Information for Users in China
Overview
Cisco Meraki is investing significant resources into launching a China service to better serve our customers who are located in or have devices deployed in mainland China. Meraki deployed the China service in early 2018, supported exclusively by datacenters located within mainland China (“China Service”). It is strongly advised that customers with Meraki devices deployed within mainland China take steps to ensure that their devices are moved to the China Service.
Customers can select the China region when creating new Dashboard organizations. In order to comply with Chinese law and to accommodate certain technical challenges, there will be some differences between the normal Dashboard and the China Dashboard experience.
Cross-border Service Availability
Prior to the launch of the China Service in early 2018, Meraki devices that are currently deployed in mainland China will communicate via a cross-border connection with existing Meraki services. This communication is inherently cross-border, as these Meraki devices in mainland China will be sending data to the Meraki services in North America, South America, Europe, and/or Asia, depending upon the region that was selected at sign-up.
- These cross-border data connections are sometimes unstable for reasons that are beyond Meraki's control. As such, some devices that are located within mainland China but connect to the Meraki services in the North America, South America, Europe, or Asia region may experience issues connecting to the Meraki services and/or may lose connectivity to them.
- Cross-border data connections are subject to Chinese law, which may change.
To mitigate any issues that may arise from using a cross-border connection to the Meraki services, it is strongly advised that Meraki users take action to ensure that their Meraki devices in mainland China are placed onto Meraki's China Service / Dashboard.
Customer-established Cross-border Data Connections
- Meraki is a provider of tools for users to create VPN tunnels. Some uses of VPN are prohibited in China, so customers are advised to seek independent legal advice on the legality of VPN networks they intend to create or use. Any VPN that involves a cross-border connection is subject to the impact of China’s regulations and network traffic handling.
- In addition, please note that Cisco Meraki may be unable to successfully resolve issues and service interruptions that arise due to China’s network conditions, unexpected changes to Chinese law, and actions of Chinese regulators.
Creating Organizations in the China Service
The China Service dashboard is currently live at dashboard.meraki.cn. Users can create an account for their new China Organizations on this page.
Migrating Existing Organizations, Networks, or Devices to the China Service
Create an organization in the China Service, then manually move all devices to this new organization. All configuration settings will need to be manually recreated. To have Meraki Support assist with moving licenses between these organizations, open a support case.
NOTE: The following services and products are not supported in the China service:
- SM
- MG
- MV
- MI
Unsupported Features in China
The following features are not supported for devices that are configured in the China service:
- HTTP proxy for cloud communication
- Configuration fetch using HTTP (devices must use HTTPS for configuration fetch)
- MX Advanced Security license: Does not offer AMP on China Dashboard. Content filtering in China is supported in both “top sites” mode and “full list” mode, just as in other regions. See the content filtering documentation for more details. In full list mode, the MX has to perform a lookup against a cloud-hosted database outside of China, which will introduce some latency on the order of a few seconds.
Note that these services are subject to change.
Minimum Product Firmware Builds in China
Note: While the listed minimum versions are the lowest supported versions, it is recommended for all nodes to be on the latest stable beta release. This can be done using the Firmware Upgrade Manager.
In order for certain features to work as expected, the following minimum product firmware versions should be used for nodes hosted in China:
- MR: 25-9
- MX: 13-29
- MS: 9-36
Firewall Allow list Requirements for Cloud Connectivity
Please note that the standard firewall allow list requirements for cloud connectivity vary slightly for China. The requirements can be found on the Firewall info page for China.
For networks in China, Google's 8.8.8.8 targets (ICMP & UDP) for the MX connection monitor are no longer necessary, leaving just 209.206.48.0/20, which contains our ICMP connectivity target used for monitoring the connectivity status of an MX device. As such, 8.8.8.8 will not be a required ICMP destination for connectivity testing in China.
Considerations for Multinational Companies in China
You can learn more about deploying an Auto VPN connection between China and businesses outside China in our China Auto VPN article.
Integrate China Org to International Network
- Mainland China Meraki devices have to be in a separate Organization on the China Dashboard (hosted in the China Meraki Data Center). The China Dashboard is completely separate from the Global Dashboard for compliance reasons.
- At least 1 MX must be nominated as the Gateway from the China and non-China Organizations.
  - That MX is special: it is the hub MX that should be concentrating traffic from all of the spokes. This should be a high-end, high-capacity MX connected to a high-bandwidth, high-reliability circuit.
  - Furthermore, if spoke A in China would like to reach spoke B in China, it would do so through the hub MX in China.
- Connect the MPLS link of the China organizations to the MX LAN interfaces at both ends.
  - Several designs are possible; it will usually be more complicated than that.
  - What we essentially need is a private line connection between the two data centers.
  - The routes can be static but can also be dynamic.
- Use static routes to point to the China and non-China Organizations through the MPLS.
Cross Border Connection Considerations
For an enterprise to achieve a cross-border network connection:
- Option A: The enterprise can directly lease international dedicated lines from the 3 Chinese telecom carriers (China Telecom, China Mobile, China Unicom) in China, and enable VPN either with its own equipment or the telecom carrier’s VPN services to connect the corporate network.
- Option B: The enterprise can directly delegate a foreign telecom carrier with a presence in China to rent the international dedicated line (including VPN) from the 3 Chinese telecom carriers, and connect the corporate private network and equipment.
The above cross-border connection method (A or B) must be used only for internal data exchange and office use.
Current as of 3 February 2018, subject to further regulatory developments
Frequently Asked Questions
Are free trials for products available in China?
Free trials of Cisco Meraki products are not currently available in China. Customers may not claim a free trial on any Dashboard Organization set up on the Cisco Meraki China cloud. A demo loan program is available as a potential alternative; interested customers can speak with their Meraki sales rep for more information.
Are normal Meraki Admin accounts shared with China admin accounts? Can I see my China Organizations and Non-China Organizations on the same dashboard/logged into the same account?
No. The accounts created on the China dashboard are totally separate from non-China accounts and do not cross over or share any information or org membership information.