Meraki has also implemented support for the Cisco TrustSec architecture with a feature called Adaptive Policy. Designed to offer improved management and scalability over more traditional access control methods, Adaptive Policy utilizes Security Group Tags (SGTs) to provide IP-agnostic policy and identity propagation throughout the network without reliance on traditional access control lists. By utilizing inline traffic tagging similar to 802.1Q trunking, Adaptive Policy allows for centrally defined security policies to be enforced across the network based on the SGTs applied to traffic instead of a source/destination IP, port, or other application-based policy.
Although most MX devices support Adaptive Policy, its functionality and configuration are discussed in more detail in Chapter 7, “MS Switching Design and Recommendations.”
VPN
As briefly mentioned previously, MX security appliances are capable of several different VPN implementations, allowing flexibility in your deployment to connect with VPN peers around the world. This section provides a brief overview of those implementations, which are discussed in more detail later in this chapter. You can access all of the following configurations by navigating to the Security & SD-WAN > Site-to-Site VPN page on the Dashboard.
Meraki Auto VPN
Meraki Auto VPN reduces traditional VPN configuration to just a few clicks in the Dashboard, creating a fully functional and secure VPN topology across your entire organization.
Auto VPN utilizes the power of the Meraki cloud to quickly and easily create VPN peering configurations for multiple sites within a Dashboard organization. Through the use of multiple redundant cloud-hosted VPN registry endpoints, each device in an Auto VPN topology is able to provide local device details such as public IP and selected UDP ports to the registry. From there, that registry information is then exchanged across all relevant members of the Auto VPN topology to automatically bring up VPN tunnels directly between the local device and any configured peers, without requiring any unique configurations for each site. Figure 5-7 shows a network configured as an Auto VPN hub with the Management subnet enabled for VPN access and advertisement.
Figure 5-7 Network Configured as an Auto VPN Hub with Several Subnets Enabled for VPN Access and Advertisement
Whether you need a traditional hub-and-spoke topology, a full mesh topology, or something in between, Auto VPN lets you configure and deploy the entire topology from within the Dashboard with just a few clicks, and it greatly simplifies both the configuration and the ongoing maintenance of that topology. Each device continually updates the VPN registry to account for uplink IPs that may change over time, potentially eliminating the need for a dedicated static IP at each location.
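The registry exchange and peer selection described above can be modeled in a few dozen lines. The following Python is an added illustration written for this chapter, not Meraki code or a description of the real Auto VPN protocol: the registry contents (network name, public IP, UDP port, role, hub list, advertised subnets), the `VpnRegistry` class, its topology names, and the three sample networks with their addresses are all assumptions constructed for the example. It shows how a hub-and-spoke and a full-mesh topology yield different peer lists from the same registrations, and how a spoke whose uplink IP changes only has to re-register for its hub to learn the new endpoint.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    """What one device reports to the registry (fields are assumed for this model)."""
    network: str
    public_ip: str
    udp_port: int
    role: str = "spoke"          # "hub" or "spoke"
    hubs: tuple = ()             # for a spoke: the hub networks it should tunnel to
    vpn_subnets: tuple = ()      # local subnets enabled for VPN advertisement


class VpnRegistry:
    """Cloud-side table of registrations: one entry per network, latest wins."""

    def __init__(self, topology="hub-and-spoke"):
        if topology not in ("hub-and-spoke", "full-mesh"):
            raise ValueError("unknown topology: %s" % topology)
        self.topology = topology
        self._entries = {}

    def register(self, reg):
        # A device re-registers whenever its uplink changes; replacing the entry
        # is what lets peers follow a dynamic public IP without manual edits.
        self._entries[reg.network] = reg

    def peers_for(self, network):
        """Registrations this device should build tunnels to, per the topology."""
        me = self._entries[network]
        others = [r for n, r in self._entries.items() if n != network]
        if self.topology == "full-mesh":
            return others
        if me.role == "hub":
            # A hub peers with the other hubs and with the spokes that selected it.
            return [r for r in others if r.role == "hub" or network in r.hubs]
        # A spoke peers only with its configured hubs, never with other spokes.
        return [r for r in others if r.network in me.hubs]


def tunnel_endpoints(registry, network):
    """Sorted (peer network, public IP, UDP port) triples the device tunnels to."""
    return sorted((p.network, p.public_ip, p.udp_port)
                  for p in registry.peers_for(network))


def vpn_routes(registry, network):
    """Subnets learned over the VPN, keyed by the peer that advertises them."""
    return {p.network: list(p.vpn_subnets) for p in registry.peers_for(network)}


def build_demo_registry(topology="hub-and-spoke"):
    """Three constructed sample networks: one hub and two spokes (illustrative values)."""
    reg = VpnRegistry(topology)
    reg.register(Registration("HQ", "203.0.113.10", 9350, role="hub",
                              vpn_subnets=("10.0.0.0/24", "10.0.10.0/24")))
    reg.register(Registration("Branch-A", "198.51.100.7", 9350, hubs=("HQ",),
                              vpn_subnets=("10.1.0.0/24",)))
    reg.register(Registration("Branch-B", "198.51.100.88", 9350, hubs=("HQ",),
                              vpn_subnets=("10.2.0.0/24",)))
    return reg


def simulate_uplink_change(reg):
    """Branch-A's ISP hands it a new address; it re-registers and nothing else changes."""
    reg.register(Registration("Branch-A", "192.0.2.200", 9350, hubs=("HQ",),
                              vpn_subnets=("10.1.0.0/24",)))
    return tunnel_endpoints(reg, "HQ")


if __name__ == "__main__":
    hs = build_demo_registry("hub-and-spoke")
    print("HQ tunnels (hub-and-spoke):", tunnel_endpoints(hs, "HQ"))
    print("Branch-A tunnels:", tunnel_endpoints(hs, "Branch-A"))
    print("Branch-A routes:", vpn_routes(hs, "Branch-A"))
    print("HQ tunnels after Branch-A uplink change:", simulate_uplink_change(hs))
    fm = build_demo_registry("full-mesh")
    print("Branch-A tunnels (full mesh):", tunnel_endpoints(fm, "Branch-A"))
```

The point to take from the model is that no device ever holds a peer's address in its own configuration: the registry is the single source of truth, so a new uplink IP propagates as soon as the affected device re-registers, which is why a static IP at each site is optional rather than required.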