Aruba Wireless Controllers: Architecture & Configurations
This blog updates a recent blog, taking note of recently-added and/or new-to-me SD-WAN and other functionality in the Meraki products.
In particular, the Meraki firewalls support:
I must note I changed my opinion from that in a comment in the prior blog: Meraki now does support the main features of SD-WAN, alongside security / firewall / UTM functionality and split tunnel capability (local Internet) for the branch. Cisco AMP, Snort IDS / IPS, and ThreatGrid integration can be had with a few clicks.
The CVD covers establishing connectivity, discusses NAT traversal (if needed), etc. It also covers use of a warm spare. It then goes into getting Auto-VPN working.
You can configure split tunneling, and steer Internet one way and VPN over the other link, if you wish. The CVD goes on to show how to steer VoIP to prefer “Best for VoIP.”
It goes on to cover PBR (Policy-Based Routing), with performance failover if desired.
Throughout, the feature set and the GUI exhibit the hallmark of Meraki: simplicity.
In case you were curious, the following failover information is from the Meraki CVD:
| Service | Failover Time | Failback Time |
|---|---|---|
| AutoVPN Tunnels | 30-40 seconds | 30-40 seconds |
| DC-DC Failover | 20-30 seconds | 20-30 seconds |
| Dynamic Path Selection | Up to 30 seconds | Up to 30 seconds |
| Warm Spare | 30 seconds or less | 30 seconds or less |
| WAN connectivity | 300 seconds or less | 15-30 seconds |
I’m told by Meraki personnel that most of the items are in practice significantly shorter.
Concerning performance monitoring, an MX sends probes across all possible paths on each uplink, at either 1- or 10-second intervals. Average latency, loss, jitter, and Mean Opinion Score (MOS) are computed over the last 6 samples for each path. A synthetic MOS is used to decide “Best for VoIP.”
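The six-sample window described above can be sketched as follows. This is an added example, not code from the CVD or from Meraki. The MOS formula is a commonly used simplified E-model approximation and is an assumption, since the page does not give Meraki's formula. The path names and probe values are constructed.

```python
from collections import deque
from statistics import mean

WINDOW = 6  # from the text: metrics are averaged over the last 6 samples per path

def synthetic_mos(latency_ms, jitter_ms, loss_pct):
    """Simplified E-model estimate; an assumption, not Meraki's formula."""
    eff = latency_ms + 2 * jitter_ms + 10.0   # jitter weighted into latency
    r = 93.2 - eff / 40.0 if eff < 160 else 93.2 - (eff - 120.0) / 10.0
    r = max(0.0, min(100.0, r - 2.5 * loss_pct))
    return max(1.0, 1 + 0.035 * r + 7e-6 * r * (r - 60) * (100 - r))

class PathMonitor:
    def __init__(self):
        self.samples = {}   # path -> deque of (latency_ms, jitter_ms, lost)

    def record(self, path, latency_ms, jitter_ms, lost=False):
        window = self.samples.setdefault(path, deque(maxlen=WINDOW))
        window.append((latency_ms, jitter_ms, lost))   # oldest sample ages out

    def mos(self, path):
        window = self.samples[path]
        answered = [s for s in window if not s[2]]
        if not answered:
            return 1.0   # every probe in the window was lost
        loss_pct = 100.0 * (len(window) - len(answered)) / len(window)
        return synthetic_mos(mean(s[0] for s in answered),
                             mean(s[1] for s in answered), loss_pct)

    def best_for_voip(self):
        return max(self.samples, key=self.mos, default=None)

def demo():
    """Constructed probe results: wan1 loses two probes, then recovers."""
    mon, picks = PathMonitor(), []
    for _ in range(WINDOW):
        mon.record("wan1", 20, 2)
        mon.record("wan2", 60, 8)
    picks.append(mon.best_for_voip())
    for _ in range(2):
        mon.record("wan1", 0, 0, lost=True)
        mon.record("wan2", 60, 8)
    picks.append(mon.best_for_voip())
    for _ in range(WINDOW):   # lost probes leave the window after 6 new samples
        mon.record("wan1", 20, 2)
        mon.record("wan2", 60, 8)
    picks.append(mon.best_for_voip())
    return picks

if __name__ == "__main__":
    print(demo())
```

With a 10-second probe interval, the two lost probes keep influencing the choice for a full minute; with 1-second probes they age out in six seconds.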
In case you haven’t looked recently, Meraki Insight provides a GUI management tool, tracking User Experience for web-based applications (internal or SaaS / cloud). NetCraftsmen has been recommending UX tools such as AppNeta and NetBeez for similar reporting. Meraki Insight is claimed to assist in troubleshooting user experience problems in a simple (Meraki!) way. While I can’t claim to have used it yet, it hits a lot of my hot buttons.
I just finished some work with an organization that provides billing, IT, and other services for doctors at about 10 locations. They’re switching to externally-provided medical record services, and initial testing reveals slowness at some locations for some users. The WAN data Xfinity provides is fairly useless. Network visibility right now is slim to none. That’s been the case in most of the smaller organizations I’ve worked with, and even can be a problem in larger ones. It’s hard to troubleshoot without data about which sites have problems, and some ability to detect high utilization, or high percentages of packet loss, errors, or discards. It looks like Meraki Insight can provide such data. Win!
You might have noticed Cisco has two SD-WAN products now. Here are the two offerings:
I believe Meraki currently supports up to two paths. Viptela supports more. Viptela does VRF’s and routing. Meraki has firewall and UTM functionality.
I’m told Meraki’s strongest sales are within retail and small branch designs, typically with small central IT teams and many small branch sites without IT staff, “lean IT.” That extends to Meraki being cost-effective for other applications, e.g. VPN to indoor parking payment stations.
Viptela may be used for the same purposes, especially where site firewalling is not needed, perhaps because a CoLo-based regional security stack approach is being used (as I’ve written about in prior blogs).
Concerning that pay station use: note the word ‘indoor.’ Do bear in mind that both types of equipment are mostly, if not 100%, intended for indoor use — for outdoors, always check any device’s temperature specs and site power reliability.
Comments are welcome, whether in agreement or constructive disagreement with the above. I enjoy hearing from readers and carrying on deeper discussion via comments. Thanks in advance!