Skip to main content
Cisco Meraki Documentation

Cisco Secure Connect Sites - Meraki SD-WAN Integration

  1. Last updated
  2. Save as PDF

Overview

Meraki SD-WAN branches can easily integrate with the Secure Connect cloud fabric using the Sites page. 

clipboard_e2f20b581d9f243849a9d81fe533fd02e.png

The UI guides the user to perform multiple provisioning requests and review real-time alerts on their progress and success. 

The process involves the following:

  • Select SD-WAN networks under Sites UI, group them into desired regions, and click Finish to provision. 
  • The cloud fabric now performs a set of actions before it can enroll branches using Auto-VPN
  • Secure Connect deploys the new and necessary Hub devices and networks in the organization
  • Each region requires primary (active) and secondary (backup) Hubs to be deployed for resiliency
  • The branches are then use Auto-VPN and attach to their selected region of the global cloud fabric

Having all Sites provisioning tasks successfully completed, tunnels are established allowing routes to propagate to the new spokes.  Sites page can then be used to check what branches are enrolled in what regions and their status information.  Below is an example with MX spokes enrolled in two types of Secure Connect tunnels: Region and Cloud Hub.  

clipboard_ebb4e76af5043032e912f3a2ffe918749.png

Site Enrollment

There are two main options for connecting networks or sites to Secure Connect Data Centers:

sites.jpg

1. Region (Hub devices deployed are referred to as Enhanced Head-End) is available in regions with Secure Connect Complete services:

  • Is the preferred method offering quick enrollment, and speed of up to 500 Mbps per tunnel.
  • Enables branch-to-branch connectivity (East/West interconnect) as well as secure internet access for branch users.
  • Sites can be added by clicking the "Add Sites" button, which allows the selection of MX networks to be assigned to a region.
  • The cloud fabric provisions each hub device with a platform type CPSC-HUB, and adds it to a new network and name prefixed with "Secure Connect-<DC name>."  
  • Region hub devices with no associated branches will have their networks cleaned up after the last branch is unenrolled
  • Hub devices will remain listed in your Organization > Configure > Inventory page, for re-use in future provisioning tasks

2. Cloud Hub in regions with Secure Connect Foundation services:

  • This legacy method is only required for branches where the nearest region only supports Foundation services.
  • Branches connected to Cloud Hubs can only support the internet access use case.  East/West internet use case is not supported.
  • Connecting via Cloud Hubs involves two steps: use "Configure Cloud Hubs" button to provision and name the Hub in the nearest region and then use "Add Sites" button to enroll the sites to that Hub.
  • The associated hub device platform type is UMB-SIG, and its network name is postfixed "<custom hub name>-<DC name>".
  • The hub network can be deleted using Configure Cloud Hubs button in Sites page.

Organizations holding a Foundation license should enroll in the nearest Complete Region whenever possible. If the closest region is Foundation-only, Cloud Hubs need to be set up in advance.

Understanding the Data Center Regions

Secure Connect Data Center Regions are designated Complete and Foundation capable.

  • Regions that are not yet Complete capable (indicated as TBD for Complete but have Foundation) will require Cloud Hubs to be set up beforehand for branches to enroll in Secure Connect. Branches in these regions lack the East/West Private Access interconnect but can utilize internet access through Secure Connect. 
  • Complete-capable regions provide a seamless, one-click process to auto-provision the enhanced  head-end and connect selected branches. These regions support both internet and private access for attached branches and remote workers with policy controls in the Cloud Firewall.

Plan Before You Start 

Before beginning the enrollment process, it is important to familiarize yourself with the following points:

  • The Meraki SD-WAN branches enrolled in any Complete regions use the Secure Connect enhanced head-end.  Cloud Hubs are used for regions that are Foundation-only.
  • The VPN-enabled subnets within the local networks of the branches will be announced to Secure Connect.
  • Secure Connect will provide a default route (0.0.0.0/0) to the Meraki SPOKE sites linked to the enhanced cloud head-end.
  • Cloud firewall will govern communication between the Meraki SD-WAN branch networks, Private Applications and Networks, and the Internet.
  • For additional details, refer to documents on  Manage Firewall Policies, Creating Access Policies for Private Applications and Networks, and Migrating to Secure Connect.

Cloud On-Ramp

By using the described two options to enroll Meraki SD-WAN branches, users no longer need or have available the Cloud OnRamp method available under Organization > Configure > Cloud On-Ramp.

 

For additional information and detailed configuration steps, see the Cisco Secure Connect Foundation Meraki SD-WAN Integration article.