Resilient WAN and Security for Distributed Networks with Cisco Meraki MX
Daghan Altas, Director of Product Management
BRKSEC-2900
Agenda: Problem; Cisco CNG; Live network creation demo (45m); Product Brief; Q&A
How can I keep my PCI traffic isolated from guest traffic? What if my Internet goes down? I pay too much for MPLS! What happens if I discover a threat? What if my firewall dies? I need a solution that just works! BYOM! How do I discover a threat? What about DR? We have a small team responsible for 1000 store networks
WAN access needs to change
Cost: Bandwidth costs; MPLS costs; Increased bandwidth demands; High cost and complexity of network management (truck rolls, zero local IT, difficulty with troubleshooting); CPE complexity (management, configuration)
Agility: New WAN architecture demands agility (migration to Metro-E, adoption of Internet and DIA, service creation, intelligent QoS)
Security: Security is more important than ever (Direct Internet Access to SaaS, guest wireless access, BYOD, APT protection)
Secure and reliable networks that are easy to manage
Cisco CNG
Cloud-managed networking: Cisco Meraki MR Wireless LAN; Cisco Meraki MX Security Appliances; Cisco Meraki MS Ethernet Switches; Cisco Meraki SM Mobile Device Management
Cloud-managed networking architecture: Network endpoints securely connected to the cloud; Cloud-hosted centralized management platform; Intuitive browser-based dashboard
A complete Unified Threat Management solution
Security: NG Firewall, Client VPN, Site to Site VPN, IPS, Geo IP
Networking: NAT/DHCP, 3G/4G failover, Intelligent WAN (IWAN)
Application Control: Web caching, Traffic Shaping, Content Filtering
7 models scaling from teleworker and small branch to campus / datacenter
Target customers
Why choose the Cisco Meraki MX?
Intuitive centralized management: No training, no command line; Templates to configure at scale; Packet capture, built-in tools and diagnostics
Designed for distributed enterprises: Single pane of glass visibility; Zero-touch provisioning; Seamless updates from the cloud; Site-to-site IPSec VPN in 3 clicks
Industry-leading visibility: Fingerprints users, applications, and devices; Network-wide monitoring and alerts; Full stack: APs, switches, Security, MDM
Ironclad security
Best IPS: Sourcefire IDS / IPS, updated every day
Content Filtering: 4+ billion URLs, updated in real-time
Geo-based security: Block attackers from rogue countries
AV / antiphishing: Kaspersky AV, updated every hour
PCI compliance: PCI L1 certified cloud-based management
Rock-solid UTM for multi-site organizations
Customer: Largest diversified provider of postacute care in USA; 2000+ locations in 46 states, 75,000+ employees
Why Cisco Meraki MX? Lean IT staff, needed centralized remote management for easily-deployed UTMs (zero-touch); Intuitive site-to-site VPN; HIPAA compliant; Needed single-box solution (MX60W) for security and wireless at rehabilitation centers; Guest hotspots provided with MX60W Wi-Fi and 3G/4G uplinks
Penn Mutual saves $858K
Projects / Pain Points: Implement a BYOD platform at 50 remote sites; Managed Service Provider & MPLS costs
Solution: Complete Meraki Stack (MR, MS, MX); Phase off MPLS to Broadband
Business Outcomes: Reduced Telco Spend by 40%; Single platform in branch improved IT efficiency
Demo
New Features: IWAN
What is IWAN? Intelligent WAN (IWAN) is a collection of Cisco technologies and products that enable transport independence, intelligent path control, application optimization, and secure connectivity for multi-site deployments.
Transport Independence: IPsec overlay (Auto VPN); Scalable (cloud architecture); Traffic distribution over multiple pathways (Internet, cellular, MPLS)
Application Optimization: App visibility & control (Meraki dashboard, group-based policies, traffic analytics); Application QoS & bandwidth optimization (Traffic shaping)
Intelligent Path Control: Uplink chosen by link latency, data loss, etc. (PfR, aka performance-based routing); Uplink assigned by traffic protocol, subnet, source, destination, etc. (PbR, aka policy-based routing)
Secure Connectivity: Intuitive, automatic, scalable VPN solution to connect remote branch sites (Auto VPN)
New IWAN features for the Meraki MX
Dual-active path: Active-active VPN over dual Internet; Active-active Internet-VPN & MPLS; 3G/4G for backup only (no active/active)
Performance-based routing: Automatic failover based on loss, latency and jitter; Ensures the best uplink is used based on performance
[Diagram labels: WAN 1, secure VPN tunnel (active), latency / loss > threshold; WAN 2, secure VPN tunnel (active), latency / loss < threshold]
Policy-based routing: Dual active VPN uplinks, with automatic failover; Allows uplinks to be intelligently utilized with traffic-steering based on protocol, subnet, source, destination, etc.
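The uplink selection order these slides describe (policy-based preference first, performance-based failover second, cellular as backup only), modelled as an added example. It is not Meraki's implementation and not code from the presentation; the threshold values, the scoring weights and the `Uplink` / `Policy` field names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Uplink:
    name: str
    kind: str          # "wired" (Internet / MPLS) or "cellular" (3G/4G)
    up: bool
    latency_ms: float
    loss_pct: float
    jitter_ms: float

@dataclass
class Policy:          # one policy-based routing rule (assumed fields)
    protocol: str      # "tcp", "udp" or "any"
    dst: str           # destination subnet in CIDR form
    prefer: str        # name of the preferred uplink

# Assumed thresholds; the slides only say "threshold".
MAX_LATENCY_MS, MAX_LOSS_PCT, MAX_JITTER_MS = 150.0, 2.0, 30.0

def healthy(u):
    return (u.up and u.latency_ms <= MAX_LATENCY_MS
            and u.loss_pct <= MAX_LOSS_PCT and u.jitter_ms <= MAX_JITTER_MS)

def score(u):
    # Lower is better; loss is weighted most heavily (assumed weighting).
    return u.latency_ms + 50 * u.loss_pct + 2 * u.jitter_ms

def select_uplink(uplinks, policies, protocol, dst_ip):
    wired = [u for u in uplinks if u.kind == "wired" and u.up]
    good = [u for u in wired if healthy(u)]
    # 1. Policy-based routing: first matching rule wins if its uplink is healthy.
    for p in policies:
        if p.protocol in ("any", protocol) and ip_address(dst_ip) in ip_network(p.dst):
            if any(u.name == p.prefer for u in good):
                return p.prefer
            break  # preferred uplink is degraded: fall through to step 2
    # 2. Performance-based routing: best healthy wired uplink, else the
    #    least-bad wired uplink that is still up.
    pool = good or wired
    if pool:
        return min(pool, key=score).name
    # 3. Cellular is backup only: used when no wired uplink is up at all.
    cell = [u for u in uplinks if u.kind == "cellular" and u.up]
    return cell[0].name if cell else None

# Constructed sample: WAN 1 is over the latency threshold, WAN 2 is healthy.
SAMPLE = [Uplink("wan1", "wired", True, 220.0, 0.5, 10.0),
          Uplink("wan2", "wired", True, 40.0, 0.1, 5.0),
          Uplink("cell", "cellular", True, 90.0, 0.0, 8.0)]
```

With `SAMPLE`, a rule that prefers `wan1` is overridden because `wan1` exceeds the latency threshold, and the cellular uplink is never chosen while a wired uplink is up.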
Setting up dual-dc VPN network
End goal: DC-to-DC failover and load-balancing
[Diagram labels: DC1 (HA pair); DC2 (HA pair); Internet; branches connected to DC1; branches connected to DC2; active VPN tunnel; failover VPN tunnel]
Demo: Resilient WAN and security under 30 min
[Diagram labels: Internet; 10..0.10; 10.2.0.10; DC1: 10.0.0.0/16; DR: 10.0.0.0/16; Template: West; Template: East; Branch1: 10.100.0.0/24]
HA within DC; DC to DC failover; WAN link failover (4G); Automated VPN between sites; Full UTM features: IPS, Content Filtering, AV, L7 firewall rules
Demo: Resilient WAN and security under 30 min
[Diagram labels: Internet; 10.2.0.1/24; 10.2.0.1/24; 10.2.0.2/24; 10.2.0.2/24; DC1: 10.0.0.0/16; DR: 10.0.0.0/16; Template: West; Template: East; Branch1: 10.100.0.0/24]
Product Brief
MX64 / MX64W
Speed: Industry's first 802.11ac UTM; Dual radio; ~3X speed of 11n wireless; 2-3X faster than MX60 / MX60W
Security: UTM provides one-stop security; IPS, content filtering, malware / antiphishing; Seamless, automatic updates; PCI 3.0-certified cloud backend
SKU list prices: MX64-HW $595; LIC-MX64-ENT-3Y $600; LIC-MX64-SEC-3Y $1200; MX64W-HW $945; LIC-MX64W-ENT-3Y $650; LIC-MX64W-SEC-3Y $1300
Choosing the right MX for your environment MX64/64W Where Small branches (~25 users) Features Wireless (MX60W) Throughput 100 Mbps MX80 Mid-size branches (~100 users) Mid-size branches (~500 users) Large Web cache (1TB) SFP ports Large Web cache (1TB) 250 Mbps 500 Mbps Z1 For teleworkers (1-5 users) Dual-radio wireless MX100 MX400 Large branch /campus (~2,000 users) Modular interface Large Web cache (1TB) 1 Gbps FW throughput: 50 Mbps MX600 Large branch /campus (~10,000 users) Modular interface Large Web cache (4TB) 2 Gbps All devices support 3G/4G
MX Security Appliances: Licenses
Enterprise License: Stateful firewall; Site to site VPN; Branch routing; Intelligent WAN (IWAN); Application control; Web caching; Client VPN
Advanced Security License: All enterprise features, plus Content filtering (with Google SafeSearch); Kaspersky Anti-Virus and Anti-Phishing; SourceFire IPS / IDS; Geo-based firewall rules
MX Sizing Guide
Q & A
Free evaluations available Try Cisco Meraki with no risk or commitment Complimentary technical assistance available Start trial at meraki.cisco.com/eval