Hello, I was wondering if I can get some advice on my company’s network topology plan. (Attached)
Currently we do not have any of these set up yet and would like to validate the design with Meraki before we make decision.
We have a HQ located in Seoul, South Korea with about 30 people in office.
- Planning to use this site as a main where all remote Meraki routers (Site A,B,C,D,E as well as software VPN clients) will be connecting to this site.
- This site will host servers for internal application. (including Active Directory) So employers in Site A,B,C,D,E as well as those with software VPN client must be able to access the servers located in this HQ.
- We also have VPC (Virtual Private Cloud) set up in Amazon AWS. Can this HQ make VPN connection to the AWS VPC so that all sites A,B,C,D, E as well as those who use software VPN can access Amazon AWS VPC? (My understanding is that we pay VPN connection per hour for AWS. And it would be very expensive if all sites to make VPN connection directly to AWS.)
Here are the list of equipments we are planning to purchase.
MX84 Cloud managed Router
MX64W Router + Wireless
MX84 - 3yr Adv License
MX64W - 3yr Adv License
MS225-24 - 3yr License
MR52 WAP - 3yr License
Could you please give us some feedback on this design?
With regard to Amazon AWS - you would be better off using the Cisco Meraki vMX100. The advantage with this is it allows all sites to automatically build a connection to Amazon and your HQ. This does not use the Amazon VPC VPN system so you don't need to pay per connection.
You don't mention how many users are in the satellite offices. I don't like using the built in WiFi unless the site is very small. The standalone access points have considerably more functionality than the built in access points. In offices I most typically use MR42's. The MR42 is a 3x3 MIMO radio (versus the MR33 which is 2x2). The MR52 requires you either have an MGig port or channel two ports together to get maximum performance.
I particularly like using the MX65 because it has a pair of PoE ports - perfect for powering a couple of access points.
What you you want to avoid doing is using an MX with a built in access point and a standalone access point. The configs are completely different. Avoid this config. Using exclusively one or the other.
I agree with @PhilipDAth that you would be better off using the vMX100 to accomplish what you've laid out. I also second his recommendation of purchasing standalone MR devices for each office where you want wireless. I don't think you'll need an MR52/3 level device unless you are going for significant density and throughput. We typically deploy the MR33 or MR42 in most cases.
Looking at your design, I have the following suggestions:
1) As PhillipDAth write use the vMX100 in the AWS. You will ned to pay for the license, of course, but also for the server itself. You can take a look at this document. It explains in detail what you need:
2) You might consider using the MX65 (Not W). The MX65 has 8 regular Ethernet switch ports and two additional PoE ports for external AP's. One AP would be more than enough for 15 people, unless they are placed on different floors ;-). MR42 is a nice all-round AP.
Using the switch ports on the MX65 together with the MR42, will enable you to use the EAP-TLS or PEAP fully. This is not possible with the build-in AP in the MX64/65. Also it will be somewhat easier for you to configure guest access. I know that Meraki together with Cisco ISe, has a lot of functionality. Take a look at this document: https://communities.cisco.com/docs/DOC-68192. You can download the ISE as a VM-image and try it for 90 days.
3) The traffic will flow to the HUB, in this case the MX84, and then further on to the AWS. So the MX84 will be single point of failure, unless you configure two hubs: the MX84 and the vMX100. Add them in the list on the spokes, with the MX84 as the first one. If this one fails, the spokes will connect to the vMX100. Just a suggestion ;-).
4) Make sure you do a proper site survey when installing the AP's. This will ensure you have a good user experience, when the network goes live. Nothing more cumbersome, than users complaining all the time ;-). Also, if the environment is dense, in terms of your own AP's and neighbour AP's, or you live close to the harbour/airport, you might want to use smaller channels 20/40MHz and disable DFS. Configure band-steering and disable 802.11b devices. This is also not possible in the 64/65W
5) The client-VPN should work just fine. I think if you use the default Meraki authentication, it is PEAP-MSCHAPv2, but I am not sure. It is if you use the default Meraki authentication together with the MR. I have heard that EAP-TLS is supported with the client-VPN, but this somebody else have to verify. Again EAP-TLS is supported if you use it together with the MR.
Wow, I wasn't expecting this much of in depth answers. Thank you very much for all who helped me in this.
Does anyone know how much maintenance does Meraki devices require per year? As you can see we have a lot of remote offices (and they move locations a lot due to nature of our business) and they are all over the world and our company can't offered to have IT at each remote site yet. (This is in fact the main driver for us to look in to Meraki as my understanding is that Meraki devices can be managed from HQ thru cloud.). We also looked at Cisco ASA and while it looks very nice, it seems to me that it is for a large company with more structured IT department.
Lastly, we would be also setting up a Microsoft Active Directory on our network and all our machines will be joined to the domain. Would this setup support RADIUS authentication (even in the remote sites) for WIFI connection? (Can MX64W do the RADIUS authentication with AD in HQ?; assuming the VPN connection is configured correctly)
Thank you very much! This community is one of the best place I've ever been!