Meraki has also implemented support for the Cisco TrustSec architecture with a feature called Adaptive Policy. Designed to offer improved management and scalability over more traditional access control methods, Adaptive Policy utilizes Security Group Tags (SGTs) to provide IP-agnostic policy and identity propagation throughout the network without reliance on traditional access control lists. By utilizing inline traffic tagging similar to 802.1Q trunking, Adaptive Policy allows for centrally defined security policies to be enforced across the network based on the SGTs applied to traffic instead of a source/destination IP, port, or other application-based policy.

Although most MX devices support Adaptive Policy, its functionality and configuration are discussed in more detail in Chapter 7, “MS Switching Design and Recommendations.”

VPN

As briefly mentioned previously, MX security appliances are capable of several different VPN implementations, allowing flexibility in your deployment to connect with VPN peers around the world. This section provides a brief overview of those implementations, which are discussed in more detail later in this chapter. You can access all of the following configurations by navigating to the Security & SD-WAN > Site-to-Site VPN page on the Dashboard.

Meraki Auto VPN

Meraki Auto VPN simplifies traditional VPN configuration to just a few clicks in the Dashboard, creating a fully functional and secure VPN topology across your entire organization.

Auto VPN utilizes the power of the Meraki cloud to quickly and easily create VPN peering configurations for multiple sites within a Dashboard organization. Through the use of multiple redundant cloud-hosted VPN registry endpoints, each device in an Auto VPN topology provides local device details, such as its public IP and selected UDP ports, to the registry. That registry information is then exchanged across all relevant members of the Auto VPN topology to automatically bring up VPN tunnels directly between the local device and any configured peers, without requiring any unique configuration for each site. Figure 5-7 shows a network configured as an Auto VPN hub with the Management subnet enabled for VPN access and advertisement.

Figure 5-7 Network Configured as an Auto VPN Hub with Several Subnets Enabled for VPN Access and Advertisement

Auto VPN supports a traditional hub-and-spoke topology, a full mesh topology, or something in between, and it lets you configure and deploy the entire topology from within the Dashboard with just a few clicks. It also greatly simplifies both the configuration and maintenance of your VPN topology. Each device continually updates the VPN registry to account for uplink IPs that may change over time, which can eliminate the need for a dedicated static IP at each location.
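The registry exchange and topology rules described above, as a constructed model added here for illustration (it is not Meraki's code or registry protocol); the `Site` and `Registry` classes, the role and topology names, and the sample addresses and ports are all assumptions of the model:

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed model of the Auto VPN registry exchange described above. It is
# illustrative code, not Meraki's registry protocol: each site reports its
# public uplink IP and UDP port, and the registry hands every site the peer
# endpoints it should tunnel to, based on its role and the chosen topology.
@dataclass
class Site:
    name: str
    role: str        # "hub" or "spoke"
    public_ip: str   # uplink address as seen from the Internet
    udp_port: int    # UDP port the device selected for tunnel traffic

class Registry:
    def __init__(self):
        self.sites = {}
    def register(self, site):
        # Devices re-register as their uplink changes; a new public IP simply
        # overwrites the old entry, so no static IP is needed per site.
        self.sites[site.name] = site
    def peers_for(self, name, topology):
        """Endpoints {peer_name: (ip, port)} that `name` should tunnel to."""
        me = self.sites[name]
        peers = {}
        for other in self.sites.values():
            if other.name == name:
                continue
            if topology == "full-mesh":
                wanted = True
            elif topology == "hub-and-spoke":
                # Spokes tunnel only to hubs; hubs tunnel to everyone.
                wanted = "hub" in (me.role, other.role)
            else:
                raise ValueError(f"unknown topology {topology!r}")
            if wanted:
                peers[other.name] = (other.public_ip, other.udp_port)
        return peers
    def tunnels(self, topology):
        """Unordered site pairs that end up with a tunnel between them."""
        return {frozenset((a, b)) for a, b in combinations(self.sites, 2)
                if b in self.peers_for(a, topology)}

def demo_registry():
    # Constructed sample organization with placeholder addresses and ports.
    reg = Registry()
    reg.register(Site("HQ", "hub", "203.0.113.10", 9350))
    reg.register(Site("Branch1", "spoke", "198.51.100.20", 9350))
    reg.register(Site("Branch2", "spoke", "192.0.2.30", 9350))
    return reg
```

Re-registering a site with a new public IP is enough for every peer's next `peers_for` call to return the updated endpoint, which is the behaviour that removes the need for a static IP per site.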
