Download Cisco Meraki MX

The core block. Figure 16. Secure Campus Proposed Design, part 2 shows how multiple floors can be connected to the distribution layer. Figure 17. Secure Campus Proposed Design, part 3 illustrates multiple buildings connected to the core block. Appendix B - Suggested Components Branch Attack Surface Branch Security Suggested Cisco Components Human Users Identity Identity Services Engine (ISE) Cisco Secure Access by Duo Meraki Management Devices Endpoints Client-based Security Cisco Secure Endpoint Cisco Umbrella Cisco AnyConnect Secure Mobility Client Posture Assessment Cisco AnyConnect Secure Mobility Client Identity Services Engine (ISE) Meraki Mobile Device Management Network Wired Network Firewall Cisco Secure Firewall Integrated Services Router (ISR) Meraki MX Intrusion Prevention Cisco Secure Firewall Cisco Secure Firewall on UCS-E Meraki MX Access Control+ TrustSec Wireless Controller/Catalyst Switch Identity Services Engine (ISE) Meraki MX Analysis Anti-Malware Cisco Secure Endpoint Advanced Malware Protection (AMP) for Networks Advanced Malware Protection (AMP) for Web Security Integrated Services Router (ISR) with SecureX Network Analytics SecureX Malware Analytics Threat Intelligence Talos Security Intelligence SecureX Malware Analytics Cognitive Threat Analytics (CTA) Flow Analytics Cisco Secure Firewall Catalyst Switches ISR with SecureX Network Analytics SecureX Network Analytics (Flow Sensor and Collectors) Wireless LAN Controller Meraki MX WAN Web Security Cisco Secure Firewall Cisco Secure Web Umbrella Secure Internet Gateway (SIG) Meraki MX VPN Cisco Secure Firewall Integrated Services Router (ISR) Aggregation Services Router (ASR) Meraki MX Cloud Cloud Security Umbrella Secure Internet Gateway (SIG) Cloudlock Meraki MX Applications Service Server-based Security Cisco Secure Workload Cisco Umbrella Appendix C - Feedback If you have feedback on this design guide or any of the Cisco Security design guides, please send an email to ask-security-cvd@cisco.com. For more information on SAFE, see www.cisco.com/go/SAFE.

Follow these steps to connect a Cisco Meraki MX/Z4 series device to Cisco Secure Access through a Meraki Third Party (non-Meraki) VPN Tunnel (NMVPN) configuration. The two primary uses cases for Secure Access with Meraki Networks are secure internet access and remote access to private applications.To connect to Secure Access, a NMVPN must be established to a Secure Access Network Tunnel Group (NTG). With this configuration in place, internet-bound traffic from Meraki branches will be secured through Secure Access.The same tunnels can be used to securely connect remote users of AnyConnect VPN and Client/Clientless Zero Trust Access modules in the Secure Client to private applications on Meraki networks.Table of ContentsPrerequisitesCaveats and Considerations Supported Use Cases and Requirements Step 1: Add a Network Tunnel Group in Secure AccessStep 2: Configure a Tunnel in Meraki MXVerification and TroubleshootingOptional ConfigurationsPrerequisitesA Cisco Meraki MX/Z4 device (running MX 18.107+ firmware).A valid Cisco Secure Access account.A network tunnel group configured on Cisco Secure Access; see Add a Network Tunnel Group.Caveats and ConsiderationsThis section discusses important caveats and considerations associated with the Meraki Third Party (non-Meraki) VPN tunnel configuration to Secure Access.There is no stateful failover to a Secure Access secondary tunnel.a. The MX only supports active/cold standby to a single headend.b. Traffic from a failed site is required to reestablish the tunnel.Only static routing is supported; BGP is not supported.Requires traffic to be generated from the LAN side of an MX through the non-Meraki VPN to establish connection.a. Remote application access on Meraki networks through an MX is not possible until traffic is initiated from the application side of the MX through the non-Meraki VPN.b. Traffic will also need to be consistently generated from the LAN side of the MX over each non-Meraki VPN to keep the tunnel from timing out.ECMP/Load balancing is not supported. Only a single IPSec tunnel is supported between a single Meraki network and a Secure Access network tunnel group.A unique public uplink IP is required for each network.a. The public uplink IP is used as the MX peer device IP, and this cannot be changed.In the Secure Access dashboard, the network tunnel group will display the status as Warning. This is because the Meraki network cannot build a standby tunnel to the Secondary Hub in the network tunnel group that is provided for intra-region redundancy.Supported Use Cases and RequirementsThe following sections describe supported use cases for Meraki Third Party (non-Meraki) VPN

A Warning status to Connected. This is because the Network Tunnel Group is designed to have a Primary and Secondary tunnel connected to each Hub for failover. Traffic will pass to the Primary Hub even if the Network Tunnel Group status is Warning.Run ping tests from the new VLAN to the internet. For more information, see Using the Ping Live Tool.Check the status of the VPN tunnel. For more information, see VPN Status Page.Follow the VPN troubleshooting procedures. For more information, see Troubleshooting Non-Meraki Site-to-site VPN.👍Note: Cisco Meraki does not support policy based routing. It is not possible to do client side routing to determine if specific traffic belongs inside or outside the tunnel. However, it is possible to choose if an entire VLAN is tunneled to Secure Access.Optional ConfigurationsTo create a VLAN for the subnet to redirect to Secure Access, see Configuring VLANs on the MX Security Appliance.To create a new SSID for the VLAN, see Configuring Simple Guest and Internal Wireless Networks.Configure Tunnels with Cisco Secure Firewall < Configure Tunnels with Meraki MX > Manage Resource Connectors and Groups" data-testid="RDMD">Follow these steps to connect a Cisco Meraki MX/Z4 series device to Cisco Secure Access through a Meraki Third Party (non-Meraki) VPN Tunnel (NMVPN) configuration. The two primary uses cases for Secure Access with Meraki Networks are secure internet access and remote access to private applications.To connect to Secure Access, a NMVPN must be established to a Secure Access Network Tunnel Group (NTG). With this configuration in place, internet-bound traffic from Meraki branches will be secured through Secure Access.The same tunnels can be used to securely connect remote users of AnyConnect VPN and Client/Clientless Zero Trust Access modules in the Secure Client to private applications on Meraki networks.PrerequisitesCaveats and Considerations Supported Use Cases and Requirements Step 1: Add a Network Tunnel Group in Secure AccessStep 2: Configure a Tunnel in Meraki MXVerification and TroubleshootingOptional ConfigurationsA Cisco Meraki MX/Z4 device (running MX 18.107+ firmware).A valid Cisco Secure Access account.A network tunnel group configured on Cisco Secure Access; see Add a Network Tunnel Group.This section discusses important caveats and considerations associated with the Meraki Third Party (non-Meraki) VPN tunnel configuration to Secure Access.There is no stateful failover to a Secure Access secondary tunnel.a. The MX only supports active/cold standby to a single headend.b. Traffic from a failed site is required to reestablish the tunnel.Only static routing is supported; BGP is not

Tunnel configuration to Secure Access.Remote Access VPN and ZTAThe Meraki networks will need to be tagged.Use the Umbrella IKEv2 configuration. No default exit hub.No spokes.Branch-to-Branch through Secure AccessOne of the following options is required to enable Secure Access policy enforcement to apply to branch-to-branch communication. Otherwise, all traffic will traverse Meraki AutoVPN between Meraki networks directly.Each network hosting applications is in a separate org; orAll networks are in a single org. Note: If this is the case, contact Support to have hub-to-hub communication turned off.Secure Internet Access with Non-Meraki VPNThe following are requirements for this configuration:No AutoVPN default route.Local route configuration 0.0.0.0/0.Step 1: Add a Network Tunnel Group in Secure AccessSecure Access enables fast, reliable, and secure private network connections to your applications through IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnels.Tunnels and tunnel groups are core concepts in managing connections between your data centers and Cisco Secure Access. A network tunnel group provides the framework for establishing tunnel redundancy and high availability. Connect tunnels to the hubs within a network tunnel group to securely control user access to the Internet and private resources.Follow the steps in Add a Network Tunnel Group.Make note of the Tunnel ID and Passphrase you enter when configuring the network tunnel group. These values are needed when you configure your Meraki IPsec tunnel.Note: Secure Access provides the option to download a CSV file with the network tunnel group details.Remember to select Static routing under routing options. Only static routing is supported.The new network tunnel group appears in the Secure Access dashboard as Disconnected, and with the Primary Hub and Secondary Hub status showing as Hub Down. The network tunnel group status is updated once it is fully configured and connected with Meraki MX. See the Verification and Troubleshooting section for additional information about how to evaluate the network tunnel group status.Step 2: Configure a Tunnel in Meraki MXConfigure a Meraki Third Party (non-Meraki) VPN tunnel to connect a Meraki MX/Z4 series device to Cisco Secure Access. In the Meraki MX dashboard, navigate to the Organization > Monitor > Overview page.If the page is not expanded by default, expand the Networks list by clicking the left-facing arrow at the top of the network list.Select the desired network from the networks Name list. Select only the network that will connect to the Secure Access Network Tunnel Group.Add a Network tag to the selected network.