Today, we’re excited to announce a slew of new features for Cisco Meraki MX Security Appliances that offer more robust failover, enhanced security, and improved flexibility.
New MX functionality includes:
Datacenter (DC-to-DC) failover
Warm spare failover
Geo-based IP firewall rules
These features will be rolled out to our existing MX customers as part of our summer firmware update. We’ll deliver blog posts diving into each feature in the coming days, so stay tuned!
Avoid downtime, disruption
If you’re managing multiple branch sites that tunnel back to datacenters, the Meraki MX’s new datacenter failover support is a mission-critical enhancement. Using AutoVPN, you can already tunnel branch connections securely through MXs deployed elsewhere, either in a hub-and-spoke or mesh topology. Now, you can specify concentrator priority for multiple sites, enabling predefined failover to specific locations should a site go offline.
For example, each branch site (“spoke”) in a hub-and-spoke VPN can select which datacenter (“hub”) it wishes to tunnel to by default for shared subnet resources. It can also specify which other hubs to establish secure tunnels with in the event the primary hub becomes unreachable—and this failover will be automatic. The hubs themselves can then be deployed in a mesh topology, ensuring layers of redundancy for branches and datacenters, an exciting enhancement for customers who can’t afford disruption due to datacenter outages.
Meraki MXs now support hub-and-spoke (pictured) and mesh datacenter failover.
We’re also thrilled to announce warm spare failover functionality for MXs running in NAT mode—one of two deployment modes an MX can be configured in (the other being VPN concentrator mode). This feature ensures the integrity of MX service at the appliance level regardless of configuration. In the event an MX goes offline, a secondary MX will automatically take over its duties—ensuring a site is not deprived of functionality like industry-leading intrusion prevention, VPN, application and client control, DHCP service, and more.
Configuring MX warm spare in the Meraki dashboard.
Improved addressing flexibility
To host services, such as web and email, across the Internet, organizations require public IP addresses. As the demand for public IP addresses has grown, the cost of acquiring one has increased (there is a finite supply). Meraki MX security appliances already support 1:1 Network Address Translation (NAT), which allows direct one-to-one mapping of public IP addresses to internal IPs, as well as port forwarding, the ability to map several services (e.g., web, email) to internal servers through the MX’s public IP address.
With new 1:Many NAT functionality, we’ve combined these features so that any public IP can be mapped to multiple different internal IPs and ports.
In short, the MX now provides enormous addressing flexibility for organizations relying on external, routable IP address management for hosting services.
Map any public IP to internal addresses and ports with 1:Many NAT support in the Meraki MX.
Secure your borders
Meraki MX security appliances already provide superior branch protection through integrated Sourcefire intrusion prevention, cloud-based content filtering, and stateful firewalling. Now, you can restrict traffic in your network based on the physical geography of packet origin or destination. This means if you are a US-based business with no legitimate reason to share traffic with, say, Albania, you could prevent all packets originating from that country from entering your network. Conversely, if you wish to keep network interactions solely within US borders, you can limit traffic to US-based Internet segments. Additionally, it’s now possible to view the geographic location of specific traffic flows on the Monitor > Traffic analytics page.
View geographic origin and destination of traffic flows in the Meraki dashboard.
For More Information
Stay tuned for additional blog posts on these exciting new features, and check out our website for more details about specific MX models for your environment.
Finally, as always, we’re listening to your feedback, so please let us know what you think on our social media feeds or through our dashboard’s “make a wish” feature — and offer any ideas you may have.