Meraki Capabilities Understanding

Solved
Rohit_Gupta
Conversationalist

  1. Number of supported signatures for application recognition
  2. Does Meraki support DIA for SaaS-based traffic (O365, Salesforce) from a local exit standpoint, while the rest of the internet traffic should exit from the DC?
  3. Can the LTE interface alone be used for signalling to the Meraki cloud while we operate two MPLS WAN links simultaneously?
  4. Is full mesh topology a default feature for VPN tunnels, or does it need to be configured manually?
1 Accepted Solution
AjitKumar
Head in the Cloud

Hi Rohit,

Let me try replying to you. However, my answers can be wrong.

1. Number of supported signatures for application recognition

The Layer 7 application database is constantly updated.

The following is an excerpt from the Meraki website:

"The Cisco Meraki cloud-based application signature database is constantly updated to identify new and changing applications, without requiring the administrator to download and install software updates. The Cisco Meraki cloud-based architecture continually learns based on activity from Cisco Meraki's thousands of customers and millions of users, increasing the accuracy and precision of application fingerprints."

2. Does Meraki support DIA for SaaS-based traffic (O365, Salesforce) from a local exit standpoint, while the rest of the internet traffic should exit from the DC?

I understand this will be challenging.

Perhaps there is a similar conversation going on with @PhilipDAth. Check the following link:

https://community.meraki.com/t5/Security-SD-WAN/Meraki-local-break-out-for-office-365/m-p/30010

3. Can the LTE interface alone be used for signalling to the Meraki cloud while we operate two MPLS WAN links simultaneously?

I understand LTE comes into use when your Internet 1 and Internet 2 interface links are down.

4. Is full mesh topology a default feature for VPN tunnels, or does it need to be configured manually?

I believe you need to define this for your sites.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network

4 Replies

Thank you for the clarification and references @AjitKumar

I just have a couple of questions here; pardon me if I ask a stupid question. I would be happy to read up on any reference you might point me towards.

For the second question below:

Traditionally, application-aware routing works like this:

  1. Identification: Traffic coming from the LAN gets matched against the "application database".
  2. Application policy matching: Once the application is matched, it is determined what SLAs (loss, latency, jitter) apply to this flow. This is then matched against the BFD parameters.
  3. Forwarding: Forwarding of the traffic to the specific interface which matches such parameters. Once forwarded, encapsulation happens and the packet is on its way.

I was wondering, would there not be a way to just identify the traffic using the application DB and define the next-hop interface, irrespective of the SLA or encapsulation?

For the third question below:

I would use 3 interfaces, 2 MPLS and 1 LTE. MPLS would make the VPN tunnel to the DC and forward the traffic; LTE would be used to make a connection to the Meraki controller in the cloud. Nothing else, especially no forwarding of traffic. I am looking at this because I have read that the Meraki box would need direct access to the internet to work.
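The three-step process described above, and the "pin by application, ignore the SLA" alternative asked about, as an added illustration that is not part of this thread and not Meraki code. The application database, SLA thresholds, link metrics and the PINNED_NEXT_HOP knob are all constructed assumptions.

```python
# Constructed application database: (dst_port, protocol) -> application name.
# A real L7 classifier matches payload signatures; this keyed lookup is a stand-in.
APP_DB = {(443, "tcp"): "office365", (5060, "udp"): "voip", (80, "tcp"): "web"}

# Per-application SLA: (max loss %, max latency ms, max jitter ms).
SLA_POLICY = {"voip": (1.0, 150, 30), "office365": (2.0, 200, 50)}

# Measured path metrics per WAN link (loss %, latency ms, jitter ms); constructed.
# mpls1 has jitter that breaks the voice SLA but is fine for Office 365.
LINK_METRICS = {"mpls1": (0.2, 40, 35), "mpls2": (3.0, 90, 40), "lte": (0.5, 120, 20)}

# The poster's alternative: pin an application to a next hop regardless of SLA
# (hypothetical policy knob, not something the thread confirms Meraki offers).
PINNED_NEXT_HOP = {"web": "lte"}

LINK_ORDER = ["mpls1", "mpls2", "lte"]  # preference order when several links qualify


def identify(dst_port, proto):
    """Step 1 (identification): match the flow against the application database."""
    return APP_DB.get((dst_port, proto), "unknown")


def meets_sla(metrics, sla):
    """Step 2 (policy matching): compare measured path metrics with the SLA."""
    loss, lat, jit = metrics
    max_loss, max_lat, max_jit = sla
    return loss <= max_loss and lat <= max_lat and jit <= max_jit


def select_link(app):
    """Step 3 (forwarding decision): return (link, reason).

    Pinned apps bypass the SLA check; apps without an SLA take the first link;
    otherwise the first link meeting the SLA wins, else fall back to the first."""
    if app in PINNED_NEXT_HOP:
        return PINNED_NEXT_HOP[app], "pinned"
    sla = SLA_POLICY.get(app)
    if sla is None:
        return LINK_ORDER[0], "no-sla-default"
    for link in LINK_ORDER:
        if meets_sla(LINK_METRICS[link], sla):
            return link, "sla-ok"
    return LINK_ORDER[0], "sla-violated-fallback"


def route_flow(dst_port, proto):
    """Run all three steps for one flow; returns (app, link, reason)."""
    app = identify(dst_port, proto)
    link, reason = select_link(app)
    return app, link, reason
```

With these inputs, voice is steered to LTE because both MPLS links miss its SLA, while Office 365 stays on mpls1 and pinned web traffic skips the SLA check entirely.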

Hi Rohit,

Greetings.
Your questions are not stupid at all; perhaps they are helping me to learn new things.

Let me try answering them. Again, my answers can be wrong.

For Question 2
I understand the traffic routing is more or less similar to the process you described with Meraki too.

However, if you establish a FULL tunnel between the branch and the DC, all of the traffic, including internet, will reach the DC. Hence no local breakout.

In case you establish a SPLIT tunnel, all the internet traffic will break out locally. I believe it will be challenging to select L7 traffic and redirect all the other traffic to the DC.

For Question 3
The links terminated on Interface 1 and Interface 2 shall be treated as internet links and will be used for Meraki cloud management traffic. I do not see an option for selecting the 3rd link (LTE) for Meraki management traffic unless links 1 and 2 fail.

Your queries are pointing towards the SD-WAN feature of Meraki. Hence very quickly (we have Dussehra going on) I could search the following documentation. I am not sure if they are relevant. Also, you may watch "Fady Sharobeem" YouTube videos on MX Deep Dive.


https://documentation.meraki.com/MX/Deployment_Guides/SD-WAN_Deployment_Guide_(CVD)
https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...

I hope you are an existing Meraki user. If not, you may try a demo.
https://meraki.cisco.com/lp/free-demo

Have a nice day.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
Guru
Conversationalist

Hi Rohit,

 

I will just add for questions 2 & 3; the rest are already answered by Arijit ---

2- At the moment there is no ready-made object for routing or firewall for cloud-based applications like O365. Traffic for whatever subnet you declare from the datacenter site will go there, and the rest will leave on the internet locally. To allow just O365 traffic you need to write firewall rules for all Microsoft IPs and URLs and update them regularly.

3- Management traffic will leave through WAN1 or WAN2. It will only go through LTE when the other links are down.
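The "write rules for all Microsoft IPs and URLs and update them regularly" chore from the reply above, as an added example that is not from this thread or from Meraki: it parses records in the shape of Microsoft's Office 365 endpoint web service output into a local-breakout allow list and diffs two publications so withdrawn prefixes are removed. The records themselves are constructed with documentation prefixes, not real Microsoft ranges.

```python
import ipaddress
import json

# Constructed records in the shape of Microsoft's Office 365 endpoint web service
# output (fields id/serviceArea/urls/ips/tcpPorts/category/required); values are
# made up, not real Microsoft prefixes.
SAMPLE_V1 = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office365.com"],
     "ips": ["203.0.113.0/24", "2001:db8:1::/48"], "tcpPorts": "443",
     "category": "Optimize", "required": True},
    {"id": 2, "serviceArea": "Common", "urls": ["cdn.example.invalid"],
     "ips": ["198.51.100.0/24"], "tcpPorts": "80,443",
     "category": "Default", "required": False},
])
# A later publication: one prefix withdrawn, one added, one malformed entry.
_v2 = json.loads(SAMPLE_V1)
_v2[0]["ips"] = ["203.0.113.0/24", "192.0.2.0/24", "not-a-prefix"]
SAMPLE_V2 = json.dumps(_v2)


def egress_rules(endpoint_json, categories=("Optimize", "Allow")):
    """Build the local-breakout allow list: only required endpoints in the chosen
    categories. Returns sorted (network, tcp_port) pairs; bad prefixes are skipped
    rather than silently widening the policy."""
    rules = set()
    for rec in json.loads(endpoint_json):
        if not rec.get("required") or rec.get("category") not in categories:
            continue
        ports = [p.strip() for p in rec.get("tcpPorts", "").split(",") if p.strip()]
        for cidr in rec.get("ips", []):
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                continue  # malformed or host-bits-set entry: do not guess a prefix
            for port in ports:
                rules.add((str(net), int(port)))
    return sorted(rules)


def rule_delta(old_json, new_json):
    """The 'update them regularly' step: what to add and what to remove when a new
    publication replaces the previous one, so stale prefixes do not linger."""
    old, new = set(egress_rules(old_json)), set(egress_rules(new_json))
    return sorted(new - old), sorted(old - new)
```

Only required Optimize/Allow endpoints make it into the list; the Default-category record is deliberately left for the normal internet path.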