Cisco Meraki Documentation

Cisco Secure Connect Sites - Meraki SD-WAN Integration

Overview

Meraki SD-WAN branches can easily integrate with the Secure Connect cloud fabric using the Sites page. 

The UI guides the user to perform multiple provisioning requests and review real-time alerts on their progress and success. 

The process involves the following:

  • Select SD-WAN networks, group them into the desired regions, and click Finish to provision.
  • The cloud fabric then performs a set of actions before it can enroll branches using Auto-VPN.
  • Secure Connect deploys the necessary new Hub devices and networks in the organization.
  • Each region requires a primary (active) and a secondary (backup) Hub to be deployed for resiliency.
  • The branches are then scheduled to use Auto-VPN and attach to their selected region.

Once all Sites provisioning tasks have completed successfully, tunnels are established and routes propagate to the new spokes. The Sites page can then be used to check which branches are enrolled in which regions, along with their status information. Below is an example with MX spokes enrolled in the two types of Secure Connect regions: Region and Cloud Hub.

Site Enrollment

There are two main options for connecting networks or sites to Secure Connect Data Centers:

1. Region (the deployed Hub devices are referred to as the Enhanced Head-End), available in regions with Secure Connect Complete services:

  • This is the preferred method, offering quick enrollment and throughput of up to 500 Mbps per tunnel.
  • Enables branch-to-branch connectivity (East/West interconnect) as well as secure internet access for branch users.
  • Sites can be added by clicking the "Add Sites" button, which allows the selection of MX networks to be assigned to a region.
  • The cloud fabric provisions each hub device with the platform type CPSC-HUB and adds it to a new network whose name is prefixed with "Secure Connect-<DC name>".
  • Region hub devices with no associated branches have their networks cleaned up after the last branch is unenrolled.
  • Hub devices remain listed in your Organization > Configure > Inventory page, for re-use in future provisioning tasks.

2. Cloud Hub in regions with Secure Connect Foundation services:

  • This legacy method is only required for branches whose nearest region supports Foundation services only.
  • Branches connected to Cloud Hubs support only the internet access use case. The East/West (branch-to-branch) interconnect use case is not supported.
  • Connecting via Cloud Hubs involves two steps: use the "Configure Cloud Hubs" button to provision and name the Hub in the nearest region, then use the "Add Sites" button to enroll the sites to that Hub.
  • The associated hub device platform type is UMB-SIG, and its network name is suffixed "<custom hub name>-<DC name>".
  • The hub network can be deleted using the Configure Cloud Hubs button on the Sites page.

Organizations holding a Foundation license should enroll in the nearest Complete Region whenever possible. If the closest region is Foundation-only, Cloud Hubs need to be set up in advance.

Understanding the Data Center Regions

Secure Connect Data Center Regions are designated as Complete-capable and/or Foundation-capable.

  • Regions that are not yet Complete-capable (indicated as TBD for Complete but available for Foundation) require Cloud Hubs to be set up beforehand for branches to enroll in Secure Connect. Branches in these regions lack the East/West Private Access interconnect but can use internet access through Secure Connect.
  • Complete-capable regions provide a seamless, one-click process to auto-provision the enhanced head-end and connect the selected branches. These regions support both internet and private access for attached branches and remote workers, with policy controls in the Cloud Firewall.

Plan Before You Start

Before beginning the enrollment process, it is important to familiarize yourself with the following points:

  • The Meraki SD-WAN branches enrolled in any Complete regions use the Secure Connect enhanced head-end.  Cloud Hubs are used for regions that are Foundation-only.
  • The VPN-enabled subnets within the local networks of the branches will be announced to Secure Connect.
  • Secure Connect will provide a default route (0.0.0.0/0) to the Meraki SPOKE sites linked to the enhanced cloud head-end.
  • Cloud firewall will govern communication between the Meraki SD-WAN branch networks, Private Applications and Networks, and the Internet.
  • For additional details, refer to the documents Manage Firewall Policies and Creating Access Policies for Private Applications and Networks.

Cloud On-Ramp

With the two enrollment options described above, the Cloud On-Ramp method under Organization > Configure > Cloud On-Ramp is no longer needed and is no longer available to users.

Enroll Meraki SD-WAN Sites to Secure Connect Regions 

Integrating Meraki SD-WAN branches into the Secure Connect fabric is a simple automated process: select the Meraki branches and connect them to the available Secure Connect regions. The entire flow is automated and establishes a secure interconnect between Meraki SD-WAN branches, Remote Users, and Private Applications hosted in public or private clouds connected to Secure Connect.

The following is the step-by-step workflow to connect Meraki SD-WAN branches to Secure Connect regions.

Click on Secure Connect > Identities & Connections > Sites

Connect Meraki SD-WAN Branches to Secure Connect Regions 

The Meraki SD-WAN branch sites use Auto VPN to connect to the Secure Connect fabric through an intermediate SD-WAN Traffic Acquisition region. Multiple Meraki SD-WAN branch sites can connect to a desired Secure Connect Region.

From the Sites page, click Connect Meraki Networks.

Existing Meraki Umbrella SD-WAN Connector deployments migrating to Secure Connect Foundation will be able to view their existing Sites connected to Internet Access regions (also known as Cloud Hub regions).

Previous UMB-SIG connector HUB deployments from the SIGRaki solution that sit in regions which now support the enhanced Secure Connect head-end (Internet & Private Access regions) can be deleted, and those branches can then be connected to the Internet & Private Access regions.


Assign Meraki SD-WAN sites to Secure Connect regions: click Add Sites, select the Unassigned Meraki SD-WAN branch sites, click Assign to Region, and select the specific Secure Connect region to assign to those sites.

This list contains all the Meraki SD-WAN networks in the organization, both SPOKE and HUB networks; the procedure to connect them to Secure Connect is the same for both.

Cisco Secure Connect supports the integration of Meraki HUB sites; to learn more about the supported use cases and designs, see this guide. If you do not see your HUB networks in the list, please reach out to Secure Connect support to enable this feature.


First, select all the Meraki branch sites that are closest to an Internet & Private App Access region (which connects to the enhanced cloud head-end), then click on > the corresponding Internet & Private App region.

Click on > Next and then Finish & Save.

If Cloud Hub deployments already exist in the Internet Access only regions and you wish to connect additional networks, then after successfully deploying the first set of selected networks, select all the Meraki branch sites that need to be connected to a particular existing Cloud Hub and click on > that Cloud Hub from the drop-down.

Click on > Next and then Finish & Save.

If connecting for the first time to an Internet & Private App Access region, please wait and DO NOT REFRESH the page until a 'Site Successfully Configured' alert is shown.

The regions where the enhanced Secure Connect head-end is NOT available are listed under the Internet Access Only regions. These follow the Cloud Hub connector deployment model:

If networks are already connected to the enhanced cloud head-end regions but additional networks need to connect to Internet Access only Cloud Hub regions, click on > Configure Cloud Hubs to create a new Cloud Hub.


Select the preferred Internet Access only region from the drop-down and give the Cloud Hub connector a name. Click on > Save to deploy the Cloud Hub in that region.

Please wait until the deployment process is complete and you are navigated to the next window.

Then click on > Add Site, select the Meraki SD-WAN networks that need to be attached to the newly created Cloud Hub, and click on the Cloud Hub region from the drop-down.

All selected networks (including both the networks connected to the Region with the enhanced cloud head-end and the networks connecting to the Cloud Hubs) move to the Assigned tab; all unselected networks stay in the Unassigned tab.

Click on Next > review the Sites that need to be added to the selected Cloud Hub. Click on > Finish & Save.

Re-assign Meraki SD-WAN Sites to Different Regions 

After successfully connecting Meraki SD-WAN Sites to Secure Connect regions, sites can be shifted from one region to another based on need and use case.

Re-assigning a Site from one region to another is simple: go to Secure Connect > Identities & Connections > Sites, select a Site (or bulk-select all the Sites that need to be re-assigned) and click on > Change Region or Cloud Hub.

Select the new region to which the Site or Sites should be moved.

Sites can be moved from Internet access only regions to the enhanced cloud head-end regions, which offer both Internet access and secure branch-to-branch interconnect.

Detaching a Site from a Region (Enhanced Head-End) or Cloud Hub

If for any reason a particular Meraki SD-WAN site needs to be removed from Secure Connect, there is an option to detach the Site from Secure Connect.

Only one set of Sites can be detached at a time: a single detach operation may cover either a bulk selection of the sites associated with one Cloud Hub (Internet Access only) or a selection of the sites associated with one Internet & Private Access Region, but not both.

Go to the Secure Connect > Identities & Connections > Sites page. From the list of Meraki SD-WAN Sites, click on > the Site to be detached, then in the top right corner select Detach Site from Secure Connect.


A window will pop up asking for confirmation to detach the selected Site or Sites from Secure Connect. Upon confirmation, the Sites are detached.

Removing an entire Cloud Hub from Secure Connect 

If an entire Cloud Hub (Internet Access only regions) needs to be removed from Secure Connect, go to Secure Connect > Identities & Connections > Sites > click on > Configure Cloud Hub.

A new window will pop up to Manage Cloud Hubs. From the list of Cloud Hubs, find the Cloud Hub that needs to be deleted.

There will be a … (dotted) menu beside that Cloud Hub; click on > the dotted menu > select Remove Cloud Hub.

A confirmation window will pop up; after confirming, the Cloud Hub and all of its associated Sites are removed from Secure Connect.


Select Local Networks announced to Secure Connect 

  1. From the Sites page > click on the site name (not the checkbox) to toggle the site panel details > Local networks > click the Enable or disable Meraki network subnets link. This opens the Security & SD-WAN > Configure > Site-to-Site VPN page of the selected site.
  2. From the Site-to-Site VPN configuration page of the site > VPN Settings > select VPN mode Enabled for the subnet(s) to be announced to Secure Connect via Auto VPN, then click Save > Confirm Changes.

    For local networks that are not Enabled to participate in VPN, default Internet traffic uses the site's local upstream WAN connection instead of being sent to the configured Secure Connect region. In addition, those local networks cannot communicate with other Secure Connect sites or with Remote Access clients.

    This step configures VPN Settings for the Meraki SD-WAN branch sites only. Do NOT make any changes under the Site-to-Site VPN page of the connected Secure Connect region networks or Umbrella-SIG connector networks (listed as HUB networks in the Meraki dashboard), as this removes any currently configured Organization-wide settings > Non-Meraki VPN peers.

Choose the Branch Preferred Data Center within a Region 

Secure Connect regions are built of data centers (DCs), and each region has its own set of available DCs. Connecting to a particular Secure Connect region automatically assigns two DCs from that region as the primary and secondary hubs of the connected branch sites.

Recommendation for deployments

The primary Secure Connect Region DC hub is the active network through which all spoke traffic is routed. The second hub in the pair becomes active only when the first one goes offline.

Connecting a Meraki SD-WAN spoke site to a Secure Connect region creates two Auto VPN tunnels to the corresponding DC pair, with the primary and secondary DC hubs assigned automatically.

If the assigned primary/secondary DC priorities need to be swapped for a particular site, follow these steps:

  1. Go to the Meraki site network needed to have the hub priorities shuffled.
  2. From the Meraki site network, navigate to Security & SD-WAN > Site-to-Site VPN > Hubs section, then drag the four-arrow move icon under the Actions column up or down to reorder the hub priorities.
  3. Click Save to confirm the changes.

Please make sure the HUB priorities are always paired with DCs of the same region, and DO NOT mix and match DCs from different regions.

Removing the Secure Connect-<Regional DC> hubs from the Site-to-Site VPN page causes inconsistencies in the Sites page. The simplest and correct way to remove a Meraki SD-WAN branch network (spoke) from a region is to go to the Sites page > select the particular Meraki branch site > detach it from the region. See Detach Meraki SD-WAN Sites from Secure Connect Region or Change Region of Sites for more information.
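The two Site-to-Site VPN checks described above (which local subnets are announced to Secure Connect, and whether the hub pair stays within one region's DCs) can be scripted against a spoke's settings before hub priorities are changed by hand. The following Python is an added example, not Cisco Meraki code: it assumes the settings are in the shape of the Dashboard API's site-to-site VPN response for a network (a "hubs" list with hubId/useDefaultRoute and a "subnets" list with localSubnet/useVpn), that hub network names follow the "Secure Connect-<DC name>" convention stated on this page, and it uses constructed sample values and placeholder DC/region names throughout.

```python
"""Audit a Meraki spoke's Site-to-Site VPN settings against the Secure Connect guidance."""
from ipaddress import ip_network

# Constructed sample in the shape of the Dashboard API's site-to-site VPN settings
# for a spoke network (assumption: field names follow the API; values are made up).
SAMPLE_SITE_VPN = {
    "mode": "spoke",
    "hubs": [
        {"hubId": "N_hub_primary", "useDefaultRoute": True},    # primary (active)
        {"hubId": "N_hub_secondary", "useDefaultRoute": True},  # secondary (backup)
    ],
    "subnets": [
        {"localSubnet": "10.10.1.0/24", "useVpn": True},      # announced via Auto VPN
        {"localSubnet": "10.10.2.0/24", "useVpn": True},
        {"localSubnet": "192.168.50.0/24", "useVpn": False},  # stays on the local WAN
    ],
}

# Constructed lookup of hub network id -> network name. Region hub networks are
# named "Secure Connect-<DC name>"; the DC names here are placeholders.
SAMPLE_HUB_NAMES = {
    "N_hub_primary": "Secure Connect-DC-A1",
    "N_hub_secondary": "Secure Connect-DC-A2",
    "N_hub_other_region": "Secure Connect-DC-B1",
}

# Constructed region -> DC membership (a real deployment reads this off the Sites page).
SAMPLE_REGION_DCS = {
    "Region-A": {"DC-A1", "DC-A2"},
    "Region-B": {"DC-B1", "DC-B2"},
}

HUB_PREFIX = "Secure Connect-"


def announced_subnets(site_vpn):
    """Subnets with VPN mode Enabled: these are announced to Secure Connect."""
    return [s["localSubnet"] for s in site_vpn["subnets"] if s["useVpn"]]


def local_breakout_subnets(site_vpn):
    """Subnets not enabled for VPN: Internet traffic uses the local WAN and they
    cannot reach other Secure Connect sites or Remote Access clients."""
    return [s["localSubnet"] for s in site_vpn["subnets"] if not s["useVpn"]]


def region_of_dc(dc_name, region_dcs):
    """Return the region a DC belongs to, or None if it is unknown."""
    for region, dcs in region_dcs.items():
        if dc_name in dcs:
            return region
    return None


def check_hub_pairing(site_vpn, hub_names, region_dcs):
    """Return a list of findings; an empty list means the hub pair is consistent."""
    findings = []
    hubs = site_vpn.get("hubs", [])
    if site_vpn.get("mode") != "spoke":
        findings.append("network is not in spoke mode")
    if len(hubs) != 2:
        findings.append(f"expected a primary/secondary hub pair, found {len(hubs)} hubs")
    regions = set()
    for position, hub in enumerate(hubs):
        name = hub_names.get(hub["hubId"], "")
        if not name.startswith(HUB_PREFIX):
            findings.append(f"hub {position}: {hub['hubId']} is not a Secure Connect region hub")
            continue
        dc = name[len(HUB_PREFIX):]
        region = region_of_dc(dc, region_dcs)
        if region is None:
            findings.append(f"hub {position}: DC {dc} is in no known region")
        else:
            regions.add(region)
    if len(regions) > 1:
        findings.append(f"hubs mix DCs from different regions: {sorted(regions)}")
    if hubs and not hubs[0].get("useDefaultRoute"):
        findings.append("primary hub does not supply the default route (0.0.0.0/0)")
    for s in site_vpn["subnets"]:
        ip_network(s["localSubnet"])  # raises ValueError on a malformed subnet
    return findings


if __name__ == "__main__":
    print("announced:", announced_subnets(SAMPLE_SITE_VPN))
    print("local breakout:", local_breakout_subnets(SAMPLE_SITE_VPN))
    print("findings:", check_hub_pairing(SAMPLE_SITE_VPN, SAMPLE_HUB_NAMES, SAMPLE_REGION_DCS) or "none")
```

Run it on a spoke's settings before and after reordering hubs: a non-empty findings list, in particular the "different regions" finding, is the condition the page warns against, and a subnet in the local-breakout list is one whose users will not reach other Secure Connect sites.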


Sites Monitoring 

Once Meraki SD-WAN branch sites are connected and their Auto VPN connections to the Secure Connect regions are established, the integration of the Meraki SD-WAN branch networks into the Secure Connect fabric is complete.

All Meraki SD-WAN branch sites on-boarded to Secure Connect can be monitored from the Secure Connect > Identities & Connections > Sites page for any connectivity issues.

  • On the Sites page, hovering over the connectivity bar of any site in the list of on-boarded networks shows complete details, including date and time, of that branch site's connectivity status.
  • Clicking on any one of the on-boarded Meraki SD-WAN branch sites will display a side drawer for that site. This side drawer will give the following details:
    • The Meraki MX device information for that Site and a navigation link to the Security & SD-WAN > Monitor > Appliance Status page for any device-based configuration, status, and troubleshooting information.
    • The list of Local Networks with the associated subnets and a navigation link to the Security & SD-WAN > Configure >  Site-to-Site VPN page, where you can choose which subnets need to have VPN enabled and traffic passing through the Auto VPN tunnel.
    • Information on the Secure Connect region and its connectivity status.

If you have Meraki devices (MS/MR/MV) connected to the MX, follow this best practice to avoid issues with their Meraki Dashboard cloud communication (for example, devices failing to fetch their configuration from the Meraki Cloud, or loss of the MV stream). To resolve such issues, navigate to the Security & SD-WAN > Traffic Shaping page of the impacted network's MX device and configure VPN exclusion rules with the following CIDRs so that they use the local Internet breakout (i.e., are excluded from the full-tunnel VPN).

Meraki Cloud Communication:

  • 64.62.142.12/32
  • 209.206.48.0/20
  • 216.157.128.0/20
  • 158.115.128.0/19

Meraki MV Camera Streaming Proxy:

  • 13.54.51.60/32
  • 52.57.34.238/32
  • 52.59.68.120/32
  • 198.27.154.14/32
  • 198.27.154.12/32
  • 35.162.65.76/32
  • 35.161.241.24/32
  • 35.162.58.56/32
  • 50.18.100.0/32
  • 13.52.29.190/32
  • 3.210.175.34/32

Cisco Umbrella DNS:

  • 208.67.222.222/32
  • 208.67.220.220/32
  • 208.67.222.220/32
  • 208.67.220.222/32
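Because the Secure Connect hubs supply the default route (0.0.0.0/0) to each spoke, every destination that is not covered by an exclusion rule goes through the full tunnel. The following Python is an added example, not Cisco Meraki code: it loads the CIDRs listed above, validates each one (a malformed prefix raises rather than silently dropping a rule), classifies sample destinations as local breakout or tunnel, and shapes the list into the custom-rule JSON form of the Dashboard API's traffic-shaping VPN exclusions endpoint. The payload shape (a "custom" list of destination/protocol/port objects) is an assumption, and no request is sent.

```python
"""Classify destinations against the VPN exclusion CIDRs listed on this page."""
from ipaddress import ip_address, ip_network

# CIDRs copied from the page, grouped as the page groups them.
VPN_EXCLUSIONS = {
    "Meraki Cloud Communication": [
        "64.62.142.12/32", "209.206.48.0/20", "216.157.128.0/20", "158.115.128.0/19",
    ],
    "Meraki MV Camera Streaming Proxy": [
        "13.54.51.60/32", "52.57.34.238/32", "52.59.68.120/32", "198.27.154.14/32",
        "198.27.154.12/32", "35.162.65.76/32", "35.161.241.24/32", "35.162.58.56/32",
        "50.18.100.0/32", "13.52.29.190/32", "3.210.175.34/32",
    ],
    "Cisco Umbrella DNS": [
        "208.67.222.222/32", "208.67.220.220/32", "208.67.222.220/32", "208.67.220.222/32",
    ],
}


def parse_exclusions(groups):
    """Validate every CIDR and return a list of (group, network) pairs.
    ip_network(strict=True) raises ValueError on a typo, so nothing is dropped silently."""
    parsed = []
    for group, cidrs in groups.items():
        for cidr in cidrs:
            parsed.append((group, ip_network(cidr, strict=True)))
    return parsed


def classify(destination, exclusions):
    """Return ("local breakout", group) if the destination matches an exclusion,
    otherwise ("secure connect tunnel", None): the default route learned from the
    Secure Connect hubs carries everything that is not excluded."""
    addr = ip_address(destination)
    for group, net in exclusions:
        if addr in net:
            return ("local breakout", group)
    return ("secure connect tunnel", None)


def build_vpn_exclusion_payload(groups):
    """Shape the CIDRs as custom VPN exclusion rules. Assumption: the Dashboard API
    body is {"custom": [{"destination", "protocol", "port"}, ...]}; only the JSON
    structure is built here, no request is sent."""
    return {
        "custom": [
            {"destination": cidr, "protocol": "any", "port": "any"}
            for cidrs in groups.values()
            for cidr in cidrs
        ]
    }


if __name__ == "__main__":
    exclusions = parse_exclusions(VPN_EXCLUSIONS)
    # Constructed sample destinations: one Meraki cloud address, one Umbrella
    # resolver, and one unrelated public address.
    for dst in ("209.206.50.1", "208.67.222.222", "93.184.216.34"):
        print(dst, "->", classify(dst, exclusions))
    print(len(build_vpn_exclusion_payload(VPN_EXCLUSIONS)["custom"]), "exclusion rules")
```

When auditing an MX after the change, feed the destinations a connected MS/MR/MV device is failing to reach into classify(): a "secure connect tunnel" result for a Meraki cloud or MV proxy address means the exclusion list on that network is incomplete.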