Benefits
- cloud-managed
- automatic upgrade
- ZTP
- topology map
- port schedule

L2
VLAN
- MS390: VLANs 1-1000 only
- VTP: transparent, cannot read
- native VLAN mismatch detection: dashboard instead of CDP ⇒ does not work with Nexus, Catalyst
- PVLAN: isolated only; not all models support it
- LACP
STP
- IEEE RSTP: single instance for all VLANs
- MST
  - MS390
  - single instance: revision 1, “region 1”
FHRP
- based on VRRP
- only between the same family
- no support: third-party vendor, stack, OSPF
- single license per pair
SGT
- MS390, MR27
- Advanced license

L3
OSPF
- link type: broadcast only
- areas: normal, stub, NSSA
- no support: virtual link, redistribution filtering
- RFC 1583
PIM
- PIM-SM only

VPN
Auto VPN
- P2P IPsec on MX
- keys are distributed via cloud
- no routing; routes are distributed by cloud ≈ ACL
- MX registers in the VPN registry: subnet, public IP, interface IP
- NAT-T support
  - public IP = interface IP: no NAT
  - public IP 1 = public IP 2: devices are behind the same NAT, tunnel between interface IPs
  - static NAT/PAT
  - dynamic PAT:
    - MX1 → MX2: dropped
    - then MX2 → MX1: success
- OSPF:
  - route export only: ASBR
  - does not learn routes from OSPF
  - Hellos are sent on the LAN side
- BGP:
  - iBGP
  - exchange Auto VPN routes within IPsec with VPN concentrator
- no support for VLANs on the LAN side in routed mode
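The registry and NAT-T items above describe a small decision procedure, so here is an added example (not code from the notes or from Meraki) that models it: a constructed Registration type with the three registry fields, the choice of tunnel endpoints for the no-NAT, same-NAT and NAT-T cases, the cloud handing each MX its peers' subnets in place of a routing protocol, and a toy dynamic PAT that replays the "MX1 → MX2 dropped, then MX2 → MX1 success" exchange. All addresses, names and the PAT behaviour are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    """One MX's entry in the Auto VPN registry: a constructed model of the
    three fields the notes list (advertised subnets, public IP as seen by the
    cloud, IP configured on the WAN interface)."""
    name: str
    subnets: tuple
    public_ip: str
    interface_ip: str


def nat_kind(reg):
    """'none' when the cloud saw the MX from its own interface IP, else 'nat'."""
    return "none" if reg.public_ip == reg.interface_ip else "nat"


def tunnel_endpoints(a, b):
    """Choose the addresses two peers use to build their IPsec tunnel,
    following the three registry cases in the notes."""
    if nat_kind(a) == "none" and nat_kind(b) == "none":
        return ("direct", a.interface_ip, b.interface_ip)
    if a.public_ip == b.public_ip:
        # identical public IPs: both sit behind the same NAT, so the tunnel is
        # built between the interface IPs without leaving the site
        return ("same-nat", a.interface_ip, b.interface_ip)
    # at least one peer is NATed and they are on different sites: NAT-T to the
    # public IPs (static NAT/PAT works as-is; dynamic PAT needs the exchange
    # replayed in simulate_dynamic_pat below)
    return ("nat-t", a.public_ip, b.public_ip)


def routes_for(name, registry):
    """The cloud pushes every other peer's subnets to an MX as ready-made
    entries: the MX learns nothing by a routing protocol over the tunnel."""
    return {subnet: peer.name for peer in registry if peer.name != name
            for subnet in peer.subnets}


class DynamicPat:
    """Toy dynamic PAT (constructed): each inside host gets one public port,
    and an inbound packet is only forwarded if the inside host has already
    sent something to that peer's IP."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.port_of = {}   # inside IP -> public port
        self.allowed = {}   # inside IP -> set of peer IPs it has talked to

    def outbound(self, inside_ip, peer_ip):
        port = self.port_of.setdefault(inside_ip, 40000 + len(self.port_of))
        self.allowed.setdefault(inside_ip, set()).add(peer_ip)
        return (self.public_ip, port)

    def inbound(self, from_ip, to_port):
        for inside_ip, port in self.port_of.items():
            if port == to_port and from_ip in self.allowed[inside_ip]:
                return inside_ip
        return None   # no mapping admits this sender: dropped


CLOUD_IP = "192.0.2.10"   # constructed address standing in for the Meraki cloud


def simulate_dynamic_pat():
    """Replay the two-step exchange the notes give for peers that are both
    behind dynamic PAT. Returns a list of (step, outcome)."""
    nat1, nat2 = DynamicPat("203.0.113.1"), DynamicPat("198.51.100.2")
    mx1, mx2 = "10.0.1.1", "10.0.2.1"
    # both MXs check in with the cloud; the resulting mappings are what the
    # registry publishes, but each NAT only admits replies from the cloud
    registry = {"MX1": nat1.outbound(mx1, CLOUD_IP),
                "MX2": nat2.outbound(mx2, CLOUD_IP)}
    log = []
    # step 1: MX1 -> MX2. MX1's NAT now admits MX2's public IP, but MX2's NAT
    # has never seen traffic towards MX1, so the packet is dropped
    nat1.outbound(mx1, nat2.public_ip)
    delivered = nat2.inbound(nat1.public_ip, registry["MX2"][1])
    log.append(("MX1->MX2", "success" if delivered else "dropped"))
    # step 2: MX2 -> MX1. MX1's NAT admits MX2 because of step 1
    nat2.outbound(mx2, nat1.public_ip)
    delivered = nat1.inbound(nat2.public_ip, registry["MX1"][1])
    log.append(("MX2->MX1", "success" if delivered else "dropped"))
    return log


# constructed registry entries: HQ has no NAT, the two branches share one NAT
HQ = Registration("HQ", ("10.1.0.0/16",), "203.0.113.1", "203.0.113.1")
BRANCH_A = Registration("BRANCH_A", ("10.2.0.0/24",), "198.51.100.2", "10.20.0.2")
BRANCH_B = Registration("BRANCH_B", ("10.2.1.0/24",), "198.51.100.2", "10.20.0.3")
REGISTRY = [HQ, BRANCH_A, BRANCH_B]

if __name__ == "__main__":
    for a, b in ((HQ, BRANCH_A), (BRANCH_A, BRANCH_B)):
        print(a.name, b.name, tunnel_endpoints(a, b))
    print(routes_for("HQ", REGISTRY))
    print(simulate_dynamic_pat())
```

The PAT model is the restricted-cone kind, which is the simplest NAT behaviour under which the second attempt succeeds; a NAT that assigns a new port per destination would need the registry to learn the new mapping as well, which the notes do not cover.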
Client VPN
- OSPF:
  - route export only: ASBR ⇒ static required
- BGP:
  - iBGP: Auto VPN routes
  - eBGP: external routes
- one-armed, transparent mode
- authC: PAP over IPsec

Insights
- VoIP: delay, jitter
- proactive WAN monitoring + cloud SaaS on MX

Platforms
MV
- can send video locally in the LAN, not through the cloud (private IPs are discovered via cloud)
- generates an FQDN and registers it in Meraki DNS
  - A record, private IP
  - *.devices.meraki.direct
- SHA-256, AES-256
- digital camera use case: temporary security, remote locations
- can connect via Wi-Fi (staging is still via cable)
- cloud storage: Azure, per-camera license
- motion detection, heat map
- MQTT client
MX
- route preference:
  - connected
  - client VPN
  - static
  - Auto VPN
  - non-Meraki VPN
  - BGP
  - NAT
- sticky ECMP: when the primary uplink is restored, active sessions are not switched back from the secondary

System
- SNMPv2 only
- LLDP
- CDP: listen only
ACL
- MS switches:
  - network-wide
  - implicit permit
  - up to 128 ACEs
  - no port range/list
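The four MS ACL constraints above are easy to get wrong when coming from IOS, so here is an added example (not the notes' or Meraki's code) of a validator and evaluator that enforces them: at most 128 ACEs, one port per ACE instead of ranges or lists, first match wins, and an implicit permit when nothing matches. The dict-based ACE format, the field names and the sample ACL are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

MAX_ACES = 128   # per-ACL limit given in the notes for MS switches


class AclError(ValueError):
    """Raised for an ACL the MS switch ACL model cannot express."""


def validate_ace(ace):
    """Each ACE is a dict (constructed format): action, proto, src, dst,
    src_port, dst_port. Ports must be a single number, since the notes say
    port ranges and port lists are not supported."""
    if ace.get("action") not in ("permit", "deny"):
        raise AclError(f"action must be permit or deny, got {ace.get('action')!r}")
    for key in ("src_port", "dst_port"):
        value = ace.get(key, "any")
        if value == "any":
            continue
        if not isinstance(value, int) or not 0 < value < 65536:
            raise AclError(f"{key}={value!r}: only a single port number is allowed, "
                           "no ranges or lists (split into one ACE per port)")
    return ace


def build_acl(aces):
    """Validate a network-wide MS ACL: an ordered list of at most MAX_ACES entries."""
    if len(aces) > MAX_ACES:
        raise AclError(f"{len(aces)} ACEs exceeds the limit of {MAX_ACES}")
    return [validate_ace(dict(a)) for a in aces]


def ace_matches(ace, pkt):
    """True when every field the ACE specifies matches the packet."""
    if ace.get("proto", "any") not in ("any", pkt["proto"]):
        return False
    for key in ("src", "dst"):
        net = ace.get(key, "any")
        if net != "any" and ip_address(pkt[key]) not in ip_network(net):
            return False
    for key in ("src_port", "dst_port"):
        port = ace.get(key, "any")
        if port != "any" and pkt.get(key) != port:
            return False
    return True


def evaluate(acl, pkt):
    """First matching ACE wins. With no match the packet is permitted: the
    MS ACL ends in an implicit permit, not the implicit deny of a classic IOS ACL."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return (ace["action"], index)
    return ("permit", None)


def expand_ports(ace, ports):
    """Work around the 'no port range/list' constraint: one ACE per port."""
    return [dict(ace, dst_port=p) for p in ports]


# constructed ACL: let a jump host reach the management VLAN over SSH, then
# deny SSH and telnet into that VLAN from everyone else in 10/8
SAMPLE_ACL = build_acl(
    [{"action": "permit", "proto": "tcp", "src": "10.0.50.10/32",
      "dst": "10.0.99.0/24", "dst_port": 22}]
    + expand_ports({"action": "deny", "proto": "tcp", "src": "10.0.0.0/8",
                    "dst": "10.0.99.0/24"}, (22, 23))
)

if __name__ == "__main__":
    user_telnet = {"proto": "tcp", "src": "10.0.7.3", "dst": "10.0.99.5",
                   "src_port": 51001, "dst_port": 23}
    print(evaluate(SAMPLE_ACL, user_telnet))
```

Because the default is permit, a deny-list ACL like the sample is the natural shape; an allow-list needs an explicit deny-everything ACE at the end, and that ACE counts against the 128-entry limit.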
ZTP
- receives address via DHCP in the native VLAN
- if DHCP is not available, local status page via mgmt0
- VLAN 1 is used for management traffic by default
PoE
- up to UPoE
QoS
- application-based shaping: per flow
Firewall
- L3 firewall: stateful
- L7 firewall: stateless
  - deny only
  - MX: logical &&
  - MR: logical ||
- GeoIP: cannot include an IP range in the whitelist
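The firewall items above contrast a stateful L3 firewall with a stateless, deny-only L7 firewall whose multi-criteria rules combine with AND on MX and OR on MR. The following is an added example (not the notes' or Meraki's code) that models both: the reading that a rule's criteria are attribute/value pairs, the session-table behaviour of the L3 model, its default action and all sample flows are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class L7Rule:
    """A deny-only L7 rule (constructed model): `criteria` maps a flow
    attribute to the value it must have, e.g. an application and a destination."""
    criteria: dict


def l7_rule_matches(rule, flow, platform):
    """How the criteria combine is the point the notes make: on MX all of
    them must hold (logical AND); on MR any one suffices (logical OR)."""
    hits = [flow.get(field) == value for field, value in rule.criteria.items()]
    if platform == "MX":
        return all(hits)
    if platform == "MR":
        return any(hits)
    raise ValueError(f"unknown platform {platform!r}")


def l7_verdict(rules, flow, platform):
    """Stateless: each flow is judged on its own attributes with no memory of
    earlier traffic; rules can only deny, so no match means permit."""
    for index, rule in enumerate(rules):
        if l7_rule_matches(rule, flow, platform):
            return ("deny", index)
    return ("permit", None)


class L3Firewall:
    """Stateful L3 firewall (constructed model): a permitted packet creates a
    session entry, and packets in the reverse direction of a known session are
    admitted by that entry rather than by a rule."""

    def __init__(self, rules, default="deny"):
        self.rules = rules          # list of (action, {field: value})
        self.default = default      # assumption for the example, not a Meraki default
        self.sessions = set()

    @staticmethod
    def _key(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    @staticmethod
    def _reverse_key(pkt):
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def check(self, pkt):
        if self._reverse_key(pkt) in self.sessions:
            return "permit (established)"
        for action, match in self.rules:
            if all(pkt.get(field) == value for field, value in match.items()):
                if action == "permit":
                    self.sessions.add(self._key(pkt))
                return action
        return self.default


# constructed inputs: one two-criteria L7 rule and a flow that satisfies only
# the first criterion, which is exactly where MX and MR differ
L7_RULES = [L7Rule({"application": "peer-to-peer", "destination": "tracker.example.net"})]
P2P_TO_CDN = {"application": "peer-to-peer", "destination": "cdn.example.net"}

if __name__ == "__main__":
    print("MX:", l7_verdict(L7_RULES, P2P_TO_CDN, "MX"))
    print("MR:", l7_verdict(L7_RULES, P2P_TO_CDN, "MR"))
    fw = L3Firewall([("permit", {"proto": "tcp", "dst": "198.51.100.5", "dport": 443})])
    out = {"proto": "tcp", "src": "10.0.1.20", "sport": 50000, "dst": "198.51.100.5", "dport": 443}
    back = {"proto": "tcp", "src": "198.51.100.5", "sport": 443, "dst": "10.0.1.20", "dport": 50000}
    print(fw.check(out), "/", fw.check(back))
```

The same rule is therefore narrower on MX (both attributes must match) and broader on MR (either one is enough), which matters when a rule written for one platform is copied to the other.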