Abc of Meraki


Meraki

Cisco Meraki Cloud Managed Solution
• Reduce CapEx and OpEx
• Improve performance and efficiency
• Enhance distributed network security
• Centralized visibility and control across distributed locations

• Remotely deploy the proposed Meraki MX Cloud Managed Security Appliances in minutes through zero-touch cloud provisioning.
• Synchronize configurations across thousands of sites using templates.
• Securely connect branch locations with three clicks in the intuitive dashboard using the included Meraki Auto VPN.
• Perform remote configurations and diagnostics just as easily as you can onsite. Your network and security policies are applied automatically.
• Use the centralized dashboard management to eliminate the need for costly onsite provisioning.
SD-WAN
Automatic Self-Healing VPN
SECURE OPERATIONS
Stateful Cisco NGFW
Intrusion Prevention
Content Filtering and Malware Protection
High Availability and Failover
SD-WAN
• Active-active VPN with load balancing: Automatically form VPN tunnels over multiple Internet or MPLS connections. This allows you to load balance VPN traffic for optimum bandwidth efficiency.
• Policy-based routing: Easily direct certain types of traffic over a particular link, such as sending voice traffic over an MPLS path.
• Dynamic path selection: Automatically adjust the VPN path that is used for different types of traffic based on VPN performance. This includes setting loss, latency, and jitter thresholds to control which path the proposed Meraki MX Cloud Managed Security Appliances will use to send traffic based on current network conditions.
Automatic Self-Healing VPN
• Auto provisioning IPsec VPN: Using IPsec—over any WAN—allows you to link branches to your headquarters, data centers, or one another as if connected with a virtual Ethernet cable.
• Automatically configured VPN parameters: Establish site-to-site connectivity with just a few clicks in the dashboard. Intuitive tools built into the dashboard provide a real-time view of VPN site connectivity and health.
• Flexible tunneling, topology, and security policies: Create configurations for split tunneling and full tunneling back to a concentrator at headquarters with a single click. Hub-and-spoke and full-mesh VPN topologies provide deployment flexibility.
SECURE OPERATIONS
Stateful Cisco Next-Generation Firewall (NGFW)
Cisco Firepower Intrusion Prevention
Automatic, self-healing site-to-site and client VPN
URL content filtering and malware protection
High availability and failover
Integrated SD-WAN capabilities
Stateful Cisco NGFW
• L7 traffic classification and control: Get in-depth visibility into client devices, users, applications, bandwidth, and content natively in the dashboard.
• Identity-based and device-aware security: Assign the appropriate access, traffic, and security policies for each device, VLAN, or user group using Meraki group policies. Clients are automatically detected and classified so the correct policies can be applied.
Intrusion Prevention
• Cisco Firepower Intrusion Prevention: Protect your network with an integrated intrusion detection and prevention engine. These components use a combination of signature (automatically updated), protocol, and anomaly-based inspection methods. Rulesets refresh daily to provide predefined security policies that protect against the latest vulnerabilities, including exploits, viruses, rootkits, and more.
• Simple deployment: Deploy the included Cisco Firepower Intrusion Prevention (includes automatic vulnerability definitions) on your appliance in seconds with just a few clicks in the dashboard.
• Real-time graphical reporting: Take advantage of built-in security reporting that makes it easy to filter data and view wide-ranging security event data in the dashboard.
Content Filtering and Malware Protection
• Identity-based filtering policies: Tailor granular identity-based policies to specific groups wherever Active Directory (AD) is used. This reduces configuration steps and simplifies group-based filtering.
• Automatic, cloud-based signature updates: Administer content filtering and malware protection with ease. The associated databases are kept up to date automatically, so you don’t have to manually purchase, track, or apply updates.
High Availability and Failover
• 3G/4G cellular and dual uplink support: Sustain dual WAN uplinks with automatic failover for protection against ISP connection outages.
• Warm-spare failover: Maintain the integrity of the proposed solution’s service at the appliance level regardless of deployment mode.
• Data center high availability: Uphold secure tunneling between sites using either mesh or hub-and-spoke topologies.
CISCO MERAKI FAMILY PORTFOLIO
The proposed Meraki MX Cloud Managed Security Appliances are part of a broader offering from the Cisco Meraki family solution. It is a family of cloud managed networking, communications and IT solutions which unify and dramatically simplify the management and troubleshooting experience for over 150,000 customers around the world.
Meraki solutions include Wi-Fi, switching, security, SD-WAN, communications, security cameras and enterprise mobility management (EMM)—all managed through a single intuitive graphical interface.
Cisco Meraki Cloud Managed Solutions
Cisco Meraki MX Cloud Managed Security Appliances
Features include:
• Template-based settings: Easily scale from small networks to large multisite deployments with massive numbers of devices.
• Integrated wireless: Deliver 802.11ac Wi-Fi without adding access points (APs)—available on models MX64W and MX65W.
• Two dedicated PoE+ ports: Provide power for two devices up to 30W each, without requiring a separate power injector.
• Auto VPN connection to public cloud services: Extend Auto VPN and SD-WAN functionality directly into the Amazon Web Services public cloud (available on vMX100).
Available on models MX65 and MX65W:
• Integrated L7 security features: Enhance security with Cisco AMP, Cisco NGIPS, URL content filtering, and Geo-IP firewalling.
• Meraki SD-WAN capabilities: Deliver cloud-based Meraki Auto VPN with load balancing, policy-based routing, and dynamic path selection.
Models include: MX64, MX64W, MX65, MX65W, MX84, MX100, MX400, MX600, vMX100
Cisco Meraki MR Cloud Managed Wireless Access Points
Features include:
• Automatic monitoring: Enhance Wi-Fi performance and improve end-user experience.
• 802.11ac multi-user multiple input, multiple output (MU-MIMO): Efficiently service a large number of devices with up to four spatial streams.
• Enhanced transmit power and receive sensitivity: Increase communication distance and reliability.
• Integrated enterprise security and guest access: Protect your extended network and users.
• Location Analytics: Improve customer engagement and loyalty. Use Cisco’s self-learning application-aware analytics engine.
Models include: MR30H, MR33, MR42, MR52, MR53, MR62, MR66, MR74, MR84
Cisco Meraki MS Cloud Managed Switches
Features include:
• Email alerts: Provide notification of power loss, downtime, or configuration changes.
• Stacking: Manage up to tens of thousands of ports from a single view.
• Powerful tools: Isolate physical layer issues or run a packet capture.
• Highly redundant switch architecture: Support cost-effective stacking and top-of-rack (ToR) fiber aggregation.
Models include: MS220-8, MS220-8P, MS225-24, MS225-24P, MS225-48, MS225-48LP, MS225-48FP, MS250-24, MS250-24P, MS250-48, MS250-48LP, MS250-48FP, MS350-24, MS350-24P, MS350-24X, MS350-48, MS350-48LP, MS350-48FP, MS410-16, MS410-32, MS425-16, MS425-32
Cisco Meraki Systems Manager Enterprise Mobility Management
Features include:
• Built-in asset management: Simplify software license management, even in multiplatform environments.
• Rapid provisioning: Use device enrollment to facilitate 1:1 and BYOD initiatives.
• Remote live tools: Manage requests for devices such as remotely clearing a passcode, initiating remote startups, and erasing data in the event of a compromise.
• Network integration: Unify WAN, LAN, WLAN, and mobility device management (MDM) through a single interface.
Cisco Meraki MV Cloud Managed Security Cameras
Features include:
• Centralized cloud management: Deliver secure monitoring and management of all cameras anywhere in the world through the dashboard.
• Cloud-augmented edge storage: Eliminate the need for a network video recorder (NVR) due to 128 GB of high write endurance solid state storage on every camera.
• Video wall: Set up video tiles quickly and group video streams in different video walls for easy organization.
• Nighttime vision: Provide day and night security with video recording in dark settings up to 30 m with infrared (IR) illumination and motion search.
• Granular access controls: Manage which users can see videos, view historical streams, and export videos from the dashboard.
• Optimized retention: Customize retention time by discarding video footage more than three days old that contains no motion, and by creating recording schedules.
Models include: MV21 (indoor), MV71 (outdoor)
Cisco Meraki MC Cloud Managed Communications
Features include:
• Centralized cloud management: Securely manage all your phones from anywhere through the dashboard.
• IVR and call groups: Deliver simplified voice menu setup, letting users load files, assign actions as needed, and initiate responses without complicated instructions.
• Wideband audio: Have clear conversations with Hi-Fi quality during phone calls.
• Contact and phone integration: Import your group’s contacts into the dashboard smoothly, making it easier to assign phones and numbers to group members.
• Easy onboarding: Start without delay when adding more phone numbers as needed. You’re ready to start using the new numbers in minutes, not weeks.
• Additional lines: You can make and receive calls on up to eight lines.
Cisco Meraki Dashboard
MX Setup | How to Create VLANs
• Monitor > Appliance Status
• By default, the MX’s name will appear as its MAC address. Look for and click on the pencil icon to edit this. Name it MX[n], where n is your station number.
• In a similar fashion, proceed to add/edit a physical address. This can be your actual address.
• To set up VLANs, go to Configure > Address & VLANs:
  Name: Corp; VLAN ID: 10; subnet: 10.20.10.0/24
  Name: Voice; VLAN ID: 30; subnet: 10.20.11.0/24
Create these VLANs on every MX appliance.
Addressing and VLANs
Appliance settings are accessible through the Security Appliance >
Configure > Addressing & VLANs page and include Network name,
passthrough or NAT mode, client tracking methods, subnet and VLAN
configuration, Static LAN routes, and Dynamic DNS settings.

Name
This field allows you to set or modify the name of the Dashboard network
that contains the security appliance.

Deployment Mode
The MX appliance can be deployed in two possible modes:
• Passthrough or VPN concentrator mode
• NAT mode

Passthrough or VPN concentrator mode (as a Layer 2 passthrough device)
Choose this option if you simply want to deploy the MX device:
• In bridge mode for traffic shaping and additional network visibility.
• As a one-armed VPN concentrator.

In this mode, the MX device does not provide any address translation and operates as a passthrough device between the Internet and the LAN ports (sometimes referred to as a Layer 2 bridge).

The appliance also provides VPN tunneling functionality.


Network Address Translation (NAT)
Choose this option if you want to use the MX appliance as a Layer 7
firewall to isolate and protect LAN traffic from the Internet (WAN).

Client traffic to the Internet will have its source IP rewritten to match the
WAN IP of the appliance. In this mode, the MX appliance is generally also
the default gateway for devices on the LAN.

This section also provides a link to the DHCP settings page.


Client tracking
Here you can configure how the MX appliance identifies and tracks client
devices in order to apply network access policies and store information on
client activity. You have two options available:

• Track clients by MAC address: This is the default selection. Use this option if all client devices are within the VLANs/subnets configured on the appliance, and there is no Layer 3 device between the appliance and the clients.

• Track clients by IP address: Use this option if there is a Layer 3 device between the appliance and the clients, and MAC address identification is therefore not reliable or accurate. Some ARP-based (Layer 2) tools will be unavailable in this mode. These include client ping and client connectivity alerts.
Enabling VLANs

You can configure a single LAN or multiple VLANs through the Addressing & VLANs page. You can use the VLAN selector to configure the appliance to use a single LAN subnet or multiple LAN subnets (VLANs).

Routes

This section displays the local routes configured on the MX appliance. This includes configured subnets or VLANs as well as static routes. VLANs and Static Routes can be added, deleted, or modified here.
VLANs
VLANs allow you to partition your network into different subnets such
that downstream hosts are separated into different broadcast
domains based on the VLAN they operate in.

VLAN-based network separation can be an effective tool for isolating and identifying different segments of your network and therefore provides an additional layer of security and control.

The appliance has multiple LAN IPs, each of which is the default
gateway address on its particular VLAN.

To add a new VLAN, click "Add a local VLAN" at the bottom of the
routes table. To modify an existing VLAN, click on that VLAN in the
Routes table. The following fields can be set for a local VLAN:
• Name: The name of the VLAN.
• Subnet: Use this option to enter the IP subnet for the VLAN. Note that as with Single LAN mode, you need to provide this information in CIDR notation.
• MX IP: The IP address of the MX appliance in this particular VLAN/subnet. This is the default gateway IP address on that VLAN.
• VLAN ID: The numerical identifier that is assigned to the VLAN.
• Group Policy: The Group Policy you wish to apply to this VLAN.
• In VPN: Determines whether the MX advertises this VLAN to site-to-site VPN peers.
To delete a VLAN, click on the X next to that VLAN on the far right side of
the Routes table.
Static LAN routes
Static LAN routes are used to reach a subnet that is behind a layer-3 switch or
otherwise not directly connected to or configured on the appliance.

To add a new static LAN route, click "Add a static route" at the bottom of the
routes table. To modify an existing static route, click on it in the Routes table. The
following fields can be set for a static LAN route:

• Enabled: Whether the MX should use the route or not. Use this setting if you wish to temporarily remove a route from the MX without having to manually recreate it later.
• Name: The name of the static route.
• Subnet: Use this option to enter the remote subnet that is reached via this static route (in CIDR notation).
• Next hop IP: IP address of the device (such as a router or layer 3 switch) that connects the MX appliance to the static route subnet. This is also sometimes referred to as the 'route gateway IP'.
• Active: Conditions that control when this route will be used. A static route can be set to one of three modes:
  ◦ Always: Route is always used.
  ◦ While next hop responds to ping: Route is used only if the MX can successfully ping the next hop IP configured for the route.
  ◦ While host responds to ping: Route is used only if the MX can ping a specified host IP using the route.
• Host IP to ping: Only appears if While host responds to ping is selected above. This is the IP that the MX will ping via the static route to determine whether the route is working properly. This device must be in the subnet specified in the static route, and should always be a device with a static IP or a DHCP reservation (such as a server).
• In VPN: Determines whether the MX advertises this static route to site-to-site VPN peers.
To delete a static LAN route, click on the X next to that route on the far right side of
the Routes table.
Per-port VLAN configuration
Here you can view and modify the VLAN settings for your MX appliance on a per-
port basis. To modify the per-port VLAN settings, select the port or ports you wish to
reconfigure and click Edit. You will be presented with a menu that allows you to set
the following parameters:
• Enabled: Enable or disable the port. If the port is set to Disabled, no other options will be available.
• Type: Set the port to either trunk or access mode. A port configured in trunk mode can pass traffic on multiple VLANs, while an access mode port passes traffic for only one VLAN.
• Native VLAN (trunk mode only): Sets the Native VLAN for the port. All untagged traffic that comes in on this port will be treated as if it belonged to this VLAN. This can also be set to 'Drop untagged traffic'.
• Allowed VLANs (trunk mode only): The VLANs for which this port will accept and pass traffic. This must include the Native VLAN if one is set.
• VLAN (access mode only): The VLAN for which this port will accept and pass traffic. All untagged traffic will automatically be treated as if it belonged to this VLAN.
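The VLAN, static-route and per-port fields above lend themselves to a consistency check before they are committed. The following Python is an added example, not Meraki code; the field names mirror the dashboard, and the rule that a static route's next hop must sit in a local VLAN is an assumption drawn from the next-hop description.

```python
"""Consistency checks for an MX Addressing & VLANs configuration.

Added example (not Meraki code). Field names follow the dashboard fields
described above: local VLANs, static LAN routes and per-port VLAN settings.
The "next hop must sit in a local VLAN" rule is an assumption drawn from the
next-hop description, not a documented dashboard check."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Vlan:
    name: str
    subnet: str            # CIDR notation, as the dashboard requires
    mx_ip: str             # default gateway for this VLAN
    vlan_id: int
    in_vpn: bool = False


@dataclass
class StaticRoute:
    name: str
    subnet: str
    next_hop: str
    active: str = "always"              # "always" | "next_hop_ping" | "host_ping"
    host_to_ping: Optional[str] = None  # only meaningful for "host_ping"
    in_vpn: bool = False


@dataclass
class Port:
    number: int
    type: str = "access"               # "trunk" | "access"
    vlan: Optional[int] = None         # access mode: the single VLAN carried
    native_vlan: Optional[int] = None  # trunk mode: None means "Drop untagged traffic"
    allowed_vlans: List[int] = field(default_factory=list)
    enabled: bool = True


def validate(vlans, routes, ports) -> List[str]:
    """Return human-readable problems; an empty list means the config is consistent."""
    problems, nets, ids = [], {}, set()
    for v in vlans:
        try:
            net = ipaddress.ip_network(v.subnet, strict=True)
        except ValueError as exc:
            problems.append(f"VLAN {v.name}: subnet {v.subnet!r} is not valid CIDR ({exc})")
            continue
        if v.vlan_id in ids:
            problems.append(f"VLAN {v.name}: duplicate VLAN ID {v.vlan_id}")
        ids.add(v.vlan_id)
        mx = ipaddress.ip_address(v.mx_ip)
        # The MX IP is the gateway on this VLAN, so it must be a usable host address in it
        if mx not in net or mx in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {v.name}: MX IP {v.mx_ip} is not a usable host in {v.subnet}")
        for other_name, other in nets.items():
            if net.overlaps(other):
                problems.append(f"VLAN {v.name}: subnet {v.subnet} overlaps VLAN {other_name}")
        nets[v.name] = net
    for r in routes:
        rnet = ipaddress.ip_network(r.subnet, strict=True)
        # Assumption: the next hop is a device on a directly connected VLAN
        if not any(ipaddress.ip_address(r.next_hop) in n for n in nets.values()):
            problems.append(f"Route {r.name}: next hop {r.next_hop} is not in any local VLAN")
        if any(rnet.overlaps(n) for n in nets.values()):
            problems.append(f"Route {r.name}: {r.subnet} overlaps a directly connected VLAN")
        if r.active == "host_ping":
            # The host to ping must live in the routed subnet, or the probe says nothing about the route
            if r.host_to_ping is None or ipaddress.ip_address(r.host_to_ping) not in rnet:
                problems.append(f"Route {r.name}: host to ping must be inside {r.subnet}")
        elif r.host_to_ping is not None:
            problems.append(f"Route {r.name}: host to ping only applies to 'While host responds to ping'")
    for p in ports:
        if not p.enabled:
            continue                      # a disabled port exposes no other options
        if p.type == "access":
            if p.vlan not in ids:
                problems.append(f"Port {p.number}: access VLAN {p.vlan} is not configured")
        elif p.native_vlan is not None and p.native_vlan not in p.allowed_vlans:
            problems.append(f"Port {p.number}: native VLAN {p.native_vlan} must be in allowed VLANs")
    return problems


# Constructed sample: the two VLANs from the task above plus one static route.
SAMPLE_VLANS = [
    Vlan("Corp", "10.20.10.0/24", "10.20.10.1", 10, in_vpn=True),
    Vlan("Voice", "10.20.11.0/24", "10.20.11.1", 30, in_vpn=True),
]
SAMPLE_ROUTES = [StaticRoute("Lab", "10.20.50.0/24", "10.20.10.254", "host_ping", "10.20.50.10")]
SAMPLE_PORTS = [Port(3, "trunk", native_vlan=10, allowed_vlans=[10, 30]), Port(4, "access", vlan=30)]
# Deliberately broken route: next hop not on any VLAN, ping host outside the routed subnet.
BAD_ROUTE = StaticRoute("Bad", "10.20.60.0/24", "192.0.2.1", "host_ping", "10.20.10.5")

if __name__ == "__main__":
    print("good config:", validate(SAMPLE_VLANS, SAMPLE_ROUTES, SAMPLE_PORTS))
    for problem in validate(SAMPLE_VLANS, [BAD_ROUTE], SAMPLE_PORTS):
        print("problem:", problem)
```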
Dynamic DNS
Dynamic DNS allows you to reach a public-facing MX appliance over
the internet even if the public IP address changes.

Meraki will automatically issue a unique FQDN (fully qualified domain name) for the appliance and auto-register the MX through Meraki's own Dynamic DNS service.

This public DNS record will be updated if the public IP address of the
appliance changes due to DHCP lease renewal or uplink failover.
Custom FQDN name:
Creating a custom DNS name for your appliance is simple. Let's assume that
you have an MX90 that you've named "myMX90" and you want to name it
"myMX90.example.com". Meraki will auto-generate a unique FQDN, for
example: myMX90-wmktpbbzt.dynamic-m.com.

Using a type of DNS record called a CNAME record, you can map arbitrary
DNS names to other DNS names. If you register a domain (e.g., example.com),
your registrar should be able to help you set up a CNAME from your new
domain (or a subdomain) to myMX90-wmktpbbzt.dynamic-m.com.

At this point your custom DNS name would resolve to the public IP of the
appliance the same way that the original, auto-generated FQDN would.
Warm spare
Here you can add a second MX appliance as a warm spare unit to create a
high availability (HA) pair. To do so, click the Add a warm spare button and
enter the serial number of the spare, along with virtual IPs for any uplinks that
are being used.

You can perform the following functions on an existing HA pair:
• Change the virtual IP(s) being used for the uplink(s)
• Swap the primary and secondary roles of the appliances in the pair by clicking the Swap primary and spare button
• Remove the spare from the network to be used elsewhere by clicking the Remove spare button. The spare will return to default configuration, so it is highly recommended that it be removed from the network or taken offline before this action is taken.
Setting up Security Policy on MX: Task

• Take advantage of the MX’s ability to traffic shape by enforcing a per-client bandwidth limit of 5 Mbps.
• Add a new traffic shaping rule for Netflix and Pandora. Choose a limit of 1 Mbps down, 500 Kbps up on this rule with “Low” priority.
• Create another traffic shaping rule for all VoIP & video conferencing traffic. Ignore network bandwidth restrictions for this rule and ensure the applications are treated as “High” priority.
• Turn on (enable) content filtering for your MX by adding “Adult & Pornography” as a website category that will be blocked.
Traffic Shaping Settings
The MX appliance/Z1 gateway includes an integrated Layer 7 packet
inspection engine, enabling you to set QoS policies, load balancing,
and prioritization based on traffic types and applications.

Uplink configuration
This section allows you to configure bandwidth settings, list update
frequency, primary uplink, load balancing, and layer 3 uplink
preferences.
Uplink bandwidth settings
This option allows you to configure the upload and download bandwidth
of the uplinks. This information is needed for traffic load balancing
between the active WAN / Internet ports as well as for limiting upload
and download traffic through the WAN ports.

You can configure Uplink 1, Uplink 2, and the cellular uplink individually.
To configure different upload and download bandwidths for a particular
uplink, click the details button next to that uplink's bandwidth slider.
Primary uplink
This option determines which uplink should be the primary connection.

VPN traffic and management traffic to the Meraki Dashboard use the
primary uplink. If load balancing is disabled, all traffic will use the primary
uplink unless an uplink preference is configured specifying otherwise.

Load balancing
When enabled, Load balancing spreads Internet traffic across both uplinks
proportional to the Internet1 and Internet2 bandwidths specified above.

Example: If Internet1 bandwidth is 9 Mbps and Internet2 bandwidth is 1 Mbps, the load-balancing algorithm sends 90% of the traffic through the Internet1 uplink and 10% of the traffic through the Internet2 uplink.
Uplink preferences
Use this option to direct traffic matching a layer 3 definition out a
particular uplink.
A common use case involves sending traffic from different VLANs
through different Internet uplinks, or sending a particular type of
traffic such as FTP traffic out a particular uplink based on the
destination port.
List update interval
This setting determines how often the MX should check for updates
to security lists.

You can specify an Hourly, Daily, or Weekly update interval. To specify different intervals depending on which uplink is being used to download lists, click "details".

This can be useful if you want to control bandwidth usage due to security list downloads on a low-bandwidth WAN link or cellular uplink.
Features affected by this setting include IDS/IPS, Top Sites Content
Filtering, and Malware Scanning.
Global bandwidth limits
This setting allows you to put limits on each client device's total network traffic (incoming / outgoing).

The minimum limit on the throughput is 20 kb/s. Click details or simple to switch between two possible modes.

• simple: Single setting that applies to both upload and download traffic throughput. Move the slider control right or left to set the limits.

• details: Allows you to set different limits on upload and download throughput. Enter the limits manually in kb/s. You can also use this mode to create more-precise per-client limits than in simple mode.
Enable SpeedBurst:
To provide a better user experience in bandwidth-limited
environments, an administrator can enable SpeedBurst by selecting
the Enable Speedburst checkbox.

SpeedBurst allows users to exceed their assigned limit in a "burst" for a short period of time, providing a more satisfying Internet browsing experience while still preventing any one user from using more than his or her fair share of bandwidth over the longer term.

Users are allowed up to four times their allotted bandwidth limit for a
period of up to five seconds.
Traffic shaping rules
To optimize your network, you can create shaping policies to apply per-
user controls on a per-application basis.

This allows you to reduce bandwidth for recreational applications such as peer-to-peer file sharing programs, and to prioritize bandwidth for your business-critical enterprise applications.

Creating Shaping Rules
Click Create a new rule to add a traffic shaping rule. Traffic shaping policies consist of a series of rules that are performed in the order in which they appear in the policy, similar to custom firewall rules.

There are two main components to each rule: the type of traffic to be
limited or shaped (rule definition), and how that traffic should be limited or
shaped (rule actions).
Rule Definition
Rules can be defined in two ways:
• You can select from various predefined application categories
such as Video & Music, Peer-to-Peer, or Email.
• You can create rules by specifying HTTP hostnames (for example,
salesforce.com), port numbers (such as 80), IP ranges (such as
192.168.0.0/16), or IP address range and port combinations (such
as 192.168.0.0/16:80).

The rule action is enforced on all traffic that matches the specifications you select. By clicking Add an expression, you can create additional specifications for traffic that is shaped according to the same rule action.
Rule Actions
Traffic matching the specified rule sets can be shaped or prioritized.

• Bandwidth limits can be specified to ignore any limits specified for the whole network, to obey the specified limits, or to apply more-restrictive limits than the network limits.

Use the bandwidth slider control to choose the appropriate limit for each type of traffic. To specify asymmetric limits on uploads and downloads, click details next to the bandwidth slider control.

• Priority can be set to High, Normal, or Low, allowing the MX series to prioritize a given network flow relative to the rest of the network traffic. The ratios are as follows:
◦ High: 4/7
◦ Normal: 2/7
◦ Low: 1/7

• Quality of Service (QoS) prioritization can be applied to Layer 3 traffic. To prioritize traffic at Layer 3, select a value for the DSCP tag in the IP header on all incoming and outgoing IP packets.

This also affects the Wi-Fi Multimedia (WMM) priority of the traffic.
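The task's shaping policy, the first-match rule order, the 4/7 : 2/7 : 1/7 priority ratios, SpeedBurst and the bandwidth-proportional load-balancing split can be worked through together. This Python is an added example, not Meraki code; the rule and application names are constructed, and treating "more-restrictive" limits as the tighter of rule and network limit is an assumption.

```python
"""Model of the MX traffic-shaping semantics described in this section.

Added example, not Meraki code. It encodes the task's policy (5 Mbps per-client
global limit; Netflix and Pandora at 1 Mbps down / 500 kbps up, Low priority;
VoIP & video conferencing ignoring network limits at High priority), first-match
rule order, the High 4 : Normal 2 : Low 1 priority ratios, SpeedBurst (4x the
limit for up to 5 s) and bandwidth-proportional uplink load balancing. The
"restrict" mode is modelled as the tighter of rule and network limit (assumption)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KBPS = 1
MBPS = 1000 * KBPS
PRIORITY_WEIGHT = {"High": 4, "Normal": 2, "Low": 1}   # shares out of 7
BURST_FACTOR, BURST_SECONDS = 4, 5


@dataclass
class Rule:
    name: str
    apps: Tuple[str, ...]             # application names/categories the definition matches
    priority: str = "Normal"
    limit_mode: str = "obey"          # "ignore" | "obey" | "restrict"
    down_kbps: Optional[int] = None   # only used with "restrict"
    up_kbps: Optional[int] = None


POLICY: List[Rule] = [   # constructed from the task above; order matters
    Rule("Recreational streaming", ("Netflix", "Pandora"), "Low", "restrict", 1 * MBPS, 500 * KBPS),
    Rule("Real-time voice/video", ("VoIP", "Video conferencing"), "High", "ignore"),
]
GLOBAL_LIMIT = (5 * MBPS, 5 * MBPS)   # per-client (down, up), "simple" mode


def first_match(policy: List[Rule], app: str) -> Optional[Rule]:
    """Rules apply in the order they appear; the first match wins, like custom firewall rules."""
    return next((r for r in policy if app in r.apps), None)


def effective_limit(rule: Optional[Rule], global_limit) -> Optional[Tuple[int, int]]:
    """Per-client (down, up) cap in kb/s, or None when the rule ignores all limits."""
    gdown, gup = global_limit
    if rule is None or rule.limit_mode == "obey":
        return gdown, gup
    if rule.limit_mode == "ignore":
        return None
    return min(gdown, rule.down_kbps), min(gup, rule.up_kbps)   # "restrict" only tightens


def burst_allowance(limit_kbps: int, elapsed_s: float) -> int:
    """SpeedBurst: up to 4x the limit for the first 5 seconds, then the limit itself."""
    return limit_kbps * BURST_FACTOR if elapsed_s < BURST_SECONDS else limit_kbps


def priority_shares(flows: Dict[str, str], capacity_kbps: int) -> Dict[str, int]:
    """Split a congested link between competing flows by their priority weight."""
    total = sum(PRIORITY_WEIGHT[p] for p in flows.values())
    return {f: capacity_kbps * PRIORITY_WEIGHT[p] // total for f, p in flows.items()}


def uplink_split(internet1_kbps: int, internet2_kbps: int) -> Tuple[float, float]:
    """Load balancing: fraction of Internet traffic per uplink, proportional to bandwidth."""
    total = internet1_kbps + internet2_kbps
    return internet1_kbps / total, internet2_kbps / total


def shape(app: str, policy: List[Rule] = POLICY, global_limit=GLOBAL_LIMIT) -> dict:
    """Decision the shaper reaches for one application's traffic."""
    rule = first_match(policy, app)
    return {"rule": rule.name if rule else None,
            "priority": rule.priority if rule else "Normal",
            "limit": effective_limit(rule, global_limit)}


if __name__ == "__main__":
    for app in ("Netflix", "VoIP", "salesforce.com"):
        print(app, shape(app))
    print(uplink_split(9 * MBPS, 1 * MBPS))   # (0.9, 0.1)
    print(priority_shares({"voip": "High", "web": "Normal", "netflix": "Low"}, 7 * MBPS))
```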
HTTP content caching
When this setting is enabled, the MX will cache web content on its
local hard drive. This can improve end-user experience by reducing
page load times and file download times for frequently accessed web
content. This option is not available on the MX60, MX60W, MX64,
MX64W, MX65, or MX65W.

Traffic Shaping Over VPN
Traffic shaping rules will apply to traffic sent over an AutoVPN tunnel between Meraki devices. Please note that traffic shaping rules do not apply to traffic that passes over a non-Meraki VPN tunnel.
Create a Layer 7 firewall rule to completely block BitTorrent
The firewall settings page in the Meraki Dashboard is accessible via Security Appliance/Teleworker Gateway > Configure > Firewall.

On this page you can configure Layer 3 and Layer 7 outbound firewall rules, publicly available appliance services, port forwarding, 1:1 NAT mappings, and 1:Many NAT mappings.
Outbound rules
Here you can configure permit or deny Access Control List (ACL) statements to determine what traffic is allowed between VLANs or out from the LAN to the Internet.

These ACL statements can be based on protocol, source IP address and port, and destination IP address and port. These rules do not apply to VPN traffic.
Click Add a rule to add a new outbound firewall rule.
• The Policy field determines whether the ACL statement permits or blocks traffic that matches the criteria specified in the statement.
• The Protocol field allows you to specify TCP traffic, UDP traffic, ICMP traffic, or Any.
• The Sources and Destinations fields support IPs or CIDR subnets. Multiple IPs or subnets can be entered comma-separated.
• The Src Port and Dst Port fields support port numbers or port ranges. Multiple ports can be entered comma-separated. Port ranges cannot be entered comma-separated. You can enter additional information in the Comments field.
FQDN Support
In MX 13.4 and higher, fully qualified domain names can be configured in
the Destinations field.

FQDN-based L3 firewall rules are implemented based on snooping DNS traffic. When a client device attempts to access a web resource, the MX will track the DNS request and response to learn the IP of the web resource returned to the client device.

There are several important considerations for utilizing and testing this configuration:

1. The MX must see the client's DNS request and the server's response in order to learn the proper IP mapping. The communication between the client and DNS server cannot be intra-VLAN (this DNS traffic is not snooped).
2. In some cases a client device may already have IP information about the web resource it is attempting to access. This could be due to the client having cached a previous DNS response, or a local statically configured DNS entry on the device.

The MX may not be able to properly block or allow communications to the web resource in these cases if the client device does not generate a DNS request for the MX to inspect.
An example configuration is included below:
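As an added example (not Meraki code), the following Python walks an outbound rule list in order and resolves an FQDN destination only from DNS responses it has snooped, which reproduces the cached-entry caveat in consideration 2. The rule set, the addresses and the trailing default allow are constructed assumptions.

```python
"""First-match outbound (L3) ACL evaluation with FQDN destinations learned by
snooping DNS, modelling the behaviour described above.

Added example, not Meraki code. Sources/Destinations take "Any" or comma-separated
IPs/CIDR subnets; Src/Dst port take "Any", comma-separated ports, or one "lo-hi"
range. An FQDN destination matches only addresses the MX saw in a DNS response,
so a client holding a cached or static entry is not matched (consideration 2).
The trailing "Allow any" default is an assumption about how the list ends."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Rule:
    policy: str        # "deny" | "allow"
    protocol: str      # "tcp" | "udp" | "icmp" | "any"
    sources: str       # "Any" or e.g. "10.20.10.0/24,10.20.11.5"
    src_port: str      # "Any", "80,443" or "1024-65535"
    destinations: str  # "Any", CIDR list, or an FQDN such as "blocked.example"
    dst_port: str
    comment: str = ""


def parse_ports(spec: str) -> Set[int]:
    spec = spec.strip()
    if spec.lower() == "any":
        return set(range(0, 65536))
    if "-" in spec:                      # a range cannot be combined with a comma list
        lo, hi = (int(p) for p in spec.split("-"))
        return set(range(lo, hi + 1))
    return {int(p) for p in spec.split(",")}


def parse_networks(spec: str):
    if spec.strip().lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(p.strip(), strict=False) for p in spec.split(",")]


def is_fqdn(spec: str) -> bool:
    return spec.strip().lower() != "any" and any(c.isalpha() for c in spec)


class DnsSnoopTable:
    """Addresses learned from DNS responses the MX has actually seen, keyed by name."""

    def __init__(self):
        self.learned: Dict[str, Set[str]] = {}

    def observe_response(self, qname: str, answers: List[str]) -> None:
        self.learned.setdefault(qname.lower().rstrip("."), set()).update(answers)

    def ips_for(self, fqdn: str) -> Set[str]:
        fqdn = fqdn.lower().rstrip(".")
        return {ip for name, ips in self.learned.items()
                if name == fqdn or name.endswith("." + fqdn) for ip in ips}


def matches(rule: Rule, flow: dict, snoop: DnsSnoopTable) -> bool:
    if rule.protocol != "any" and rule.protocol != flow["proto"]:
        return False
    if not any(ipaddress.ip_address(flow["src"]) in n for n in parse_networks(rule.sources)):
        return False
    if is_fqdn(rule.destinations):
        if flow["dst"] not in snoop.ips_for(rule.destinations):   # never seen in DNS: no match
            return False
    elif not any(ipaddress.ip_address(flow["dst"]) in n for n in parse_networks(rule.destinations)):
        return False
    if flow["proto"] == "icmp":
        return True                      # ICMP carries no ports
    return flow["sport"] in parse_ports(rule.src_port) and flow["dport"] in parse_ports(rule.dst_port)


def evaluate(rules: List[Rule], flow: dict, snoop: DnsSnoopTable) -> Tuple[str, str]:
    """Rules are checked top to bottom; the first match decides."""
    for rule in rules:
        if matches(rule, flow, snoop):
            return rule.policy, rule.comment
    return "allow", "implicit default (assumed)"


# Constructed rule set and DNS observation for the demonstration.
RULES = [
    Rule("deny", "any", "10.20.10.0/24", "Any", "blocked.example", "Any", comment="FQDN block"),
    Rule("deny", "tcp", "10.20.11.0/24", "Any", "Any", "20,21", comment="no FTP from Voice VLAN"),
    Rule("allow", "any", "Any", "Any", "Any", "Any", comment="Allow any"),
]
SNOOP = DnsSnoopTable()
SNOOP.observe_response("blocked.example", ["203.0.113.10"])  # constructed response the MX snooped


def demo() -> Tuple[str, str]:
    """Same client, same FQDN rule: the learned address is denied, a cached one slips through."""
    learned = {"proto": "tcp", "src": "10.20.10.7", "dst": "203.0.113.10", "sport": 51000, "dport": 443}
    cached = {"proto": "tcp", "src": "10.20.10.7", "dst": "203.0.113.11", "sport": 51001, "dport": 443}
    return evaluate(RULES, learned, SNOOP)[0], evaluate(RULES, cached, SNOOP)[0]


if __name__ == "__main__":
    print(demo())   # ('deny', 'allow')
```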
Cellular failover rules
These firewall rules are appended to the existing outbound rules when
the appliance has failed over to using a cellular modem as its uplink.

This can be useful for limiting cellular traffic to only business-critical uses
in order to prevent unnecessary cellular overages.
Appliance services
• ICMP Ping: Use this setting to allow the MX to reply to inbound ICMP ping
requests coming from the specified address(es). Supported values for the
remote IP address field include None, Any, or a specific IP range (using
CIDR notation).
You can also enter multiple IP ranges separated by commas. To add
specific IP addresses rather than ranges, use the format X.X.X.X/32.

• Web (local status & configuration): Use this setting to allow or disable
access to the local management page (wired.meraki.com) via the WAN IP
of the MX. Supported values for the remote IPs field are the same as for
ICMP Ping.
• SNMP: Use this setting to allow SNMP polling of the appliance from the
WAN. Supported values for the remote IPs field are the same as for ICMP
Ping.
Layer 7 Firewall Rules
Using Meraki's unique layer 7 traffic analysis technology, it is possible to create firewall rules to block specific web-based services, websites, or types of websites without having to specify IP addresses or port ranges.

This can be particularly useful when applications or websites use more than
one IP address, or when their IP addresses or port ranges are subject to
change.
It is possible to block applications by category (e.g. 'All video & music sites')
or for a specific type of application within a category (e.g. only iTunes within
the 'Video & music' category).

The figure below illustrates a set of layer 7 firewall rules that includes both
blocking entire categories and blocking specific applications within a
category:
It is also possible to block traffic based on HTTP hostname, destination port, remote IP range, and destination IP/port combinations.
Geo-IP Based Firewalling
The Layer 7 Firewall can also be used to block traffic based on the
source country of inbound traffic or the destination country of
outbound traffic.

To do so, create a new Layer 7 Firewall rule and select Countries... from
the Application drop-down.

You have the option of blocking all traffic to or from a specified set of
countries or blocking any traffic that is not to or from a specified set of
countries.
AMP is a robust anti-malware technology integrated into the proposed
Meraki MX Cloud Managed Security Appliances. There are two important
concepts with AMP: Disposition and Retrospection.
A file's disposition is a categorization from the AMP cloud that determines what
actions are taken on the file download. There are three file dispositions: (1)
Clean—the file is known to be good, (2) Malicious—the file is known to be
harmful, and (3) Unknown—there is insufficient data to classify the file as clean or
malicious.
Sometimes files will change disposition, based on new threat
intelligence gained by the AMP cloud. This re-classification can also
generate retrospective alerts and notifications.
The proposed Meraki MX Cloud Managed Security Appliances will
block HTTP-based file downloads based on the disposition received
from the AMP cloud.
If the proposed appliance receives a disposition of malicious for the file
download, it will be blocked. If it receives a disposition of clean or
unknown, the file download will be allowed to complete.
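The disposition and retrospection behaviour described above, modelled as an added example (hypothetical code, not Meraki's own implementation): the disposition table stands in for the AMP cloud lookup, hashes and client addresses are constructed, and only a malicious disposition blocks a download while a later change to malicious raises retrospective alerts for clients that already received the file.

```python
from dataclasses import dataclass, field

# Hypothetical model of the AMP disposition/retrospection logic described above;
# the disposition table stands in for the AMP cloud lookup and is constructed here.
@dataclass
class AmpTracker:
    dispositions: dict = field(default_factory=dict)   # sha256 -> "clean" | "malicious" | "unknown"
    allowed: list = field(default_factory=list)        # (sha256, client) pairs that were let through
    alerts: list = field(default_factory=list)

    def disposition(self, sha256):
        # Insufficient data in the cloud means "unknown", not "malicious".
        return self.dispositions.get(sha256, "unknown")

    def on_http_download(self, sha256, client):
        """Return 'block' or 'allow' for an HTTP file download, remembering what was allowed."""
        if self.disposition(sha256) == "malicious":
            return "block"
        # clean and unknown both complete; unknown is the case retrospection exists for
        self.allowed.append((sha256, client))
        return "allow"

    def update_disposition(self, sha256, new):
        """Apply new threat intelligence; returns the clients that need a retrospective alert."""
        old = self.disposition(sha256)
        self.dispositions[sha256] = new
        if new != "malicious" or old == "malicious":
            return []
        affected = sorted({c for h, c in self.allowed if h == sha256})
        for client in affected:
            self.alerts.append(f"retrospective: {client} received {sha256[:12]} (was {old}, now malicious)")
        return affected

def demo():
    """Walk through the flow with constructed hashes and hosts."""
    t = AmpTracker({"a" * 64: "clean"})
    unknown = "b" * 64
    decisions = [t.on_http_download("a" * 64, "10.0.1.5"),
                 t.on_http_download(unknown, "10.0.1.5"),
                 t.on_http_download(unknown, "10.0.1.9")]
    affected = t.update_disposition(unknown, "malicious")   # new intel: file is bad
    later = t.on_http_download(unknown, "10.0.1.7")          # now blocked at the MX
    return decisions, affected, later
```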

Task:
Turn on (enable) Advanced Malware Protection within the threat
protection mechanisms available for your MX. Also proceed to enable
Intrusion Prevention and enforce a “Balanced” ruleset.
Forwarding rules

Use this area to configure port forwarding rules and 1:1 NAT
mappings as desired.
Port forwarding
Use this option to forward traffic destined for the WAN IP of the MX on a
specific port to any IP address within a local subnet or VLAN.

Click Add a port forwarding rule to create a new port forward. You need
to provide the following:

• Description: A description of the rule.
• Uplink: Listen on the Public IP of Internet 1, Internet 2, or both.
• Protocol: TCP or UDP.
• Public port: Destination port of the traffic that is arriving on the WAN.
• LAN IP: Local IP address to which traffic will be forwarded.
• Local port: Destination port of the forwarded traffic that will be sent
from the MX to the specified host on the LAN. If you simply wish to
forward the traffic without translating the port, this should be the same
as the Public port.
• Allowed remote IPs: Remote IP addresses or ranges that are
permitted to access the internal resource via this port forwarding rule.

You can also create a port forwarding rule to forward a range of
ports. However, the range configured in the Public port field must be
the same length as the range configured in the Local port field.

The public ports will be forwarded to their corresponding local ports
within the range. For instance, if you forward TCP 223-225 to TCP 628-630,
port 223 would be translated to 628, port 224 would be translated
to 629, and port 225 would be translated to 630.
1:1 NAT
Use this option to map an IP address on the WAN side of the MX (other
than the WAN IP of the MX itself) to a local IP address on your network.
Click Add a 1:1 NAT mapping to create a new mapping. You need to
provide the following:

• Name: A descriptive name for the rule
• Public IP: The IP address that will be used to access the internal
resource from the WAN.
• LAN IP: The IP address of the server or device that hosts the internal
resource that you wish to make available on the WAN.
• Uplink: The physical WAN interface on which the traffic will arrive.
• Allowed inbound connections: The ports this mapping will provide
access on, and the remote IPs that will be allowed access to the
resource. To enable an inbound connection, click Allow more
connections and enter the following information:

◦ Protocol: Choose from TCP, UDP, ICMP ping, or any.
◦ Ports: Enter the port or port range that will be forwarded to the host on
the LAN. You can specify multiple ports or ranges separated by
commas.
◦ Remote IPs: Enter the range of WAN IP addresses that are allowed to
make inbound connections on the specified port or port range. You
can specify multiple WAN IP ranges separated by commas.

Under Actions you can move a configured rule up or down in the list.
Click the X to remove it entirely.

Creating a 1:1 NAT rule does not automatically allow inbound traffic to
the public IP listed in the NAT mapping. By default all inbound
connections are denied.

You will have to configure Allowed inbound connections as described
above in order to allow the inbound traffic.
1:Many NAT
1:Many NAT, also known as Port Address Translation (PAT), is more flexible
than 1:1 NAT. It allows you to specify one public IP that has multiple
forwarding rules for different ports and LAN IPs. To add a 1:Many NAT
listener IP, click Add 1:Many IP.

• Public IP: The IP address that will be used to access the internal resource
from the WAN.
• Uplink: The physical WAN interface on which the traffic will arrive.

A 1:Many NAT entry will be created with one associated forwarding rule. To
add additional rules, click Add a port forwarding rule under the existing
rule or rules for a particular 1:Many entry.
• Description: A description of the rule.
• Protocol: TCP or UDP.
• Public port: Destination port of the traffic that is arriving on the
WAN.
• LAN IP: Local IP address to which traffic will be forwarded.

• Local port: Destination port of the forwarded traffic that will be sent
from the MX to the specified host on the LAN. If you simply wish to
forward the traffic without translating the port, this should be the
same as the Public port.

• Allowed remote IPs: Remote IP addresses or ranges that are
permitted to access the internal resource via this port forwarding
rule.
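The port-range translation and the 1:1 NAT "default deny" behaviour described in the sections above, as an added example (a hypothetical model, not the MX's own code): port ranges must be the same length and map position for position, while a 1:1 NAT mapping admits nothing until an Allowed inbound connection entry matches the protocol, port and remote IP. The 1:Many rules reuse the same per-port shape as the port forwarding rule. All addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of the rule semantics described above (not the MX's own code).
def port_range(spec):
    """Parse a dashboard-style port field such as '223-225' or '443' into a range."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def remote_allowed(src_ip, allowed):
    """'any', or a list of IPs/CIDRs, as in the Allowed remote IPs / Remote IPs fields."""
    return "any" in allowed or any(
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(c) for c in allowed)

@dataclass
class PortForward:
    protocol: str        # "tcp" or "udp"
    public: range        # Public port(s) on the WAN IP of the MX
    lan_ip: str
    local: range         # Local port(s) on the LAN host
    allowed_remote: list

    def __post_init__(self):
        # The dashboard rejects ranges of different length; mirror that here.
        if len(self.public) != len(self.local):
            raise ValueError("Public port and Local port ranges must be the same length")

@dataclass
class OneToOneNat:
    public_ip: str
    lan_ip: str
    allowed_inbound: list   # (protocol, port range, remote IPs) tuples; empty list = deny all

def forward(rule, protocol, dst_port, src_ip):
    """Port forwarding lookup: (lan_ip, local_port) or None when nothing matches."""
    if (rule.protocol == protocol and dst_port in rule.public
            and remote_allowed(src_ip, rule.allowed_remote)):
        # Position-for-position mapping: 223->628, 224->629, 225->630.
        return rule.lan_ip, rule.local.start + (dst_port - rule.public.start)
    return None

def nat_inbound(mapping, dst_ip, protocol, dst_port, src_ip):
    """1:1 NAT inbound check: the mapping alone admits nothing; an entry must match."""
    if dst_ip != mapping.public_ip:
        return None
    for proto, ports, remotes in mapping.allowed_inbound:
        if proto in ("any", protocol) and dst_port in ports and remote_allowed(src_ip, remotes):
            return mapping.lan_ip, dst_port
    return None
```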
Bonjour Forwarding
Use this feature to allow Bonjour to work between VLANs. Click Add a Bonjour
forwarding rule to create a new forwarding rule.
• Description: Specify a name for the rule.
• Service VLANs: Select one or more VLANs where network services are running.
Bonjour requests from the Client VLANs will be forwarded to these VLANs.
• Client VLANs: Select one or more VLANs from which client Bonjour requests
can originate. Requests on these VLANs will be forwarded to the Service VLANs.
The list of services that can be forwarded includes:
◦ All services
◦ AirPlay
◦ Printers
◦ AFP (Apple file sharing)
◦ Scanners
◦ iChat
Cisco Meraki SD-WAN
What is SD-WAN?
Software-defined WAN (SD-WAN) is a suite of features designed to
allow the network to dynamically adjust to changing WAN conditions
without the need for manual intervention by the network
administrator.

By providing granular control over how certain traffic types respond
to changes in WAN availability and performance, SD-WAN can
ensure optimal performance for critical applications and help to
avoid disruptions of highly performance-sensitive traffic, such as VoIP.
Cloud Managed SD-WAN
In addition to augmenting or replacing premium WAN bandwidth,
lowering costs, maximizing investments, improving the application
experience and delivering innovative services across the organization with
agility, technology leaders like yourself are eager to lower operational
complexity as they embrace Fast IT as a part of the overall business
strategy.
Management solutions are a crucial part of making Fast IT into a reality.
One should not have to sacrifice critical solution capabilities based on the
desire for a simplified control point.

As a result of our initial discovery, we are confident that the Meraki SD-WAN
solution is an excellent fit for your company.
SD-WAN Technologies
The Meraki SD-WAN implementation is comprised of several key
features, built over our AutoVPN technology.

• Dual-Active VPN uplinks - Secure Connectivity
• Dynamic Path Selection - Transport Independent
• Policy-based Routing - PBR
• Performance Probes - Application Optimization
Dual-Active VPN uplinks
Prior to the SD-WAN release, AutoVPN tunnels would form only over a single
interface. With the SD-WAN release, it will now be possible to form concurrent
AutoVPN tunnels over both Internet interfaces of the MX.

The ability to form and send traffic over VPN tunnels on both interfaces
significantly increases the flexibility of traffic path and routing decisions in
AutoVPN deployments.

In addition to providing administrators with the ability to load balance VPN
traffic across multiple links, it also allows them to leverage the additional path
to the datacenter in a variety of ways using the built-in Policy-based Routing
and Dynamic Path Selection capabilities of the MX.
Cisco Meraki SD-WAN
Policy-based Routing
Policy-based Routing allows an administrator to configure preferred VPN
paths for different traffic flows based on their source and destination IPs
and ports.
Dynamic Path Selection
Dynamic Path Selection allows a network administrator to configure
performance criteria for different types of traffic.

Path decisions are then made on a per-flow basis based on which of
the available VPN tunnels meet these criteria, which is determined using
packet loss, latency, and jitter metrics that are automatically gathered
by the MX.
Performance Probes
Performance-based decisions rely on an accurate and consistent stream
of information about current WAN conditions in order to ensure that the
optimal path is used for each traffic flow. This information is collected via
the use of performance probes.

The performance probe is a small payload (approximately 100 bytes) of
UDP data sent over all established VPN tunnels every 1 second.

MX appliances track the rate of successful responses and the time that
elapses before receiving a response. This data allows the MX to determine
the packet loss, latency, and jitter over each VPN tunnel in order to make
the necessary performance-based decisions.
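The probe-to-decision chain described in the Policy-based Routing, Dynamic Path Selection and Performance Probes sections, as an added example (hypothetical code, not the MX's own implementation): per-tunnel probe results are reduced to loss, latency and jitter, and a flow is placed on the first tunnel that meets its traffic class's thresholds, honouring a PBR preference only while that tunnel still complies. The probe history, tunnel names and VoIP thresholds are constructed.

```python
# Constructed probe history per AutoVPN tunnel: one round-trip time in ms per
# 1-second probe, None where no response came back. Sample data, not MX telemetry.
PROBES = {
    "wan1-to-dc": [21, 23, None, 22, 24, 25, None, 23, 22, 24],
    "wan2-to-dc": [48, 50, 49, 51, 47, 52, 50, 48, 49, 51],
}

def tunnel_metrics(rtts):
    """Packet loss (%), mean latency (ms) and jitter (mean |delta| between consecutive replies, ms)."""
    answered = [r for r in rtts if r is not None]
    loss = 100.0 * (len(rtts) - len(answered)) / len(rtts)
    if len(answered) < 2:
        # Too few responses to say anything about latency or jitter: treat as unusable.
        return {"loss": loss, "latency": float("inf"), "jitter": float("inf")}
    latency = sum(answered) / len(answered)
    jitter = sum(abs(b - a) for a, b in zip(answered, answered[1:])) / (len(answered) - 1)
    return {"loss": loss, "latency": latency, "jitter": jitter}

def select_path(probes, criteria, preferred=None):
    """Pick a tunnel for one flow.

    criteria: maximum acceptable loss/latency/jitter for this traffic class.
    preferred: a policy-based-routing preference, honoured only while that
    tunnel still meets the criteria; otherwise the next compliant tunnel wins.
    """
    candidates = sorted(probes)
    if preferred in candidates:
        candidates.remove(preferred)
        candidates.insert(0, preferred)
    for name in candidates:
        m = tunnel_metrics(probes[name])
        if all(m[k] <= limit for k, limit in criteria.items()):
            return name
    return None   # no tunnel meets the criteria; the flow needs a fallback policy

# Constructed thresholds for a loss/latency/jitter-sensitive class such as VoIP.
VOIP = {"loss": 1.0, "latency": 150.0, "jitter": 30.0}
```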
