Need to kick tires on my SD-WAN knowledge for a project and Meraki is being considered.
I haven’t touched it in a looong while, so I’m curious on the latest in terms of the good, the bad and the ugly…
For one, hearing at CiscoLive that they are putting enterprise Cisco stuff on Meraki makes me uneasy…
It’s great as long as your network isn’t too complex; there is not too much flexibility with routing, especially if you have non-Meraki peers. BUT if you research enough before diving in and your network fits the bill, it’s an absolute dream.
I’m very happy with it. The deployment is simple and I am satisfied with the flexibility for linking HQ, branch offices, distribution centers, datacenters, etc.
I have about 800 small locations that I use a Meraki product in. Easy to deploy and manage. Auto VPN is nice and easy for backhauling anything they need network access to internally, then break out internet locally for stuff not internal. Content filtering, block list and white list you can manage per site or sync those settings. We also use SIG as another layer of protection. Works well; wish it had a few features we are missing, but if your network isn’t crazy complex you should be able to make it work.
If you can fully re-engineer your network, there can be a great fit with Meraki.
We have a moderately complex network environment with multiple datacenters plus about 30 cloud integration points. We do NOT use Meraki for anything on the datacenter side.
However, we have 600+ branch offices interconnected to this, all around the world, ranging from 15 to 3000 users. Branch offices are using Meraki for wifi, switches and firewalls. And this has been running great. We only need 2 operations people to support the 50K+ device network. We can remotely deploy new offices: new site configurations are done remotely and take a few minutes. Installation does not require technical people. We do hit some snags over time, so be cautious with updates. Yes, there are some bandwidth limitations even on higher end firewalls; you need to plan accordingly. The global solution is not cheap, considering all licenses.
We got rid of all MPLS and most DIA connections. We now use mostly broadband connections and improved bandwidth at a lower price. 2 to 3 ISPs at each location.
We also have Fortinet deployments: from a technical standpoint, all my engineers prefer Fortinet and it’s cheaper. However, at the scale we use Meraki, we all agreed that Meraki is faster and easier to scale in a secure way with fewer resources than what we would need with Fortinet.
After 6 years in, would we go the Meraki route again? As a “legacy” engineer who preferred control, flexibility and console, I’m sad to say that from a business perspective Meraki was the best decision.
The inability to easily manage IPS and L7 firewall exceptions is our biggest concern. It’s a fancy DHCP server in our environment with no-NAT enabled to a true SD-WAN appliance.
Meraki API is your friend. I regularly use ChatGPT to rapidly shell out API scripts.
Meraki documentation is really good, especially the best practice articles.
At the drop of a hat, open a ticket (i.e. case) with Meraki support. They are usually very responsive, and you can open a case right from the Dashboard.
In the Dashboard, creating a network means creating a new site. (I wish they called it Site Network, Site, or something like that.) I make it a habit to call them site networks when I’m talking with my team, so there’s no ambiguity of what we’re talking about (i.e. subnet, VLAN, etc).
Early on, practice combining site networks. (Yes, you read that right.) It’s a fairly common practice to take two site networks and say ‘hey, they don’t need to be two things, they can be one thing’, then combine them. Overlapping VLANs notwithstanding, it’s really smooth and seamless. Take a few test site networks, throw some settings in, combine them, then see what you have. (This has dug me out of some pretty deep holes in the past.)
As stated elsewhere here, Meraki’s real strengths are the switches and APs. Its MX line is fair, but the advanced features don’t hold up well against the competition.
Do not - I repeat, do not - move away from co-termination licensing. I know it’s a pain in the neck using an algorithm to calculate the termination date of your licensing, but it’s 1000x better than the alternative, where each license has a completely different expiration date.
Tags, tags, tags. Get a consistent tagging system, then go to town. Huge time saver.
Use profiles, especially port and VLAN profiles. Another time saver.
Use the mobile app. That has saved me in the field, as well as when I had to claim a few dozen appliances when I didn’t have any info from the purchase.
Check out the Early Access section in Organization → Early Access.
Speaking of the Organization section, take a tour of which settings are in the Org section and which are in the Network. (Pop quiz: The Org menu has its own firmware upgrades section. Where’s the section to upgrade firmware just at the network level?)
If you are onboarding a new device/appliance, then first add it to a lone site network, then upgrade its firmware. Yeah, there are groups, staged upgrades, and such that allow you to upgrade firmware in batches, but if you need a one-off upgrade, just move the device to a site network, upgrade the firmware, then move the device back. (Learned to do that the hard way.)
Cisco AnyConnect integrates quite well with Meraki.
Meraki devices and appliances have this weird thing where, during/right after a firmware upgrade, they take on the IP address 1.1.1.1 for just a few seconds. (This might be a thing with other vendors too, but I’ve never come across it.) If you notice IP conflict alerts with that address, then that’s why.
If you need an MDM for anything other than managed Apple iOS w/ Apple Business Manager, then look elsewhere. Like, literally anywhere else. Meraki boasts a long list of Systems Manager features for Mac OS and Android. Problem is that the Android side is pretty bumpy, and the Mac side is so clunky that it’s almost unusable. (I have a fleet of 150+ iOS devices that SM handles just fine, but I wouldn’t use it for a more advanced fleet or enterprise-level demands.)
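The tips above recommend scripting against the Meraki API and keeping a consistent tagging scheme. As an added example (not code from the thread or from Meraki), the script below fetches an organization's site networks through the real Dashboard API v1 endpoint and audits their tags against a policy; the policy itself (region and tier tags) is a hypothetical assumption, and the constructed sample data lets the audit run offline.

```python
"""Tag-consistency audit for Meraki site networks (added example)."""
import json
import os
import re
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"

# Hypothetical tagging policy: every site network carries exactly one region
# tag and exactly one tier tag, and nothing outside these two families.
TAG_RULES = {
    "region": re.compile(r"^region-(emea|amer|apac)$"),
    "tier": re.compile(r"^tier-(hq|branch|dc)$"),
}


def fetch_networks(org_id, api_key):
    """GET /organizations/{organizationId}/networks (real Dashboard API v1)."""
    req = urllib.request.Request(
        f"{BASE_URL}/organizations/{org_id}/networks",
        headers={"X-Cisco-Meraki-API-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_tags(networks, rules=TAG_RULES):
    """Return {network name: [problems]} for networks that violate the policy."""
    findings = {}
    for net in networks:
        tags = net.get("tags", [])
        problems = []
        for label, pattern in rules.items():
            matches = [t for t in tags if pattern.match(t)]
            if not matches:
                problems.append(f"missing {label} tag")
            elif len(matches) > 1:
                problems.append(f"conflicting {label} tags: {matches}")
        unknown = [t for t in tags if not any(p.match(t) for p in rules.values())]
        if unknown:
            problems.append(f"unrecognised tags: {unknown}")
        if problems:
            findings[net["name"]] = problems
    return findings


# Constructed sample mirroring the API's response shape (not real data).
SAMPLE_NETWORKS = [
    {"id": "N_1", "name": "Paris-Branch", "tags": ["region-emea", "tier-branch"]},
    {"id": "N_2", "name": "Austin-HQ", "tags": ["region-amer", "tier-hq", "tier-branch"]},
    {"id": "N_3", "name": "Tokyo-DC", "tags": ["tier-dc", "Tokyo"]},
]

if __name__ == "__main__":
    nets = SAMPLE_NETWORKS
    if os.environ.get("MERAKI_API_KEY") and os.environ.get("MERAKI_ORG_ID"):
        nets = fetch_networks(os.environ["MERAKI_ORG_ID"], os.environ["MERAKI_API_KEY"])
    for name, problems in audit_tags(nets).items():
        print(name, "->", "; ".join(problems))
```

Set `MERAKI_API_KEY` and `MERAKI_ORG_ID` to run it against a live organization; without them it audits the constructed sample.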
For sites that have unique ISPs and aren’t interconnected via site-to-site VPN, what’s the advantage of SD-WAN? Been wondering if it’s something useful, but I’m new to Meraki.
I have a network of 200+ physical and virtual MXs and it’s rock solid. Yes, there are limitations, especially with VPNs to non-Meraki peers, but I’m happy with the setup and it’s very much low touch.
We have been pretty happy with it in my enterprise. We use it at around 15 locations, and adding more locations to the mesh is as easy as clicking some buttons. 95% of servers are in Azure with a vMX and ping over VPN is great.
I encountered an issue with Meraki SD-WAN in that it doesn’t support source NAT when utilizing IPsec. In comparison, I believe Fortinet SD-WAN surpasses Meraki significantly. Meraki seems more suitable for small office/home office (SOHO) networks rather than enterprise-level setups. If budget allows, I’d recommend opting for Fortinet. While Meraki is user-friendly, it offers limited logs for troubleshooting purposes.
How does Meraki SD-WAN probe the health (latency, jitter, loss) of IPsec tunnels? Does it probe a specific IP, or take actual measurements of data packets in flight over the tunnels?
Any company that provides OSPF in a one way solution is not worth investing your money in. Yes, MXs will advertise OSPF but will not receive routes. Worst design I have seen in my entire career. If you have a simple hub and spoke network and only use static routes, it works ok, but there are much better options out there. Planning to replace half of ours with Palos in the next year, without SDWAN.
It’s garbage for enterprise, and is okay for SOHO types of deployments. FYI, even in 2023 for Meraki as headends for MPLS or tunneled connections, the most bandwidth a single appliance can support is 5Gb, which is laughable. A large retailer with over 1k+ locations is locked into this awful ecosystem, and it does not scale well at all.
Basically Cisco bought Meraki, and then they stopped innovating or adding new features. For dick’s sake, Meraki STILL DOESN’T SHOW HIT COUNTERS on its firewall in 2023. BGP support is spotty at best, and all advanced features and t-shooting are locked down with only TAC having access.
For something truly next-gen, would highly recommend you look at Cato networks. They have POPs built out in over 160+ locations (compare that to PA’s like not even 2 dozen for Prisma), and are set to beat Cisco and Palo Alto at their own game in terms of Cloud SD-WAN/NGFW capability. Boxes are rented and it’s a pay-per-bandwidth deployment, with all the security features in the cloud, which actually works mostly fine from a latency standpoint since they did their due diligence in building out the POPs. So far I’ve really liked what I’ve seen from them, doing a few POCs with customers looking for very large-scale deployments.
Steer clear unless the use case is extremely simple. I run Meraki SD-WAN between many sites and we are looking to move to Cisco because of the lack of flexibility. There is little to no visibility, and no concept of metric in the overlay, so no duplicate routes. It’s great to connect two or 3 sites together in a very simple manner where you only have a few networks at each site and don’t desire any advanced control.