Things You Should Know About Meraki Security Appliances

Greetings everyone, Raymond Lacoste here with StormWind Studios, and today I want to share with you five things you should know about Meraki Security Appliances. Now, I love Meraki products: easy to set up, easy to troubleshoot, easy to monitor, easy to maintain. But even though they are easy, you can still get tripped up. So I'm going to share five things that we feel, if you knew about them, would give you a much better Meraki Security Appliance deployment experience.

So, first and foremost, let's look at this topology. We have a single security appliance topology, and that single security appliance is what many of you might deploy. But what we're lacking in this deployment is high availability. I'm a big fan of a dual security appliance deployment, because we get high availability when we go with two security appliances. However, we end up with many more caveats that many of us are not aware of, and that's what I'm going to share with you right now.

First and foremost, our security appliances don't support Spanning Tree Protocol. So when we implement this dual high availability deployment with two security appliances, we could have a serious problem on our hands, and that is Layer 2 loops. Let's dive into where these loops could occur. Since our security appliance doesn't participate in Spanning Tree Protocol, it doesn't understand any of the Spanning Tree Protocol BPDUs. So any of the links you see between the security appliances and our downstream switches are subject to Layer 2 loops. We definitely want to make sure Spanning Tree Protocol is running everywhere it can, and if we recognize that a Layer 2 loop could occur across any of the links up in this area of the topology, we're going to want to manually control which VLANs, which traffic, is allowed to flow across each of the links. That allows us to make sure the loops do not occur.

Now you might be saying, "Well, wait a second! Why are we running Layer 2 up there?" Because, when it comes to the security appliance, these are all classified as trunk ports or access ports; they are not Layer 3 routed ports. What that means is that if you have your typical Layer 3/Layer 2 architecture, these are still Layer 2 links, and they are susceptible to loops, so you're going to have to identify the loops and stop them from happening. In addition, if you are running Layer 3 up here and Layer 2 all the way down here, we have one large Layer 2 domain, which is susceptible to loops in this portion of the network. So you'll want to identify where those loops could happen and then prune the traffic as necessary, on a VLAN-by-VLAN basis, off the links to stop any loops from occurring.

Now, you'll see here that we have this link between the two appliances. This link is not here for passing traffic. It's there as the VRRP heartbeat used for the high availability scenario, so the appliances can see whether each other exists.

Why? Because we have an active-standby scenario with our high availability deployment. Only one of these security appliances is going to be active at any point in time. If the active one fails, the standby learns about this through the VRRP heartbeats, and then it can promote itself to active and forward traffic as necessary. So this direct connection is there to make sure the two can communicate directly with each other and not end up in an accidental active-active scenario because the heartbeat is not successfully getting through the downstream switches. The heartbeat runs on all the links; however, this extra, dedicated link ensures that we never end up in that active-active type of scenario. What you need to realize, though, is that this link definitely becomes a problem for Layer 2 loops, since Spanning Tree Protocol isn't there to break them. So we need to make sure that only VRRP traffic goes across that link. You don't want any other traffic going across it.

You're not using it to forward any other types of traffic for any other VLANs, so allow only the VRRP heartbeat across that link and nothing else, and that will help you avoid loops, due to the fact that Spanning Tree Protocol is not running on our appliance.

The next item on our list is dynamic routing protocols. Now, that's not a problem if you are running Layer 3 up here and Layer 2 down here, because you're not going to have to worry about routing at all in this part of the network. The security appliances are going to be your default gateway, so through Layer 2 forwarding using MAC addresses we can get to our default gateways, those security appliances.
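The loop problem described in the first item above can be checked on paper before anything is cabled. The following script is an added example, not code from the video or from Cisco Meraki: it models each link as the set of VLANs allowed across it, treats the two appliances as devices that do not run Spanning Tree, and reports every VLAN on which such a device sits on a cycle, because that is exactly the cycle Spanning Tree cannot break (the switches never see each other's BPDUs through the appliance). The topology, device names and VLAN numbers are constructed for illustration, and the model is deliberately conservative: it assumes every link forwards on every VLAN allowed on it, including the standby appliance's ports.

```python
from collections import defaultdict

# Constructed topology (an assumption for this example, not from the video).
# Each entry is (end A, end B, set of VLANs allowed on the link).
# MX1/MX2 are the security appliances, SW1/SW2 the downstream switches.
# Two trunks from every appliance to every switch plus a switch-to-switch
# trunk, all carrying every VLAN: the "default" cabling that loops.
UNPRUNED = [
    ("MX1", "MX2", set()),       # dedicated heartbeat link: VRRP only, no data VLANs
    ("MX1", "SW1", {10, 20}),
    ("MX1", "SW2", {10, 20}),
    ("MX2", "SW1", {10, 20}),
    ("MX2", "SW2", {10, 20}),
    ("SW1", "SW2", {10, 20}),
]

# Same cabling, but the allowed-VLAN lists are pruned per link so that on
# every VLAN the appliance links form a path, not a ring.
PRUNED = [
    ("MX1", "MX2", set()),
    ("MX1", "SW1", {10}),
    ("MX1", "SW2", {20}),
    ("MX2", "SW1", {20}),
    ("MX2", "SW2", {10}),
    ("SW1", "SW2", {10, 20}),
]

# Devices that do not run Spanning Tree (the MX appliances).
NO_STP = {"MX1", "MX2"}


def on_cycle(node, edges):
    """True if `node` lies on a cycle of the (multi)graph `edges`.

    Remove the node, then check whether two of its links land in the same
    connected component of what is left (or on the same neighbour twice).
    """
    adj = defaultdict(set)
    neighbours = []
    for a, b in edges:
        if a == b:
            continue
        if node in (a, b):
            neighbours.append(b if a == node else a)
        else:
            adj[a].add(b)
            adj[b].add(a)

    # Label every node reachable from each neighbour with a component id.
    component = {}
    for nb in neighbours:
        if nb in component:
            continue
        component[nb] = nb
        stack = [nb]
        while stack:
            cur = stack.pop()
            for nxt in adj[cur]:
                if nxt not in component:
                    component[nxt] = nb
                    stack.append(nxt)

    seen = set()
    for nb in neighbours:
        if component[nb] in seen:
            return True        # second link into the same component: a ring
        seen.add(component[nb])
    return False


def unprotected_loops(links, no_stp):
    """Map VLAN -> sorted list of STP-blind devices that sit on a loop on that VLAN.

    A cycle entirely among STP-capable switches is fine (STP blocks a port);
    a cycle through an STP-blind device is not, because BPDUs never cross it.
    """
    vlans = set().union(*(allowed for _, _, allowed in links))
    report = {}
    for vlan in sorted(vlans):
        edges = [(a, b) for a, b, allowed in links if vlan in allowed]
        looped = [dev for dev in sorted(no_stp) if on_cycle(dev, edges)]
        if looped:
            report[vlan] = looped
    return report


if __name__ == "__main__":
    print("unpruned:", unprotected_loops(UNPRUNED, NO_STP))
    print("pruned:  ", unprotected_loops(PRUNED, NO_STP))
    # Leaking a data VLAN onto the heartbeat link reintroduces a ring.
    print("leak:    ", unprotected_loops(PRUNED + [("MX1", "MX2", {10})], NO_STP))
```

In the pruned layout, VLAN 10 reaches the switches only over MX1-SW1 and MX2-SW2, VLAN 20 only over MX1-SW2 and MX2-SW1, and the switch-to-switch trunk carries both, so on each VLAN the links through the appliances form a path. The third call shows why the heartbeat link must carry nothing but VRRP: permitting VLAN 10 on it closes the ring MX1-SW1-SW2-MX2-MX1 again, and no switch can block it.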

No problem there whatsoever. It's when we have our typical setup of Layer 3/Layer 2 that we run into trouble. In this case, we don't have the ability to run our dynamic routing protocol on our security appliance. So the end result is: how do we even get traffic forwarded from here upstream, however we need it to flow? This is where we have to get creative with static default routing: set up some floating static default routes, maybe rely on some interface tracking through some sort of first hop redundancy protocol we have at the distribution layer, maybe even rely on IP SLA as well.

So we really have to get creative here, simply because they don't support dynamic routing protocols. But let's also think about the fact that traffic has to come back. For traffic to come back, how are we going to forward it when it comes back in, depending on who's active and who's standby? Again, we're going to have to rely on being creative with static routes on the security appliances, and we'll also have to make sure we have some way to control which static route is being used at what time, and that's where IP SLA can help us there as well.

So, even though they don't run dynamic routing protocols, by being creative we can still accomplish the goals we need to accomplish.

Also, your spare's config is assumed based on the primary's config, so you're not going to be configuring that secondary spare device. We configure our primary as needed, we push a button to activate a spare, we put in the serial number of that spare device in the dashboard, and everything's done for us automatically behind the scenes. What that means is that whatever we configure on the primary is inherited by the secondary. Now, why do you care about that? You care because if you physically cable the spare incorrectly, your high availability solution is not going to work. The reason is that the config is based on port numbers. Let's say this is port three: well, this better be port three as well. The config is based on this being port four: well, then this better be port four as well. It's based on that being port five, so this better be port five as well.

It's based on this being port one, so this better be port one. Based on port two, this better be port two. I think you get the picture. But the physical cabling also plays an extremely important role here. So if port one on the primary goes to the primary ISP, then port one on the secondary better go to the primary ISP as well, whereas port two goes to the secondary ISP, and so on and so forth. The cabling is extremely important, because that config is inherited so that the two are exact matching copies of each other.

That's extremely important when you're setting up the solution.

Next, regardless of whether you have a high availability solution or a single security appliance solution, you want to use the Advanced Security license. The reason is that the Enterprise license, albeit great, providing us with a stateful firewall, VPN, application control and web caching, leaves me wanting more, and I want you to have more as well. You want content filtering, you want IDS/IPS, you want Advanced Malware Protection, you want Cisco Threat Grid, you want to sleep better at night. For myself, I sleep better at night knowing that IDS and IPS are working for me. I sleep better at night knowing that I am amped with Advanced Malware Protection and Cisco Threat Grid. So as my network keeps getting attacked at night, I am sleeping soundly, knowing that I've got a team out there behind the scenes who don't even work for my company, but because I paid for the Advanced Security license I'm getting all this extra protection behind the scenes, which my security appliance learns about and uses to protect my organization.

So this is going to cost you more, potentially double what you were originally anticipating to spend, but it's definitely well worth the investment.

Lastly, you need to have the same models for NAT HA mode, plain and simple. Why is that? Well, think about it: we already said we inherit the config, so if we don't have the exact same models of security appliances, it's not going to work for us. The reason I bring this to your attention is that a lot of organizations think, "I'm going to go with a high-end security appliance as the primary and a low-end one as our standby, as our spare, because we can deal with slower throughput and slower processing and slower everything else during a failover scenario, as long as we still have connectivity."

It's not going to work for you that way. You must wipe that mentality from your brain. They must match. So if you go with an MX100 as the primary, you need to use an MX100 as your standby.

So folks, by keeping these five things in mind when transitioning from other security appliances to Meraki Security Appliances, or when deploying Meraki Security Appliances for the first time, you're going to have a much better, trouble-free deployment experience, knowing all of this ahead of time. From all of us here at StormWind Studios, thank you very much for listening today, and until next time, keep on learning. Take care folks, and bye for now.
