Resilient WAN and Security for Distributed Networks with Cisco Meraki MX
Daghan Altas, Director of Product Management
BRKSEC-2900
What if my firewall dies?
What if my Internet goes down?
What about DR?
What happens if I discover a threat?
How can I keep my PCI traffic isolated from guest traffic?
I need a solution that just works!
We have a small team responsible for 1000 store networks
I pay too much for MPLS!
BYOM!
How do I discover a threat?
Cost Agility Security
Bandwidth costs:
• MPLS costs
• Increased bandwidth demands
High cost and complexity of network management:
• Truck rolls
• Zero local IT
• Difficulty with troubleshooting
CPE complexity:
• Management
• Configuration
New WAN architecture demands:
• Agility
• Migration to Metro-E
• Adoption of Internet (and DIA)
• Service creation
• Intelligent QoS
Security is more important than ever:
• Direct Internet Access to SaaS
• Guest wireless access
• BYOD
• APT protection
WAN access needs to change
Cisco Meraki MR: Wireless LAN
Cisco Meraki MX: Security Appliances
Cisco Meraki MS: Ethernet Switches
Cisco Meraki SM: Mobile Device Management
Cloud-managed networking
Cloud-managed networking architecture
• Network endpoints securely connected to the cloud
• Cloud-hosted centralized management platform
• Intuitive browser-based dashboard
Application Control: Web caching, Traffic Shaping, Content Filtering
Security: NG Firewall, Client VPN, Site to Site VPN, IPS, Geo IP
Networking: NAT/DHCP, 3G/4G failover, Intelligent WAN (IWAN)
7 models scaling from teleworker and small branch to campus / datacenter
A complete Unified Threat Management solution
Why choose the Cisco Meraki MX?
Intuitive centralized management
• No training, no command line
• Templates to configure at-scale
• Packet capture, built-in tools and diagnostics
Industry-leading visibility
• Fingerprints users, applications, and devices
• Network-wide monitoring and alerts
• Full stack: APs, switches, Security, MDM
Designed for distributed enterprises
• Single pane of glass visibility
• Zero-touch provisioning
• Seamless updates from the cloud
• Site-to-site IPSec VPN in 3 clicks
Ironclad security
• Best IPS: Sourcefire IDS / IPS, updated every day
• Content Filtering: 4+ billion URLs, updated in real-time
• Geo-based security: Block attackers from rogue countries
• AV / anti-phishing: Kaspersky AV, updated every hour
• PCI compliance: PCI L1 certified cloud-based management
Rock-solid UTM for multi-site organizations
Why Cisco Meraki MX?
• Lean IT staff; needed centralized remote management for easily-deployed UTMs (zero-touch)
• Intuitive site-to-site VPN
• HIPAA compliant
• Needed single-box solution (MX60W) for security and wireless at rehabilitation centers
• Guest hotspots provided with MX60W Wi-Fi and 3G/4G uplinks
• Largest diversified provider of post-acute care in USA
• 2000+ locations in 46 states, 75,000+ employees
Penn Mutual saves $858K
Projects / Pain Points:
• Implement a BYOD platform at 50 remote sites
• Managed Service Provider & MPLS costs
Solution:
• Complete Meraki Stack: MR, MS, MX
• Phase off MPLS to Broadband
Business Outcomes:
• Reduced Telco Spend by 40%
• Single platform in branch improved IT efficiency
What is IWAN?
“Intelligent WAN” (IWAN) is a collection of Cisco technologies and products that enable transport independence, intelligent path control, application optimization, and secure connectivity for multi-site deployments.
Transport Independence
• IPsec overlay (Auto VPN)
• Scalable (cloud architecture)
• Traffic distribution over multiple pathways (Internet, cellular, MPLS)
Application Optimization
• App visibility & control (Meraki dashboard, group-based policies, traffic analytics)
• Application QoS & bandwidth optimization (Traffic shaping)
Intelligent Path Control
• Uplink chosen by link latency, data loss, etc. (PfR, aka performance-based routing)
• Uplink assigned by traffic protocol, subnet, source, destination, etc. (PbR, aka policy-based routing)
Secure Connectivity
• Intuitive, automatic, scalable VPN solution to connect remote branch sites (Auto VPN)
Dual-active path:
• Active-active VPN - dual internet
• Active-active Internet-VPN & MPLS
• 3G/4G for backup only (no active/active)
Policy-based routing:
• Dual active VPN uplinks, with automatic failover
• Allows uplinks to be intelligently utilized with traffic-steering based on protocol, subnet, source, destination, etc.
Performance-based routing:
• Automatic failover based on loss, latency and jitter
• Ensures the best uplink is used based on performance
[Diagram: Data; WAN 1, secure VPN tunnel (active), latency / loss > threshold; WAN 2, secure VPN tunnel (active), latency / loss < threshold]
New IWAN features for the Meraki MX
End goal: DC-to-DC failover and load-balancing
Internet
DC1 HA PAIR
Branches connected to DC1
Active VPN Tunnel
DC2 HA PAIR
Branches connected to DC2
Active VPN Tunnel
Failover VPN Tunnel
Demo: Resilient WAN and security under 30 min
• HA within DC
• DC to DC failover
• WAN link failover (4G)
• Automated VPN between sites
• Full UTM features
• IPS
• Content Filtering
• AV
• L7 firewall rules
Internet
DC1: 10.0.0.0/16 DR: 10.0.0.0/16
Template: West Template: East
10..0.10 10.2.0.10
Branch1: 10.100.0.0/24
Demo: Resilient WAN and security under 30 min
Internet
DC1: 10.0.0.0/16 DR: 10.0.0.0/16
Template: West Template: East
10.2.0.1/24 10.2.0.1/24
Branch1: 10.100.0.0/24
10.2.0.2/24 10.2.0.2/24
MX64 / MX64W
• Speed
• Industry’s first 802.11ac UTM
• Dual radio
• ~3X speed of 11n wireless
• 2-3X faster than MX60 / MX60W
• Security
• UTM provides one-stop security
• IPS, content filtering, malware / anti-phishing
• Seamless, automatic updates
• PCI 3.0-certified cloud backend
SKU List Price
MX64-HW $595
LIC-MX64-ENT-3Y $600
LIC-MX64-SEC-3Y $1200
MX64W-HW $945
LIC-MX64W-ENT-3Y $650
LIC-MX64W-SEC-3Y $1300
Choosing the right MX for your environment
Model: Where; Throughput; Features
Z1: For teleworkers (1-5 users); FW throughput: 50 Mbps; Dual-radio wireless
MX64/64W: Small branches (~25 users); 100 Mbps; Wireless (MX60W)
MX80: Mid-size branches (~100 users); 250 Mbps; Large Web cache (1TB)
MX100: Mid-size branches (~500 users); 500 Mbps; SFP ports, Large Web cache (1TB)
MX400: Large branch / campus (~2,000 users); 1 Gbps; Modular interface, Large Web cache (1TB)
MX600: Large branch / campus (~10,000 users); 2 Gbps; Modular interface, Large Web cache (4TB)
All devices support 3G/4G
MX Security Appliances: Licenses
Enterprise License
• Stateful firewall
• Site to site VPN
• Branch routing
• Intelligent WAN (IWAN)
• Application control
• Web caching
• Client VPN
Advanced Security License
• All enterprise features, plus
• Content filtering (with Google SafeSearch)
• Kaspersky Anti-Virus and Anti-Phishing
• SourceFire IPS / IDS
• Geo-based firewall rules
Free evaluations available
• Try Cisco Meraki with no risk or commitment
• Complimentary technical assistance available
• Start trial at meraki.cisco.com/eval