Thanks for the input! Merakis are still a bit steep in terms of initial cost, but my main concern is the recurring licensing…seems that it would be almost like buying the devices all over again every 3 years or so…Admin knows our ASAs were pretty much a buy once and done deal, and we haven’t had to use SmartNet for any of them.
I have an MX64 at home that I got from the webinar…the setup looks easy for site-to-site…but in reality, is Meraki itself being the “dynamic DNS” provider for these to work? My concern is that since each of my remote sites is on DHCP, they would depend on Meraki to connect and route correctly.
Meraki uses the native VPN client built into Windows, no extra software necessary. This is nice on one hand because it’s built right in, but the VPN functionality with Meraki is pretty limited and can become a dealbreaker very quickly in certain deployments.
For the VPN client, some settings are not pushed down to the client upon connection like you’d get with Cisco AnyConnect. Domain suffix and split-tunneling settings need to be configured manually on the client side, for example.
Site-to-site tunnels to non-Meraki peers (basically any firewall outside your organization, even if it’s a Meraki outside your org) are basically garbage. All VPN peers need to have the same ‘local networks’ configured, so you can’t have something like Peer 1 tunnel is only the server VLAN, Peer 2 tunnel gets server, voice, and PC VLANs. There’s no support for IKEv2, only DH groups 1/2/5 supported. You can’t have any redundancy like if the remote side has 2 WANs, it only supports defining 1 remote IP. If your side has dual WANs, doing VPNs to Azure/AWS will basically limit you to just using 1 of your WANs.
So if all these sites are sites you manage, the Meraki Auto-VPN is very nice and ‘just works’, a few clicks to enable it and you’re done. But if you need to maintain VPNs to other parties, we’ve basically had to scrap Meraki in those deployments or keep another firewall in the network for those VPNs.
Meraki Z1s for the remote locations are cheap, and their license is $33 a year. They can handle 30 megabits no problem. MX64 for headquarters.
Client VPN utilizes the native Windows or Mac VPN client.
I’ll have to look up what my client paid for Meraki vs. my costs on SonicWall.
Very true. I’m not getting quotes in and putting in a spreadsheet, adjusting for 5 years of total costs…Merakis are more expensive up front but are coming out cheaper over the distance than others.
Have you had any experience with their “next day hardware replacement” service? Worried about how quickly we could be back up if something does.
With the L2TP VPN client in Windows, you have to enable PPP auth for the VPN to connect. We found this out when we called Meraki to understand why we couldn’t get clients connected via L2TP.
The situation you describe makes the Meraki setup sound like a great fit for your org.
Support is email or chat only. They’re working on rolling out a paid support tier with phone support too. They push firmware updates fairly frequently but they’re easy and quick to install. No licensing costs of any kind. If the box can physically do it you’re allowed to.
Do you require any of the security features of a new firewall? Content filtering/malware/IDS/IPS/etc? The current line of ASA is subscription based for those services (it’s called FirePOWER). Even AnyConnect licensing is subscription based at this point.
ASA’s were pretty much a buy once and done deal
I don’t remember what kind of warranty/support are included in that, but part of what you’re paying for with Merakis is warranty/support/updates.
Also, if you consider the amount of time you spend making sure firmware is up to date, making configuration changes, and troubleshooting issues, those are all recurring costs.
You say you haven’t had to use SmartNet, and maybe you’re good enough with Cisco stuff that you have firmware updates, configuration changes, monitoring, and troubleshooting down pat. If that’s the case, then Merakis are going to provide limited benefit. However, if that stuff takes up a bunch of your time, compare the cost of your time vs. the cost of the Meraki subscription. If the Merakis save you enough time, the TCO is lower.
Yeah they use their cloud to establish the connection handoff. If it had to rebuild due to a new public IP, the cloud would establish the direct connection between both units.
Hmm…we don’t have dual WANs at any of the remote sites, or even at our hub.
What I have set up for the current ASAs is that each site gets its own IP range (site A = 192.168.10.x /24, site B = 192.168.11.x /24, etc.)
For the client VPN’ers, they get an IP out of a pool (10.10.111.x /24).
We do have VLANs at our hub/across our managed switches, but at these remote sites there is no need; it’s literally maybe three computers on desks and one user each. Anything that would normally go on a VLAN at the hub just goes on the site’s regular subnet…not standard across the board but works.
So with IKEv2…that means we won’t have AES for VPN? We’re currently IKEv1, with stage 1 3DES / stage 2 AES, but looking for AES 256 across the board, even with client VPNs.
We currently do not have relations to any other parties. Perhaps in the future there may be a situation where we have a public customer portal that’s either A.) a cloud hosted server that is managed by us or B.) a local server, but on a different public IP and infrastructure to air gap it. Worst case scenario is we have to DMZ this server, but I’d like to keep it totally off our production network.
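The IKE version and the cipher suite are independent choices: AES-256 can be negotiated under IKEv1 or IKEv2, and what the non-Meraki-peer limitation described earlier in the thread constrains is the IKE version and the DH group (1/2/5 only), not the cipher. The script below is an added example, not code from the thread or from Cisco or Meraki: it lints a set of IKE/IPsec proposals against a minimum baseline (MODP group of at least 2048 bits or an ECP group, AES, SHA-2, IKEv2 where possible). The baseline numbers, the `Proposal` shape and the sample proposals (the poster's current 3DES/AES setup with an assumed AES-128 phase 2 and assumed DH group 2, the AES-256 target, and a peer capped at IKEv1 with DH group 5) are all this example's own assumptions.

```python
"""Lint IKE/IPsec proposals against a minimum baseline (added example)."""
from dataclasses import dataclass

# MODP Diffie-Hellman groups and their modulus sizes (RFC 2409 / RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
# Elliptic-curve groups (RFC 5903); accepted regardless of MIN_MODP_BITS.
ECP_GROUPS = {19, 20, 21}

# Assumed baseline for this example; tune to your own policy.
MIN_MODP_BITS = 2048
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5", "sha1"}


@dataclass(frozen=True)
class Proposal:
    name: str
    ike_version: int   # 1 or 2
    encryption: str    # e.g. "aes256", "3des"
    integrity: str     # e.g. "sha256", "sha1"
    dh_group: int      # IKE DH group (phase 1) or PFS group (phase 2)


def lint(p: Proposal) -> list[str]:
    """Return a list of findings; an empty list means the proposal meets the baseline."""
    findings = []
    if p.encryption.lower() in WEAK_CIPHERS:
        findings.append(f"{p.name}: encryption '{p.encryption}' is weak; use AES")
    if p.integrity.lower() in WEAK_HASHES:
        findings.append(f"{p.name}: integrity '{p.integrity}' is weak; use SHA-2")
    if p.dh_group not in ECP_GROUPS and DH_GROUP_BITS.get(p.dh_group, 0) < MIN_MODP_BITS:
        bits = DH_GROUP_BITS.get(p.dh_group)
        size = f"{bits}-bit" if bits else "unknown size"
        findings.append(
            f"{p.name}: DH group {p.dh_group} ({size}) is below {MIN_MODP_BITS}-bit MODP"
        )
    if p.ike_version < 2:
        findings.append(
            f"{p.name}: IKEv1 is deprecated (RFC 9395); prefer IKEv2 when both peers support it"
        )
    return findings


def lint_all(proposals) -> dict[str, list[str]]:
    return {p.name: lint(p) for p in proposals}


# Constructed samples (assumptions, not the poster's actual configuration).
CURRENT_ASA = [
    Proposal("asa-phase1", 1, "3des", "sha1", 2),
    Proposal("asa-phase2", 1, "aes128", "sha1", 2),
]
TARGET = [
    Proposal("target-phase1", 2, "aes256", "sha256", 14),
    Proposal("target-phase2", 2, "aes256", "sha256", 14),
]
# A peer limited to IKEv1 and DH groups 1/2/5 can still carry AES-256;
# the lint flags only the version and the group.
LIMITED_PEER = [Proposal("limited-peer-phase1", 1, "aes256", "sha256", 5)]

if __name__ == "__main__":
    for name, findings in lint_all(CURRENT_ASA + TARGET + LIMITED_PEER).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running it shows the current 3DES/SHA-1/group 2 proposals with four and three findings respectively, the AES-256/SHA-256/group 14 target with none, and the IKEv1/group 5 peer with exactly two: the cipher passes, which is the point the question above is circling.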
No they can’t, they cap at 10Mbps for VPN tunnels.
That said, it’s still my go-to brand for anything we do on the edge. All our primary sites have MX64 or better, and Z1 for small office p2p VPN and MX64 where VPN over 10Mbps is required.
I had seen the Z1s but overlooked them for this application I guess.
You think the MX64 would really be enough to handle the HQ? I know what the specs say on the site, but I always like to cut those in half and consider that the best case situation…which is why I looked at the MX84/100
I’m not too sure; we’re in Hawaii, and it took us two days to get the replacement. We used a spare router (non-Meraki) for basic internet needs while we waited.
No, we already have a web filtering appliance…as for the others, we don’t currently have them…we’ve discussed adding them, but never gotten to it. We wouldn’t miss anything from not getting FirePOWER.
I saw that AnyConnect is subscription based…we just need a 25 chunk of users though…but that’s an easier sell to admin as a recurring cost than Meraki’s setup it seems.
How many remote sites do you have?
MX64 is good up to 250x250 megabits. I have it at several sites on 100x100 fiber and it doesn’t even blink.
Make sure to take into account VPN traffic. Normal internet traffic it may be fine, but the smaller MX64 does all its VPN in CPU vs. offloading to a crypto module. I had some customers put in MX64s on 150Mbps circuits, but the circuit is basically dedicated to a VPN; they couldn’t push more than 90Mbps of VPN traffic and the MX’s CPU was getting wrecked.
9 sites, varying speeds but I think a max of 30 Mbps from Comcast.
Our hub has fiber at 75/50 Mbps.
I didn’t know whether to really take their specs at face value or not. I got nervous thinking of old Cisco licensing when they mentioned recommended user counts…that’s why I went higher…
I have 12 sites on an MX64 with no issues. I’m not pushing a huge amount of traffic, just DNS and SQL mostly. Unless you are doing a closed tunnel where all traffic goes to HQ you will be fine.
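Before a hub-and-spoke mesh of this size is built, the one check worth automating is that no site subnet overlaps another site or the client VPN pool, since overlapping prefixes silently break routing once every peer carries the same shared 'local networks' list. The script below is an added example, not the poster's configuration: it extrapolates the per-site /24 scheme given earlier in the thread (site A = 192.168.10.0/24, site B = 192.168.11.0/24, …) to the nine sites mentioned, adds the 10.10.111.0/24 client pool, reports overlapping pairs, collapses the site prefixes into summary routes, and does a longest-prefix lookup. All site names beyond A and B and the mapping of sites to octets are this example's own assumptions.

```python
"""Validate a per-site addressing plan for a site-to-site VPN (added example)."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed plan: nine sites following the thread's scheme, plus the client pool.
SITES = {
    f"site-{chr(ord('A') + i)}": ipaddress.ip_network(f"192.168.{10 + i}.0/24")
    for i in range(9)
}
CLIENT_POOL = ipaddress.ip_network("10.10.111.0/24")
PLAN: Dict[str, ipaddress.IPv4Network] = {**SITES, "client-vpn": CLIENT_POOL}


def find_overlaps(networks: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Return every pair of names whose prefixes overlap (an empty list is the goal)."""
    return [
        (a, b)
        for (a, na), (b, nb) in combinations(networks.items(), 2)
        if na.overlaps(nb)
    ]


def summarize(networks: Dict[str, ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Collapse adjacent prefixes into the smallest set of summary routes, which is
    what you would put in a shared 'local networks' list instead of nine /24s."""
    return list(ipaddress.collapse_addresses(networks.values()))


def locate(address: str, networks: Dict[str, ipaddress.IPv4Network]) -> Optional[str]:
    """Longest-prefix match: which site (or pool) an address belongs to, if any."""
    ip = ipaddress.ip_address(address)
    matches = [(n.prefixlen, name) for name, n in networks.items() if ip in n]
    return max(matches)[1] if matches else None


def check_new_site(name: str, prefix: str,
                   networks: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Dry-run adding a site: return the overlaps it would introduce without mutating the plan."""
    candidate = dict(networks)
    candidate[name] = ipaddress.ip_network(prefix)
    return [pair for pair in find_overlaps(candidate) if name in pair]


if __name__ == "__main__":
    print("overlaps in current plan:", find_overlaps(PLAN))
    print("summary routes for sites:", [str(n) for n in summarize(SITES)])
    print("192.168.13.7 belongs to:", locate("192.168.13.7", PLAN))
    # A tenth site carved out of site A's range would collide.
    print("adding site-J as 192.168.10.128/25:", check_new_site("site-J", "192.168.10.128/25", PLAN))
```

The summary step collapses the nine contiguous /24s to four prefixes (a /23, a /22, a /23 and a /24), which is a smaller and less error-prone list to keep identical on every peer; `check_new_site` is the dry run to do before a new remote site is assigned a range.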