Meraki SDWAN
&
Alibaba Cloud

Updated on 8 April 2023 by Fady Sharobeem

Overview

Extending your Meraki SDWAN fabric across mainland China and global

Use Case

Implementation

Summary

Use Case

Internet censorship is a well-known term for many governments to control or suppress what can be accessed, published, or viewed on the Internet enacted by regulators.

China's Internet censorship is more comprehensive and sophisticated than any other country in the world, which has a much more significant implication on the traffic destined and/or sourced to/from mainland China. Some of those implications are:

· Increased latency

· Unreliable packet delivery

· Blockage of a list of services and websites

In 2017, the Standing Committee of the National People's Congress of China promulgated a cybersecurity law which among other things, requires network operations to store data locally within mainland China.

In response to all that, Cisco Meraki built a China service to serve better our customers who are located or have a presence in mainland China. China service is an exclusive instance of the Cisco Meraki dashboard located in mainland China and is separate from the global Meraki dashboard.

For global customers with a presence in mainland China, Cisco Meraki strongly advises to ensure the Cisco Meraki devices in mainland China are placed in Cisco Meraki's China service (https://dashboard.meraki.cn), which will require some extra considerations for the SDWAN deployment.

This blog will cover the solution and design considerations of building a Cross-border data connection over the Alibaba Cloud to connect the SDWAN fabric across the two instances of Cisco Meraki dashboards to offer better latency and more reliable packet delivery without the need to invest in expensive private network.

Implementatio n

Create a new Meraki network

From Organization menu, select Create network

Choose network name and select the network type to be either Combined hardware or Security appliance, then select the vMX from the inventory list.

Generate Authentication token - Meraki Authentication token will be valid within an hour from generating it and it's required to map the virtual MX hosted in the cloud vendors to correct Meraki organiztion/network.
Navigate to the vMX network and click on Security & SDWAN menu then Appliance status

The Meraki virtual MX will be in NAT mode by default and it's required to change the operating mode to passtrhough.
From Addressing & VLANs menu, choose Passthrough or VPN Concentrator mode instead of Routed

Make sure to build at least two vMXs, one hosted in the Meraki global dashboard (https://dashboard.meraki.com) and another instace hosted in Meraki service in China dashboard (https://dashboard.meraki.cn)

Alibaba Cloud Configuration

Create at least two Virtual Private Clouds (VPCs) within Alibaba organization. One hosted in a global Point of Presense, like Sydney, and other hosted withing Mainland China, like Shenzhen.

Building Virtual Private Cloud (VPC)

From Products and Services menu, select Virtual Private Cloud.
Select the Point of Presence (PoP) to host the vMX on.

Configure the VPC name and CIDR block

Create at least two virtual switches within the VPC in two different zones and assign CIDR ranges within the chosen block.

Create Elastic Compute Service

From Alibaba Marketplace, and under Software Infrastructure / Network Infrastructure search for Cisco Meraki vMX or Click here
Click on "Choose your plan" then
Select your Billing Method
Choose Alibaba Point of Presence (PoP) and the primary zone to deploy the vMX on
Keep the rest of configuration as default then click next

Configure the Networking
Make sure to select the correct virtual SW
Tick the Assign Public IPv4 Address option
Select the billing method then click Next

Apply the Meraki vMX Token
Change the Instance name or keep the default
Expand Advanced (based on instance RAM roles or Cloud-init) and paste the Meraki vMX Authentication token under User Data and Click next
Keep the rest of configuration as default then click Next

Repeat the same steps to create at least two vMX in Sydney and Shenzhen PoPs

After completing this section, you should have Cisco Meraki vMXs up and running. Make sure to verify the public IPs used by each vMX and match it with Alibaba ECS instance.

Routing Adjustment across Domains

There are at least four routing tables that will need adjustment to allow the cross-border communication, and it will split into 2 sections.

Cisco Meraki Routing

Select vMX network and then go to Security & SD-WAN > Site-to-Site VPN and enable Hub mode
Under VPN settings section, Add a local Network
Add Local subnet(s) of the current vMX
Add the remote subnet(s) of the other Meraki vMX
Add the remote subnet(s) of the cross-border network

Configure the Site-to-Site VPN spokes to point to the respective Alibaba vMX hub

Repeat the same steps to create the other side of the network

Alibaba Routing

From main menu, select Cloud Enterprise Network then, create a new Instance and give it a name

Exit the page and Create Transit Router, select the region (PoP) and configure a name

Create a connection and choose VPC, Networks and the virtual switches

In the advanced settings, by click all the boxes, it will create 3 static routes for the RFC1918 subnets and direct the traffic to the transit router as the next hop

Repeat steps 2 and 3 for the other PoP

Create additional connection and choose cross-region

From any of the instances created in steps 3 or 4, select Cross-region connections

Create route back in route tables of each VPC
From VPC menu, choose Route Table and click on Custom Route. Add the routes of the branches and select the next hop to be the vMX ECS Instance

After adding the route, make sure to publish it to CEN from "Route Status in CEN" Column

Repeat last step for the other VPC in the network

SUMMARY

Overall, integrating Cisco Meraki SD-WAN with Alibaba Cloud Enterprise Networks enables organizations to create a unified and efficient network infrastructure that spans across different regions and meets their business needs. The integration provides a secure and reliable way to connect your branch offices or data centres in mainland China to other global locations, and allows you to optimize network traffic and improve application performance.

Meraki SDWAN & Alibaba Cloud

Updated on 8 April 2023 by Fady Sharobeem

On YouTube

Overview

Use Case

Implementation

Summary

Use Case

Implementatio n

Create a new Meraki network

Alibaba Cloud Configuration

Building Virtual Private Cloud (VPC)

Create Elastic Compute Service

Routing Adjustment across Domains

Cisco Meraki Routing

Alibaba Routing

SUMMARY

Meraki SDWAN
&
Alibaba Cloud