Meraki has also implemented support for the Cisco TrustSec architecture with a feature called Adaptive Policy. Designed to offer improved management and scalability over more traditional access control methods, Adaptive Policy utilizes Security Group Tags (SGTs) to provide IP-agnostic policy and identity propagation throughout the network without reliance on traditional access control lists. By utilizing inline traffic tagging similar to 802.1Q trunking, Adaptive Policy allows for centrally defined security policies to be enforced across the network based on the SGTs applied to traffic instead of a source/destination IP, port, or other application-based policy.

While supported by most MX devices, Adaptive Policy, along with its functionality and configuration, is discussed in more detail in Chapter 7, “MS Switching Design and Recommendations.”
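The following model, added here as an illustration and not Meraki's own code, shows what "IP-agnostic" enforcement means in practice: policy is looked up by the (source SGT, destination SGT) pair, so re-addressing an endpoint does not change the decision, whereas an equivalent IP-based ACL silently stops matching. All tag numbers, addresses, the policy matrix and the permit-by-default behaviour are constructed for the example.

```python
"""Model of SGT-based (Adaptive Policy style) enforcement beside an IP ACL.

Added illustration, not Meraki code. Tag values, addresses and the
default action are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed SGT values. In a real deployment the tag is assigned at the
# access edge and carried inline with the traffic.
SGT_CORP_USER = 10
SGT_IOT_DEVICE = 20
SGT_CORP_SERVER = 30

# Constructed policy matrix: (source SGT, destination SGT) -> action.
POLICY_MATRIX = {
    (SGT_CORP_USER, SGT_CORP_SERVER): "permit",
    (SGT_IOT_DEVICE, SGT_CORP_SERVER): "deny",
    (SGT_IOT_DEVICE, SGT_CORP_USER): "deny",
}

# Constructed IP ACL expressing the same intent with addresses.
IP_ACL = [
    ("10.1.1.0/24", "10.9.9.10", "permit"),  # corp user subnet -> app server
    ("10.2.2.0/24", "10.9.9.10", "deny"),    # IoT subnet -> app server
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_sgt: int
    dst_sgt: int


def evaluate_sgt(flow, matrix=POLICY_MATRIX, default="permit"):
    """Only the tag pair is consulted; addresses play no role (default is an assumption)."""
    return matrix.get((flow.src_sgt, flow.dst_sgt), default)


def evaluate_ip_acl(src_ip, dst_ip, acl=IP_ACL, default="permit"):
    """First-match ACL keyed on source network and destination host."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for src_net, dst_host, action in acl:
        if src in ip_network(src_net) and dst == ip_address(dst_host):
            return action
    return default


def compare_after_move():
    """Same IoT endpoint before and after it is moved to a new subnet.

    The SGT decision is unchanged; the IP ACL falls through to its default
    because no rule covers the new address, which is exactly the
    maintenance gap tag-based policy is meant to remove.
    """
    before = Flow("10.2.2.7", "10.9.9.10", SGT_IOT_DEVICE, SGT_CORP_SERVER)
    after = Flow("10.7.7.7", "10.9.9.10", SGT_IOT_DEVICE, SGT_CORP_SERVER)
    return {
        "sgt_before": evaluate_sgt(before),
        "sgt_after": evaluate_sgt(after),
        "acl_before": evaluate_ip_acl(before.src_ip, before.dst_ip),
        "acl_after": evaluate_ip_acl(after.src_ip, after.dst_ip),
    }


if __name__ == "__main__":
    for name, action in compare_after_move().items():
        print(f"{name}: {action}")
```

The point of the comparison is the last line of the result: the ACL keeps working only as long as someone remembers to rewrite it every time addressing changes, while the tag-based matrix needs no update.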

VPN

As briefly mentioned previously, MX security appliances are capable of several different VPN implementations, allowing flexibility in your deployment to connect with VPN peers around the world. This section provides a brief overview of those implementations, which are discussed in more detail later in this chapter. You can access all of the following configurations by navigating to the Security & SD-WAN > Site-to-Site VPN page on the Dashboard.

Meraki Auto VPN

Meraki Auto VPN simplifies traditional VPN configuration to just a few clicks from within the Dashboard, creating a fully functional and secure VPN topology across your entire organization.

Auto VPN utilizes the power of the Meraki cloud to quickly and easily create VPN peering configurations for multiple sites within a Dashboard organization. Through the use of multiple redundant cloud-hosted VPN registry endpoints, each device in an Auto VPN topology is able to provide local device details such as public IP and selected UDP ports to the registry. From there, that registry information is then exchanged across all relevant members of the Auto VPN topology to automatically bring up VPN tunnels directly between the local device and any configured peers, without requiring any unique configurations for each site. Figure 5-7 shows a network configured as an Auto VPN hub with the Management subnet enabled for VPN access and advertisement.

Figure 5-7 Network Configured as an Auto VPN Hub with Several Subnets Enabled for VPN Access and Advertisement

With the ability to configure either a traditional hub-and-spoke topology, a full mesh topology, or something in between, Auto VPN enables you to configure and deploy an entire Auto VPN topology from within the Dashboard with just a few clicks. It also greatly simplifies both the configuration and maintenance of your VPN topology. Each device keeps the VPN registry updated as its uplink IP changes over time, which can eliminate the need for a dedicated static IP at each location.
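To make the registry exchange concrete, here is a simplified model, added as an example and not Meraki's actual protocol or code: each device publishes its public IP and UDP port, the registry derives the peer list from the chosen topology (spokes peer only with their configured hubs, hubs peer with each other and with their spokes, or everyone peers with everyone in a full mesh), and a device whose uplink address changes simply re-registers. Device names, addresses, ports and the message shape are all constructed.

```python
"""Simplified model of an Auto VPN style registry exchange.

Added illustration, not Meraki's protocol. Names, addresses, ports and
the registration record are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    """What a device publishes to the registry (constructed shape)."""
    device: str
    role: str            # "hub" or "spoke"
    public_ip: str
    udp_port: int
    hubs: tuple = ()     # for spokes: the hubs it should tunnel to


class Registry:
    def __init__(self, topology="hub-and-spoke"):
        if topology not in ("hub-and-spoke", "full-mesh"):
            raise ValueError(f"unknown topology {topology!r}")
        self.topology = topology
        self.entries = {}

    def register(self, reg):
        """Store (or refresh) a device's details and return its current peers."""
        self.entries[reg.device] = reg
        return self.peers_for(reg.device)

    def peers_for(self, device):
        """Return (name, public_ip, udp_port) for every device that should tunnel to `device`."""
        me = self.entries[device]
        peers = []
        for other in self.entries.values():
            if other.device == device:
                continue
            if self.topology == "full-mesh":
                wanted = True
            elif me.role == "hub":
                # Hubs mesh with other hubs and accept their configured spokes.
                wanted = other.role == "hub" or device in other.hubs
            else:
                wanted = other.device in me.hubs
            if wanted:
                peers.append((other.device, other.public_ip, other.udp_port))
        return sorted(peers)


def demo_uplink_change():
    """Hub with two spokes; spoke-a's public IP changes and it re-registers."""
    reg = Registry("hub-and-spoke")
    reg.register(Registration("hub-hq", "hub", "203.0.113.10", 9350))
    reg.register(Registration("spoke-a", "spoke", "198.51.100.5", 9350, hubs=("hub-hq",)))
    reg.register(Registration("spoke-b", "spoke", "198.51.100.9", 32768, hubs=("hub-hq",)))
    initial = reg.peers_for("hub-hq")
    # Constructed event: spoke-a's uplink address changes, so it publishes again.
    reg.register(Registration("spoke-a", "spoke", "198.51.100.77", 9350, hubs=("hub-hq",)))
    updated = reg.peers_for("hub-hq")
    spoke_view = reg.peers_for("spoke-a")  # spokes see only their hubs
    return initial, updated, spoke_view


if __name__ == "__main__":
    initial, updated, spoke_view = demo_uplink_change()
    print("hub peers before:", initial)
    print("hub peers after: ", updated)
    print("spoke-a peers:   ", spoke_view)
```

Nothing on the hub is reconfigured when spoke-a's address changes; the hub's next read of the registry already carries the new endpoint, which is the mechanism behind the "no static IP required" property described above.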
