Secure your branch office with the Cisco Meraki MX

BRKSEC-2900

Daghan Altas

Product Manager

Cisco CNG

© 2015 Cisco and/or its affiliates. All rights reserved. BRKSEC-2900 Cisco Public

Agenda

• Problem

• Cisco CNG

• Live network creation demo (45m)

• Product Brief

• Q&A


What if my firewall dies?

What if my Internet goes down?

What about DR?

What happens if I discover a threat?

How can I keep my PCI traffic isolated from guest traffic?

I need a solution that just works!

We have a small team responsible for 1000 store networks

I pay too much for MPLS!

BYOM!

How do I discover a threat?


Cost, Agility, Security

Bandwidth costs:
• MPLS costs
• Increased bandwidth demands

High cost and complexity of network management:
• Truck rolls
• Zero local IT
• Difficulty with troubleshooting

CPE complexity:
• Management
• Configuration

New WAN architecture demands:
• Agility
• Migration to Metro-E
• Adoption of Internet (and DIA)
• Service creation
• Intelligent QoS

Security is more important than ever:
• Direct Internet Access to SaaS
• Guest wireless access
• BYOD
• APT protection

WAN access needs to change

Secure and reliable networks that are easy to manage


Cisco CNG


Cisco Cloud-managed Networking Group

• Cisco Meraki: a complete cloud-managed networking solution

– Wireless, switching, security, WAN optimization, and MDM

– Built from the ground up for cloud management

• Leader in cloud-managed networking

– Among Cisco’s fastest-growing portfolios: over 100% annual growth

– Tens of millions of devices connected worldwide

• Recognized for innovation

– Gartner Magic Quadrant, InfoWorld Technology of the Year, CRN Coolest Technologies

Trusted by thousands of customers worldwide:


• Cisco Meraki MR: Wireless LAN
• Cisco Meraki MX: Security Appliances
• Cisco Meraki MS: Ethernet Switches
• Cisco Meraki SM: Mobile Device Management

Today: 100% cloud managed edge networking


Cloud-managed networking architecture

• Network endpoints securely connected to the cloud
• Cloud-hosted centralized management platform
• Intuitive browser-based dashboard


The EU Cloud

EU privacy laws limit the transfer of private data out of the EU

Meraki EU Cloud features local datacenters: Frankfurt, Munich, Dublin

Management info, user traffic analytics, location data never leave the EU

Scalable, secure networks that comply with EU privacy regulations


• Application Control: WAN Optimization, Traffic Shaping, Content Filtering
• Security: NG Firewall, Client VPN, Site to Site VPN, IDS/IPS
• Networking: NAT/DHCP, 3G/4G failover, Static Routing, Link Balancing

7 models scaling from teleworker and small branch to campus / datacenter

A complete Unified Threat Management solution


Target customers


Why choose the Cisco Meraki MX?

Intuitive centralized management
• No training, no command line
• Templates to configure at-scale
• Packet capture, built-in tools and diagnostics

Industry-leading visibility
• Fingerprints users, applications, and devices
• Network-wide monitoring and alerts
• Full stack: APs, switches, Security, MDM

Designed for distributed enterprises
• Single pane of glass visibility
• Zero-touch provisioning
• Seamless updates from the cloud
• Site-to-site IPSec VPN in 3 clicks


Ironclad security

• Best IPS: Sourcefire IDS / IPS, updated every day
• Content filtering: 4+ billion URLs, updated in real time
• Geo-based security: Block attackers from rogue countries
• AV / anti-phishing: Kaspersky AV, updated every hour
• PCI compliance: PCI L1 certified cloud-based management


Rock-solid UTM for multi-site organizations

Why Cisco Meraki MX?

• Lean IT staff; needed centralized remote management for easily-deployed UTMs (zero-touch)

• Intuitive site-to-site VPN

• HIPAA compliant

• Needed single-box solution (MX60W) for security and wireless at rehabilitation centers

• Guest hotspots provided with MX60W Wi-Fi and 3G/4G uplinks

• Largest diversified provider of post-acute care in USA

• 2000+ locations in 46 states, 75,000+ employees


Penn Mutual saves $858K

Projects / Pain Points:
• Implement a BYOD platform at 50 remote sites
• Managed Service Provider & MPLS costs

Solution:
• Complete Meraki Stack: MR, MS, MX
• Phase off MPLS to Broadband

Business Outcomes:
• Reduced Telco Spend by 40%
• Single platform in branch improved IT efficiency

Demo

Setting up dual-DC VPN network


Demo: Resilient WAN and security under 30 min

• HA within DC

• DC to DC failover

• WAN link failover (4G)

• Automated VPN between sites

• Full UTM features

– IPS

– Content Filtering

– AV

– L7 firewall rules

[Diagram: Internet; DC1: 10.2.0.0/16 (Template: West, 10.2.0.10); DR: 10.2.0.0/16 (Template: East, 10.2.0.10); Branch1: 192.168.1.0/24]


End goal: DC-to-DC failover and load-balancing

[Diagram: Internet; DC1 HA pair with branches connected to DC1 (active VPN tunnel); DC2 HA pair with branches connected to DC2 (active VPN tunnel); failover VPN tunnels]

Product Brief


Introducing the MX64 / MX64W


MX64 / MX64W

Speed

• Industry’s first 802.11ac UTM

• Dual radio

• ~3X speed of 11n wireless

• 2-3X faster than MX60 / MX60W

Security

• UTM provides one-stop security

• IPS, content filtering, malware / anti-phishing

– Seamless, automatic updates

• PCI 3.0-certified cloud backend

SKU List Price

MX64-HW $595

LIC-MX64-ENT-3Y $600

LIC-MX64-SEC-3Y $1200

MX64W-HW $945

LIC-MX64W-ENT-3Y $650

LIC-MX64W-SEC-3Y $1300

New Features: IWAN


What is IWAN?

“Intelligent WAN” (IWAN) is a collection of Cisco technologies and products that enable transport independence, intelligent path control, application optimization, and secure connectivity for multi-site deployments.

Transport Independence
• IPsec overlay (Auto VPN)
• Scalable (cloud architecture)
• Traffic distribution over multiple pathways (Internet, cellular, MPLS)

Application Optimization
• App visibility & control (Meraki dashboard, group-based policies, traffic analytics)
• Application QoS & bandwidth optimization (Traffic shaping)

Intelligent Path Control
• Uplink chosen by link latency, data loss, etc. (PfR, aka performance-based routing)
• Uplink assigned by traffic protocol, subnet, source, destination, etc. (PbR, aka policy-based routing)

Secure Connectivity
• Intuitive, automatic, scalable VPN solution to connect remote branch sites (Auto VPN)


Upcoming IWAN features for the MX (FQ3)

Dual-active path:
• Active-active VPN + VPN
• Active-active VPN + MPLS

Policy-based routing (PbR):
• Allows uplinks to be intelligently assigned based on traffic protocol, subnet, source, destination, etc.

Performance-based routing (PfR):
• Ensures the best uplink is used based on latency and loss metrics


Choosing the right MX for your environment

• MX64/64W: small branches (~25 users); throughput 100 Mbps; features: wireless (MX60W)
• MX80: mid-size branches (~100 users); throughput 250 Mbps; features: large Web cache (1TB)
• MX100: mid-size branches (~500 users); throughput 500 Mbps; features: SFP ports, large Web cache (1TB)
• MX400: large branch / campus (~2,000 users); throughput 1 Gbps; features: modular interface, large Web cache (1TB)
• MX600: large branch / campus (~10,000 users); throughput 2 Gbps; features: modular interface, large Web cache (4TB)
• Z1: for teleworkers (1-5 users); FW throughput 50 Mbps; features: dual-radio wireless

All devices support 3G/4G


MX Security Appliances: Licenses

Enterprise License
• Stateful firewall
• Site to site VPN
• Branch routing
• Link bonding and failover
• Application control
• Web caching
• WAN optimization
• Client VPN

Advanced Security License
• All enterprise features, plus
• Content filtering (with Google SafeSearch)
• Kaspersky Anti-Virus and Anti-Phishing
• Sourcefire IPS / IDS
• Geo-based firewall rules


MX Sizing Guide


EU Cloud

https://meraki.cisco.com/lib/pdf/meraki_datasheet_eu_cloud.pdf

Q & A


Free evaluations available

• Try Cisco Meraki with no risk or commitment

• Complimentary technical assistance available

• Start trial at meraki.cisco.com/eval


Call to Action

• Visit the World of Solutions for

– Cisco Campus

– Walk in Labs

– Technical Solution Clinics

• Meet the Engineer

• Lunch time Table Topics

• DevNet zone related labs and sessions

• Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2015


Complete Your Online Session Evaluation

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
