Organizations are shifting their network landscape by moving on-prem applications to the public or private cloud. Previously all traffic was backhauled through data centers, but now almost 80% of traffic is routed directly to the internet. Securing a network edge has always been complex and with this change in network infrastructure, it became even more difficult to manage and secure an entire organization.
Secure Access Service Edge (SASE) is the convergence of Network as a Service and Security as a Service within a unified, cloud-delivered platform. Cisco+ Secure Connect is Cisco’s unified SASE solution with an integrated remote access capability, a cloud-managed network delivered through the Cisco Meraki cloud, and centralized cloud-managed security powered by Cisco Umbrella. This unified full-stack SASE solution is one of a kind, delivering complete end-to-end control, connectivity, security and policy management for remote users, branches, and private applications.
This deployment guide outlines how to integrate your Meraki Secure SD-WAN fabric with the Cisco+ Secure Connect solution and manage both remote worker and SD-WAN branch network connectivity and security from the Cisco+ Secure Connect cloud dashboard. It covers:
1. Managing and interconnecting branches using the Cisco+ Secure Connect fabric.
2. Connectivity from branches to private applications deployed in remote branches or in public or private clouds using the same fabric.
3. Establishing connectivity between remote users and branches (with private applications) located globally.
4. Inspecting and securing all internet-bound traffic (both remote user and branch) from a single cloud-delivered platform.
Onboarding - Getting your Cisco+ Secure Connect Dashboard
To begin, you first need to integrate Cisco Meraki and Cisco Umbrella management together for a seamless experience. For further instructions, see Cisco+ Secure Connect Onboarding.
Enrolling Meraki SDWAN Sites to Cisco+ Secure Connect Regions
After successfully onboarding your organization to Cisco+ Secure Connect, follow the remote user setup guide to connect your remote users.
Integrating Meraki SD-WAN branches into the Cisco+ Secure Connect fabric is a simple automated process: select the Meraki branches and connect them to the available Cisco+ Secure Connect regions. The entire flow is automated and establishes a secure interconnect between Meraki SD-WAN branches, remote users, and private applications hosted in a public or private cloud connected to Cisco+ Secure Connect.
The following highlights the step-by-step workflow to connect Meraki SDWAN branches to Cisco+ Secure Connect regions.
The enhanced Meraki Secure SDWAN Sites integration with Cisco+ Secure Connect is a more efficient solution that introduces more streamlined connectivity to Cisco+ Secure Connect cloud regions, offering higher bandwidth that scales dynamically (up to ~500 Mbps) per Meraki branch site. This solution is in beta and currently available with Cisco+ Secure Connect; to enable it explicitly on your Cisco+ Secure Connect org, please reach out to Secure Connect support or the associated account/sales team.
Starting the Site-Enrollment workflow
Click on Secure Connect → Under Monitor → Sites
Meraki branch networks are known as “Sites”. We are introducing our next-gen SDWAN traffic acquisition, which terminates the AutoVPN of each Meraki SDWAN branch in its associated Cisco+ Secure Connect region. Meraki SDWAN branches are enrolled in these regions through the ‘Sites’ page.
Connecting Meraki SDWAN Branches to Cisco+ Secure Connect Regions
This next-gen solution for Meraki SDWAN integration with Cisco+ Secure Connect introduces a simplified notion of connecting to an SDWAN Traffic Acquisition cloud region. Instead of deploying a new connector, attaching only a limited set of Meraki branches to it, and then juggling the number of connector deployments to scale bandwidth horizontally, the Meraki SDWAN Traffic Acquisition solution scales bandwidth dynamically per Meraki SDWAN branch. Connecting SDWAN branches to Cisco+ Secure Connect is reduced to selecting all branches and connecting them to the closest region.
Click on > Connect Meraki Networks
Meraki SD-WAN branch sites build Auto VPN tunnels to the Cisco+ Secure Connect fabric through an intermediate SDWAN Traffic Acquisition region. Multiple Meraki SD-WAN branch sites can connect to the same Cisco+ Secure Connect Region.
Next Step > Select all the Meraki SDWAN networks to assign to a Cisco+ Secure Connect region from the list of available networks.
Choose the region from the drop-down that best geo-fits the selected networks: Click on > Assign to Region > Select Region.
After clicking Next -> Observe that all selected networks move from the Unassigned tab to the Assigned tab.
There is no hard limit on the number of Meraki SDWAN sites that can be connected to a Cisco+ Secure Connect Region. For example, if your organization has 200 Meraki SDWAN sites that need to be connected to the US West region, you can bulk-select all 200 Sites and assign them to the US West region.
Bandwidth allocation is dynamic per Meraki SDWAN site requirement, so each site is able to consume its respective required bandwidth. The throughput or bandwidth consumption per site through the Cisco+ Secure Connect SIG is directly linked to the overall bandwidth supported by Umbrella SIG.
After clicking Next -> Click on Finish and Save to confirm the integration of the SDWAN sites with the chosen regions.
After clicking Finish and Save -> The Alerts window shows the progress.
Do not refresh the page until you see a green check mark with the "Sites successfully configured" state.
This successfully integrates all the selected Meraki SDWAN Sites to the assigned Cisco+ Secure Connect SDWAN Traffic Acquisition regions.
Option to detach your assigned Meraki SDWAN Site from a Cisco+ Secure Connect Region
Meraki SDWAN sites that are already assigned to a region can be detached from the Cisco+ Secure Connect region.
Go to the Sites page > Select from the list the Meraki SDWAN Sites that need to be detached from Cisco+ Secure Connect > Click on ‘Detach Sites from Secure Connect’ > Confirm Detach in the confirmation pop-up.
Similarly, to move already assigned sites from one region to another, use the same flow, but instead of ‘Detach’ > Click on ‘Change Region’ and select the required region from the drop-down.
This completes the Sites enrollment to Cisco+ Secure Connect regions and detachment of Sites from those regions.
Due to the default Meraki Auto-VPN hub-to-hub routing design, all VPN hubs in an organization automatically tunnel to all other hubs in the organization. This behavior is different for Cisco+ Secure Connect regions: Meraki hubs in the organization that are not Secure Connect Sites will not tunnel to Cisco+ Secure Connect regions, and Meraki hub traffic will not be default-routed to Cisco+ Secure Connect.
To add private apps behind Hubs (or branch Sites configured as Hubs) to the Secure Connect Sites, the recommendation is to change the Hubs to Spokes and then connect the spoke site to the desired Cisco+ Secure Connect region following the flow above. Alternatively, reach out to your SE counterpart or Support to enable hub-to-hub routing organization-wide.
Note: Enabling hub-to-hub routing organization-wide creates a mesh between all the Meraki hubs and the Cisco+ Secure Connect regions, thereby introducing a default route to the Cisco+ Secure Connect regions for all Meraki Hub traffic.
Choosing your primary data center priority within the connected Cisco+ Secure Connect region
Cisco+ Secure Connect regions are built from data centers; each region has its own set of available DCs. Connecting to a particular Secure Connect (SC) region assigns 2 DCs from that region as primary and secondary hubs to the connected branches.
If a particular site needs these assigned primary/secondary DC priorities swapped:
Select the Meraki site network > Go to Security & SDWAN -> Site-to-Site VPN -> Change the assigned Secure Connect <DC> hub priority.
Removing the Secure Connect-<Regional DC> hubs from the Site-to-Site VPN page will cause inconsistencies in the Sites page. The simplest and correct way to remove a Meraki SDWAN branch network (spoke) from a region is to go to Sites > Select the particular branch network > Detach from the region.
Recommendation for deployments
The primary selected Cisco+ Secure Connect Region DC hub is the active hub to which all spoke traffic is routed. The second hub in the pair becomes active only when the first one goes offline.
Connecting a Meraki SDWAN spoke site to a Cisco+ Secure Connect region creates 2 Auto VPN tunnels to the corresponding DC pair, with primary and secondary DC hubs assigned automatically.
Once the Meraki SDWAN branch sites are connected and the Auto VPN connection to the Secure Connect regions is established, the integration of the Meraki SD-WAN branch networks into the Cisco+ Secure Connect fabric is complete.
All Meraki SD-WAN branch sites onboarded to Cisco+ Secure Connect can be monitored from the Sites page for connectivity issues. On the Sites page, hovering over the connectivity bar of any site in the list of onboarded networks gives complete details (including date and time) on the connectivity status of that branch site.
Click on each Site > Observe the side drawer for that Site pop up.
Clicking on any onboarded SD-WAN branch Site displays a side drawer for that site. This side drawer gives the following details:
- The Meraki MX device info for that Site and a link to the "Appliance Status" page for device-based configuration, status and troubleshooting information.
- The list of local networks with their associated subnets and a link to the Site-to-Site VPN page, where you can choose which subnets need VPN enabled so that their traffic passes through the Auto VPN tunnel.
- Information on the Cisco+ Secure Connect region and its connectivity status.
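The following is an added example, not part of this guide or of Cisco's tooling. It audits the per-site Site-to-Site VPN state described in the hub priority section and in the side drawer details above: each Secure Connect site should be a spoke with a primary/secondary Secure Connect DC pair (primary first) and at least one local subnet with VPN enabled. The sample data is constructed to mirror the shape of a Meraki site-to-site VPN settings object (mode, hubs, subnets); the hub names are placeholders and the field layout is an assumption.

```python
# Constructed sample sites, shaped like a Meraki site-to-site VPN settings
# object (assumed layout: mode / hubs[hubId, useDefaultRoute] /
# subnets[localSubnet, useVpn]). Hub names are placeholders, not real DC ids.
SAMPLE_SITES = {
    "Branch-A": {  # healthy: spoke with a Secure Connect DC pair
        "mode": "spoke",
        "hubs": [
            {"hubId": "Secure Connect-<DC1>", "useDefaultRoute": True},
            {"hubId": "Secure Connect-<DC2>", "useDefaultRoute": True},
        ],
        "subnets": [
            {"localSubnet": "10.10.0.0/24", "useVpn": True},
            {"localSubnet": "192.168.128.0/24", "useVpn": False},
        ],
    },
    "Branch-B": {  # a hub site: it will not tunnel to Secure Connect regions
        "mode": "hub",
        "hubs": [],
        "subnets": [{"localSubnet": "10.20.0.0/24", "useVpn": True}],
    },
    "Branch-C": {  # one DC hub removed by hand: inconsistent with Sites page
        "mode": "spoke",
        "hubs": [{"hubId": "Secure Connect-<DC1>", "useDefaultRoute": True}],
        "subnets": [{"localSubnet": "10.30.0.0/24", "useVpn": True}],
    },
}

SC_PREFIX = "Secure Connect-"  # naming convention used in the guide


def primary_dc(cfg):
    """Hub at list position 0 carries the spoke traffic; position 1 is standby."""
    return cfg["hubs"][0]["hubId"] if cfg["hubs"] else None


def audit_site(name, cfg):
    """Return a list of findings for one site; an empty list means healthy."""
    findings = []
    if cfg["mode"] != "spoke":
        findings.append(f"{name}: mode '{cfg['mode']}' does not tunnel to Secure Connect; convert to spoke")
        return findings
    sc_hubs = [h["hubId"] for h in cfg["hubs"] if h["hubId"].startswith(SC_PREFIX)]
    if len(sc_hubs) != 2:
        findings.append(f"{name}: expected a primary/secondary Secure Connect DC pair, found {len(sc_hubs)}")
    if cfg["hubs"] and not primary_dc(cfg).startswith(SC_PREFIX):
        findings.append(f"{name}: primary hub '{primary_dc(cfg)}' is not a Secure Connect DC")
    if not any(s["useVpn"] for s in cfg["subnets"]):
        findings.append(f"{name}: no local subnet has VPN enabled; nothing traverses the Auto VPN tunnel")
    return findings


def audit_all(sites):
    """Map site name -> findings for every site in the dictionary."""
    return {name: audit_site(name, cfg) for name, cfg in sites.items()}
```

Run `audit_all(SAMPLE_SITES)` to see Branch-A pass while Branch-B and Branch-C each produce one finding.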