This next-generation integration of Meraki SD-WAN with Cisco Secure Connect introduces a simpler model: each Meraki SD-WAN branch connects directly to a Meraki SD-WAN Traffic Acquisition cloud region. Instead of deploying an Umbrella SIG connector, attaching only a limited set of Meraki branches to it, and adding more connectors to scale bandwidth horizontally, the Meraki SD-WAN Traffic Acquisition solution scales bandwidth dynamically per Meraki SD-WAN branch. Connecting branches to Secure Connect is reduced to selecting the branches and assigning them to the closest region.
This deployment guide outlines how to integrate your Meraki Secure SD-WAN fabric with the Secure Connect solution and manage both Remote Worker and SD-WAN branch connectivity and security from the Secure Connect cloud dashboard. It covers:
- Managing and interconnecting branch-to-branch traffic over the Secure Connect fabric.
- Connectivity from a branch to private applications deployed in remote branches or in public or private clouds, using the same fabric.
- Connectivity between remote users and branches (with private applications) located anywhere in the world.
- Inspecting and securing all internet-bound traffic (both remote user and branch) from a single cloud-delivered platform.
Onboarding - Getting your Secure Connect Dashboard
To begin, you'll first need to integrate Cisco Meraki and Cisco Umbrella management together for a seamless experience. For further instructions, see Secure Connect Onboarding.
After onboarding your organization to Secure Connect, follow the remote user setup guide to connect your remote users.
Plan Before You Start
Before you start, we recommend that you read through the sections of our documentation in full and review the following information:
- The Meraki SD-WAN branches will be enrolled in Secure Connect's enhanced cloud traffic acquisition.
- The local network subnets of the Meraki SD-WAN branches will be announced to Secure Connect.
- Access between Meraki SD-WAN branch networks, and from branches to Private Applications and Networks, is governed by access policies; branch-to-branch communication is blocked by default. For more information, see Manage Firewall Policies and Creating Access Policies for Private Applications and Networks.
Enroll Meraki SD-WAN Sites to Secure Connect Regions
Integrating Meraki SD-WAN branches into the Secure Connect fabric is an automated process: you select the Meraki branches and connect them to the available Secure Connect regions. The workflow then establishes a secure interconnect between the Meraki SD-WAN branches, Remote Users, and Private Applications hosted in public or private clouds connected to Secure Connect.
The following sections describe the step-by-step workflow for connecting Meraki SD-WAN branches to Secure Connect regions.
The Enhanced Meraki Secure SD-WAN Sites integration to Secure Connect is a more efficient solution that provides streamlined connectivity to Secure Connect cloud regions with higher bandwidth, scaling dynamically (up to ~500 Mbps) per Meraki branch site.
Bandwidth is allocated dynamically according to each Meraki SD-WAN branch site's requirement, so each site consumes the bandwidth it needs. The throughput available to a site through the Secure Connect SIG is bounded by the overall bandwidth supported by Umbrella SIG.
There is no hard limit on the number of Meraki SD-WAN branch sites that can be connected to a Secure Connect region. For example, if your organization has 200 sites that need to connect to the US West region, you can bulk-select all 200 sites and assign them to the US West region.
This solution is now available in all regions enabled with Secure Connect. All new Secure Connect customers will automatically have this enhanced traffic acquisition capability. For existing Secure Connect customers who haven't been migrated to this enhanced traffic acquisition capability, please reach out to your Cisco account team to have this migration done.
Start the Site-Enrollment Workflow
Meraki branch networks are known as Sites. The next-generation SD-WAN traffic acquisition terminates each Meraki SD-WAN branch's Auto VPN in its assigned Secure Connect region. Meraki SD-WAN branch sites are enrolled in these regions from the Secure Connect Sites page.
In the Secure Connect dashboard, access the Sites page by navigating to Secure Connect > Identities & Connections > click Sites.
Connect Meraki SD-WAN Branches to Secure Connect Regions
The Meraki SD-WAN branch sites use Auto VPN to connect to the Secure Connect fabric through an intermediate SD-WAN Traffic Acquisition region. Multiple Meraki SD-WAN branch sites can connect to a desired Secure Connect Region.
- From the Sites page > click Connect Meraki Networks
- Assign region to the onboard network — from the Connect Meraki networks > select the Unassigned Meraki SD-WAN branch sites > click Assign to Region > select a specific Secure Connect region to assign to the Meraki SD-WAN branch sites.
Note that a Meraki SD-WAN network configured as a hub network is not listed under the Unassigned tab. To enroll such a network in the Secure Connect fabric, its Site-to-Site VPN must first be disabled under Security & SD-WAN > Configure > Site-to-Site VPN.
The number of selected sites is shown under the Assigned tab. Click Next to proceed to the Review and Confirm step.
- Review and Confirm — click Finish and Save to confirm the integration of SD-WAN sites to the selected region.
Do not refresh the page until you see the green check mark with the sites successfully configured. The successfully configured sites are listed under the Sites panel.
Select Local Networks announced to Secure Connect
- From the Sites page > click the site name (not its checkbox) to open the site details panel > Local networks > click the Enable or disable Meraki network subnets link. This opens the Security & SD-WAN > Configure > Site-to-Site VPN page of the selected site.
- On the site's Site-to-Site VPN configuration page > VPN Settings > set VPN mode to Enabled for each subnet to be announced to Secure Connect over Auto VPN, then click Save > Confirm Changes.
Local networks that are not enabled for VPN send their default internet traffic out the site's local upstream WAN connection instead of to the configured Secure Connect region. Those local networks also cannot communicate with other Secure Connect sites or with Remote Access clients.
This step configures VPN Settings for the Meraki SD-WAN branch sites only. Do NOT change anything on the Site-to-Site VPN page of the Secure Connect region networks or Umbrella SIG connector networks that appear as HUB networks in the Meraki dashboard: doing so removes any currently configured Organization-wide settings > Non-Meraki VPN peers.
This successfully integrates all the selected Meraki SD-WAN Sites to the assigned Secure Connect SD-WAN Traffic Acquisition regions.
By default, Meraki Auto VPN hub-to-hub routing makes every VPN hub in an organization tunnel to every other hub. Secure Connect regions are an exception: Meraki SD-WAN hubs in the organization that are not enrolled as Secure Connect Sites do not tunnel to Secure Connect regions, and hub traffic is not defaulted to Secure Connect.
All Meraki SD-WAN branch networks connected to Secure Connect receive a default route to Secure Connect. This supports the unified use case of secure internet access plus private access for the Meraki SD-WAN integration.
To add Private Apps hosted behind Hubs, or behind branch sites configured as Hubs, to the Secure Connect Sites, the recommendation is to change those Hubs to Spokes and then connect the spoke site to the desired Secure Connect region using the flow above.
Note: Enabling hub-to-hub routing organization-wide would mesh all Meraki SD-WAN hubs with the Secure Connect regions and thereby introduce a default route to Secure Connect for all Meraki SD-WAN hub traffic. This configuration is NOT SUPPORTED today.
Do not change any configuration on the deployed Secure Connect headend regional network HUBs. Traffic shaping settings on the Security & SD-WAN > SD-WAN & traffic shaping page have no effect on traffic passing through a Secure Connect regional HUB.
Create Access Policies for Private Applications and Networks
By default, branch-to-branch communication is blocked by the Default Private network access policy. To allow specific branch-to-branch communication, see Manage Firewall Policies and Creating Access Policies for Private Applications and Networks for the steps to configure the Private Applications and Networks policies your deployment requires.
Detach Meraki SD-WAN Sites from the Secure Connect Region or Change Region of Sites
- From the Secure Connect > Identities and Connections > Sites page, select the Meraki SD-WAN Sites to be detached from the Sites list > click Detach Sites from Secure Connect. To move the sites to a different region instead, click Change Region.
- In the popup window > review the sites to be detached from Secure Connect > click Detach to confirm.
- Check the Alert panel and wait until the sites show a green check mark indicating they were successfully detached or reconfigured.
Do not refresh the Sites page while the system is updating the sites.
Choose the Primary Data Center Priority within the connected Secure Connect Region
Secure Connect regions are built from data centers (DCs), and each region has its own set of available DCs. Connecting a branch site to a Secure Connect region assigns two DCs from that region to the site as its primary and secondary hubs.
Recommendation for deployments
The primary Secure Connect region DC hub is the active hub through which all of the spoke's traffic is routed. The secondary DC hub in the pair becomes active only when the primary goes offline.
Connecting a Meraki SD-WAN spoke site to a Secure Connect region creates two Auto VPN tunnels to the corresponding DC pair, with the primary and secondary DC hubs assigned automatically.
If a particular site needs the assigned primary/secondary DC priorities swapped, follow these steps:
- Go to the Meraki site network needed to have the hub priorities shuffled.
- From the Meraki site network, navigate to Security & SD-WAN > Site-to-Site VPN > Hubs section, then use the four-arrow move icon in the Actions column to drag a hub up or down and change the hub priorities.
- Click Save to confirm the changes.
Removing the Secure Connect-<Regional DC> hubs from the Site-to-Site VPN page causes inconsistencies on the Sites page. The correct way to remove a Meraki SD-WAN branch network (spoke) from a region is to go to the Sites page > select the Meraki branch site > detach it from the region. See Detach Meraki SD-WAN Sites from the Secure Connect Region or Change Region of Sites for more information.
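The two Site-to-Site VPN edits described in this guide, enabling local subnets for VPN (Select Local Networks announced to Secure Connect) and reordering the primary/secondary DC hubs (this section), can also be scripted against the Meraki Dashboard API v1 resource GET/PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn. The following Python is an added example, not code from Cisco, Meraki or this page, that builds the PUT body with the page's warnings encoded as checks: it refuses to touch hub-mode networks, only enables subnets the MX already owns, and only reorders hubs, never removing a Secure Connect hub. The endpoint, body shape and API-key header are the documented Meraki Dashboard API ones; the "Secure Connect-" hub name prefix is assumed from the page's "Secure Connect-<Regional DC>" naming, and the sample hub IDs, subnets and names are constructed.

```python
"""Plan and push a spoke's Site-to-Site VPN change via the Meraki Dashboard API v1.

Resource: GET/PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn
Body:     {"mode": "spoke", "hubs": [{"hubId", "useDefaultRoute"}],
           "subnets": [{"localSubnet", "useVpn"}]}
Added example; not Cisco/Meraki code.
"""
import ipaddress
import json
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"
SC_HUB_PREFIX = "Secure Connect-"  # assumption: region hubs are named "Secure Connect-<Regional DC>"


class SpokeVpnPlanError(ValueError):
    """A requested change would violate one of the guard rails."""


def _net(cidr):
    """Normalise a CIDR so '10.1.20.0/24' and '10.1.20.0/255.255.255.0' compare equal."""
    return str(ipaddress.ip_network(cidr))


def plan_spoke_vpn_update(current, hub_names, enable_subnets=(), primary_hub_id=None):
    """Return a new PUT body for a spoke, leaving `current` untouched.

    current        -- JSON from GET .../siteToSiteVpn for the branch network
    hub_names      -- {networkId: name} for hub networks (from GET /organizations/{id}/networks)
    enable_subnets -- local subnets whose useVpn should become True
    primary_hub_id -- hub to move to the top of the priority list (the active DC)
    """
    if current.get("mode") != "spoke":
        raise SpokeVpnPlanError(
            "refusing to edit a non-spoke network: do not change Site-to-Site VPN on hubs")
    hubs = [dict(h) for h in current.get("hubs", [])]
    sc_hubs = [h["hubId"] for h in hubs
               if hub_names.get(h["hubId"], "").startswith(SC_HUB_PREFIX)]
    if not sc_hubs:
        raise SpokeVpnPlanError(
            "no Secure Connect region hub attached; enroll the site from the Sites page first")

    wanted = {_net(s) for s in enable_subnets}
    known = {_net(s["localSubnet"]) for s in current.get("subnets", [])}
    unknown = wanted - known
    if unknown:
        raise SpokeVpnPlanError(f"not local subnets of this MX: {sorted(unknown)}")
    subnets = [{"localSubnet": s["localSubnet"],
                "useVpn": bool(s["useVpn"]) or _net(s["localSubnet"]) in wanted}
               for s in current.get("subnets", [])]

    if primary_hub_id is not None:
        if primary_hub_id not in {h["hubId"] for h in hubs}:
            raise SpokeVpnPlanError(f"{primary_hub_id} is not a hub of this spoke")
        # Stable sort: chosen hub first, remaining hubs keep their relative order.
        hubs.sort(key=lambda h: h["hubId"] != primary_hub_id)

    # Invariant from the guide: hubs are only reordered here, never added or removed.
    assert {h["hubId"] for h in hubs} == {h["hubId"] for h in current.get("hubs", [])}
    return {"mode": "spoke", "hubs": hubs, "subnets": subnets}


def local_only_subnets(plan):
    """Subnets that stay off the VPN: internet via local WAN, unreachable from other sites."""
    return [s["localSubnet"] for s in plan["subnets"] if not s["useVpn"]]


def push_spoke_vpn_update(api_key, network_id, body, dry_run=True):
    """PUT the planned body; with dry_run (default) just return the request that would be sent."""
    url = f"{BASE_URL}/networks/{network_id}/appliance/vpn/siteToSiteVpn"
    if dry_run:
        return {"method": "PUT", "url": url, "body": body}
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # real call, not exercised here
        return json.load(resp)


# Constructed sample: what GET .../siteToSiteVpn might return for an enrolled spoke.
# Hub IDs and names are made up; the "Secure Connect-<Regional DC>" naming follows the guide.
SAMPLE_CURRENT = {
    "mode": "spoke",
    "hubs": [{"hubId": "N_SC_USWEST_DC1", "useDefaultRoute": True},
             {"hubId": "N_SC_USWEST_DC2", "useDefaultRoute": True}],
    "subnets": [{"localSubnet": "10.1.10.0/24", "useVpn": True},
                {"localSubnet": "10.1.20.0/24", "useVpn": False},
                {"localSubnet": "10.1.30.0/24", "useVpn": False}],
}
SAMPLE_HUB_NAMES = {"N_SC_USWEST_DC1": "Secure Connect-US West DC1",
                    "N_SC_USWEST_DC2": "Secure Connect-US West DC2"}

if __name__ == "__main__":
    plan = plan_spoke_vpn_update(SAMPLE_CURRENT, SAMPLE_HUB_NAMES,
                                 enable_subnets=["10.1.20.0/24"],
                                 primary_hub_id="N_SC_USWEST_DC2")
    print(json.dumps(push_spoke_vpn_update("<api-key>", "N_branch", plan), indent=2))
    print("still local-only:", local_only_subnets(plan))
```

The function returns a full body rather than a partial patch because the PUT replaces the whole Site-to-Site VPN configuration: omitting the hubs would drop the Secure Connect hubs, which is exactly the inconsistency the paragraph above warns about. Run it with dry_run=True first and review the returned body before sending it with a real API key.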
Once the Meraki SD-WAN branch sites are connected and their Auto VPN tunnels to the Secure Connect regions are established, the integration of the Meraki SD-WAN branch networks into the Secure Connect fabric is complete.
All Meraki SD-WAN branch sites on-boarded to Secure Connect can be monitored from the Secure Connect > Identities & Connections > Sites page for any connectivity issues.
- On the Sites page, hovering over the connectivity bar of any on-boarded site shows complete details, including the date and time, of that branch site's connectivity status.
- Clicking on any one of the on-boarded Meraki SD-WAN branch sites will display a side drawer for that site. This side drawer will give the following details:
- The Meraki MX device information for that Site and a navigation link to the Security & SD-WAN > Monitor > Appliance Status page for any device-based configuration, status, and troubleshooting information.
- The list of Local Networks with the associated subnets and a navigation link to the Security & SD-WAN > Configure > Site-to-Site VPN page, where you can choose which subnets need to have VPN enabled and traffic passing through the Auto VPN tunnel.
- Information on the Secure Connect region and its connectivity status.
Sometimes the Meraki devices (MS/MR/MV) behind the MX lose connectivity to the Meraki Cloud. This can prevent them from fetching their configuration from the Meraki Cloud or interrupt the MV video stream. In this case, navigate to the Security & SD-WAN > Traffic Shaping page of the impacted network's MX and configure VPN exclusion rules so that the following CIDRs are excluded from the full-tunnel VPN:
- Meraki Cloud Communication
- Meraki MV Camera Streaming Proxy
- Cisco Umbrella DNS