Deciding between SD-WAN vendors can be one of the most complex choices an organization makes on its journey to a resilient, sustainable, secure and efficient wide area network. So far in CDW’s SD-WAN Vendor Overview blog series, we have shared introductions to both Cisco SD-WAN and Silver Peak SD-WAN.
While the introduction to different vendors is important, I’ve also written extensively about some of the key tenets of SD-WAN, the vendor selection process and items to consider when deploying SD-WAN solutions. All of these previous publications take a “vendor agnostic” lens to the SD-WAN discussion and highlight key concepts that will apply to any vendor your organization may be considering.
These blogs are linked below for convenience:
Before we get started, it’s important to note that even though Meraki SD-WAN shares the Cisco logo, it’s a different solution than Cisco SD-WAN, powered by Viptela, which was discussed in a previous blog.
Solution Overview: Meraki
Meraki SD-WAN is a viable contender in the SD-WAN space, but Meraki takes a different approach to its value proposition than providers such as Cisco (Viptela) or Silver Peak, which we’ll refer to as “pure-play” providers. Meraki places a significant emphasis on its full platform capabilities (switching, wireless, SD-WAN, security cameras and more) and the management of those components from a single dashboard interface. From the SD-WAN perspective, organizations seeking a simpler approach to rapid, template-based deployment should pay close attention to Cisco Meraki’s product lineup.
Meraki provides enterprises with a fully cloud-managed, vendor-hosted system that can extend beyond SD-WAN and provide a complete platform of security and SD-WAN appliances, switching, wireless, endpoint management and video surveillance components. In addition to the full-platform capabilities of the Meraki solution, enterprises are also presented with the ability to perform complex analytics and customer interfacing through the use of APIs, near-field marketing tools and network-augmented customer experiences, with a lower overall cost of ownership than any other SD-WAN vendor.
Solution Elements and Terminology
Meraki cloud dashboard: The Meraki cloud dashboard is a vendor-hosted, centralized management system providing full control over the entire portfolio of Meraki products. In addition to orchestration of the overall Meraki solution, the cloud dashboard can also provide services to Meraki equipment and systems such as cloud-hosted RADIUS, video analytics and custom reporting.
Meraki MX security appliance: The Meraki MX security appliance is the endpoint of the Meraki SD-WAN solution. MX appliances are available in a wide variety of sizes to accommodate remote teleworkers, small branch offices and large campus environments. MX appliances are also available as virtual appliances within the Azure and AWS marketplaces and can be leveraged for private-cloud connectivity.
Meraki AutoVPN: By leveraging their cloud managed dashboard for orchestration, Meraki has developed a simple-to-deploy site-to-site VPN solution coined AutoVPN. Meraki AutoVPN allows for dynamic creation of Layer 3 IPsec tunnels in just two clicks within the Meraki dashboard with automatically brokered and configured VPN parameters. MX appliances configured for AutoVPN can self-heal in the event of WAN outage when they have access to multiple transport circuits, creating a dynamic and resilient VPN solution for simplified deployments.
Key Solution Features
The sections that follow outline a subset of the key features, capabilities and benefits of the Cisco Meraki SD-WAN platform in additional detail.
Simplified Deployment and Management
Cisco Meraki, as an organization, strives to provide a simplified user experience across the entirety of the platform for management, analysis and configuration of devices. Meraki MX security appliances can be deployed in as little as three clicks within the Meraki dashboard and provide automated and dynamic configuration of site-to-site VPN connectivity and resiliency. This simplification through cloud management and device templatization allows for rapid, scalable and consistent deployment of remote sites across global organizations.
In addition to simplified user experience, Meraki also allows for a great amount of flexibility for reporting, analysis and distribution of information to stakeholders across the organization. Through webhooks, API automation or front-end dashboard reporting, critical information can be accessed and provided at a moment’s notice, all of which is stored securely on Meraki-hosted cloud servers.
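The webhook path mentioned above is the one most likely to feed a security team’s tooling, and the receiving end deserves the same care as the sending end: a receiver should refuse any post that does not carry the shared secret configured in the dashboard before it acts on the alert. The following Python receiver is an added example written for this post, not Meraki’s or CDW’s code. The payload field names (`sharedSecret`, `alertType`, `alertLevel`, `occurredAt`, `deviceSerial`, `networkName`, `alertData`) follow the Meraki webhook format as I understand it, the alert-type strings in `SECURITY_ALERTS` are assumptions to be confirmed against a test payload from your own dashboard, and the sample alert at the bottom is constructed for illustration.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder. In practice load the secret from a secret store;
# it must match the shared secret configured on the dashboard webhook receiver.
EXPECTED_SECRET = "replace-with-your-webhook-shared-secret"

# Alert names assumed to match the dashboard's security alerts; confirm against
# a real test payload before relying on this set.
SECURITY_ALERTS = {
    "Malware download blocked",
    "Malware download detected",
    "Security event",
}


def handle_payload(raw: bytes, expected_secret: str = EXPECTED_SECRET):
    """Validate and triage one webhook POST body.

    Returns (http_status, triage_record_or_None). A triage record is produced
    only when the shared secret matches AND the alertType is security-relevant.
    """
    try:
        payload = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return 400, None
    if not isinstance(payload, dict):
        return 400, None

    secret = payload.get("sharedSecret", "")
    # Constant-time comparison so the check does not leak secret length/prefix.
    if not isinstance(secret, str) or not hmac.compare_digest(
        secret.encode("utf-8"), expected_secret.encode("utf-8")
    ):
        # Missing or wrong secret: the post is untrusted, do not act on its content.
        return 403, None

    record = {
        "occurred_at": payload.get("occurredAt"),
        "network": payload.get("networkName"),
        "device": payload.get("deviceSerial"),
        "alert_type": payload.get("alertType"),
        "level": payload.get("alertLevel"),
        "data": payload.get("alertData", {}),
    }
    if record["alert_type"] in SECURITY_ALERTS:
        return 200, record
    # Valid but not security-relevant: acknowledge and drop.
    return 200, None


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint; put it behind TLS termination in real use."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, record = handle_payload(self.rfile.read(length))
        if record is not None:
            # Hand-off point: forward to a SIEM, ticketing system or chat channel.
            print(json.dumps(record))
        self.send_response(status)
        self.end_headers()

    def log_message(self, fmt, *args):  # keep stdout for triage records only
        pass


# Constructed sample alert, shaped like a dashboard webhook post.
SAMPLE_ALERT = {
    "version": "0.1",
    "sharedSecret": EXPECTED_SECRET,
    "organizationId": "000000",
    "networkName": "Branch-Example",
    "deviceSerial": "QXXX-XXXX-XXXX",
    "deviceModel": "MX68",
    "alertType": "Malware download blocked",
    "alertLevel": "warning",
    "occurredAt": "2023-01-01T12:00:00Z",
    "alertData": {"clientIp": "10.1.2.3", "fileSha256": "placeholder"},
}


if __name__ == "__main__":
    # Quick self-check, then serve on localhost:8080.
    print(handle_payload(json.dumps(SAMPLE_ALERT).encode()))
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Returning 403 rather than 200 for a bad secret makes misconfiguration visible in the dashboard’s webhook delivery log, which is usually the first place an administrator looks when alerts stop arriving.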
Unique among SD-WAN vendors, Meraki provides enterprises the ability to purchase, configure, manage and maintain a full platform of products across the organization from a single-pane-of-glass management dashboard.
In addition to the MX security and SD-WAN appliances, Meraki also offers MS series switches, MR series access points, Systems Manager (SM) mobility manager and Meraki Vision (MV) security cameras. Utilizing the full Meraki platform allows for consistency in configuration, management, access and capability across the enterprise, in addition to seamless integration between product lines, all orchestrated by the Meraki cloud dashboard.
Teleworker and Small Branch Integrated Wireless Options
The Meraki SD-WAN solution considers not only the fabric across the enterprise, but also the work-from-home users and small satellite branches that typically do not participate in a large SD-WAN overlay. The Meraki MX-CW series devices offer integrated LTE cellular backup, small branch wireless connectivity, or in some models both.
In addition to these small branch MX appliances, Meraki also provides a Z-series appliance that is designed specifically with teleworkers in mind. These appliances have a small desktop form factor and provide local wired and wireless connectivity and access for a remote user into the enterprise SD-WAN fabric via Meraki AutoVPN. These Meraki MX/Z appliances are full-featured security and SD-WAN appliances with a low-cost point-of-entry.
Integration of Next-Generation Security Features
Meraki MX security and SD-WAN appliances offer on-box advanced security features such as Cisco’s Advanced Malware Protection (AMP), Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). This integration of advanced security features, enabled via license selection, provides an enterprise with a full-featured set of security capabilities across the organization from the branch edge to the enterprise edge. Meraki’s Security Center, accessed via the cloud dashboard, provides an administrator with easy-to-understand contextual visibility into security threats and vectors across the organization.
Cisco AMP is powered by Cisco Talos threat intelligence to provide Meraki security appliances with up-to-date malware telemetry from more than 250 full-time threat researchers, 4 global data centers, more than 100 threat intelligence partners and millions of telemetry agents.
Cisco’s Intrusion Detection and Prevention (IDS/IPS) systems are powered by Snort and provide an easy-to-manage ruleset with three postures: geared towards user connectivity, a balanced approach to connectivity and security, or a preference for security over connectivity. Administrators also have the ability to whitelist specific Snort signatures in order to fine-tune the security policy to meet the organization’s needs.
In addition to the Talos- and Snort-powered feature sets above, MX appliances also provide a full-featured Layer 3 firewall, a Layer 7 firewall that provides application-layer traffic policing and geo-based firewall features, and a content filtering suite. The combined power of these security features allows an enterprise to apply end-to-end security policies rapidly and consistently across the organization.
Strengths and Areas for Improvement
As an organization supporting multiple infrastructure partners, CDW has spent a significant amount of time designing, deploying and testing Meraki-based SD-WAN solutions. As with any solution, there will always be caveats, “gotchas” or other potential roadblocks that arise during early testing and deployment. These caveats are not always identified in vendor-generated documentation and can cause significant problems for any solution when discovered mid-deployment. Through CDW’s variety of field experiences, our engineers have been able to identify, react to and document these caveats to ensure our customers are able to design and deploy Meraki networks with confidence in their decisions and designs. Below, I will discuss some of the platform’s greatest strengths, as well as some areas for improvement within the solution.
The strengths identified here are by no means an exhaustive list. Many of these items have been discussed in greater detail earlier; however, these features really shine within the Meraki architecture and deserve an extra round of applause.
- AutoVPN: Meraki’s AutoVPN system works beautifully between Meraki MX appliances. This seamless orchestration of VPN connectivity requiring minimal configuration provides a quick-to-deploy but reliable solution with a great option for interconnecting sites.
- Full stack: Meraki’s product portfolio provides organizations with the majority of network infrastructure components needed to fully optimize, secure and monitor traffic and activity within the organization. Paired with the Meraki dashboard, this single point of orchestration brings a compelling advantage to the platform.
- Analytics: We could have written an entire blog about what Meraki is doing with Insights. Insights applies across most of the company’s product line, but many of the WAN Insights are extremely valuable and provide actionable information in an easily accessible manner.
- Enhanced CPE security: With many customers moving to cloud-based security solutions via a secure access service edge (SASE) architecture, the requirement for branch edge security devices is changing. However, there are still organizations looking for increased security at the enterprise branch edge. Meraki can provide this via its on-box security set.
Areas for Improvement
As with the strengths noted above, this list is not exhaustive. However, gathered from the experiences of our engineers in the field, we feel that the feature gaps noted below have resulted in the most significant difficulties for customers.
- Full routing support: While Meraki provides some limited integration with standards-based routing protocols (OSPF and BGP), this interaction is not a full routing adjacency. Before placing Meraki MXs into an environment that requires dynamic routing, these features must be carefully analyzed and considered. In general, our engineers have found that in most deployments a significant amount of static routing is required for full integration with existing routing domains.
- WAN multicast support: Based on the underlying architecture of the AutoVPN tunnels, multicast traffic cannot transit Meraki WAN interfaces or AutoVPN fabrics.
- IPv6: At the time of writing, IPv6 is not supported on the MX platform at all, including the ability to transport it over AutoVPN.
- Private transports/L2 transports: While Meraki SD-WAN does support private transports such as MPLS, each WAN port on an MX requires internet connectivity to the Meraki dashboard, so you will need to ensure your underlay routing can provide that connectivity. If that connectivity to the internet is lost, the transport will become unusable, even if the transport itself is functioning properly.
It’s CDW’s strong recommendation to avoid attempts to run Meraki SD-WAN over a Layer 2 WAN transport such as Metro-Ethernet or VPLS. By nature, Meraki MX appliances require a gateway to be set on their WAN interfaces. With Layer 2 transports not providing a gateway for the edge devices that are connected, the MX is forced to use a user-defined gateway (typically another MX or CPE router at a head end location). Unfortunately, a backup default gateway cannot be set on an MX WAN port, resulting in a transport failure if this CPE device serving as the gateway falls offline or becomes otherwise unreachable, even if the transport is still available.
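Because a private or Layer 2 transport can be reported as down by the dashboard while the carrier circuit is perfectly healthy, it is worth monitoring the uplink state the dashboard itself sees and treating a "failed" private uplink as a prompt to test dashboard reachability via that port's gateway before opening a carrier ticket. The script below is an added example for this post, not Meraki's or CDW's code. It assumes the Dashboard API v1 endpoint `GET /organizations/{organizationId}/uplinks/statuses` and its response shape (`serial`, `uplinks[].interface`, `uplinks[].status`, `uplinks[].gateway`, with statuses such as `active`, `ready`, `failed` and `not connected`) as I understand them from the API reference; verify both against the current documentation. The `fetch_uplink_statuses` call is only for live use; the sample response and the `PRIVATE_UPLINKS` map are constructed so the check runs offline.

```python
import json
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"
HEALTHY = {"active", "ready"}

# Constructed inventory: which WAN port carries the private (MPLS / L2) transport
# on each appliance. Serials are placeholders.
PRIVATE_UPLINKS = {
    "QXXX-AAAA-0001": {"wan2"},
    "QXXX-AAAA-0002": {"wan2"},
}


def fetch_uplink_statuses(org_id: str, api_key: str):
    """Live call to the dashboard (assumed endpoint; not used by the offline check).

    The API key is a secret; load it from the environment or a vault, never from
    source control.
    """
    req = urllib.request.Request(
        f"{API_BASE}/organizations/{org_id}/uplinks/statuses",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def find_degraded_private_uplinks(statuses, private_uplinks):
    """Return one finding per private-transport uplink the dashboard reports as unusable.

    statuses: list of per-device dicts as returned by the uplinks/statuses endpoint.
    private_uplinks: {serial: set_of_interface_names} from the site inventory.
    """
    findings = []
    for device in statuses:
        serial = device.get("serial")
        watched = private_uplinks.get(serial, set())
        for uplink in device.get("uplinks", []):
            iface = uplink.get("interface")
            status = uplink.get("status")
            if iface in watched and status not in HEALTHY:
                findings.append({
                    "serial": serial,
                    "interface": iface,
                    "status": status,
                    "gateway": uplink.get("gateway"),
                    # The caveat from the post: the circuit may be fine and only the
                    # path from this port to the dashboard may be broken.
                    "next_step": "verify dashboard reachability via this gateway "
                                 "before escalating to the carrier",
                })
    return findings


# Constructed sample response: device 0001 has a healthy private uplink, device
# 0002's private uplink has lost dashboard connectivity even though its gateway
# (a head-end CPE on the L2 transport) is still configured.
SAMPLE_STATUSES = [
    {
        "serial": "QXXX-AAAA-0001",
        "model": "MX68",
        "uplinks": [
            {"interface": "wan1", "status": "active", "gateway": "203.0.113.1"},
            {"interface": "wan2", "status": "ready", "gateway": "10.255.0.1"},
        ],
    },
    {
        "serial": "QXXX-AAAA-0002",
        "model": "MX68",
        "uplinks": [
            {"interface": "wan1", "status": "active", "gateway": "198.51.100.1"},
            {"interface": "wan2", "status": "failed", "gateway": "10.255.0.1"},
        ],
    },
]


if __name__ == "__main__":
    for finding in find_degraded_private_uplinks(SAMPLE_STATUSES, PRIVATE_UPLINKS):
        print(json.dumps(finding))
```

Running this on a schedule and alerting on new findings gives an operations team the distinction the dashboard alone does not make: a private uplink that is "failed" because the head-end gateway or its internet path is gone, versus a circuit the carrier actually needs to repair.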
We like what Meraki is doing with their platform to solve real business problems for our customers, holistically, across the entire stack. Their SD-WAN solution could be a good fit for customers looking for a full-stack solution, assuming the items we have in areas for improvement are not major blockers. We are excited to see how this solution evolves over the years as the market continues to morph and grow.