Resilient WAN and Security for Distributed Networks with Cisco Meraki MX

Daghan Altas, Director of Product Management

BRKSEC-2900

Agenda

• Problem

• Cisco CNG

• Live network creation demo (45m)

• Product Brief

• Q&A

What if my firewall dies?

What if my Internet goes down?

What about DR?

What happens if I discover a threat?

How can I keep my PCI traffic isolated from guest traffic?

I need a solution that just works!

We have a small team responsible for 1000 store networks

I pay too much for MPLS!

BYOM!

How do I discover a threat?

Cost Agility Security

Bandwidth costs:

• MPLS costs

• Increased bandwidth demands

High cost and complexity of network management:

• Truck rolls

• Zero local IT

• Difficulty with troubleshooting

CPE complexity:

• Management

• Configuration

New WAN architecture demands:

• Agility

• Migration to Metro-E

• Adoption of Internet (and DIA)

• Service creation

• Intelligent QoS

Security is more important than ever:

• Direct Internet Access to SaaS

• Guest wireless access

• BYOD

• APT protection

WAN access needs to change

Secure and reliable networks that are easy to manage

Cisco CNG

• Cisco Meraki MR: Wireless LAN

• Cisco Meraki MX: Security Appliances

• Cisco Meraki MS: Ethernet Switches

• Cisco Meraki SM: Mobile Device Management

Cloud-managed networking

Cloud-managed networking architecture

• Network endpoints securely connected to the cloud

• Cloud-hosted centralized management platform

• Intuitive browser-based dashboard

• Application Control: Web caching, Traffic Shaping, Content Filtering

• Security: NG Firewall, Client VPN, Site to Site VPN, IPS, Geo IP

• Networking: NAT/DHCP, 3G/4G failover, Intelligent WAN (IWAN)

7 models scaling from teleworker and small branch to campus / datacenter

A complete Unified Threat Management solution

Target customers

Why choose the Cisco Meraki MX?

Intuitive centralized management:

• No training, no command line

• Templates to configure at-scale

• Packet capture, built-in tools and diagnostics

Industry-leading visibility:

• Fingerprints users, applications, and devices

• Network-wide monitoring and alerts

• Full stack: APs, switches, Security, MDM

Designed for distributed enterprises:

• Single pane of glass visibility

• Zero-touch provisioning

• Seamless updates from the cloud

• Site-to-site IPSec VPN in 3 clicks

Ironclad security

• Best IPS: Sourcefire IDS / IPS, updated every day

• Content Filtering: 4+ billion URLs, updated in real-time

• Geo-based security: Block attackers from rogue countries

• AV / anti-phishing: Kaspersky AV, updated every hour

• PCI compliance: PCI L1 certified cloud-based management

Rock-solid UTM for multi-site organizations

Why Cisco Meraki MX?

• Lean IT staff; needed centralized remote management for easily-deployed UTMs (zero-touch)

• Intuitive site-to-site VPN

• HIPAA compliant

• Needed single-box solution (MX60W) for security and wireless at rehabilitation centers

• Guest hotspots provided with MX60W Wi-Fi and 3G/4G uplinks

• Largest diversified provider of post-acute care in USA

• 2000+ locations in 46 states, 75,000+ employees

Penn Mutual saves $858K

Projects / Pain Points:

• Implement a BYOD platform at 50 remote sites

• Managed Service Provider & MPLS costs

Solution:

• Complete Meraki Stack: MR, MS, MX

• Phase off MPLS to Broadband

Business Outcomes:

• Reduced Telco Spend by 40%

• Single platform in branch improved IT efficiency

Demo

New Features: IWAN

What is IWAN?

“Intelligent WAN” (IWAN) is a collection of Cisco technologies and products that enable transport independence, intelligent path control, application optimization, and secure connectivity for multi-site deployments.

Transport Independence:

• IPsec overlay (Auto VPN)

• Scalable (cloud architecture)

• Traffic distribution over multiple pathways (Internet, cellular, MPLS)

Application Optimization:

• App visibility & control (Meraki dashboard, group-based policies, traffic analytics)

• Application QoS & bandwidth optimization (Traffic shaping)

Intelligent Path Control:

• Uplink chosen by link latency, data loss, etc. (PfR, aka performance-based routing)

• Uplink assigned by traffic protocol, subnet, source, destination, etc. (PbR, aka policy-based routing)

Secure Connectivity:

• Intuitive, automatic, scalable VPN solution to connect remote branch sites (Auto VPN)


Dual-active path:

• Active-active VPN - dual internet

• Active-active Internet-VPN & MPLS

• 3G/4G for backup only (no active/active)

Policy-based routing:

• Dual active VPN uplinks, with automatic failover

• Allows uplinks to be intelligently utilized with traffic-steering based on protocol, subnet, source, destination, etc.

Performance-based routing:

• Automatic failover based on loss, latency and jitter

• Ensures the best uplink is used based on performance

[Diagram: Data over two uplinks. WAN 1: secure VPN tunnel (active), latency / loss > threshold. WAN 2: secure VPN tunnel (active), latency / loss < threshold.]

New IWAN features for the Meraki MX

Setting up dual-DC VPN network

End goal: DC-to-DC failover and load-balancing

[Diagram: Internet; DC1 HA pair and DC2 HA pair; branches connected to DC1 and branches connected to DC2, each with an active VPN tunnel and a failover VPN tunnel.]

Demo: Resilient WAN and security under 30 min

• HA within DC

• DC to DC failover

• WAN link failover (4G)

• Automated VPN between sites

• Full UTM features

• IPS

• Content Filtering

• AV

• L7 firewall rules

[Diagram labels: Internet; DC1: 10.0.0.0/16; DR: 10.0.0.0/16; Template: West; Template: East; 10..0.10; 10.2.0.10; Branch1: 10.100.0.0/24]

Demo: Resilient WAN and security under 30 min

[Diagram labels: Internet; DC1: 10.0.0.0/16; DR: 10.0.0.0/16; Template: West; Template: East; 10.2.0.1/24; 10.2.0.1/24; 10.2.0.2/24; 10.2.0.2/24; Branch1: 10.100.0.0/24]

Product Brief

MX64 / MX64W

• Speed

• Industry’s first 802.11ac UTM

• Dual radio

• ~3X speed of 11n wireless

• 2-3X faster than MX60 / MX60W

• Security

• UTM provides one-stop security

• IPS, content filtering, malware / anti-phishing

• Seamless, automatic updates

• PCI 3.0-certified cloud backend

SKU | List Price

MX64-HW | $595

LIC-MX64-ENT-3Y | $600

LIC-MX64-SEC-3Y | $1200

MX64W-HW | $945

LIC-MX64W-ENT-3Y | $650

LIC-MX64W-SEC-3Y | $1300

Choosing the right MX for your environment

MX64/64W

MX80

MX100

MX400

MX600

Z1

Small branches (~25 users)

Where

Throughput

100 Mbps

Large branch / campus (~10,000 users)

Large branch / campus (~2,000 users)

Mid-size branches (~100 users)

Mid-size branches (~500 users)

Features

Wireless (MX60W)

Modular interface

Large Web cache (4TB)

250 Mbps

Large Web cache (1TB)

500 Mbps

SFP ports

Large Web cache (1TB)

1 Gbps

2 Gbps

Modular interface

Large Web cache (1TB)

For teleworkers (1-5 users)

Dual-radio wireless

FW throughput: 50 Mbps

All devices support 3G/4G

MX Security Appliances: Licenses

Enterprise License:

• Stateful firewall

• Site to site VPN

• Branch routing

• Intelligent WAN (IWAN)

• Application control

• Web caching

• Client VPN

Advanced Security License:

• All enterprise features, plus

• Content filtering (with Google SafeSearch)

• Kaspersky Anti-Virus and Anti-Phishing

• SourceFire IPS / IDS

• Geo-based firewall rules

MX Sizing Guide

Q & A

Free evaluations available

• Try Cisco Meraki with no risk or commitment

• Complimentary technical assistance available

• Start trial at meraki.cisco.com/eval


Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
