactive
• MD5 hashing will be used to authenticate potential OSPF neighbors.
• The MD5 key number and passphrase
BGP
One Armed Concentrator - BGP
• Pass Through VPN concentrator mode only
• Not available on MX devices operating in NAT mode
• iBGP across Organization (Meraki)
• eBGP to the Data Center Devices

Inbound Data Flow - BGP
[Diagram labels: Internet; Branch 10.1.1.0/24; ASA Firewall (default); Primary MX 10.100.30.3 (VPN concentrator mode), Enable BGP; Warm Standby MX (VPN concentrator mode), Enable BGP; eBGP; 10.100.30.254 (BGP learned routes to remote Auto VPN Sites); Distribution layer (BGP learned routes to remote sites); Data Center. Legend: Encrypted Flow, Cleartext Flow]
Outbound Data Flow - BGP
[Diagram labels: Internet; Branch 10.1.1.0/24; ASA Firewall (default); Primary MX 10.100.30.3 (VPN concentrator mode), Enable eBGP; Warm Standby MX (VPN concentrator mode), Enable eBGP; eBGP; 10.100.30.254 (BGP learned routes to remote Sites); Distribution layer (BGP learned routes to remote sites); Data Center. Legend: Encrypted Flow, Cleartext Flow]
One Armed Concentrator - BGP
MX Configuration

Layer 3 Router Configuration

router bgp 65513
 no synchronization
 bgp log-neighbor-changes
 network 10.10.10.0 mask 255.255.255.0
 network 10.100.30.0 mask 255.255.255.0
 timers bgp 15 45
 neighbor 10.100.30.3 remote-as 65512
 neighbor 10.100.30.13 remote-as 65512
 no auto-summary
Demo BGP
BGP Configuration (Data Center 1)

MX Configuration

• Enable BGP
• Organization Wide VPN BGP Autonomous System Number
• eBGP Autonomous System Number
• eBGP Neighbor IP Address
BGP Configuration (Data Center 1)

L3 Router Configuration

router bgp 65513
 no synchronization
 bgp log-neighbor-changes
 network 10.10.10.0 mask 255.255.255.0
 network 10.100.30.0 mask 255.255.255.0
 neighbor 10.100.30.3 remote-as 65512
 neighbor 10.100.30.13 remote-as 65512
 no auto-summary
BGP Configuration (Data Center 1)

L3 Router BGP Neighbors

DC1-FW-IL-SJC-01#sh ip bgp summary
BGP router identifier 10.10.10.10, local AS number 65513
BGP table version is 4, main routing table version 4
3 network entries using 396 bytes of memory
4 path entries using 208 bytes of memory
4/2 BGP path/bestpath attribute entries using 672 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 1356 total bytes of memory
BGP activity 22/19 prefixes, 30/26 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.100.30.3     4 65512    9934    8621        4    0    0 6d00h           1
10.100.30.13    4 65512    9951    8638        4    0    0 6d00h           1
DC1-FW-IL-SJC-01#
BGP Configuration (Data Center 1)
L3 Router Routing Table
DC1-FW-IL-SJC-01#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 24.159.208.241 to network 0.0.0.0

24.0.0.0/29 is subnetted, 1 subnets
C 24.159.208.240 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 3 subnets
C 10.10.10.0 is directly connected, Loopback1
B 10.1.1.0 [20/0] via 10.100.30.3, 6d00h
C 10.100.30.0 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 24.159.208.241
DC1-FW-IL-SJC-01#
Branch Design
Branch Design
• Dual WAN Links
• Single SD-WAN Topology
• Highly Available SD-WAN Topology
• SD-WAN Requirements

Dual WAN Links
Internet + 4G (Branch to Data Center over Internet and 4G)
• Primary with Backup Link
• No Load Balancing

SDWAN Hybrid (Branch to Data Center over MPLS and Internet)
• Active - Active
• Load Balancing

SDWAN Dual Internet (Branch to Data Center over two Internet links)
• Active – Active
• Load Balancing
• Best Price/Performance
• Least dependence on SPs
SD-WAN Deployment Models
• Single SD-WAN Topology
• HA Single SD-WAN Topology
• SD-WAN Branch Requirements

Single SD-WAN Topology - Branch

[Diagram labels: MPLS, Internet, MPLS Auto VPN Tunnel, INET Auto VPN Tunnel]

Devices High Availability: None
Links: Active/Active
Highly Available SD-WAN Topology - Branch

[Diagram labels: MPLS, Internet, MPLS Auto VPN Tunnel, INET Auto VPN Tunnel]

Devices High Availability: Yes
Links: Active/Active
Meraki SD-WAN Branch Requirements
• Each WAN interface must have reachability to the address of each SD-WAN hub
• Each WAN interface must have reachability to Meraki dashboard (This means the MPLS network must have access to Internet either directly or through the hub site)

[Diagram labels: Internet, MPLS]
Initializing Auto VPN Registration
Auto VPN
• Auto VPN: Auto-provisioning IPsec VPN
• Cloud Enabled: Automatically configured VPN Parameters
• Flexible tunneling, topology, and security policies

Callouts, in slide order:
• Simple
• Branch to Headquarters
• Branch to Branch
• IKE and IPSEC
• Branch to Branch
• Split and Full Tunnel
• Hub/Spoke & Fully Mesh
• Built in Firewall

[Diagram labels: Data Center, Internet, Internet, Branch]
Auto VPN Registry Successful

Demo Auto VPN
Data Center Auto VPN
[Diagram labels: Branch Office (two), SDWAN, VPN, Internet, Core, MPLS, Extranet WAN, Primary Data Center, Secondary Data Center. Legend: Internet connection, VPN tunnel]
Auto VPN Configuration (Data Center 1)
Branch Auto VPN
[Diagram labels: Branch Office (two), SDWAN, VPN, Internet, Core, MPLS, Extranet WAN, Primary Data Center, Secondary Data Center. Legend: Internet connection, VPN tunnel]
Auto VPN Configuration (BRANCH)
Monitoring Auto VPN (BRANCH)
Monitoring Auto VPN Subnets (BRANCH)
Monitoring Auto VPN (Data Center 1)
Auto VPN Registry Unsuccessful

%SEC-6-IPACCESSLOGP: list LAN-ACL denied udp 10.100.30.1(45803) -> 199.231.78.148(9350), 1 packet
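
The log line above is the kind of evidence to search for when an MX fails to register for Auto VPN. The following added example (not from the original slides) parses IOS `%SEC-6-IPACCESSLOGP` messages and totals denied UDP packets from the MX toward the port seen in that line; treating UDP 9350 as the registry port and 10.100.30.1 as the MX uplink address are assumptions drawn from the slide, and every sample line after the first is constructed.

```python
import re
from collections import defaultdict

# UDP 9350 is the destination port in the slide's denied log line; treating it
# as the Auto VPN registry port is an assumption based on the slide title.
REGISTRY_UDP_PORTS = frozenset({9350})

# Cisco IOS logging format for TCP/UDP hits on an ACL entry with "log".
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return the fields of one IPACCESSLOGP line, or None for other messages."""
    m = ACL_LOG.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def blocked_registry_flows(lines, mx_sources, ports=REGISTRY_UDP_PORTS):
    """Total denied UDP packets from the MX addresses to the registry ports.

    Returns {(acl, src, dst, dport): packets}. The ACL name in the key tells
    the operator which access list is dropping the MX's registration traffic.
    """
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied" or rec["proto"] != "udp":
            continue
        if rec["src"] not in mx_sources or rec["dport"] not in ports:
            continue
        totals[(rec["acl"], rec["src"], rec["dst"], rec["dport"])] += rec["count"]
    return dict(totals)


SAMPLE_LOG = [
    # The line shown on the slide.
    "%SEC-6-IPACCESSLOGP: list LAN-ACL denied udp 10.100.30.1(45803) -> 199.231.78.148(9350), 1 packet",
    # Constructed lines: a repeat hit, permitted DNS, an unrelated TCP deny,
    # a deny from a host that is not the MX, and a non-ACL message.
    "Jun 12 10:06:07: %SEC-6-IPACCESSLOGP: list LAN-ACL denied udp 10.100.30.1(45803) -> 199.231.78.148(9350), 4 packets",
    "Jun 12 10:06:09: %SEC-6-IPACCESSLOGP: list LAN-ACL permitted udp 10.100.30.1(51514) -> 192.0.2.53(53), 1 packet",
    "Jun 12 10:06:11: %SEC-6-IPACCESSLOGP: list LAN-ACL denied tcp 10.100.30.77(40112) -> 198.51.100.10(23), 1 packet",
    "Jun 12 10:06:12: %SEC-6-IPACCESSLOGP: list LAN-ACL denied udp 10.100.30.77(40113) -> 199.231.78.148(9350), 2 packets",
    "Jun 12 10:06:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
]

if __name__ == "__main__":
    hits = blocked_registry_flows(SAMPLE_LOG, {"10.100.30.1"})
    for (acl, src, dst, dport), pkts in hits.items():
        print(f"{acl}: {pkts} packets from MX {src} to {dst} udp/{dport} denied")
```

A non-empty result names the access list that needs review before the MX can register.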

Demo DC Traffic Flows
Traffic Flow Between Branch and Data Center
[Diagram labels: Branch Office (two), SDWAN, VPN, Internet, Core, MPLS, Extranet WAN, Primary Data Center, Secondary Data Center. Legend: Internet connection, VPN tunnel]
Auto VPN Configuration (Data Center 1)
Auto VPN Configuration (Data Center 2)
BGP Configuration (DC 1 and DC 2 are Up)

Primary DC MX VRRP = 10.100.30.3
Secondary DC MX VRRP = 10.100.30.13

L3 Router Configuration

router bgp 65513
 no synchronization
 bgp log-neighbor-changes
 network 10.10.10.0 mask 255.255.255.0
 network 10.100.30.0 mask 255.255.255.0
 ! Primary Data Center MX VPN Concentrator
 neighbor 10.100.30.3 remote-as 65512
 ! Secondary Data Center MX VPN Concentrator
 neighbor 10.100.30.13 remote-as 65512
 no auto-summary
BGP Outputs (DC 1 and DC 2 are Up)

L3 Router BGP Neighbors

Primary DC MX VRRP = 10.100.30.3
Secondary DC MX VRRP = 10.100.30.13

DC1-FW-IL-SJC-01#sh ip bgp summary
BGP router identifier 10.10.10.10, local AS number 65513
BGP table version is 4, main routing table version 4
3 network entries using 396 bytes of memory
4 path entries using 208 bytes of memory
4/2 BGP path/bestpath attribute entries using 672 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 1356 total bytes of memory
BGP activity 22/19 prefixes, 30/26 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.100.30.3     4 65512    9934    8621        4    0    0 6d00h           1
10.100.30.13    4 65512    9951    8638        4    0    0 6d00h           1
DC1-FW-IL-SJC-01#
BGP Outputs (DC 1 and DC 2 are Up)

L3 Router BGP Table

Branch Subnet = 10.1.1.0
Data Center Subnet = 10.10.10.0

DC1-FW-IL-SJC-01#sh ip bgp
BGP table version is 4, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  10.1.1.0/24      10.100.30.13                           0 65512 65512 i
*>                  10.100.30.3                            0 65512 i
*> 10.10.10.0/24    0.0.0.0                  0         32768 i
*> 10.100.30.0/24   0.0.0.0                  0         32768 i
DC1-FW-IL-SJC-01#

Callouts:
Path via 10.100.30.13: Secondary Data Center MX VPN Concentrator
Path via 10.100.30.3: Primary Data Center MX VPN Concentrator (PREFERRED)

DC to Branch Reachability via Primary Path

Branch Subnet = 10.1.1.0
Data Center Subnet = 10.10.10.0

DC1-FW-IL-SJC-01#ping 10.1.1.254 source 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/75/80 ms
DC1-FW-IL-SJC-01#

DC1-FW-IL-SJC-01#traceroute 10.1.1.254 source 10.10.10.10

Type escape sequence to abort.
Tracing the route to 10.1.1.254

  1 10.100.30.1 0 msec 0 msec 4 msec

Branch to DC Reachability via Primary Path
Branch to Data Center Reachability

Branch Subnet = 10.1.1.0


Data Center Subnet = 10.10.10.0

Demo Meraki HA and DC Failover
Primary MX Failure

[Figure: topology diagram (branch offices, Internet VPN tunnels, primary and secondary data centers, core, MPLS and extranet WAN) with the failed MX marked X.]

Data Center 1 Failure

[Figure: topology diagram (branch offices, Internet VPN tunnels, primary and secondary data centers, core, MPLS and extranet WAN) with the failed data center marked X.]

BGP Outputs (DC 1 is Down and DC 2 is Up)

Primary DC MX VRRP = 10.100.30.3
Secondary DC MX VRRP = 10.100.30.13

DC1-FW-IL-SJC-01#sh ip bgp summary
BGP router identifier 10.10.10.10, local AS number 65513
BGP table version is 7, main routing table version 7
3 network entries using 396 bytes of memory
3 path entries using 156 bytes of memory
3/2 BGP path/bestpath attribute entries using 504 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 2 (at peak 2) using 60 bytes of memory
BGP using 1140 total bytes of memory
BGP activity 25/22 prefixes, 36/33 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.100.30.3     4 65512   10375    9017        0    0    0 00:05:39 Active
10.100.30.13    4 65512   10423    9051        7    0    0 00:09:41        1

Callouts:
10.100.30.3: Primary Data Center MX VPN Concentrator (DOWN)
10.100.30.13: Secondary Data Center MX VPN Concentrator (PREFERRED)

BGP Outputs (DC 1 is Down and DC 2 is Up)

L3 Router BGP Table

Branch Subnet = 10.1.1.0
Data Center Subnet = 10.10.10.0

DC1-FW-IL-SJC-01#sh ip bgp
BGP table version is 7, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.1.1.0/24      10.100.30.13                           0 65512 65512 i
*> 10.10.10.0/24    0.0.0.0                  0         32768 i
*> 10.100.30.0/24   0.0.0.0                  0         32768 i

Callout:
Path via 10.100.30.13: Secondary Data Center MX VPN Concentrator (PREFERRED)

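The two BGP states shown on these slides (both concentrators up, then DC 1 down) can be checked by a monitoring script rather than by eye. The following Python is an added example, not part of the original presentation; the function names and the role mapping are assumptions, and the sample text is the slide output with its spacing collapsed.

```python
import re

# Role mapping taken from the slide callouts (MX VRRP addresses).
CONCENTRATORS = {"10.100.30.3": "primary", "10.100.30.13": "secondary"}

# Slide output, whitespace collapsed as in the extracted text.
SUMMARY_UP = """\
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.100.30.3 4 65512 9934 8621 4 0 0 6d00h 1
10.100.30.13 4 65512 9951 8638 4 0 0 6d00h 1
"""
TABLE_UP = """\
Network Next Hop Metric LocPrf Weight Path
* 10.1.1.0/24 10.100.30.13 0 65512 65512 i
*> 10.100.30.3 0 65512 i
*> 10.10.10.0/24 0.0.0.0 0 32768 i
*> 10.100.30.0/24 0.0.0.0 0 32768 i
"""
SUMMARY_DC1_DOWN = """\
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.100.30.3 4 65512 10375 9017 0 0 0 00:05:39 Active
10.100.30.13 4 65512 10423 9051 7 0 0 00:09:41 1
"""
TABLE_DC1_DOWN = """\
Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.0/24 10.100.30.13 0 65512 65512 i
*> 10.10.10.0/24 0.0.0.0 0 32768 i
*> 10.100.30.0/24 0.0.0.0 0 32768 i
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
IP_RE = re.compile(IP)
# Status flags, optional prefix (blank on continuation rows), then next hop.
# Assumes prefixes are printed with a /length, as they are on the slides.
ROUTE_RE = re.compile(rf"^([*>sdhrSi]+)\s*(?:({IP}/\d+)\s+)?({IP})(?:\s|$)")


def parse_neighbors(summary_text):
    """Map neighbor IP -> (state, prefixes_received) from 'show ip bgp summary'."""
    neighbors = {}
    for line in summary_text.splitlines():
        tokens = line.split()
        if len(tokens) < 10 or not IP_RE.fullmatch(tokens[0]):
            continue
        field = " ".join(tokens[9:])  # State/PfxRcd column
        # A number means the session is Established and is the prefix count.
        if field.isdigit():
            neighbors[tokens[0]] = ("Established", int(field))
        else:
            neighbors[tokens[0]] = (field, 0)
    return neighbors


def parse_routes(table_text):
    """Map prefix -> [(next_hop, is_best)] for valid paths in 'show ip bgp'."""
    routes, current = {}, None
    for line in table_text.splitlines():
        match = ROUTE_RE.match(line.strip())
        if not match:
            continue
        status, network, next_hop = match.groups()
        current = network or current  # continuation rows reuse the prefix
        if current and "*" in status:
            routes.setdefault(current, []).append((next_hop, ">" in status))
    return routes


def assess(summary_text, table_text, prefix, roles=CONCENTRATORS):
    """Report which concentrator carries `prefix` and what redundancy is left."""
    neighbors = parse_neighbors(summary_text)
    paths = parse_routes(table_text).get(prefix, [])
    best = [hop for hop, is_best in paths if is_best]
    active = roles.get(best[0]) if best else None
    backups = sum(1 for _, is_best in paths if not is_best)
    down, alerts = [], []
    for ip, role in roles.items():
        state, _ = neighbors.get(ip, ("missing", 0))
        if state != "Established":
            down.append(role)
            alerts.append(f"BGP session to {role} concentrator {ip} is {state}")
    if active != "primary":
        alerts.append(f"{prefix} is reached via {active or 'no'} concentrator")
    if backups == 0:
        alerts.append(f"{prefix} has no backup path")
    return {"active": active, "down": down, "backup_paths": backups, "alerts": alerts}


if __name__ == "__main__":
    for label, summary, table in (("DC 1 and DC 2 up", SUMMARY_UP, TABLE_UP),
                                  ("DC 1 down", SUMMARY_DC1_DOWN, TABLE_DC1_DOWN)):
        print(label, assess(summary, table, "10.1.1.0/24"))
```

With both data centers up the branch prefix has one best path and one backup; after the DC 1 failure the same check raises three alerts because the only remaining path is the secondary concentrator.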
DC to Branch Reachability via Secondary Path

Branch Subnet = 10.1.1.0
Data Center Subnet = 10.10.10.0

DC1-FW-IL-SJC-01#ping 10.1.1.254 source 10.10.10.10 repeat 500
Type escape sequence to abort.
Sending 500, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.........
......................................................................
..................................!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
Success rate is 77 percent (387/500), round-trip min/avg/max = 64/77/224 ms
DC1-FW-IL-SJC-01#Traceroute 10.1.1.254 source 10.10.10.10

Type escape sequence to abort.
Tracing the route to 10.1.1.254

  1 10.100.30.11 4 msec 0 msec 0 msec

Callouts:
Where the replies stop: Primary Data Center MX VPN Concentrator is DOWN, and traffic is converging to Secondary Data Center.
Where the replies resume: Traffic successfully converged to Secondary Data Center.

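The ping transcript above also gives a rough measure of how long the failover took. The following Python is an added example, not part of the original presentation: it parses an IOS ping transcript, finds the longest run of unanswered echoes and multiplies it by the timeout. The function name is an assumption, and the sample is reconstructed from the slide output on the assumption that IOS prints 70 result characters per line.

```python
import re

SEND_RE = re.compile(r"Sending (\d+), \d+-byte ICMP Echos to \S+, timeout is (\d+) seconds")
RATE_RE = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")
MARKS_RE = re.compile(r"^[!.UQM?&]+$")  # IOS ping result characters

# Reconstructed from the slide: 61 replies, 113 timeouts, then replies again.
SAMPLE = "\n".join([
    "Sending 500, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:",
    "Packet sent with a source address of 10.10.10.10",
    "!" * 61 + "." * 9,
    "." * 70,
    "." * 34 + "!" * 36,
    "!" * 70, "!" * 70, "!" * 70, "!" * 70,
    "!" * 10,
    "Success rate is 77 percent (387/500), round-trip min/avg/max = 64/77/224 ms",
])


def analyze_ping(text):
    """Summarise an IOS ping transcript and estimate the longest outage."""
    send, rate = SEND_RE.search(text), RATE_RE.search(text)
    if not send or not rate:
        raise ValueError("not an IOS ping transcript")
    sent, timeout = int(send.group(1)), int(send.group(2))
    lines = (line.strip() for line in text.splitlines())
    marks = "".join(line for line in lines if MARKS_RE.match(line))
    longest = first_loss = run = 0
    for position, mark in enumerate(marks, start=1):
        if mark == "!":
            run = 0
            continue
        run += 1
        if first_loss == 0:
            first_loss = position  # 1-based index of the first lost echo
        longest = max(longest, run)
    received = marks.count("!")
    # The transcript is trustworthy only if the marks agree with the summary line.
    consistent = (received == int(rate.group(1))
                  and len(marks) == int(rate.group(2)) == sent)
    return {
        "sent": sent,
        "received": received,
        "lost": len(marks) - received,
        "first_loss": first_loss,
        "longest_gap": longest,
        # Each unanswered echo waits the full timeout before the next is sent.
        "outage_seconds": longest * timeout,
        "consistent": consistent,
    }


if __name__ == "__main__":
    print(analyze_ping(SAMPLE))
```

For this transcript the estimate is 113 consecutive timeouts at 2 seconds each, which is the figure to compare against BGP timers when tuning failover.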
Primary Data Center Down

Branch to DC Reachability via Secondary Path

Traffic Flow and QoS
Traffic Flow
• MX Load Balancing
• MX Flow Preference
• MX VPN Traffic and Custom Performance Classes

MX Load Balancing

[Figure: branch with WAN 1 and WAN 2 uplinks across the Internet to the data center and data center services.]

MX Flow Preferences

[Figure: branch with WAN 1 and WAN 2 uplinks across the Internet to the data center and data center services.]

MX VPN Traffic and Custom Performance Classes

[Figure: branch with WAN 1 and WAN 2 uplinks across the Internet to the data center and data center services.]

QoS
• QoS Framework Advancement
• Mapping a 5 Class Framework to Meraki
• Applying QoS on Meraki

Mapping to a Meraki 3 Queue Framework

Meraki Traffic Shaping - Uplink Configuration
• WAN 1 Simple
• Synchronous Uplink & Downlink

• WAN 1 Detail
• Asynchronous Uplink & Downlink
• Enter your uplink and downlink speeds in their respective fields

Path = Organization > Network > Appliance > Traffic Shaping

Meraki Traffic Shaping - Uplink Statistics
• Uplink Statistics
• 8.8.8.8 Default
• Unable to modify default

Path = Organization > Network > Appliance > Traffic Shaping

• Uplink Statistics
• Maximum of 3 destinations
• Must be Public IPs available to MX

• Must respond to ICMP

Path = Appliance > Traffic Shaping

Meraki Traffic Shaping – Historical Data
• Historical Data
• Last 2 Hours
• Day
• Week
• Month

• Changing Connectivity
• Latency
• Loss

Path = Appliance > Application Status > [Uplink]

Global Bandwidth Limits
• Limit users bandwidth
• Slide Rule 50 Kbs - Unlimited

• Enable SpeedBurst
• 10 Second bandwidth burst
• Returned to limit

• Better Web Performance

• Limit Large Data Transfers

Meraki Article ID 1931

Path = Organization > Network > Appliance > Traffic Shaping

Meraki Traffic Shaping Rules
• Create the Rule
• Select an Expression
• Expressions equate to TCP/UDP Ports
• Multiple Expressions equate to a Definition
• Set bandwidth limits

Path = Organization > Network > Appliance > Traffic Shaping

Applying DSCP Value
• Select the traffic “Priority”
• Select the DSCP tag desired
• “Bandwidth Limit” Option
• Select “Priority”

Path = Organization > Network > Appliance > Traffic Shaping

Creating a Custom Expression
• Additional Network Ports
  Telnet (SSH): 22
  Telnet: 23
  DNS Queries: 53
  DHCP: 67
  NTP: 123
  SNMP Agents: 161
  SNMP Servers: 162

• Well Known TCP/UDP Ports

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports

Meraki Article ID 4366

Path = Organization > Network > Appliance > Traffic Shaping

Attempting to Squelch
• Select Expression
• Choose Limit
• Place in “Low” Priority

Path = Organization > Network > Appliance > Traffic Shaping

Demo QoS
Moving to Traffic Shaping Screen Window
• From the Main screen of an MX security appliance
1. Select “Traffic shaping”

Moving to Create a New Rule Screen Window
• From the Traffic Shaping Screen
1. Select “Create A New Rule”

Creating a Rule Definition
1. Click on “Add +”
2. Select category
3. Select one or more expressions

Choosing Bandwidth
1. Choose the Bandwidth Limit Type
2. Choose bandwidth limit

Changing DSCP
1. Click on DSCP Tagging
2. Select DSCP value desired
3. Save your changes

Custom Expression - Port
1. Click on “Add+”
2. Enter port number in box
3. For example, “123”
4. Click on “Add Expression” button to complete
5. Save your changes

Custom Expression - Website
1. Click on “Add+”
2. Enter URL in box
3. For example, “Cisco.com”
4. Click on “Add Expression” button to complete
5. Save your changes

Custom Expression – Network/Port
1. Click on “Add+”
2. Enter network:port in box
3. For example, “10.1.24.0:80”
4. Click on “Add Expression” button to complete
5. Save your changes

Operations and Support
Configuring a Static Address on the Meraki
• High Level Steps of the process
• Share with the audience that there are hidden slides

Accessing the Device

• Meraki device cannot be connected to the network
• Connect laptop into port 1 of Meraki device
• Laptop cannot be connected to a network in any manner.
• Open browser “setup.meraki.com”
• Following screen appears
• Click on “Configure”

Entering the Configuration Screen

• Enter Serial number in User Name
• Case sensitive
• Include dash ( - ) separators
• No “password”
• Screen will change
• Scroll down to configure the Uplink with a Static IP

Configuring the Static IP and associated information

• Change IP Assignment to “STATIC”
• Add Static IP information
• Address
• Network
• Gateway
• DNS Servers

Configuring a Static Address on the Meraki
• Click on Appliance Status
• Click on Uplink

Configuring a Static Address on the Meraki
• Select Static IP
• Add IP address
• Add DNS information

Organization - Configure
• Organization Settings
• Administrators
• License Information
• Bulk Network Creator
• Create a Network
• Inventory
• Configuration Synch

Organization Settings
• Password Expiration
• User Passwords
• Strong Passwords
• Account Lockout
• Idle Timeout
• Two-factor authentication
• Login IP Ranges

Path = Organization > Settings

Article ID: 6259


Organization Settings (Cont’d)
• Administration
• Privacy
• SNMP
• Threat Grid
• Dashboard API Access

Path = Organization > Settings

Article ID: 6259


Administrators

• Set Organization Administrator privileges


• Able to set exceptions on devices

Path = Organization > Administrators

Article ID: 1759


License Info Page
• Organization license status - OK, Warning, License Required
• License Co-term date - The date all licenses applied to the Organization expire
• MX Advanced Security status - Not Activated, Enabled
• Systems Manager licensing status - None, Legacy, Free 100, Paid/Enterprise
• License limit - Maximum number of devices currently licensed, per hardware model *
• Current device count - Current count of active devices, per hardware model *
• License history of the Organization - All current active and expired licenses

Path = Organization > License Info

Article ID: 6295

Create a Network
• Creating a Network
• Default Meraki configuration
• Bind to template

• Clone from existing network

• Deleting a Network
• Additional Resources

Path = Organization > Create Network

Article ID: 1684


Bulk Network Creation
• Source configuration
• Default: New networks will use the default, initial Dashboard configuration.
• Copy settings from <network name>: New networks will use the same configuration as the selected network.
• Bind to template <template name>: New networks will be bound to an existing template.
• CSV import: Upload a .csv file

Network name | Serial | Network tags | Name | Tags | Address | Notes | Static IP | Netmask | Gateway | DNS1 | DNS2 | VLAN
Store - 1 | QXXX-XXXX-XXX1 | west tag1 | AP - 1 | rainbow | 1600 Pennsylvania | Oval office | 5.5.5.1 | 255.255.255.0 | 5.5.5.254 | 5.5.5.253 | 5.5.5.252 | 5
Store - 1 | QXXX-XXXX-XXX2 | west tag1 | AP - 2 | rainbow | 1600 Pennsylvania | Situation room | 5.5.5.2 | 255.255.255.0 | 5.5.5.254 | 5.5.5.253 | 5.5.5.252 | 5
Store - 2 | QXXX-XXXX-XXX3 | west tag3 | AP - 3 | rainbow | 1600 Pennsylvania | Panic room | 5.5.5.3 | 255.255.255.0 | 5.5.5.254 | 5.5.5.253 | 5.5.5.252 | 5

Path = Organization > Bulk network creation

Article ID: 3810

Inventory
• Search on
• MAC address
• Serial number

• Network name

• Model number

• Order number

Path = Organization > Inventory

Article ID: 1760


Configuration Synch
• Traffic Shaping
• Only Traffic Shaping Rules
• Cannot be performed with a combined network

• Select Networks
• Click on Copy

Path = Organization > Configuration Synch

Article ID: 1506


Demo Configuration Sync
Navigation to Configuration Sync

Navigate to Configuration sync

Selecting Sync Source

Landing Page

Settings available to sync

Select Source

Traffic Rule update to a single device
Updated Traffic Shaping Rule

Data Centers are now out of sync

Selecting Sync Destination

Target Network

Inconsistency

Sync Configuration

Click Copy

Traffic Shaping Synchronized

Organization - Monitor
• Change Log
• Login Attempts
• Firmware Upgrade Status
• Configuring Network Firmware Upgrades
• Configuration Templates

Change Log

• Tracking of changes to the Network within the Organization


• 14 Months in the EU and 2 Years in the rest of the world
• Search Capabilities

Path = Organization > Change Log

Article ID: 6282


Login Attempts
• Displays historical login attempts
• Source IP
• Geo-Location

• Type

• Status

• Time Stamp

Path = Organization > Login Attempts

Article ID: 6283


Managing Firmware as an Organization Admin
• Most recent changes
• Release notes
• Release Features
• Bug Fixes

• Security Fixes

• Known issues

• Upgrades can be scheduled up to a month in advance

Path = Organization > Firmware Upgrades

Article ID: 5922


Managing Firmware as a Network Admin
• Network Administrator Credentials
• Greyed out schedule fields represent latest firmware loaded

Setting Time Zone

Article ID: 1553

Path = Network-wide > General

Article ID: 5922


Configuration Templates
• Manage multiple devices with a single configuration
• Sites that are part of a template can have exceptions called “Overrides”
• Not all settings can be changed on sites bound to a template

Path = Organization > Configuration Templates

Article ID: 1768


Demo Creating Templates
Selecting Configuration Templates
• Click on Organization
• Click on Configuration Templates

Creating a New Template
• Select Create New from drop-down window

• Initial window

Create a Template Name
• Create a Template Name
• Bind to select existing network
• Close to build from scratch
• Select an existing network as the template
• Build one from scratch

Saving Template

• Returns to prior screen


• Save Changes
• Template Appears with no bound networks.

View All Networks

Template appears in side frame navigation

Newly created template “EST W@H” appears as part of “View all networks”

Setting the Time Zone

Select General

Eastern Time Zone in USA

Configuring Addresses and VLANs

Select the Template

Select Security Appliance


Select Addressing and VLANs

Enabling Custom Addresses

Select Enable from drop-down box

Select Add a Local VLAN Template

Creating a Unique Subnet Template

Select Unique

Creating Auto Generated Addresses

VLAN Name

Select Subnet Mask

Creating Auto Generated Addresses

Change Network from 8 to 16

VLAN ID

Save Changes

Addresses are auto generated when network is bound to template

Unique Subnetting Created
Both the original and Unique configurations exist

Delete the old configuration

Reserving an IP Range in DHCP

Select DHCP

Reserving a Range of IP Addresses

Available IP Addresses within the range (1 – 254)

Reserved IP range for all subnets in the template - First address is taken for MX

Reserved 2nd through 4th IP address for Ptr, Fax & Phone.

Save Changes

Network Q-BR Prior to Bind – Address & VLANs

Default VLAN and Addressing

Subnet 192.168.128.0/24 / MX IP 192.168.128.1

Network Q-BR Prior to Bind - DHCP

No Reserved IP range

Navigating to Bind a Network to the Template

Navigate to Configuration templates

Window with Template opens

Click on Template

Bind Network “Q-BR” to “EST W@H” Template
Window opens to enable binding a network to the template

Select Network to Bind to Template

Q-BR Address & VLANs post Bind

• Q-BR now has a 10.10.95.0/24 Subnet


• The MX IP is 10.10.95.1 – the first IP address in the range

Q-BR Reserved Addresses post Bind

• Q-BR now has Reserved IP Ranges


• First IP is 10.10.95.2
• Last IP is 10.10.95.4

Navigating to unbind a Network from a Template

Navigate to Configuration templates

Window with Template opens

Click on Template

Navigating to unbind a Network from a Template

Click Unbind

Check box for network

Window pops up

Click OK

2nd Window pops up

Click Close

Save Changes

Q-BR after Un-Bind – Address & VLANs

Returns to Default VLAN and Addressing

Subnet 192.168.128.0/24 / MX IP 192.168.128.1

Q-BR after Un-Bind - DHCP

Returns to No Reserved IP range

Local Overrides

Security
• Access Control
• Splash Page
• Content Filtering
• Threat Protection
• Advanced Malware Protection
• Intrusion Detection and Prevention
• Event Log

Access Control
Network Access

Network Access Control

Captive Portal Strength

Walled Garden

Controller Disconnection Behavior

Access Control Configuration – Direct Access
• Access Control
• Select VLAN
• Network Access
• Splash Page
• Network Access Control
• Captive Portal Strength
• Walled Garden
• Controller Disconnection Behavior

Callouts: Target VLAN; No Splash Page

Path = Security Appliance > Configure > Access Control

Article ID: 4364

Splash Page

• Message
• Splash Logo
• Splash Language
• Splash Behavior
• Splash Frequency
• Where should users go after splash page?

Callouts: Target VLAN; No Option for Splash Page

Path = Security Appliance > Configure > Splash Page

Article ID: 4365

Access Control Configuration – Click Through
• Access Control
• Select VLAN
• Network Access
• Splash Page
• Network Access Control
• Captive Portal Strength
• Walled Garden
• Controller Disconnection Behavior

Callouts: Target VLAN; Splash Page

Path = Security Appliance > Configure > Access Control

Splash Page
• Message
• Splash Logo
• Splash Language
• Splash Behavior
• Splash Frequency
• Where should users go after splash page?

Path = Security Appliance > Configure > Splash Page

Access Control Configuration – Sign On
• Access Control
• Select VLAN
• Network Access
• Splash Page
• Network Access Control
• Captive Portal Strength
• Walled Garden
• Controller Disconnection Behavior

Callouts: Target VLAN; Sign-On

Path = Security Appliance > Configure > Access Control

Access Control Configuration – Facebook Wi-Fi
• Access Control
• Select VLAN
• Network Access
• Splash Page
• Network Access Control
• Captive Portal Strength
• Walled Garden
• Controller Disconnection Behavior

Callout: Create Page

Path = Security Appliance > Configure > Access Control

Splash Page
• Message
• Splash Logo
• Splash Language
• Splash Behavior
• Splash Frequency
• Where should users go after splash page?

Callout: Splash Page Settings on Facebook Wi-Fi

Path = Security Appliance > Configure > Splash Page

Demo Access Control
Content Filtering

Identity Based Filtering Policies

Scalable database with SafeSearch integration

Automatic, cloud-based signature updates

Content Filtering
• Category Filtering
• Blocked Website Categories
• URL Category List Size

• Search Filtering
• Web Search Filtering
• Restricted YouTube Content

• URL Blocking
• Blocked URL Patterns
• Whitelisted URL Patterns

Path = Security Appliance > Configure > Content Filtering

Article ID: 4170


Event Log - 1

• Using the Event Log
• Filtering the Event Log by
• Client or Cisco Meraki Device
• Date and Time
• Event Type

Path = Security Appliance > Monitor > Security Center

Article ID: 1965


Event Log - 2

Client Status

Article ID: 2033


Demo Content Filtering
Intrusion Prevention and Detection
Deployment Modes: Detection, Prevention

Ruleset: Connectivity, Balanced, Security

Intrusion, Detection and Prevention Modes

• Mode
• Whitelist URLs
• Whitelist Files

Path = Security Appliance > Configure > Threat Protection

Intrusion, Detection and Prevention Ruleset

• Connectivity
• Balanced
• Security

Path = Security Appliance > Configure > Threat Protection

Advanced Malware Protection (AMP)

• Mode
• Whitelist URLs
• Whitelist Files

Path = Security Appliance > Configure > Threat Protection

Article ID: 4056


Demo IPS and AMP
Make a Wish – For a Cisco Coffee Mug

When working with Meraki, what does it mean to “make a wish”

I wish this page would….
….Request a feature on a page within the portal

Where do we go from here?

• Beta
• Expansion Topics

Coming soon to an MX near you
• PIM-SM: Configure PIM routing over Auto VPN for multicast communication between clients and a multicast source with IGMP.
• No-NAT: Allows configurations where traffic egressing the WAN interface will maintain the private source address.
• VPN Exclusions: Allows specified traffic to exit an MX locally, as opposed to getting full-tunneled, when a default Auto VPN route is configured.
• Source-based routing: Traffic can be re-routed based on its source IP address without regard for the destination IP.
• Umbrella Integration on the MX: MX devices will apply unique policies per VLAN. The MX will intercept all DNS lookups with policy applied and forward these to Umbrella.
• IKEv2 for non-Meraki VPN: IKEv2 will be supported for both non-Meraki and Client VPN on the MX.

Expansion Topics
• Umbrella – DNS
• Multicast
• Meraki vMX (Amazon, Azure)
• API Integration
• DNA Center
• ISE

Conclusion
Continue your education
• Demos in the Cisco campus
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions


Thank you

Voice Bandwidth Links & Tools
• Voice Bandwidth Table
http://www.cisco.com/c/en/us/support/docs/voice/voice-quality/7934-bwidth-consume.html

• Voice CODEC Bandwidth Calculator
https://cway.cisco.com/tools/vccalc/

• High-Density Packet Voice Digital Signal Processor Modules
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/2800-3800-high-density-packet-voice-digital-signal-processor/prod_qas0900aecd8016c6ad.html

• PVDM Calculator
http://www.cisco.com/web/applicat/dsprecal/dsp_calc.html

• Voice TCP & UDP Port information for CUCM
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_0_1/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90_chapter_01.html#CUCM_TP_P019EF1A_00

Meraki using the backup connection method

Meraki using the primary connection method
