
Understanding Meraki Cloud Architecture

The Cisco Meraki cloud-managed platform is the backbone of the highly available, secure and efficient Meraki solution, and it is what allows a newly claimed device to be onboarded instantly with access to every feature in the Meraki dashboard. The key components of this architecture are the Cisco Meraki data centers, the cloud communication between devices and the Meraki backend, and the security built into both the products and the infrastructure.

Data Centers

Cisco Meraki operates multiple data centers around the world. This provides high availability, keeps data in-region where data sovereignty rules in sensitive countries and regions require it, and gives devices high-speed paths for reliable cloud management traffic.

 

Each region (North America, EMEA, APAC and China) has, at minimum, a matched pair of geographically separate data centers, and an endpoint's primary Meraki server is located in one of the pair for its region. The table below lists the data centers serving each region.

Region         | Data centers
---------------|-------------------
North America  | San Diego, Dallas
EMEA           | Frankfurt, Munich
APAC           | Sydney, Singapore
China          | Shanghai, Tianjin

Cloud Infrastructure Technology

Meraki stores customer data in data containers on Meraki servers: secure, multi-tenant UCS servers that each hold up to 1,000 customers. Data belonging to different customers is fully segregated, and all sensitive data is encrypted at rest on these servers.

Data Storage

The Meraki data centers hold the active configuration data for Meraki devices and historical network usage data. Each data center houses multiple compute servers, and those servers are where customers' network data is held.

 


Device Configurations

A device's configuration is stored as a container in the Meraki backend and sits in a stable state. When an administrator changes the configuration, the container is updated and the result is pushed to the device associated with that container. Because the container is updated in the cloud first, a network or device can be fully configured while it is still offline; the device pulls down the most recent configuration the next time it connects to the internet.

 


Network Usage Data Retention

Meraki keeps network data such as application usage, configuration changes and event logs within the backend. All of this data is retained in perpetuity, although data from the last 30 days is the most readily accessible from the Meraki dashboard. Meraki uses a proprietary database system to make this data easy to search and reference.

 


Segregated Customer Assets

Meraki also keeps any assets a customer uploads, such as custom floor plans, splash-page logos, and IVR menus and voicemail greetings. These items are used within the Meraki dashboard only for the customer that uploaded them and are therefore stored in a securely segmented way.

 


High Availability Infrastructure

Meraki provides high availability (HA) in several ways to keep the service available to customers. Network connections into and out of the data centers are high-bandwidth and highly resilient. The shared HA structure keeps data available in the case of a localized failure, and the data center backup architecture keeps data available in the case of a catastrophic failure.

Network Connection High Availability

Meraki uses multiple high-speed connections out of each data center and constantly monitors them for integrity. Connectivity monitoring tests DNS reachability over each link and fails over to a secondary link when the primary link is degraded.

Meraki Server High Availability

A single device connects to multiple Meraki servers at the same time, so that all of its data is kept up to date on each server in case a failover is needed. The secondary Meraki server connection keeps the device's configuration and historical network usage data verified and available if the primary Meraki server fails.

 


Data Center Backup High Availability

Meraki keeps each active customer's data in a primary and a secondary data center (DC), synchronized in real time. If the primary DC fails, service fails over to the secondary DC, which holds the most recent stored configuration. Customer data is also backed up off-site to a tertiary location each night to guard against a catastrophic data center failure.

 


Data Privacy and Compliance

Overview

Connecting to a cloud solution means storing certain data in the cloud so that it is easy to use and access. To maintain integrity and security, a cloud infrastructure must account for the sensitivity of that data and the compliance rules that apply to it. Specific industries and geographies have laws protecting user data, and Meraki addresses these through its cloud infrastructure.

PCI

Cisco Meraki provides a comprehensive solution for building a PCI-compliant wireless environment, held to the standards of a Level 1 PCI audit (the most rigorous audit level). Cisco Meraki's security feature set addresses the requirements of the PCI Data Security Standard (PCI DSS), helping customers build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, and monitor network security.

EU & GDPR

The Cisco Meraki technical architecture and its internal administrative and procedural safeguards assist customers with the design and deployment of cloud-based networking solutions that comply with EU data privacy regulations, even in the absence of the US-EU Safe Harbor Framework.

GDPR

The European Union General Data Protection Regulation (GDPR) brings long-anticipated consistency to the data protection landscape in Europe. GDPR embodies the well-recognized privacy principles of transparency, fairness and accountability. Cisco Meraki is committed to helping customers and partners by protecting and respecting personal data, no matter where it comes from or where it flows. For more on Meraki and GDPR, see the GDPR Overview and the EU Privacy and Data Protection Compliance page.

China

To comply with Chinese law and to accommodate certain technical challenges, there are some differences between the standard dashboard and the China dashboard experience. Customers can select the China region when creating a new dashboard organization, where appropriate.

To comply with Chinese cybersecurity law, Cisco Meraki prohibits applying "Advanced Security" licenses to organizations that reside in the China service region.

Meraki users are strongly advised to ensure that their Meraki devices in mainland China are placed in an organization on Meraki's China service / dashboard.

If you are looking to expand your Meraki deployment into mainland China, engage the local Meraki China team to learn about the regulatory and privacy nuances. Read more at meraki.cn.

Device and Cloud Communication

Network and Management Data Segregation

Cisco Meraki's "out of band" control plane separates network management data from user data. Management data (configuration, statistics, monitoring and so on) flows from Cisco Meraki devices (wireless access points, switches and security appliances) to the Cisco Meraki cloud over a secure internet connection. User data (web browsing, internal applications and so on) does not flow through the cloud; it goes directly to its destination on the LAN or across the WAN.

 


Security Connectivity

Management data in transit is carried in a lightweight IPsec tunnel that uses AES for encryption and SHA-based hashing for integrity and authentication (SHA is a hash family rather than a cipher, so it protects the data from tampering while AES protects it from disclosure). Inside the tunnel, Meraki uses HTTPS and Protocol Buffers for a secure and efficient exchange that consumes on the order of 1 kbps per device when the device is not being actively managed.

 


Cloud Management Architecture/Communication

In the cloud-to-device RPC model the Meraki hardware device acts as the server/receiver: the Meraki cloud initiates calls to the device for data collection and configuration deployment over the management tunnel the device has established outbound to the cloud. Because the cloud holds the configuration and initiates these calls, a configuration can be entered before the device is online, or even before it is physically deployed. Once the device receives the configuration from the Meraki cloud, the settings are stored locally on the device until an administrator initiates a change. Meraki uses an event-driven RPC engine for devices to communicate with the Meraki dashboard and for Meraki servers to send data (configuration, firmware, etc.) and receive data (client, application, etc.).

 

Because the configuration is stored locally, the device keeps running with its last known configuration if cloud connectivity is lost (most commonly because of a local ISP or connection failure), until cloud connectivity is restored.

Note that only management data is sent to the Meraki cloud; WAN data is routed normally.

Security Embedded in Architecture

Security as a Design Philosophy

Security is pivotal in the execution of a cloud-hosted solution. Meraki considers security a key tenet of the design philosophy and incorporates security into the devices, the infrastructure access and into business operations.

 

Security as a design philosophy includes securing all components in the solution, the infrastructure, the process and the people.  

Data Security

The data service is powered by a multi-tier data storage architecture. It is designed to store different types of data in a highly redundant and scalable fashion.

 

Cisco Meraki stores three major types of data:

  1. Network configuration data - includes network settings and configurations made by customers in the Meraki Dashboard

  2. Network analytics data - includes client, traffic and location analytics data, providing visualizations and network insights into traffic and foot patterns across customer sites

  3. Customer uploaded assets - includes any uploaded assets, such as custom floorplans, splash logos and IVR menus / voicemail greetings

Communication Security

Communication between devices and the cloud must be encrypted and authenticated to prevent man-in-the-middle attacks, which could otherwise read sensitive information such as passwords or alter configuration in flight. Meraki's device-to-cloud communication uses AES for encryption and SHA-based hashing for integrity, so that all data is protected in transit.

 


Device Security

Meraki devices use secure boot, signed software images and a hardware trust anchor, as part of the Cisco Secure Development Lifecycle, to maintain hardware and software integrity.

Operations Security

To secure operations behind the curtain, the Cisco Meraki cloud's staff operations cover both personnel security and infrastructure security.

 

Access for Meraki personnel is granted only to users with a business need, using PKI and two-factor authentication to verify identity. This access is audited monthly and unnecessary access is removed.

 

Infrastructure is protected by 24/7 video surveillance of the physical facilities, daily vulnerability testing performed by McAfee, and quarterly application and server penetration testing by the Cisco InfoSec team. Additionally, the data center infrastructure is SSAE-16, SAS 70 Type II and/or ISO 27001 certified.

Programmability

API Technology Overview


The Cisco Meraki Dashboard API is a modern RESTful API that uses HTTPS for transport and JSON for object serialization. It provides programmatic control of the Meraki solution and scales with the Meraki platform itself.

 

Programmability extends control of Meraki devices beyond the dashboard's visual interface. This allows a customer, partner or service provider to build their own best practices for deployment, management and troubleshooting on top of the platform's programmability endpoints. By exposing an open API, Meraki makes the cloud platform usable at a deeper level for more efficient and powerful solutions, and users can build their own automation and deployment tooling on it.

 

API keys are tied to a specific user in the Meraki platform. If an individual has administrative access to multiple Meraki organizations, a single key can configure and control all of those organizations; a key therefore carries the full privilege of the user it belongs to, so it should be generated for a dedicated, least-privileged administrator account and handled as a secret. Meraki currently supports 300 API calls per minute per organization.
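As an added example (not Meraki's own SDK or code), the client below shows how a practitioner would handle the two points above: the key is read from the environment rather than hard-coded, because one key reaches every organization its owner administers, and calls are paced against the 300-per-minute budget with a back-off on HTTP 429 responses. The X-Cisco-Meraki-API-Key header and the api.meraki.com/api/v1 base URL are Meraki's documented conventions; the organization ID, the key value and the canned responses are constructed so the example runs offline.

```python
"""Minimal Dashboard API client: key handling, per-organization rate limiting
and 429 back-off.  Added example, not Meraki's SDK.  Assumes the
X-Cisco-Meraki-API-Key header and https://api.meraki.com/api/v1 base URL;
the transport is injectable so the demo runs against a constructed stand-in."""
import json
import os
import time
from collections import deque

BASE_URL = "https://api.meraki.com/api/v1"
CALLS_PER_MINUTE = 300  # per-organization budget stated on this page


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls in any `window` seconds."""

    def __init__(self, limit=CALLS_PER_MINUTE, window=60.0,
                 clock=time.monotonic, sleeper=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleeper = clock, sleeper
        self.calls = deque()  # timestamps of calls still inside the window

    def acquire(self):
        """Block until a slot is free; return the seconds waited."""
        waited = 0.0
        while True:
            now = self.clock()
            while self.calls and now - self.calls[0] >= self.window:
                self.calls.popleft()
            if len(self.calls) < self.limit:
                self.calls.append(now)
                return waited
            wait = self.window - (now - self.calls[0])
            self.sleeper(wait)
            waited += wait


class DashboardClient:
    def __init__(self, api_key, transport, limiter=None, max_retries=3):
        # Never hard-code the key: it carries every privilege of the user it
        # belongs to, across every organization that user administers.
        if not api_key:
            raise ValueError("no API key: set MERAKI_DASHBOARD_API_KEY")
        self.api_key = api_key
        self.transport = transport  # callable(method, url, headers) -> (status, headers, body)
        self.limiter = limiter or RateLimiter()
        self.max_retries = max_retries

    def get(self, path):
        url = BASE_URL + path
        headers = {"X-Cisco-Meraki-API-Key": self.api_key, "Accept": "application/json"}
        for attempt in range(self.max_retries + 1):
            self.limiter.acquire()
            status, resp_headers, body = self.transport("GET", url, headers)
            if status == 429 and attempt < self.max_retries:
                # The API says how long to back off; honour it (header lookup is case-insensitive).
                retry_after = next((v for k, v in resp_headers.items() if k.lower() == "retry-after"), "1")
                self.limiter.sleeper(float(retry_after))
                continue
            if status >= 400:
                raise RuntimeError(f"GET {path} -> HTTP {status}")
            return json.loads(body)


def urllib_transport(method, url, headers):
    """Real transport for production use (stdlib only)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def make_fake_transport(responses):
    """Constructed stand-in for HTTP: replays canned (status, headers, body) tuples."""
    queue, calls = list(responses), []

    def transport(method, url, headers):
        calls.append((method, url, headers.get("X-Cisco-Meraki-API-Key")))
        return queue.pop(0)

    transport.calls = calls
    return transport


class FakeClock:
    """Constructed clock so waits can be observed without really sleeping."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def demo():
    """Offline walk-through: first call is throttled (429, Retry-After: 2); the retry succeeds."""
    clock = FakeClock()
    limiter = RateLimiter(limit=3, window=60.0, clock=clock.time, sleeper=clock.sleep)
    transport = make_fake_transport([
        (429, {"Retry-After": "2"}, b""),
        (200, {}, json.dumps([{"id": "N_1", "name": "HQ"}]).encode()),
    ])
    client = DashboardClient("0123456789abcdef", transport, limiter)  # constructed key
    networks = client.get("/organizations/123456/networks")  # hypothetical org ID
    return networks, clock.now, len(transport.calls)


if __name__ == "__main__":
    print(demo())
    key = os.environ.get("MERAKI_DASHBOARD_API_KEY")  # real use: key from the environment
    if key:
        print(DashboardClient(key, urllib_transport).get("/organizations"))
```

The transport is injectable so the same client can be exercised against the constructed stand-in or the real urllib transport. In production, also treat HTTP 403 as a signal that the key was revoked or lacks rights on that organization, and never write the key to logs.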

 


Integration through APIs

APIs are powerful tools that expand the Meraki platform and accelerate integrations with other technologies. Through the APIs, third-party businesses and partners have built their own solutions on top of the platform's native capabilities. Examples and solutions can be found at create.meraki.io.

 

APIs also assist in creating deep technical integrations across other Cisco platforms, including seamless integration into Cisco DNA Center and security integrations with Umbrella and AMP through Cisco Security Connector.  

 

This continued and focused investment in APIs and integrations helps meet the needs for massive customer deployments, developers, and hybrid customers, among others.

 

The Meraki platform also offers a wireless scanning capability outside the scope of the dashboard. The Scanning API delivers data from the Meraki cloud about nearby Wi-Fi clients (associated and non-associated) and Bluetooth Low Energy (BLE) devices detected by the access points. The detected elements are exported as an HTTP POST of JSON data to a destination server that you specify. The raw data is aggregated from all access points within a dashboard network and sent directly from the cloud to the organization's data warehouse or business intelligence system. The posts occur frequently, typically batched every minute for each wireless access point.
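The receiver side of that exchange, as an added example that is not Meraki's code: it answers the validator challenge the cloud makes on GET, rejects any POST whose shared secret does not match (constant-time compare, since the secret is the only authentication on an endpoint reachable from the internet), bounds the body size, and flattens the observations for loading into a warehouse. It assumes the version 2.0 post layout (top-level secret, version, type and data, with observations carrying clientMac, seenEpoch, rssi and ssid); other versions use different field names. The validator, secret and sample post are constructed placeholders.

```python
"""Scanning API receiver: validator on GET, secret check on POST, flattened rows.
Added example, not Meraki's code.  Assumes the version 2.0 post layout;
VALIDATOR and SECRET are hypothetical placeholders."""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

VALIDATOR = "0123456789abcdef0123456789abcdef"  # hypothetical; copy from the dashboard
SECRET = "replace-with-the-secret-set-in-dashboard"  # hypothetical
SUPPORTED_TYPES = {"DevicesSeen", "BluetoothDevicesSeen"}
MAX_BODY = 4 * 1024 * 1024  # refuse oversized posts before parsing them


class RejectedPost(Exception):
    """Raised for posts that fail authentication or validation."""


def parse_scanning_post(raw, expected_secret, version="2.0"):
    """Authenticate one post and return its observations as flat dicts."""
    try:
        msg = json.loads(raw)
    except ValueError as err:
        raise RejectedPost("body is not JSON") from err
    if not isinstance(msg, dict):
        raise RejectedPost("body is not a JSON object")
    secret = msg.get("secret")
    # Constant-time compare: the secret is the only thing proving the post came
    # from the Meraki cloud rather than from anyone who found the URL.
    if not isinstance(secret, str) or not hmac.compare_digest(secret.encode(), expected_secret.encode()):
        raise RejectedPost("bad secret")
    if msg.get("version") != version:
        raise RejectedPost(f"unsupported version {msg.get('version')!r}")
    kind = msg.get("type")
    if kind not in SUPPORTED_TYPES:
        raise RejectedPost(f"unsupported type {kind!r}")
    data = msg.get("data")
    if not isinstance(data, dict):
        raise RejectedPost("missing data")
    rows = []
    for obs in data.get("observations") or []:
        mac = obs.get("clientMac") if isinstance(obs, dict) else None
        if not isinstance(mac, str) or len(mac) != 17:
            continue  # drop malformed observations rather than rejecting the whole batch
        rows.append({
            "type": kind,
            "apMac": data.get("apMac"),
            "clientMac": mac.lower(),  # normalise so the same client dedupes downstream
            "seenEpoch": obs.get("seenEpoch"),
            "rssi": obs.get("rssi"),
            "ssid": obs.get("ssid"),
        })
    return rows


class ScanningHandler(BaseHTTPRequestHandler):
    sink = []  # replace with a writer to your warehouse / BI system

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # The cloud fetches the validator string once, when the URL is saved.
        self._reply(200, VALIDATOR.encode())

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length <= 0 or length > MAX_BODY:
            return self._reply(413)
        try:
            rows = parse_scanning_post(self.rfile.read(length), SECRET)
        except RejectedPost as err:
            self.log_message("rejected post from %s: %s", self.client_address[0], err)
            return self._reply(403)
        self.sink.extend(rows)
        self._reply(200)


# Constructed sample post in the 2.0 layout (not real captured data).
SAMPLE_POST = json.dumps({
    "version": "2.0", "secret": SECRET, "type": "DevicesSeen",
    "data": {"apMac": "00:18:0a:00:00:01", "apFloors": ["Floor 1"], "apTags": ["lobby"],
             "observations": [
                 {"clientMac": "AA:BB:CC:DD:EE:01", "seenEpoch": 1700000000, "rssi": 23, "ssid": "Guest"},
                 {"clientMac": "aa:bb:cc:dd:ee:02", "seenEpoch": 1700000005, "rssi": 11, "ssid": None},
                 {"clientMac": 12345},  # malformed: skipped
             ]}}).encode()


def demo():
    """Parse the sample with the right secret; return the flattened rows."""
    return parse_scanning_post(SAMPLE_POST, SECRET)


if __name__ == "__main__":
    print(demo())
    # Run behind a TLS-terminating reverse proxy; register the HTTPS URL in the dashboard.
    HTTPServer(("0.0.0.0", 8080), ScanningHandler).serve_forever()
```

Run it behind a TLS-terminating reverse proxy and register the HTTPS URL in the dashboard. Rotate the secret if the URL ever leaks: anyone who knows both can inject fabricated client sightings into your analytics.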

 


Article ID: 7099