
Cisco Meraki Documentation

Cisco Secure Connect Sites - Meraki SD-WAN Integration

Overview

Meraki SD-WAN branches can easily integrate with the Secure Connect cloud fabric using the Sites page. 


The UI guides the user through the required provisioning requests and shows real-time alerts on their progress and outcome.

The process involves the following:

  • Select SD-WAN networks in the Sites UI, group them into the desired regions, and click Finish to provision.
  • The cloud fabric then performs a set of actions before it can enroll branches using Auto-VPN.
  • Secure Connect deploys the new Hub devices and networks needed in the organization.
  • Cloud hubs that are already deployed are reused for additional sites being enrolled.
  • Each region requires a primary (active) and a secondary (backup) Hub to be deployed for resiliency.
  • The sites can then use Auto-VPN to attach to their selected region, which is part of the global cloud fabric.

Once all Sites provisioning tasks have completed successfully, tunnels are established and routes propagate to the new spokes. The Sites page can then be used to check which branches are enrolled in which regions, along with their status. Clicking a site name opens a right-hand drawer with the site's details. Below is an example with MX spokes enrolled in the two types of Secure Connect tunnels: Region and Cloud Hub.


Site Enrollment

There are two main options for connecting networks or sites to Secure Connect Data Centers:


1. Region (the cloud hub devices deployed for a region are referred to as the Enhanced Head-End), available in regions with Secure Connect Complete services:

  • This is the preferred method, offering quick enrollment and speeds of up to 500 Mbps per tunnel.
  • It enables branch-to-branch connectivity (East/West interconnect) as well as secure internet access for branch users.
  • Sites are added by clicking the "Add Sites" button, which allows MX networks to be selected and assigned to a region.
  • The cloud fabric provisions each hub device with the platform type CPSC-HUB and adds it to a new network whose name is prefixed with "Secure Connect-<DC name>".
  • Region hub devices with no associated branches have their networks cleaned up after the last branch is unenrolled.
  • Hub devices remain listed in the Organization > Configure > Inventory page for re-use in future provisioning tasks.

2. Cloud Hub, in regions with Secure Connect Foundation services:

  • This legacy method is only required for branches whose nearest region supports Foundation services only.
  • Branches connected to Cloud Hubs support only the internet access use case; the East/West interconnect use case is not supported.
  • Connecting via Cloud Hubs involves two steps: use the "Configure Cloud Hubs" button to provision and name the Hub in the nearest region, then use the "Add Sites" button to enroll the sites to that Hub.
  • The associated hub device platform type is UMB-SIG, and its network name is postfixed "<custom hub name>-<DC name>".
  • The hub network can be deleted using the "Configure Cloud Hubs" button on the Sites page.

Organizations holding a Foundation license should enroll in the nearest Complete region whenever possible. If the closest region is Foundation-only, Cloud Hubs must be set up in advance.

The status of Auto VPN tunnels should only be verified on the Meraki Dashboard. The Umbrella Dashboard page Secure Connect > Identities & Connections > Network Tunnels reports Auto VPN tunnels with the status "Unestablished"; that status should be ignored.

Understanding the Data Center Regions

Secure Connect Data Center Regions are designated as Complete-capable or Foundation-capable.

  • Regions that are not yet Complete-capable (shown as TBD for Complete but available for Foundation) require Cloud Hubs to be set up beforehand for branches to enroll in Secure Connect. Branches in these regions lack the East/West Private Access interconnect but can use internet access through Secure Connect.
  • Complete-capable regions provide a seamless, one-click process that auto-provisions the enhanced head-end and connects the selected branches. These regions support both internet and private access for attached branches and remote workers, with policy controls in the Cloud Firewall.

Guidelines on Maximum Number of SD-WAN Sites per Secure Connect Region

A Meraki organization has upper limits on the number of SD-WAN sites that can be enrolled in a Secure Connect region. These limits were validated under ideal lab conditions and should be used as guidance for large-scale deployments. If your organization has not completed the platform optimization described in the hub integration document, please contact support before proceeding.

Upper Limits by Deployment Method

When using templates, with enrolled sites in Spoke mode only:

  • A region can enroll up to 2,500 spokes across 5 or more templates.
  • For optimal performance, each spoke should advertise no more than 20 route prefixes via iBGP. These prefixes can include local subnets, static routes, or externally learned routes.
  • Cloud hubs can operate reliably within these limits.
  • Templates help stabilize the onboarding process and allow a higher limit.

When not using templates, with enrolled sites in Spoke mode only:

  • The recommended maximum is 1,000 spokes per region.
  • Sites should be enrolled in batches of 200 or fewer spokes, allowing each batch to fully complete provisioning in the Sites UI before proceeding to the next.
  • For optimal performance, each spoke is also constrained to no more than 20 route prefixes via iBGP into the cloud fabric.


When enrolling sites in Hub mode only:

  • The recommended maximum is 60 hubs per organization / region.
  • The hub hardware platform maximum limits need to support the total routes advertised from the cloud fabric and any external peers.

These guidelines are intended to ensure stable operation and optimal performance for large-scale deployments. Please contact support if your use case is not covered above. Guidelines for the maximum number of SD-WAN sites when enrolling both spokes and hubs in Secure Connect are still under validation and will be published once finalized.
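As an added pre-enrollment check (not a Meraki tool or API), the following script applies the limits above to a planned inventory for one region: it picks the spoke limit based on template use, flags spokes advertising more than 20 iBGP prefixes, flags more than 60 hubs, warns on mixed spoke/hub plans, and splits untemplated spokes into batches of 200. The `Site` class, the rule that a plan "uses templates" only when every spoke is template-bound across at least 5 templates, and the sample inventory are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limits taken from the guidelines above (added example, not a Meraki tool or API).
SPOKE_LIMIT_WITH_TEMPLATES = 2500
SPOKE_LIMIT_WITHOUT_TEMPLATES = 1000
MIN_TEMPLATES = 5            # "across 5 or more templates"
BATCH_SIZE = 200             # enrollment batch size when not using templates
MAX_PREFIXES_PER_SPOKE = 20  # iBGP prefixes advertised into the cloud fabric
MAX_HUBS_PER_REGION = 60

@dataclass
class Site:
    name: str
    mode: str                       # "spoke" or "hub"
    prefixes: int                   # local subnets + static + learned routes
    template: Optional[str] = None  # configuration template name, if any (assumed field)

def validate_region_plan(sites: List[Site]) -> Tuple[List[str], List[List[Site]]]:
    """Check one region's planned enrollment against the published limits.
    Returns (findings, enrollment batches). Assumption: a plan 'uses templates'
    only if every spoke is template-bound and >= MIN_TEMPLATES templates are used."""
    findings: List[str] = []
    spokes = [s for s in sites if s.mode == "spoke"]
    hubs = [s for s in sites if s.mode == "hub"]
    if spokes and hubs:
        findings.append("mixed spoke and hub enrollment: limits not yet published, contact support")
    templated = bool(spokes) and all(s.template for s in spokes) \
        and len({s.template for s in spokes}) >= MIN_TEMPLATES
    limit = SPOKE_LIMIT_WITH_TEMPLATES if templated else SPOKE_LIMIT_WITHOUT_TEMPLATES
    if len(spokes) > limit:
        findings.append(f"{len(spokes)} spokes exceeds the {limit} limit "
                        f"({'with' if templated else 'without'} templates)")
    for s in spokes:
        if s.prefixes > MAX_PREFIXES_PER_SPOKE:
            findings.append(f"spoke {s.name} advertises {s.prefixes} prefixes (max {MAX_PREFIXES_PER_SPOKE})")
    if len(hubs) > MAX_HUBS_PER_REGION:
        findings.append(f"{len(hubs)} hubs exceeds the {MAX_HUBS_PER_REGION} per-region limit")
    # Without templates, enroll in batches of BATCH_SIZE and let each finish in the Sites UI first.
    step = len(spokes) if templated else BATCH_SIZE
    batches = [spokes[i:i + step] for i in range(0, len(spokes), step)]
    return findings, batches

def sample_plan() -> List[Site]:
    """Constructed inventory: 450 untemplated spokes, one of them over the prefix limit."""
    sites = [Site(f"branch-{i:03d}", "spoke", prefixes=4) for i in range(450)]
    sites[17].prefixes = 25
    return sites

if __name__ == "__main__":
    findings, batches = validate_region_plan(sample_plan())
    print(*findings, sep="\n")
    print(f"{len(batches)} batches of sizes {[len(b) for b in batches]}")
```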

Plan Before You Start

Before beginning the enrollment process, familiarize yourself with the following points:

  • Meraki SD-WAN branches enrolled in any Complete region use the Secure Connect enhanced head-end. Cloud Hubs are used for regions that are Foundation-only.
  • The VPN-enabled subnets within the local networks of the branches are announced to Secure Connect.
  • Secure Connect provides a default route (0.0.0.0/0) to the Meraki spoke sites linked to the enhanced cloud head-end.
  • The Cloud Firewall governs communication between the Meraki SD-WAN branch networks, Private Applications and Networks, and the Internet.
  • For additional details, refer to the documents on Manage Firewall Policies, Creating Access Policies for Private Applications and Networks, and Migrating to Secure Connect.

Cloud On-Ramp

With the two enrollment options described above for Meraki SD-WAN branches, the Cloud On-Ramp method under Organization > Configure > Cloud On-Ramp is no longer needed and is no longer available.

For additional information and detailed configuration steps, see the Cisco Secure Connect Foundation Meraki SD-WAN Integration article.