Cisco Meraki Documentation

Cisco Secure Connect Foundation Meraki SD-WAN Integration

Overview 

The Cisco Secure Connect Foundation is a SASE package that allows Meraki SD-WAN customers to integrate with a cloud-based security layer provided by Cisco Umbrella. The Solution Overview document outlines the use cases and details the Secure Connect packages. The Foundation package is designed for customers who want to enhance their cloud security without adding a cloud RAVPN (Remote Access VPN) or ZTNA (Zero Trust Network Access).  It also serves as an upgrade path for customers currently using the Meraki Umbrella SD-WAN Connector or SIG (Secure Internet Gateway).

After purchasing the Secure Connect Foundation package, existing customers can delete their legacy connectors, onboard to Secure Connect, and follow a quick UI-based procedure to enroll their MX branches into Secure Connect with the enhanced head-end. The updated cloud infrastructure offers improved performance, with support for up to 500 Mbps, and allows cloud firewall policies to be applied across the network.

Onboarding - Getting your Secure Connect Dashboard 

Once the license for Secure Connect Foundation has been applied to your Umbrella org, an email is sent to your administrator account. That email looks like the one shown below; full instructions can be found in our Secure Connect Onboarding documents.

[Image: Secure Connect welcome email]

  • For customers who are linking the Meraki org with a brand new Umbrella org, automatic generation and exchange of the API key and secret will be attempted first. If the automatic API exchange fails, the customer will need to generate the API keys and secrets manually and then enter them into the Meraki dashboard. Secure Connect will then be available on your Meraki Dashboard's left navigation tab.

For existing Meraki Umbrella SD-WAN Connector customers who have already linked their Management API Key and Secret, the automatic provisioning will definitely FAIL, requiring you to click on the Manually Provision link.

  • This will require you to generate two NEW LEGACY API KEY and SECRET pairs in your existing Umbrella org:
    • Network Devices
    • Reporting Credentials
  • After entering both the Network Devices and Reporting credentials, the Management API KEY and SECRET will update automatically. After clicking on FINISH, Secure Connect will be available on your Meraki Dashboard's left navigation tab.

Data Center Availability

Since Secure Connect introduces both internet access and secure branch-to-branch interconnect capabilities, data center availability for the secure SD-WAN branch-to-branch interconnect will be rolled out progressively. Please review the Data Center document for the latest on the Internet Access and Private (secure branch-to-branch) access capabilities.

The Enhanced Head-end is a more efficient solution that provides more streamlined connectivity to Secure Connect Cloud Regions, with both Internet and Private Access capabilities and higher bandwidth that scales dynamically (up to ~500 Mbps) per Meraki branch site.

The bandwidth allocation is dynamic per Meraki SD-WAN branch site requirement and accordingly, each site will be able to consume its respective required bandwidth. The throughput or bandwidth consumption per site through the Secure Connect SIG is directly linked to the overall Umbrella SIG's supported bandwidth.

There is no hard limit on the number of Meraki SD-WAN branch sites that can be connected to a Secure Connect Region. For example, if your organization has 200 sites that need to be connected to the US West region, we can bulk select all the 200 Sites and assign them to the US West region.

Currently, all Secure Connect Foundation customers will have the Enhanced Head-end enabled automatically. 

Connecting Meraki SD-WAN Sites to Secure Connect

After successfully onboarding Secure Connect to your Meraki dashboard, you are ready to start enrolling sites into the cloud fabric. It is as simple as selecting sites and regions and letting the dashboard do the rest.  The Sites page will show progress of your provisioning request and let you know when your Meraki SD-WAN networks are enrolled into the Secure Connect fabric.

Click on Secure Connect > Identities & Connections > Sites.


The Sites UI allows the user to add sites (MX networks) to Regions and enroll them into the Secure Connect fabric. Below is the list of the regions currently available worldwide.


Some Cisco Umbrella data centers do not offer the enhanced head-end; however, those DCs can still enroll sites into Cloud Hubs. In your Meraki dashboard you can review which DCs offer only Cloud Hubs (see the example below).


Once enrolled into a Secure Connect Region, an MX that had Site-to-Site VPN turned off will become a Spoke to the Secure Connect fabric. Further, each MX subnet that has VPN enabled will be advertised into the fabric and be reachable by all other MX sites and remote access users. MX sites that are enrolled into a Cloud Hub will only support the Secure Internet use case.


Re-assign Meraki SD-WAN Sites to Different Regions

After successfully connecting Meraki SD-WAN Sites to Secure Connect regions, the user will have the flexibility to quickly shift sites from one region to another.

Re-assigning a Site from one region to another is very simple. Go to Secure Connect > Identities & Connections > Sites, select a Site (or bulk select all the Sites that need to be re-assigned), and click on Change Region or Cloud Hub.

Select the new region to which you want to move the Site or the selected group of Sites.


Note: Sites can be moved from Cloud Hubs to Regions and vice versa. Note that Cloud Hubs only support the Secure Internet use case, so a Site moving from a Region to a Cloud Hub will lose its interconnect with other branch sites.

Removing a Site from a Region or Cloud Hub (Detaching a Site from Secure Connect)

Similar to enrolling a site, users can unenroll (detach) a site (MX network) from the Secure Connect fabric.  When detaching sites from Cisco Secure Connect, you can detach both Cloud Hub and Region types of sites at the same time.

Go to the Secure Connect > Identities & Connections > Sites page. From the list of Meraki SD-WAN Sites, click on the Site to be detached, then in the top right corner select Detach Site from Secure Connect.

A window will pop up asking for confirmation to detach the selected Site or Sites from Secure Connect. Upon confirmation, the Sites will be detached. Please follow the progress of your deprovisioning task.

Removing the Cloud Hub from Secure Connect

When the last Site is unenrolled from a Cloud Hub, that Cloud Hub will be automatically removed. This means that the user is not required to manually remove any Cloud Hubs.

However, the user does have the ability to delete a Cloud Hub which still has Sites attached to it. This action will first remove the Sites from the Cloud Hub, then remove the Cloud Hub itself.


A confirmation window will pop up; after confirming, the Cloud Hub and all its associated Sites will be removed from Secure Connect.

Sizing Considerations for Cloud Hubs (Internet Access Only DCs)

The total number of Cloud Hub deployments allowed per organization is directly mapped to the number of networks in the organization. Organizations with <=20 networks (MX deployed sites) can have 1 deployment, and the Cloud Hub deployment limit increases by one for every additional 20 networks. For larger organizations with more than 400 networks, the limit is set to 20 deployments. Please reach out to your SEs if you require additional deployments.

Choose the Primary Data Center Priority within the connected Secure Connect Region 

Secure Connect regions are built from data centers (DCs), and each region has its own set of available DCs. Connecting to a particular Secure Connect region automatically assigns two DCs from that region as the primary and secondary hubs for the connected branch sites.

Recommendation for deployments

The primary Secure Connect Region DC hub is the active hub to which all spoke traffic is routed. The second DC in the pair becomes active only when the first one goes offline.

Connecting a Meraki SD-WAN spoke site to a Secure Connect region creates 2 Auto VPN tunnels to the corresponding DC pair, with primary and secondary DC hubs assigned automatically.

If the assigned primary/secondary DC priorities need to be swapped for a particular site, follow these steps:

  1. Go to the Meraki site network whose hub priorities need to be changed.
  2. From that network, navigate to Security & SD-WAN > Configure > Site-to-Site VPN > Hubs section, then click and drag the four-arrow move icon under the Actions column up or down to reorder the hub priorities.
  3. Click Save to confirm the changes.

If you have more than 2 DCs configured here as Hubs, DO NOT change the DC pairings associated with each region. For example, if US West was chosen as the region when connecting SD-WAN branch A to Secure Connect, then the primary and secondary should only be swapped between the US West region DCs (Los Angeles and Palo Alto).


Removing the Secure Connect-<Regional DC> hubs described above from the Site-to-Site VPN page will cause inconsistencies in the Sites page. The simplest and correct way to remove a Meraki SD-WAN branch network (spoke) from a region is to go to the Secure Connect > Identities & Connections > Sites page, select the particular Meraki branch site, and detach it from the region.
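The two rules above (keep both DCs of the assigned region as hubs, and only swap priorities within that region's pair) are easy to violate by hand on the Site-to-Site VPN page. The following is an added consistency check, not Meraki code or any dashboard API: it assumes a simple data model of each site's hub list in priority order, hubs named "Secure Connect-<Regional DC>" as on the dashboard, and a region-to-DC map where US West (Los Angeles, Palo Alto) comes from this document and "Example Region" is a constructed placeholder.

```python
"""Consistency check for Secure Connect hub priorities (added illustration;
assumed data model, not Meraki code or a Meraki API)."""
from dataclasses import dataclass

# Secure Connect hubs appear on the Site-to-Site VPN page with this prefix.
HUB_PREFIX = "Secure Connect-"

# Region -> DC pair. US West is from the documentation; "Example Region"
# and its DC names are constructed placeholders for illustration only.
REGION_DCS = {
    "US West": ("Los Angeles", "Palo Alto"),
    "Example Region": ("Example DC 1", "Example DC 2"),
}


@dataclass
class SiteHubs:
    site: str              # Meraki network name
    assigned_region: str   # region chosen on the Secure Connect Sites page
    hubs: list             # hub names in priority order, index 0 = primary


def secure_connect_dcs(hubs):
    """Return the regional DC names of the Secure Connect hubs, in priority order."""
    return [h[len(HUB_PREFIX):] for h in hubs if h.startswith(HUB_PREFIX)]


def check_site(site: SiteHubs):
    """Return a list of findings (empty list means the site is consistent).

    Rule 1: both DCs of the assigned region must still be present as hubs;
            deleting them on the VPN page breaks the Sites page (detach via
            the Sites page instead).
    Rule 2: the primary/secondary Secure Connect hubs must both belong to the
            assigned region's DC pair; shuffles must not pull in another region.
    """
    findings = []
    expected = set(REGION_DCS[site.assigned_region])
    present = secure_connect_dcs(site.hubs)
    missing = expected - set(present)
    if missing:
        findings.append(f"{site.site}: missing Secure Connect hub(s) {sorted(missing)}; "
                        "detach the site from the Sites page instead of deleting hubs")
    foreign = [dc for dc in present[:2] if dc not in expected]
    if foreign:
        findings.append(f"{site.site}: primary/secondary include DC(s) {foreign} "
                        f"outside the assigned region {site.assigned_region}")
    return findings
```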

Configuring Security Policies

Secure Connect allows Foundation customers to configure, control, and manage all their Cisco Umbrella security policies. Cloud Firewall rules can govern both Internet and Private communication within the cloud fabric.  DNS, Web, and other Cisco Umbrella policies are only related to Internet-based traffic.  Please review the policy documents for more details.
