This post updates a recent blog post, taking note of recently added (or new-to-me) SD-WAN and other functionality in the Meraki products.
In particular, the Meraki firewalls support:
- Use of dual Internet connections (or Internet + MPLS) with proportional load balancing of traffic over the VPN tunnels. LTE as backup.
- Application, source or destination-specific preference as to which tunnel is used (policy-based routing)
- Application-specific SLA (latency, jitter, packet loss) specifications, so that the application (e.g. VoIP) uses a link meeting its needs (dynamic path selection)
- QoS and bandwidth management, traffic shaping
I must note I changed my opinion from that in a comment in the prior blog: Meraki now does support the main features of SD-WAN, alongside security / firewall / UTM functionality and split tunnel capability (local Internet) for the branch. Cisco AMP, Snort IDS / IPS, and ThreatGrid integration can be had with a few clicks.
The CVD (Cisco Validated Design) covers establishing connectivity, discusses NAT traversal (if needed), etc. It also covers use of a warm spare. It then goes into getting Auto-VPN working.
You can configure split tunneling, steering Internet traffic over one link and VPN traffic over the other, if you wish. The CVD goes on to show how to steer VoIP to prefer “Best for VoIP.”
It goes on to cover PbR (Policy-based Routing), with performance failover if desired.
Throughout, the feature set and the GUI exhibit the hallmark of Meraki: simplicity.
In case you were curious, the following failover information is from the Meraki CVD:
| Service | Failover Time | Failback Time |
|---|---|---|
| AutoVPN Tunnels | 30-40 seconds | 30-40 seconds |
| DC-DC Failover | 20-30 seconds | 20-30 seconds |
| Dynamic Path Selection | Up to 30 seconds | Up to 30 seconds |
| Warm Spare | 30 seconds or less | 30 seconds or less |
| WAN connectivity | 300 seconds or less | 15-30 seconds |
I’m told by Meraki personnel that most of the items are in practice significantly shorter.
Concerning performance monitoring, an MX sends probes across all possible paths on each uplink, at either 1 or 10 second intervals. Average latency, loss, jitter, and Mean Opinion Score (MOS) are computed over the last 6 samples for each path. A synthetic MOS is what decides “Best for VoIP.”
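As an added illustration (my own example, not Meraki's code and not from the CVD), here is a small Python model of the probing and selection logic just described: per-path averages over a sliding window of the last 6 probe samples, a synthetic MOS, and the application-SLA filter from the feature list. The MOS formula is a simplified E-model (ITU-T G.107 style) and is an assumption, since the page does not give Meraki's actual formula; the path names, probe values and thresholds are constructed.

```python
from collections import deque
from statistics import mean
from typing import Deque, Dict, List, Optional, Tuple

WINDOW = 6  # the page: metrics are averaged over the last 6 probe samples per path


def synthetic_mos(latency_ms: float, jitter_ms: float, loss_pct: float) -> float:
    """Synthetic MOS via a simplified E-model (ITU-T G.107 style approximation).
    Assumption: stands in for Meraki's unpublished scoring."""
    eff = latency_ms + 2.0 * jitter_ms + 10.0  # effective delay incl. jitter buffer, codec
    r = 93.2 - eff / 40.0 if eff < 160.0 else 93.2 - (eff - 120.0) / 10.0
    r -= 2.5 * loss_pct  # packet-loss impairment
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return round(1 + 0.035 * r + 0.000007 * r * (r - 60) * (100 - r), 2)


class PathMonitor:
    """Per-path sliding window of probe results; a sample of None means the probe was lost."""

    def __init__(self) -> None:
        self.samples: Dict[str, Deque[Optional[Tuple[float, float]]]] = {}

    def record(self, path: str, sample: Optional[Tuple[float, float]]) -> None:
        self.samples.setdefault(path, deque(maxlen=WINDOW)).append(sample)  # (latency, jitter)

    def stats(self, path: str) -> Dict[str, float]:
        window = self.samples[path]
        ok = [s for s in window if s is not None]
        loss = 100.0 * (len(window) - len(ok)) / len(window)  # one loss in 6 = 16.7%
        lat = mean(s[0] for s in ok) if ok else float("inf")
        jit = mean(s[1] for s in ok) if ok else float("inf")
        return {"latency": lat, "jitter": jit, "loss": loss, "mos": synthetic_mos(lat, jit, loss)}

    def select_path(self, max_latency=None, max_jitter=None, max_loss=None) -> Optional[str]:
        """Dynamic path selection: highest MOS among paths meeting the application SLA.
        Returns None when no path qualifies (caller falls back to default routing)."""
        ranked: List[Tuple[float, str]] = []
        for path in self.samples:
            st = self.stats(path)
            limits = ((max_latency, "latency"), (max_jitter, "jitter"), (max_loss, "loss"))
            if any(lim is not None and st[key] > lim for lim, key in limits):
                continue
            ranked.append((st["mos"], path))
        return max(ranked)[1] if ranked else None


def demo() -> PathMonitor:
    """Constructed probes: wan1 a steady fiber link, wan2 a cable link with one lost probe."""
    mon = PathMonitor()
    for _ in range(WINDOW):
        mon.record("wan1", (20.0, 2.0))
    for s in [(45.0, 8.0)] * 5 + [None]:
        mon.record("wan2", s)
    return mon
```

Note how a single lost probe in a 6-sample window already reads as 16.7% loss, which is why the page's failover times are short and why SLA thresholds should be set with the window size in mind.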
In case you haven’t looked recently, Meraki Insight provides a GUI management tool, tracking User Experience for web-based applications (internal or SaaS / cloud). NetCraftsmen has been recommending UX tools such as AppNeta and NetBeez for similar reporting. Meraki Insight is claimed to assist in troubleshooting user experience problems in a simple (Meraki!) way. While I can’t claim to have used it yet, it hits a lot of my hot buttons.
I just finished some work with an organization that provides billing, IT, and other services for doctors at about 10 locations. They’re switching to externally-provided medical record services, and initial testing reveals slowness at some locations for some users. The WAN data Xfinity provides is fairly useless. Network visibility right now is slim to none. That’s been the case in most of the smaller organizations I’ve worked with, and even can be a problem in larger ones. It’s hard to troubleshoot without data about which sites have problems, and some ability to detect high utilization, or high percentages of packet loss, errors, or discards. It looks like Meraki Insight can provide such data. Win!
You might have noticed Cisco has two SD-WAN products now. Here are the two offerings:
- Meraki for lean IT: management and embedded UTM security
- Viptela for flexible and sophisticated secure segmentation and routing
I believe Meraki currently supports up to two paths. Viptela supports more. Viptela does VRFs and routing. Meraki has firewall and UTM functionality.
I’m told Meraki’s strongest sales are within retail and small branch designs, typically with small central IT teams and many small branch sites without IT staff, “lean IT.” That extends to Meraki being cost-effective for other applications, e.g. VPN to indoor parking payment stations.
Viptela may be used for the same purposes, especially where site firewalling is not needed, perhaps because a CoLo-based regional security stack approach is being used (as I’ve written about in prior blogs).
Concerning that pay station use: note the word ‘indoor.’ Do bear in mind that both types of equipment are mostly, if not 100% intended for indoor use — for outdoors, always check any device’s temperature specs and site power reliability.
Comments are welcome, both in agreement or constructive disagreement about the above. I enjoy hearing from readers and carrying on deeper discussion via comments. Thanks in advance!
Hashtags: #CiscoChampion #TheNetCraftsmenWay #Meraki #SDWAN
Did you know that NetCraftsmen does network /datacenter / security / collaboration design / design review? Or that we have deep UC&C experts on staff, including @ucguerilla? For more information, contact us at firstname.lastname@example.org.