Cisco Meraki Documentation

Cisco Secure Connect Foundation Meraki SD-WAN Integration

Overview 

Organizations are shifting their network landscape by moving all on-prem applications to the public or private cloud. Previously all traffic was back-hauled through data centers, but now almost 80% of traffic is routed directly to the internet. Securing a network edge has always been complex and with this change in network infrastructure, it became even more difficult to manage and secure an entire organization.

Cisco Secure Connect Foundation is the unified SASE journey that customers can adopt to integrate their Meraki SD-WAN with a cloud-based security stack powered by Cisco Umbrella. This deployment guide outlines how to establish an Auto VPN based integration of your Meraki MX Security and SD-WAN appliance with Secure Connect's security cloud. Secure Connect provides unified management of security and network infrastructure from a single pane of glass, the Secure Connect Dashboard, so that network administrators do not have to manage security settings separately for each SD-WAN branch. All Internet-bound traffic is forwarded to the Secure Connect fabric over an Auto VPN tunnel to the nextgen SD-WAN traffic acquisition headend inside the Secure Connect cloud, where it is inspected and filtered by the Umbrella SIG stack.

Use Case 

  • Inspect all internet-bound traffic at scale from a single cloud-delivered platform.
  • Manage and monitor both network devices and their security policies from a simple cloud-based solution and a single dashboard.
  • Network administrators want to manage the entire set of security policies for all SD-WAN branches using a single pane of glass.
  • Organizations want to exclude guest traffic or high bandwidth application traffic from cloud security services.
  • Organizations want to utilize a unified cloud-based security solution without incurring additional costs from interconnecting it to their existing Meraki network solution.
  • Organizations want to securely interconnect their SD-WAN branches and manage them through a unified cloud-based solution.
  • Organizations want to be able to dynamically scale and manage their network infrastructure through a robust SASE solution.

Licensing

Secure Connect offers the Foundation license for customers looking to secure their Meraki SD-WAN branch to internet and securely interconnect their SD-WAN branch to branch traffic through Secure Connect cloud. There are 2 options with Secure Connect Foundation license:

1. Secure Connect Foundation Essentials (includes Meraki dashboard, Umbrella SIG Essentials capabilities and secure Branch to Branch Interconnect)

2. Secure Connect Foundation Advantage (includes Meraki dashboard, Umbrella SIG Advantage capabilities and secure Branch to Branch Interconnect)

| Features | SIG Essentials | SIG Advantage | Foundation Essentials | Foundation Advantage |
|---|---|---|---|---|
| **Security Features** | | | | |
| Secure Web Gateway | Included | Included | Included | Included |
| URL filtering | Included | Included | Included | Included |
| Secure Malware Analytics (Sandbox submissions) | 500/day | unlimited | 500/day | unlimited |
| Cloud Access Security Broker (Cloud app discovery, risk score, block) | Included | Included | Included | Included |
| Cloud Malware Detection | Up to 2 apps | All supported apps | Up to 2 apps | All supported apps |
| DNS-Layer Security | Included | Included | Included | Included |
| L3 / L4 Cloud-Delivered Firewall | Included | Included | Included | Included |
| L7 Cloud-Delivered Firewall | - | Included | - | Included |
| Data Loss Prevention | - | Included | - | Included |
| Intrusion Prevention System (IPS) | - | Included | - | Included |
| **Remote Access** | | | | |
| Client-based Access | - | - | 10 free users* | 10 free users* |
| SAML authentication and Built-in IdP | - | - | * | * |
| Granular user, app-based access policy | - | - | * | * |
| Posture and contextual access control and Reporting | - | - | * | * |
| **Unified SASE** | | | | |
| Unified in Dashboard, Security Policy and 24x7 support | - | - | Included | Included |
| Fabric interconnect (CNHE) | - | - | Included | Included |

Secure Connect Foundation is the new capability licensing that replaces the Meraki Umbrella SD-WAN Connector solution, bringing together the integration of Meraki SD-WAN branches with Secure Connect and enabling Internet and secure Branch to Branch access. This is the overview document; it links to the use case based deployment guide documents.

Onboarding - Getting your Secure Connect Dashboard 

To begin, you'll first need to integrate Meraki and Cisco Umbrella management together for a seamless experience.  For further instructions, see Cisco Secure Connect Onboarding.

After successfully onboarding your organization to Secure Connect, to connect your remote users please follow the remote user setup guide.

Customers with existing Meraki and Umbrella (SIG) orgs, or brownfield Meraki Umbrella SD-WAN Connector customers migrating to Secure Connect Foundation, follow the onboarding flow below:

  • After successfully placing an order for the Secure Connect Foundation license, you will receive a Welcome Email from the Secure Connect team.
  • Have your existing Umbrella org (the one you plan to link, or have already linked) and your Meraki org open in browser tabs. For cleaner provisioning, open these in a new window.
  • Go directly to step 3 in the Welcome Email.
  • Copy the link from the "Link Secure Connect to Umbrella" step and paste it into the browser window where both your Meraki and Umbrella orgs are open.
  • For customers who have existing Meraki and Umbrella orgs but have not previously linked them by any means, the API key and secret generation and sync happen automatically. Secure Connect will then be available in your Meraki Dashboard's left navigation tab.

For brownfield Meraki Umbrella SD-WAN Connector customers who have already linked their Management API key and secret, automatic provisioning will FAIL and you will need to click on > Manually Provision link.

  • This requires generating 2 NEW legacy API keys and secrets in your brownfield Umbrella org:
    • Network Devices
    • Reporting Credentials
  • After entering both the Network Devices and Reporting credentials, the Management API key and secret update automatically. After clicking FINISH, Secure Connect will be available in your Meraki Dashboard's left navigation tab.

Data Center Availability

Since Secure Connect introduces both internet access and secure branch-to-branch interconnect capabilities, data center availability for the secure SD-WAN branch-to-branch interconnect will be progressive. The following table shows data center availability by Internet Access and Private (secure branch-to-branch) access capability.

The Enhanced Cloud Native Headend is a more efficient solution that provides more streamlined connectivity to Secure Connect Cloud Regions with both Internet and Private Access capabilities, offering higher bandwidth that scales dynamically (up to ~500 Mbps) per Meraki branch site.

The bandwidth allocation is dynamic per Meraki SD-WAN branch site requirement and accordingly, each site will be able to consume its respective required bandwidth. The throughput or bandwidth consumption per site through the Secure Connect SIG is directly linked to the overall Umbrella SIG's supported bandwidth.

There is no hard limit on the number of Meraki SD-WAN branch sites that can be connected to a Secure Connect Region. For example, if your organization has 200 sites that need to be connected to the US West region, we can bulk select all the 200 Sites and assign them to the US West region.

This solution is now available in all US and Europe regions enabled with Secure Connect. Please refer to the Data Center availability table below.

For the time being, greenfield and brownfield Secure Connect Foundation customers will not have the Enhanced Cloud Headend enabled automatically; please reach out to your Cisco account team to have this migration done.

Eventually all greenfield Secure Connect Foundation customers will have this enhanced traffic acquisition capability automatically; until then, please reach out to support or your account team to have the Enhanced Cloud Headend enabled.

| Regions | Data Center Pairs | Capability | Availability of Enhanced Cloud Headend |
|---|---|---|---|
| US West | Los Angeles & Santa Clara | Internet & Private Access | Available Now |
| US Central | Denver & Dallas | Internet & Private Access | Available Now |
| US Midwest | Chicago & Minneapolis | Internet & Private Access | Available Now |
| US Southeast | Atlanta & Miami | Internet & Private Access | Available Now |
| US Northeast | New York & Ashburn | Internet & Private Access | Available Now |
| Canada Central | Toronto & Vancouver | Internet Access | TBD |
| Europe 1 | London & Frankfurt | Internet & Private Access | Available Now |
| Europe 2 | Paris & Marseille | Internet & Private Access | Available Now |
| Europe 3 | Copenhagen & Stockholm | Internet & Private Access | Available Now |
| Europe 4 | Madrid & Milan | Internet & Private Access | Available Now |
| Asia 1 | Tokyo & Singapore | Internet & Private Access | Available Now |
| Asia 2 | Hong Kong & Mumbai | Internet Access | TBD |
| Australia | Sydney & Melbourne | Internet Access | TBD |
| South Africa | Johannesburg & Cape Town | Internet Access | TBD |
| South America | Rio de Janeiro & Sao Paulo | Internet Access | TBD |

The following expands on the capabilities associated with a Data Center Region:

Internet Access (Data Center Regions): These regions do not have the nextgen traffic acquisition headend; they support internet access only, WITHOUT East-West branch security. East-West branch connectivity may or may not work, but if it does, there is NO centralized Secure Connect cloud security; security has to be applied at the Meraki MX edge.

Internet Access & Private Access (Data Center Regions): These regions have the nextgen traffic acquisition headend. They support both Internet Access and East-West branch-to-branch private access with centralized Secure Connect cloud security.

 

Connecting Meraki SD-WAN Sites to Secure Connect

 

After successfully onboarding Secure Connect to your Meraki dashboard, integrating your Meraki SD-WAN networks into the Secure Connect fabric is simple and automated.

Click on Secure Connect > Identities & Connections > Sites.


There are multiple use cases depending on the current stage of your integration of Meraki SD-WAN with Secure Connect. The following are the different onboarding flows for each use case; feel free to jump to the use case that best describes your stage of onboarding.

Re-assign Meraki SD-WAN Sites to Different Regions

After successfully connecting Meraki SD-WAN Sites to Secure Connect regions, you have the flexibility to shift Sites from one region to another based on their need and use case.

Re-assigning a Site from one region to another is straightforward: go to Secure Connect > Identities & Connections > Sites, select a Site (or bulk select all the Sites that need to be re-assigned) and click on > Change Region or Cloud Hub.

Select the new region to which the Site or Sites should be moved.

Note: Sites can be moved from Internet Access only regions to the enhanced Cloud Traffic Acquisition headend regions offering both Internet and Secure Branch to Branch access.

Removing a Site from a Region or Cloud Hub (Detaching a Site from Secure Connect)

If for any reason a particular Meraki SD-WAN Site needs to be removed from Secure Connect, there is an option to detach the Site from Secure Connect.

Note: Only one set of Sites can be detached at a time, i.e. each detach operation can be either a bulk select of all Internet Access only Sites, a single Cloud Hub associated detach, or a single Internet & Private Access Region associated detach.

Go to the Secure Connect > Identities & Connections > Sites page. From the list of Meraki SD-WAN Sites, click on > the Site to be detached > in the top right corner, select Detach Site from Secure Connect.

A window will pop up asking for confirmation to detach the selected Site or Sites from Secure Connect. Upon confirming, the Sites will be detached.

Removing an entire Cloud Hub from Secure Connect

If there is a need to remove an entire Cloud Hub from Secure Connect, go to Secure Connect > Identities & Connections > Sites > click on > Configure Cloud Hub.

A new window will pop up to Manage Cloud Hubs. From the list of Cloud Hubs, find the Cloud Hub that needs to be deleted.

There will be a … (three-dot) menu beside that Cloud Hub; click on > the three-dot menu > select Remove Cloud Hub.

A confirmation window will pop up and, after confirming, the Cloud Hub and all its associated Sites will be removed from Secure Connect.

Sizing Considerations for Cloud Hubs (Internet Access Only DCs)

The total number of Cloud Hub deployments allowed per organization is directly mapped to the number of networks in the organization. Organizations with <=20 networks (MX deployed sites) can have 1 deployment, and the Cloud Hub deployment limit increases by one for every additional 20 networks. For larger organizations beyond 400 networks, the limit is set to 20 deployments. Please reach out to your SEs if you require additional deployments.

Choose subnets (local networks) to export over VPN on your SPOKE (Branch) Meraki MX network

Go to Security & SD-WAN > Configure > Site-to-Site VPN and earmark which locally defined or available subnets are to be exported to the Auto VPN. To do this, simply set the relevant subnets to ENABLED under VPN Mode and set DISABLED for the non-relevant subnets.

If you have branches servicing the same range of Local subnets, then please contact Meraki Support to enable NAT translation to ensure each subnet in the Auto VPN domain is unique.

 

Choose the Primary Data Center Priority within the connected Secure Connect Region 

Secure Connect regions are built from data centers (DCs), and each region has its own set of available DCs. Connecting a branch site to a particular Secure Connect region automatically adds two DCs from that region as the primary and secondary hubs of that branch site.

Recommendation for deployments

The primary selected Secure Connect Region DC hub will be the active network where all the spoke traffic will be routed. The second one in the pair will become active only when the first one goes offline.

Connecting a Meraki SD-WAN spoke site to a Secure Connect region creates 2 Auto VPN tunnels to the corresponding DC pair, with primary and secondary DC hubs assigned automatically.

If the assigned primary/secondary DC priorities need to be swapped for a particular site, follow these steps:

  1. Go to the Meraki site network needed to have the hub priorities shuffled.
  2. From the Meraki site network, navigate to Security & SD-WAN > Configure > Site-to-Site VPN > Hubs section, then click the four-arrow move icon under the Actions column and drag up/down to shuffle the hub priorities.
  3. Click Save to confirm the changes.

If more than 2 regions are configured here as Hubs, DO NOT change the DC pairings associated with each region, i.e. if US West was chosen as the DC region when connecting SD-WAN branch A to Secure Connect, then the primary and secondary hubs should only be swapped between US West region DCs (Los Angeles and Palo Alto).

Removing the Secure Connect-<Regional DC> hubs above from the Site-to-Site VPN page will cause inconsistencies on the Sites page. The simplest and correct way to remove a Meraki SD-WAN branch network (spoke) from a region is to go to the Secure Connect > Identities & Connections > Sites page > select the particular Meraki branch site > detach it from the region.
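The two checks a practitioner would want before and after the subnet-export and hub-priority steps above (unique exported subnets across branches, and a primary/secondary hub pair that stays inside one region) as an added example, not Meraki's or Secure Connect's own code. The spoke configurations are constructed to match the shape of the Meraki Dashboard API site-to-site VPN response; the hub IDs and the hub-to-region mapping are placeholder values, not real Secure Connect identifiers.

```python
import ipaddress
from itertools import combinations

# Constructed sample: spoke configs in the shape of the Meraki Dashboard API
# site-to-site VPN object (mode, hubs, subnets). Hub IDs and the hub->region
# mapping are placeholders, not real Secure Connect identifiers.
HUB_REGION = {
    "N_SC_USWEST_LA": "US West",
    "N_SC_USWEST_SC": "US West",
    "N_SC_EU1_LON": "Europe 1",
}

SPOKES = {
    "Branch A": {
        "mode": "spoke",
        "hubs": [{"hubId": "N_SC_USWEST_LA", "useDefaultRoute": True},
                 {"hubId": "N_SC_USWEST_SC", "useDefaultRoute": True}],
        "subnets": [{"localSubnet": "10.10.0.0/24", "useVpn": True},
                    {"localSubnet": "192.168.50.0/24", "useVpn": False}],
    },
    "Branch B": {  # hub pair deliberately spans two regions
        "mode": "spoke",
        "hubs": [{"hubId": "N_SC_USWEST_LA", "useDefaultRoute": True},
                 {"hubId": "N_SC_EU1_LON", "useDefaultRoute": True}],
        "subnets": [{"localSubnet": "10.10.0.0/25", "useVpn": True},
                    {"localSubnet": "192.168.50.0/24", "useVpn": True}],
    },
}


def exported_subnets(cfg):
    """Subnets the branch advertises into Auto VPN (VPN Mode = ENABLED)."""
    return [ipaddress.ip_network(s["localSubnet"]) for s in cfg["subnets"] if s["useVpn"]]


def overlapping_exports(spokes):
    """Pairs of branches whose exported subnets overlap: NAT translation is needed."""
    clashes = []
    for (a, ca), (b, cb) in combinations(spokes.items(), 2):
        for na in exported_subnets(ca):
            for nb in exported_subnets(cb):
                if na.overlaps(nb):
                    clashes.append((a, str(na), b, str(nb)))
    return clashes


def hubs_span_regions(cfg, hub_region):
    """True when a spoke's primary/secondary hubs are not both in one region."""
    regions = {hub_region.get(h["hubId"], "unknown") for h in cfg["hubs"]}
    return len(regions) > 1


def audit(spokes, hub_region):
    """Collect human-readable findings for both checks."""
    findings = [f"subnet overlap: {a} {na} vs {b} {nb}" for a, na, b, nb in overlapping_exports(spokes)]
    findings += [f"hub pairing spans regions: {n}" for n, c in spokes.items() if hubs_span_regions(c, hub_region)]
    return findings


if __name__ == "__main__":
    for finding in audit(SPOKES, HUB_REGION):
        print(finding)
```

Subnets left DISABLED under VPN Mode are ignored by the overlap check, so only what actually enters the Auto VPN domain is compared.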

Configuring Security Policies

Secure Connect introduces a cross-launch based single pane of glass experience, bringing Meraki and Umbrella together into a single, simplified window. This gives all Secure Connect Foundation customers the ability to configure, control and manage all their Cisco Umbrella security policies from a single pane of glass, enabling unified control of all Meraki SD-WAN branches integrated with Secure Connect, with distributed enforcement of policies. The following video shows how the cross-launch is built in as part of Secure Connect enablement:

Configuring-Security-Policies.mov
