Home > General Administration > Support > Information for Users in China

Information for Users in China

Overview

Cisco Meraki is investing significant resources into launching a China service to better serve our customers who are located in or have devices deployed in mainland China. Meraki deployed the China service in early 2018, supported exclusively by datacenters located within mainland China (“China Service”). It is strongly advised that customers with Meraki devices deployed within mainland China take steps to ensure that their devices are moved to the China Service.
 
Customers are able to select the China region when creating new Dashboard organizations. In order to comply with Chinese law and to accommodate for certain technical challenges, there will be some differences between the normal Dashboard and the China Dashboard experience.

Cross-border Service Availability

Prior to the launch of the China Service in early 2018, Meraki devices that are currently deployed in mainland China will communicate via cross-border connection with existing Meraki services. This communication is inherently a cross-border connection, as these Meraki devices in mainland China will be sending data to the Meraki services in North America, South America, Europe, and/or Asia depending upon the region that was selected at sign-up. 

  • These cross-border data connections are sometimes unstable for reasons that are beyond Meraki's control. As such, some devices located within mainland China, but that are connecting to the Meraki services in the North America, South America, Europe, or Asia region, may experience issues with connecting to the Meraki services and/or may lose connectivity to the Meraki services.  
  • Cross-border data connections are subject to Chinese law, which may change.

In order for users to mitigate any issues that may arise by utilizing a cross-border connection to the Meraki services, it is strongly advised that Meraki users take action to ensure that their Meraki devices in mainland China are placed onto Meraki's China Service / Dashboard.

Customer-established Cross-border Data Connections

  • Meraki is a provider of tools for users to create VPN tunnels.  Some uses of VPN are prohibited in China, so customers are advised to seek independent legal advice on the legality of VPN networks they intend to create or use. Any VPN that involves a cross-border connection is subject to the impact of China’s regulations and network traffic handling.
  • In addition, please note that Cisco Meraki may be unable able to successfully resolve issues and service interruption that arise due to China’s network condition, unexpected changes to Chinese law, and actions of Chinese regulators.

Creating Organizations in the China Service

The China Service dashboard is currently live at dashboard.meraki.cn. Users can create an account for their new China Organizations on this page.

Migrating Existing Organizations, Networks, or Devices to the China Service

Create an organization in the China Service, then manually move all devices to this new organization. All configuration settings will need to be manually recreated. Meraki Support can assist with moving licenses between these organizations by opening a support case. 

NOTE: The following services and products are not supported in the China service:

  • SM
  • MC
  • MV
  • vMX
  • MI
  • MX Advanced Security

Applying Advanced Security Licenses to Organizations in the China Service

In order to comply with Chinese cybersecurity law, Cisco Meraki prohibits the application of Advanced Security licenses to organizations that reside in the China Service. If you purchased an Advanced Security license for use within the China Service, please open a support case to have these licenses converted to Enterprise licenses.

Unsupported Features in China

The following features are not supported for devices that are configured in the China service: 

  • HTTP proxy for cloud communication
  • Configuration fetch using HTTP (devices must use HTTPS for configuration fetch)

Note that these services are subject to change. 

Minimum Product Firmware Builds in China

Note: While the listed minimum versions are the lowest supported versions, it is recommended for all nodes to be on the latest stable beta release. This can be done using the Firmware Upgrade Manager.

In order for certain features to work as expected, the following minimum product firmware versions should be used for nodes hosted in China:

  • MR: 25-9
  • MX: 13-29
  • MS: 9-36

Firewall Whitelist Requirements for Cloud Connectivity

Please note that the standard firewall whitelist requirements for cloud connectivity vary slightly for China and the requirements for cloud connectivity can be found on the Firewall info page for China.

For networks in China, Google's 8.8.8.8 targets (ICMP & UDP) for the MX connection monitor are no longer necessary, leaving just 209.206.48.0/20, which contains our ICMP connectivity target used for monitoring the connectivity status of an MX device. As such, 8.8.8.8 will not be a required ICMP destination for connectivity testing in China.
Additionally, for China, US-based backup cloud connectivity and legacy mtunnel & mtunnel-over-http addresses have been removed from the firewall whitelist page.

 

Considerations for Multinational Companies in China 

You can learn more about deploying an Auto VPN connection between China and businesses outside china in our China Auto VPN article.

Integrate China Org to International Network

China_to_International_v2.png

  • Mainland China Meraki devices have to be in a separate Organization on China Dashboard (hosted on China Meraki Data Center). China Dashboard is completely separate from Global Dashboard for compliance reasons.
  • All MXs within China Organizations MUST be licensed with Enterprise license.
  • At least 1 MX to be nominated as Gateway from China and non-China Organizations.
  • That MX is actually very special, it is the hub MX that should be concentrating traffic from all of the spokes. This should be a high end, high capacity MX connected to a high bandwidth/reliability circuit.
  • Furthermore, if spoke A in China would like to reach to spoke B in China, they would do so through the hub MX in China.
  • Connect MPLS link of China Organizations to MX LAN interfaces from both ends.
  • Several designs are possible, it will usually be more complicated than that.
  • What we essentially need is a private line connection between the two data centers.
  • It can be static routes but can also be dynamic.
  • Use static routes to point to China and non-China Organizations through the MPLS.

Cross Border Connection Considerations

For an enterprise to achieve a cross-border network connection:

  • Option A: The enterprise can directly lease international dedicated lines from the 3 Chinese telecom carriers (China Telecom, China Mobile, China Unicom) in China, and enable VPN either with its own equipment or the telecom carrier’s VPN services to connect the corporate network. 
  • Option B: The enterprise can directly delegate a foreign telecom carrier with a presence in China to rent the international dedicated line (including VPN) from the 3 Chinese telecom carriers, and connect the corporate private network and equipment.

The above cross-border connection method (A or B) must be used only for internal data exchange and office use.

Current as of 3 February 2018, subject to further regulatory developments

Frequently Asked Questions 

Why did Meraki stop selling the Advanced Security license in Mainland China?

In June 2017, the Chinese government instituted a cybersecurity law which introduced new regulations and requirements concerning network security protocols. The MX, if sold with an Advanced Security license, would likely be classified as a network security protocol. Therefore, Cisco Meraki has chosen to halt the sale of Advanced Security licenses. Cisco Meraki is investigating the requirements of the Chinese cybersecurity law and will consider introducing the Advanced Security license in the future. However, there is no timeline for when the Advanced Security license will be made available in China. 

What about the Advanced Security licenses already sold to Mainland China?

Features of the Advanced Security license rely on resources of servers that are located outside of mainland China, which requires cross-border data transmission. Cross-border data transmission is subject to regulatory controls/restrictions. Cisco Meraki will do its best to support users; however, Cisco Meraki cannot assure customers that they will get the same user experience in mainland China due to factors beyond our control. 

Are free trials for products available in China?

Free trials of Cisco Meraki products are not currently available in China. Customers may not claim a free trial on any Dashboard Organization set up on the Cisco Meraki China cloud.

Why am I receiving an error when applying a license to an organization in China? 

In order to comply with Chinese cybersecurity law, Cisco Meraki prohibits the application of Advanced Security licenses to organizations that reside in the China Cloud. If attempting to apply an Advanced Security license to an organization that is located within the China Cloud, please contact Meraki Support and open a support case. The Meraki Support team will convert any Advanced Security licenses to an Enterprise license so that it can be applied to the organization.

Are normal Meraki Admin accounts shared with China admin accounts? Can I see my China Organizations and Non-China Organizations on the same dashboard/logged into the same account?

No. The accounts created on the China dashboard are totally separate from non-China accounts and do not cross over or share any information or org membership information.

Last modified

Tags

Classifications

This page has no classifications.

Other Languages

Explore the Product

Click to Learn More

Article ID

ID: 6115

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community