Meraki SD-WAN and Insight

Peter Welcher
Architect, Operations Technical Advisor

This blog updates a recent blog, taking note of recently-added and/or new-to-me SD-WAN and other functionality in the Meraki products.

In particular, the Meraki firewalls support:

  • Use of dual Internet connections (or Internet + MPLS) with proportional load balancing of traffic over the VPN tunnels. LTE as backup.
  • Application, source or destination-specific preference as to which tunnel is used (policy-based routing)
  • Application-specific SLA (latency, jitter, packet loss) specifications, so that the application (e.g. VoIP) uses a link meeting its needs (dynamic path selection)
  • QoS and bandwidth management, traffic shaping

I must note I changed my opinion from that in a comment in the prior blog: Meraki now does support the main features of SD-WAN, alongside security / firewall / UTM functionality and split tunnel capability (local Internet) for the branch. Cisco AMP, Snort IDS / IPS, and ThreatGrid integration can be had with a few clicks.


The Meraki SD-WAN Main Page provides a terse overview of the Meraki SD-WAN functionality, with how-to information in the Meraki Deployment Guide (CVD).

The CVD covers establishing connectivity, discusses NAT traversal (if needed), etc. It also covers use of a warm spare. It then goes into getting Auto-VPN working.

You can configure split tunneling, and steer Internet one way and VPN over the other link, if you wish. The CVD goes on to show how to steer VOIP to prefer “Best for VOIP.”

It goes on to cover PbR (Policy-based Routing), with performance failover if desired.

Throughout, the feature set and the GUI exhibit the hallmark of Meraki: simplicity.

In case you were curious, the following failover information is from the Meraki CVD:

Service Failover Time Failback Time
AutoVPN Tunnels 30-40 seconds 30-40 seconds
DC-DC Failover 20-30 seconds 20-30 seconds
Dynamic Path Selection Up to 30 seconds Up to 30 seconds
Warm Spare 30 seconds or less 30 seconds or less
WAN connectivity 300 seconds or less 15-30 seconds


I’m told by Meraki personnel that most of the items are in practice significantly shorter.

Concerning performance monitoring, a MX sends probes across all possible paths on each uplink, at either 1 or 10 second intervals. Average latency, loss, jitter, and Mean Opinion Score (MOS) is computed over the last 6 samples for each path. A synthetic Mean Opinion Score (MOS) is used to decide “Best for VoIP.”

Meraki Insight

In case you haven’t looked recently, Meraki Insight provides a GUI management tool, tracking User Experience for web-based applications (internal or SaaS / cloud). NetCraftsmen has been recommending UX tools such as AppNeta and NetBeez for similar reporting. Meraki Insight is claimed to assist in troubleshooting user experience problems in a simple (Meraki!) way. While I can’t claim to have used it yet, it hits a lot of my hot buttons.

I just finished some work with an organization that provides billing, IT, and other services for doctors at about 10 locations. They’re switching to externally-provided medical record services, and initial testing reveals slowness at some locations for some users. The WAN data Xfinity provides is fairly useless. Network visibility right now is slim to none. That’s been the case in most of the smaller organizations I’ve worked with, and even can be a problem in larger ones. It’s hard to troubleshoot without data about which sites have problems, and some ability to detect high utilization, or high percentages of packet loss, errors, or discards. It looks like Meraki Insight can provide such data. Win!

Product Positioning

You might have noticed Cisco has two SD-WAN products now. Here are the two offerings:

  • Meraki for Lean-IT, management and embedded UTM security
  • Viptela for Flexible and sophisticated secure segmentation and routing

I believe Meraki currently supports up to two paths. Viptela supports more. Viptela does VRF’s and routing. Meraki has firewall and UTM functionality.

I’m told Meraki’s strongest sales are within retail and small branch designs, typically with small central IT teams and many small branch sites without IT staff, “lean IT.” That extends to Meraki being cost-effective for other applications, e.g. VPN to indoor parking payment stations.

Viptela may be used for the same purposes, especially where site firewalling is not needed, perhaps because a CoLo-based regional security stack approach is being used (as I’ve written about in prior blogs).

Concerning that pay station use: note the word ‘indoor.’ Do bear in mind that both types of equipment are mostly, if not 100% intended for indoor use — for outdoors, always check any device’s temperature specs and site power reliability.


Meraki SD-WAN Blog

Nojitter Meraki SD-WAN Portfolio Blog


Comments are welcome, both in agreement or constructive disagreement about the above. I enjoy hearing from readers and carrying on deeper discussion via comments. Thanks in advance!


Hashtags: #CiscoChampion #TheNetCraftsmenWay #Meraki #SDWAN

Twitter: @pjwelcher

Disclosure Statement
Cisco Certified 20 Years

NetCraftsmen Services

Did you know that NetCraftsmen does network /datacenter / security / collaboration design / design review? Or that we have deep UC&C experts on staff, including @ucguerilla? For more information, contact us at

Leave a Reply


Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.