Meraki

  1. Benefits
  2. L2
    1. VLAN
    2. STP
    3. FHRP
    4. SGT
  3. L3
    1. OSPF
    2. PIM
  4. VPN
    1. Auto VPN
    2. Client VPN
  5. Insights
  6. Platforms
    1. MV
    2. MX
  7. System
  8. ACL
  9. ZTP
  10. PoE
  11. QoS
  12. Firewall

Benefits

  • cloud-managed
  • automatic upgrade
  • ZTP
  • topology map
  • port schedule

L2

VLAN

  • MS390: VLANs 1-1000 only
  • VTP: transparent mode only, cannot read VTP advertisements
  • native VLAN mismatch detection: done via the dashboard rather than CDP ⇒ does not work with Nexus or Catalyst neighbours
  • PVLAN: isolated ports only; not supported on all models
  • LACP

STP

  • IEEE RSTP: single instance for all VLANs
  • MST
    • MS390
    • single instance: revision 1, “region 1”

FHRP

  • based on VRRP
  • only between switches of the same model family
  • no support: third-party vendors, stacks, OSPF
  • single license per pair

SGT

  • MS390, MR 27
  • Advanced license

L3

OSPF

  • link type: broadcast only
  • areas: normal, stub, NSSA
  • no support: virtual links, redistribution filtering
  • RFC 1583

PIM

  • PIM-SM only

VPN

Auto VPN

  • point-to-point IPsec between MXs
  • keys are distributed via the cloud
  • no routing protocol inside the tunnels; routes are distributed by the cloud (behaves like an ACL)
  • each MX registers in the VPN registry: subnets, public IP, interface IP
  • NAT-T support
    • public IP = interface IP: no NAT
    • public IP 1 = public IP 2: devices are behind the same NAT, tunnel is built between interface IPs
    • static NAT/PAT
    • dynamic PAT:
      1. first attempt MX1 → MX2: dropped
      2. then MX2 → MX1: succeeds
  • OSPF:
    • route export only (ASBR)
    • does not learn routes from OSPF
    • Hellos are sent on the LAN side
  • BGP:
    • iBGP
    • exchanges Auto VPN routes inside IPsec with the VPN concentrator
  • no support for VLANs on the LAN side in routed mode
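The NAT-T cases above as an added Python simulation (this is not Meraki code). It assumes each NAT is an address-restricted cone NAT/PAT (an outbound packet creates the mapping; inbound is accepted only from a public address that mapping has already been used toward), that a static NAT/PAT rule accepts inbound from anyone, and that the registry records the public ip:port the cloud observes during registration. The Nat, Mx, register, send and scenarios names and the 192.0.2.10 cloud address are constructed for the example. It shows why the first MX1 → MX2 attempt is dropped under dynamic PAT while the MX2 → MX1 attempt that follows succeeds.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

IKE_NATT_PORT = 4500             # UDP port used for IKE/IPsec NAT traversal
CLOUD_IP = "192.0.2.10"          # constructed address standing in for the Meraki cloud

Socket = Tuple[str, int]


@dataclass
class Nat:
    """Address-restricted cone NAT/PAT (modelling assumption, see lead-in)."""
    public_ip: str
    next_port: int = 40000
    mappings: Dict[Socket, int] = field(default_factory=dict)      # inside socket -> public port
    reverse: Dict[int, Socket] = field(default_factory=dict)       # public port -> inside socket
    contacted: Dict[int, Set[str]] = field(default_factory=dict)   # public port -> peers sent to
    static_ports: Set[int] = field(default_factory=set)            # ports with a static NAT/PAT rule

    def add_static(self, inside: Socket, public_port: int) -> None:
        self.mappings[inside] = public_port
        self.reverse[public_port] = inside
        self.contacted[public_port] = set()
        self.static_ports.add(public_port)

    def outbound(self, inside: Socket, remote_ip: str) -> Socket:
        if inside not in self.mappings:          # dynamic PAT: allocate a port on first use
            port, self.next_port = self.next_port, self.next_port + 1
            self.mappings[inside], self.reverse[port], self.contacted[port] = port, inside, set()
        port = self.mappings[inside]
        self.contacted[port].add(remote_ip)
        return self.public_ip, port

    def inbound(self, remote_ip: str, public_port: int) -> Optional[Socket]:
        if public_port not in self.reverse:
            return None                          # no mapping at all: dropped
        if public_port not in self.static_ports and remote_ip not in self.contacted[public_port]:
            return None                          # dynamic mapping never used toward this peer: dropped
        return self.reverse[public_port]


@dataclass
class Mx:
    name: str
    interface_ip: str
    nat: Optional[Nat] = None                    # None: public IP equals interface IP

    def inside(self) -> Socket:
        return self.interface_ip, IKE_NATT_PORT


def register(registry: dict, mx: Mx) -> None:
    """Cloud registration: store the interface socket and the public socket the cloud sees."""
    public = mx.inside() if mx.nat is None else mx.nat.outbound(mx.inside(), CLOUD_IP)
    registry[mx.name] = {"interface": mx.inside(), "public": public}


def send(registry: dict, src: Mx, dst: Mx) -> bool:
    """True if an IKE packet from src reaches dst when addressed from the registry data."""
    dst_public_ip, dst_public_port = registry[dst.name]["public"]
    if registry[src.name]["public"][0] == dst_public_ip:
        return True                              # same public IP: tunnel built between interface IPs
    src_public_ip = src.interface_ip if src.nat is None else src.nat.outbound(src.inside(), dst_public_ip)[0]
    if dst.nat is None:
        return True                              # no NAT in front of dst
    return dst.nat.inbound(src_public_ip, dst_public_port) == dst.inside()


def run_case(nat1: Optional[Nat], nat2: Optional[Nat]) -> Tuple[bool, bool]:
    """Register two MXs, then try MX1 -> MX2 followed by MX2 -> MX1."""
    registry: dict = {}
    mx1, mx2 = Mx("MX1", "192.168.1.1", nat1), Mx("MX2", "192.168.2.1", nat2)
    register(registry, mx1)
    register(registry, mx2)
    return send(registry, mx1, mx2), send(registry, mx2, mx1)


def scenarios() -> Dict[str, Tuple[bool, bool]]:
    """The four NAT-T cases from the notes; each value is (MX1->MX2, MX2->MX1)."""
    shared = Nat("203.0.113.9")
    static = Nat("198.51.100.1")
    static.add_static(("192.168.2.1", IKE_NATT_PORT), IKE_NATT_PORT)
    return {
        "no_nat": run_case(None, None),
        "same_nat": run_case(shared, shared),
        "static_nat": run_case(Nat("203.0.113.1"), static),
        "dynamic_pat": run_case(Nat("203.0.113.1"), Nat("198.51.100.1")),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: MX1->MX2 {result[0]}, MX2->MX1 {result[1]}")
```

In the dynamic PAT case the first packet creates a mapping on MX1's NAT but finds none usable on MX2's NAT, so it is dropped; MX2's own attempt then both creates its mapping and lands on MX1's already open one. Operationally this is why both peers must try, and why a static NAT/PAT rule or a public interface IP removes the one-way drop.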

Client VPN

  • OSPF:
    • route export only (ASBR) ⇒ static routes required
  • BGP:
    • iBGP: Auto VPN routes
    • eBGP: external routes
  • one-armed or transparent mode
  • authentication: PAP over IPsec

Insights

  • VoIP: delay, jitter
  • proactive WAN monitoring + cloud SaaS on MX

Platforms

MV

  • streams video locally within the LAN, not through the cloud (private IPs are discovered via the cloud)
  • generates an FQDN and registers it in Meraki DNS
    • A record with the private IP
    • *.devices.meraki.direct
  • SHA-256, AES-256
  • use cases: temporary security, remote locations
  • can connect via Wi-Fi (staging is still done via cable)
  • cloud storage: Azure, per-camera license
  • motion detection, heat map
  • MQTT client

MX

  • route preference
    1. connected
    2. client VPN
    3. static
    4. Auto VPN
    5. non-Meraki VPN
    6. BGP
    7. NAT
  • sticky ECMP: when the primary uplink is restored, active sessions are not switched back from the secondary

System

  • SNMPv2 only
  • LLDP
  • CDP: listen only

ACL

  • MS switches:
    • network-wide
    • implicit permit (no default deny)
    • up to 128 ACEs
    • no port ranges or lists
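The MS ACL semantics above as an added Python model (not Meraki code or its API): first match wins, the list ends in an implicit permit, at most 128 ACEs, and a single destination port per ACE. The Ace fields, parse_port, evaluate and with_explicit_deny are this example's own constructions, and GUEST_ACL is a constructed sample policy. The point for a defender: a list with no catch-all deny permits every flow it does not mention.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

MAX_ACE = 128                      # from the notes: up to 128 ACEs in the network-wide ACL
ANY = "0.0.0.0/0"


def parse_port(value) -> Optional[int]:
    """MS ACEs take one destination port: reject ranges ('80-443') and lists ('80,443')."""
    if value is None:
        return None
    text = str(value)
    if not text.isdigit():
        raise ValueError(f"port ranges/lists are not supported: {text!r}")
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str = "any"             # "any", "tcp", "udp", "icmp"
    src: str = ANY                 # source CIDR
    dst: str = ANY                 # destination CIDR
    dst_port: Optional[int] = None # single port, only meaningful for tcp/udp
    vlan: Optional[int] = None     # None matches any VLAN

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError(f"bad action {self.action!r}")
        ip_network(self.src)                        # raises on a malformed prefix
        ip_network(self.dst)
        object.__setattr__(self, "dst_port", parse_port(self.dst_port))
        if self.dst_port is not None and self.proto not in ("tcp", "udp"):
            raise ValueError("a destination port requires proto tcp or udp")

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.vlan is not None and self.vlan != pkt.get("vlan"):
            return False
        if self.dst_port is not None and self.dst_port != pkt.get("dst_port"):
            return False
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))


def validate(acl: List[Ace]) -> List[Ace]:
    if len(acl) > MAX_ACE:
        raise ValueError(f"{len(acl)} ACEs exceed the limit of {MAX_ACE}")
    return acl


def evaluate(acl: List[Ace], pkt: dict) -> str:
    """First matching ACE wins; with no match the switch permits (implicit permit)."""
    for ace in validate(acl):
        if ace.matches(pkt):
            return ace.action
    return "permit"


def with_explicit_deny(acl: List[Ace]) -> List[Ace]:
    """Turn the implicit permit into a default deny by appending a catch-all deny ACE."""
    return validate(acl + [Ace("deny")])


# Constructed sample policy: guest VLAN 100 may reach DNS and HTTPS, but not the server LAN.
GUEST_ACL = [
    Ace("permit", "udp", "10.100.0.0/16", "10.0.0.53/32", 53, vlan=100),
    Ace("permit", "tcp", "10.100.0.0/16", ANY, 443, vlan=100),
    Ace("deny", "any", "10.100.0.0/16", "10.0.0.0/24", vlan=100),
]


def demo() -> dict:
    """Constructed packets: SSH from a guest host to the server LAN and to an unlisted subnet."""
    ssh_to_server = {"proto": "tcp", "src": "10.100.5.9", "dst": "10.0.0.10", "dst_port": 22, "vlan": 100}
    ssh_to_other = {"proto": "tcp", "src": "10.100.5.9", "dst": "172.16.4.2", "dst_port": 22, "vlan": 100}
    return {
        "server_ssh": evaluate(GUEST_ACL, ssh_to_server),                            # explicit deny
        "other_ssh": evaluate(GUEST_ACL, ssh_to_other),                              # implicit permit
        "other_ssh_hardened": evaluate(with_explicit_deny(GUEST_ACL), ssh_to_other), # default deny
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The hardened list simply appends a deny-any ACE, which also costs one of the 128 entries; the single-port rule means a service that needs several ports needs one ACE per port, which is worth budgeting for before the list hits the limit.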

ZTP

  • receives an address via DHCP on the native VLAN
    • if DHCP is unavailable, use the local status page via mgmt0
  • VLAN 1 is used for management traffic by default

PoE

  • up to UPoE

QoS

  • application-based shaping: per flow

Firewall

  • L3 firewall: stateful
  • L7 firewall: stateless
    • deny only
  • MX: logical &&
  • MR: logical ||
  • GeoIP: an IP range cannot be added to the whitelist