Hello, I was wondering if I can get some advice on my company’s network topology plan. (Attached)
|MX84 Cloud managed Router||1|
|MX64W Router + Wireless||5|
|MX84 - 3yr Adv License||1|
|MX64W - 3yr Adv License||5|
|MS225-24 - 3yr License||2|
|MR52 WAP - 3yr License||4|
With regard to Amazon AWS - you would be better off using the Cisco Meraki vMX100. The advantage with this is it allows all sites to automatically build a connection to Amazon and your HQ. This does not use the Amazon VPC VPN system so you don't need to pay per connection.
You don't mention how many users are in the satellite offices. I don't like using the built in WiFi unless the site is very small. The standalone access points have considerably more functionality than the built in access points. In offices I most typically use MR42's. The MR42 is a 3x3 MIMO radio (versus the MR33 which is 2x2). The MR52 requires you either have an MGig port or channel two ports together to get maximum performance.
I particularly like using the MX65 because it has a pair of PoE ports - perfect for powering a couple of access points.
What you you want to avoid doing is using an MX with a built in access point and a standalone access point. The configs are completely different. Avoid this config. Using exclusively one or the other.
Thanks for the reply.
Each remote sites have less than 15 people so I hope the MX64W could handle the load well.
How is the software VPN client for remote users (with Windows or Mac) outside of office? I have heard some concerns on software VPN client for Meraki firewall.
HI @hinewwiner - currently there is no VPN client for Meraki (including the Cisco AnyConnect client). You use the native OS VPN functionality. See here for setup instructions: https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_OS_Configuration
I agree with @PhilipDAth that you would be better off using the vMX100 to accomplish what you've laid out. I also second his recommendation of purchasing standalone MR devices for each office where you want wireless. I don't think you'll need an MR52/3 level device unless you are going for significant density and throughput. We typically deploy the MR33 or MR42 in most cases.
Looking at your design, I have the following suggestions:
1) As PhillipDAth write use the vMX100 in the AWS. You will ned to pay for the license, of course, but also for the server itself. You can take a look at this document. It explains in detail what you need:
2) You might consider using the MX65 (Not W). The MX65 has 8 regular Ethernet switch ports and two additional PoE ports for external AP's. One AP would be more than enough for 15 people, unless they are placed on different floors ;-). MR42 is a nice all-round AP.
Using the switch ports on the MX65 together with the MR42, will enable you to use the EAP-TLS or PEAP fully. This is not possible with the build-in AP in the MX64/65. Also it will be somewhat easier for you to configure guest access. I know that Meraki together with Cisco ISe, has a lot of functionality. Take a look at this document: https://communities.cisco.com/docs/DOC-68192. You can download the ISE as a VM-image and try it for 90 days.
3) The traffic will flow to the HUB, in this case the MX84, and then further on to the AWS. So the MX84 will be single point of failure, unless you configure two hubs: the MX84 and the vMX100. Add them in the list on the spokes, with the MX84 as the first one. If this one fails, the spokes will connect to the vMX100. Just a suggestion ;-).
4) Make sure you do a proper site survey when installing the AP's. This will ensure you have a good user experience, when the network goes live. Nothing more cumbersome, than users complaining all the time ;-). Also, if the environment is dense, in terms of your own AP's and neighbour AP's, or you live close to the harbour/airport, you might want to use smaller channels 20/40MHz and disable DFS. Configure band-steering and disable 802.11b devices. This is also not possible in the 64/65W
5) The client-VPN should work just fine. I think if you use the default Meraki authentication, it is PEAP-MSCHAPv2, but I am not sure. It is if you use the default Meraki authentication together with the MR. I have heard that EAP-TLS is supported with the client-VPN, but this somebody else have to verify. Again EAP-TLS is supported if you use it together with the MR.
Negative to @kruse on (3). If you make the vMX100 a hub the traffic for AWS will go directly to AWS. It will not flow via the hub.
Wow, I wasn't expecting this much of in depth answers. Thank you very much for all who helped me in this.
Does anyone know how much maintenance does Meraki devices require per year? As you can see we have a lot of remote offices (and they move locations a lot due to nature of our business) and they are all over the world and our company can't offered to have IT at each remote site yet. (This is in fact the main driver for us to look in to Meraki as my understanding is that Meraki devices can be managed from HQ thru cloud.). We also looked at Cisco ASA and while it looks very nice, it seems to me that it is for a large company with more structured IT department.
Lastly, we would be also setting up a Microsoft Active Directory on our network and all our machines will be joined to the domain. Would this setup support RADIUS authentication (even in the remote sites) for WIFI connection? (Can MX64W do the RADIUS authentication with AD in HQ?; assuming the VPN connection is configured correctly)
Thank you very much! This community is one of the best place I've ever been!