Organizations are shifting their network landscape by moving on-prem applications to the public or private cloud. Previously all traffic was back-hauled through data centers, but now almost 80% of traffic is routed directly to the internet. Securing a network edge has always been complex and with this change in network infrastructure, it became even more difficult to manage and secure an entire organization.
Secure Access Service Edge (SASE) is the convergence of Network as a Service and Security as a Service within a unified cloud delivered platform. Cisco+Secure Connect is Cisco’s unified SASE solution with an integrated Remote access capabilities, cloud managed network delivered through the Cisco Meraki cloud and centralized cloud managed security powered by Cisco Umbrella. This unified full stack SASE solution is one of its kind that delivers a complete end to end control, connectivity, security and policy management of remote users, branches and private applications.
This deployment guide outlines how to integrate your Meraki Secure SD-WAN fabric to the Cisco+Secure Connect solution and manage both the remote worker and SD-WAN branch network connectivity and security using the Cisco+Secure Connect cloud dashboard.
Managing and Interconnecting branch to branch using Cisco+ Secure Connect fabric.
Connectivity from branch to private applications deployed in remote branches or public or private clouds using the same fabric.
Establishing connectivity between remote users and branches (with private applications) located globally.
Inspect and secure all internet bound traffic (both remote user and branch) from a single cloud delivered platform
Onboarding - Getting your Cisco+ Secure Connect Dashboard
In order to begin, you'll first need to integrate Cisco Meraki and Cisco Umbrella management together for a seamless experience. For further instructions, see Cisco+ Secure Connect Onboarding
Deploying your Cloud Hubs and Enrolling your Sites
After successfully onboarding your organization to Cisco+ Secure Connect, to connect your remote users please follow the remote user setup guide.
Integrating Meraki SD-WAN branches to Cisco+ Secure Connect fabric is a simple automated process that requires the deployment of Cloud Hubs in geo-friendly Data Center pairs and then establish Auto VPN from branch networks to the Cloud hubs. This entire flow is completely automated and establishes an interconnect between Meraki SD-WAN branches, Remote Users and the entire fabric secured by Cisco Umbrella.
The following highlights the step by step workflow to deploy your Meraki Umbrella SD-WAN Cloud Hubs using the Cisco+ Secure Connect dashboard and then connecting your Meraki SD-WAN branches to these connector hubs deploying in the Umbrella cloud.
Starting the Site-Enrollment work-flow
Click the Sites Secure Connect → Under Monitor → Sites
Meraki branch networks are known as “Sites” and the Meraki Umbrella SD-WAN Connector hubs deployed in Cisco Umbrella cloud are known as “Cloud Hubs”.
Configure Meraki Cloud Hubs - Step 1
The Meraki SD-WAN branch sites Auto VPN to Cisco+ Secure Connect fabric through an intermediate “Cloud Hub”. Multiple Meraki SD-WAN branch sites can connect to a primary/secondary Cloud Hub pair deployed in desired DC regions.
Click on > Configure Meraki cloud Hubs
Adding your first “CloudHub” connector. Click on > Add your First Cloud Hub
Name your Cloud Hub and choose the required DC region pair from the drop down.
To deploy additional Cloud Hubs, Click on > Add Cloud Hub and Save Changes after choosing your DCs and Cloud Hub name.
Every organization with 20 Meraki SD-WAN branch networks or less are allowed 1 Cloud Hub deployment (i.e. 1 CloudHub each in a specific DC region pair). Successively for every additional 20 Meraki SD-WAN branch networks an additional deployment is allowed. The maximum number of Cloud Hubs allowed for an organization is 20 Cloud Hub deployments. Adding additional Cloud Hubs will require further evaluation and approvals, please reach out to your SE counterpart or Support for additional deployments.
Option to delete your CloudHub deployment - Click on the dotted line icon and choose “Delete Cloud Hub”. For existing CloudHubs click on Save Changes to delete them.
This completes the configuration of Meraki Cloud Hubs sections, now moving to the final step in the workflow which is Connecting Meraki Networks to your configured Cloud Hub.
Connecting Meraki SD-WAN Branch Networks - Step 2
Click on > Connect Meraki Networks to integrate your Meraki SD-WAN branch networks to Cisco+ Secure Connect and connect as sites to the deployed Cloud Hubs.
Selecting Meraki SD-WAN branch networks and connecting them to required Cloud Hubs
Scroll down to the Meraki Networks section (this lists all the Meraki SD-WAN branch networks configured as Spokes and in Off state). Search and select all the networks that need to be connected to a particular Cloud Hub.
Click on > "Assign Networks to Cloud Hub" and from the drop down list select the Cloud Hub that you want to connect all the selected branch networks.
After selecting the Cloud Hub from the "Assign Networks to Cloud Hub" drop down, all the selected networks are automatically added to the selected Cloud Hub.
Repeat the same step to search and select other networks and connect them to a different Cloud Hub deployment.
Due to the default Meraki Auto-VPN hub to hub routing design, all VPN hubs in an organization will automatically tunnel to all other hubs in an organization. This behavior changes for the Cloud Hubs, when Cloud Hubs are deployed, all other hubs in the organization outside of the Secure Connect Sites will not tunnel to SIG and all hub traffic will not be defaulted to Umbrella-SIG.
To Add Private-Apps behind Hubs or Branch Sites configured as Hubs to the Secure Connect Sites, the recommendation is to change the Hubs to Spokes and then select the Branches according to the above flow or else please reach out to your SE counterpart or Support to enable Hub to Hub routing organization wide.
We have the provision to re-assign networks from on Cloud Hub to another and also the option to remove networks from a Cloud Hub association.
Just select the networks you want to re-assign and then Click on > Reassign networks drop down and choose the Cloud Hub you want to move the network to and automatically the network gets moved to the selected Cloud Hub.
Just select the networks you want to remove from the Cloud Hub association and then Click on > Reassign networks drop down > Remove from Cloud Hub and automatically the network gets removed from the selected Cloud Hub.
Choosing your primary Cloud Hub from the DC pair for the selected Meraki Branch networks associated with that particular Cloud Hub
In a particular Cloud Hub (for ex: HQ Site or Branch Site) section, Select all the networks or the required networks and in the Primary CloudHub column choose from the drop down which DC location you want to choose as your primary hub where all traffic is routed, the other location will automatically be your secondary hub which will be the automatic failover hub incase the primary goes down or is out of rotation.
Recommendation for deployments
The primary selected Cloud hub will be the active network where all the spoke traffic will be routed. The second one in the pair will become active only when the first one goes offline.
Adding 1 Cloud hub to a spoke creates 2 tunnels to the corresponding DC pairs with Primary Cloud Hub as the one that is chosen and the automatically the secondary location becomes the Secondary Cloud Hub.
Both Cloud Hub networks part of a DC pair( Ex: Los Angeles and Palo Alto connectors) are active-active deployments.
Consider for example an organization with 200 Branches (spokes). if we attach 100 branches with LA Cloud Hub as primary and automatically Palo Alto Cloud Hub becomes secondary hub. Then attach the other 100 branches with Palo Alto Cloud Hub as primary and LA as secondary Cloud Hub. Then we are using up a total of 100 tunnels in Los Angeles and 100 tunnels in Palo Alto, when Los Angeles goes down then Palo Alto will service the traffic of the entire 200 tunnels.
For larger branches based on the above example, please make sure to load-balance your branches keeping in mind the sizing considerations of UMB-SIG connectors.
After reviewing the entire deployments and network selections, Click on > Review and Confirm.
Once you Click on > Add Meraki networks as Secure Connect sites,
This completes the Step 2 and the entire workflow of integrating your Meraki SD-WAN Branches to Cisco+ Secure Connect.
Sites Overview and Monitoring
After successfully deploying all the Cloud Hubs and establishing Auto VPN connection from Meraki SD-WAN branch networks to the Cloud Hubs, this completes integration of the Meraki SD-WAN branch networks to the Cisco+ Secure Connect fabric. The sites page will list all the Meraki SD-WAN branch Sites onboarded to the Cisco+ Secure Connect fabric and all the deployed Cloud Hubs.
Addition of New Cloud Hubs or Deletion of existing Cloud Hubs
For any addition or deletion Cloud hubs, on top right of the Sites page click on "Connect Meraki Networks" > from the drop down choose "Manage Cloud Hubs". This will navigate back to the Cloud Hubs page where we can delete or add Cloud Hubs in the same way it was previously done.
Addition or Removal of Meraki Networks
Adding new Meraki SD-WAN branch networks or re-arranging or removal of existing branch networks can be done navigating from the Sites page - on the top right click on "Connect Meraki Networks" > from the drop down choose "Meraki Networks". This will navigate back to the Sites Enrollment page where we can, add new Meraki Networks to existing Cloud Hubs, reassign Meraki networks between Cloud Hubs and toggle between Primary/Secondary DC hubs.
All Meraki SD-WAN branch sites onboarded to Cisco+ Secure Connect can be monitored from the Sites page for any connectivity issues. On the Sites page, just hovering over the connectivity bar on any one of the site from the list of all the onboarded networks will give complete details (including date and time) on the connectivity status of that particular branch site.
Clicking on any one of the onboarded SD-WAN branch Site will display a side bar for that particular site. This side bar will give the following details:
- The Meraki MX device info for that particular Site and a navigation to the "Applicance Status" page for any device based configuration, status and troubleshooting information.
- The list of Local Networks with associated subnets and a link to navigate to the Site-to-Site page, where we can choose which subnets needs to have VPN enabled and traffic passing through the Auto VPN tunnel
- Information of the Cloud Hub pair to which the Site is connected with primary and secondary in order.