Cisco Meraki

Meraki Device-to-Cloud Connectivity - FIPS

Meraki is updating its device-to-cloud connectivity to an architecture that was crafted from the ground up to provide even greater security and simplicity for connectivity. This connectivity is available as a beta feature and is currently available on devices that meet certain firmware requirements, noted below in the Supported Firmware/Models section.

This re-architecture utilizes the latest in tools and development practices, the result of which will improve the security, performance, management, scalability, and resiliency of Meraki's cloud infrastructure. 

For users, there are multiple benefits:

  • Simpler firewall configuration - Only requires one firewall policy: Allow access to 209.206.48.0/20 over HTTPS port 443 (for the commercial cluster).

  • Security - TLS implementation via CiscoSSL library. 

  • FIPS 140-2 validation - A validation level required for the federal market and other compliance standards.

  • Scale and performance - Overall enhanced cloud-connectivity experience.

Certifications

Please refer to Cisco's Global Government Certifications - FIPS 140 landing page, where the following Cisco Meraki product certificates are available:

What to Expect

Actions required: Meraki devices using this device-to-cloud connectivity method will require TCP port 443 to be open on any upstream firewalls. Please note this does not mean that previously used ports (UDP ports 7734 and 7351) should be closed, as access requirements may vary by product and firmware build.

User experience: As Meraki device-to-cloud connectivity is a re-architecture of the device-cloud-server communications, very little will change in terms of the end-user interface. General usage activity, given how the device-cloud communication works, should remain the same. There are no UI components of device-to-cloud connectivity that differ from before, other than the different open ports/protocol noted as required for cloud connectivity on the Help > Firewall page.

How to Determine your Connection Version

Any device running a supported firmware version or higher (listed below) will run this device-to-cloud connectivity method by default. In the event that a device is unable to connect using this connection method (over TCP port 443), the device's firmware reverts to the device's previously used firmware version, which will continue using the older connection method (UDP ports 7734 and 7351).

To verify which connection your devices are using, you can refer to the Help > Firewall Rules page in your dashboard, which displays dynamically based on your network's devices and required connections. From here, you can determine which device types are using which connection. For more information on this page, see the document, Upstream Firewall Rules for Cloud Connectivity.

Supported Firmware/Models

This device-to-cloud connectivity option is currently only publicly available on the MX and MR models included in the "Supported Models" list. They must also be running MX 16.4 or higher (for MX) or MR 28.1 or higher (for MR).

Supported Firmware

  • MX - Public beta: MX 16.4 or higher

  • MR (All Wi-Fi 6 APs only) - Public beta: MR 28.1 or higher

  • MS - Not yet supported

  • Other lines - Not yet supported

Technical Details

Encryption

Device-to-cloud connectivity uses TLS 1.2 with AES-256 for encryption and utilizes FIPS validated cryptography. It enforces mutual TLS and requires the client to use FIPS 140-2 approved algorithms.

Cloud Connectivity

Updated Meraki cloud communication 

  • Device-to-cloud connectivity now communicates via TCP port 443. This is helpful with upstream firewall configurations, as most firewalls that Meraki's devices are behind already allow connections to port 443.

  • Compared to before, this device-to-cloud connectivity method does not utilize ports 7734 and 7351. This includes config, list, and firmware fetches.

Firewall rules required 

All devices utilizing this device-to-cloud connectivity method require a single firewall rule to allow Meraki cloud communication:

Allow outbound connections to destination 209.206.48.0/20 on TCP port 443
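
As an added example (not Meraki's own code), the check below runs the connectivity patterns described in this article and in the How to Determine your Connection Version section over constructed upstream-firewall log lines: per source device it reports whether the new TCP 443 method or the legacy UDP 7734/7351 method is in use, and flags devices whose TCP 443 attempt to 209.206.48.0/20 was denied upstream, which is the condition under which a device falls back to the older method. The log line format and device addresses are assumptions constructed for the example.

```python
# Added example (not Meraki's own code): classify constructed firewall log lines by cloud-connectivity method.
import ipaddress
from collections import defaultdict

MERAKI_CLOUD = ipaddress.ip_network("209.206.48.0/20")  # commercial cluster (from the article)
NEW_METHOD = ("tcp", 443)                                 # TLS over TCP 443
LEGACY_PORTS = {7734, 7351}                               # older UDP-based connectivity
# Constructed sample log: "<src_ip> <proto> <dst_ip> <dst_port> <action>" (not a real Meraki format)
SAMPLE_LOG = """\
10.0.1.10 tcp 209.206.50.12 443 allow
10.0.1.11 udp 209.206.49.7 7734 allow
10.0.1.11 udp 209.206.49.7 7351 allow
10.0.1.12 tcp 209.206.55.3 443 deny
10.0.1.12 udp 209.206.49.7 7734 allow
10.0.1.13 tcp 198.51.100.9 443 allow
"""

def parse_line(line):
    src, proto, dst, port, action = line.split()
    return src, proto.lower(), ipaddress.ip_address(dst), int(port), action.lower()

def classify_flow(proto, dst, port):
    """Label a flow against the connectivity patterns the article describes."""
    if dst not in MERAKI_CLOUD:
        return "not-meraki-cloud"
    if (proto, port) == NEW_METHOD:
        return "new-tcp443"
    if proto == "udp" and port in LEGACY_PORTS:
        return "legacy-udp"
    return "unexpected"

def connection_report(log_text):
    """Per source device: method in use, and whether TCP 443 to the cloud was denied upstream."""
    labels = defaultdict(set)   # src -> labels of allowed Meraki-cloud flows
    blocked_443 = set()         # devices whose TCP 443 attempt hit a deny rule
    for line in log_text.strip().splitlines():
        src, proto, dst, port, action = parse_line(line)
        label = classify_flow(proto, dst, port)
        if label == "not-meraki-cloud":
            continue
        if action == "deny":
            if label == "new-tcp443":
                blocked_443.add(src)
            continue
        labels[src].add(label)
    report = {}
    for src, seen in labels.items():
        method = next((m for m in ("new-tcp443", "legacy-udp", "unexpected") if m in seen), None)
        report[src] = {"method": method, "tcp443_blocked": src in blocked_443}
    return report
```

A device that appears with `tcp443_blocked` set to True and `legacy-udp` as its method is one whose upstream firewall still lacks the single TCP 443 rule above.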