Cisco Meraki is currently the undisputed market leader when it comes to the simplicity and elegance of SD WAN deployments.
The Meraki simplified cloud-based dashboard and automatic default full-mesh VPN capabilities enable extremely rapid Zero Touch Provisioning (ZTP) rollouts of an SD WAN across your enterprise, ensuring a smooth and relatively painless experience. However, the Cisco Meraki solution is not necessarily appropriate for all situations and you must be aware of the limitations in both hardware and software that could affect your overall business decisions and associated network design.
One of the largest criticisms of Cisco Meraki is its licensing model. In addition to purchasing the hardware, you must also maintain a licence to use it. This in itself is nothing new, as most hardware vendors operate this way. With most traditional licensing models, if you let the licence lapse the hardware continues to operate, though you may be out of compliance, which can carry its own legal ramifications. Meraki, however, enforces licence compliance by actually disabling the hardware if the subscription is not maintained. Unlike with other vendors there is no permanent grace period: only a short 30-day grace period is provided after a licence lapses, after which the hardware is disabled, so your accounting department must be aware of this. When you move to a managed SD WAN model you do not have to take this issue into consideration, because your Managed Services Provider (MSP) handles it for you.
Meraki’s SD WAN is enabled across the entire line of MX hardware and virtual appliances. It is based on Meraki’s AutoVPN technology, which automatically establishes private connectivity between all the MX appliances in your organisation. Meraki’s SD WAN is currently limited to two uplinks in simultaneous use, with a third 4G link possible as a standby failover. For most enterprises, particularly smaller branch offices, this will be adequate. Unfortunately, this dual-uplink limitation applies to the entire MX product line, including the high-end devices meant to run in data centres, so you may need to put more planning into your network design to work around it. The good news is that this limitation could potentially be lifted at some point through software, just as the SD WAN feature itself was introduced without requiring hardware upgrades.
The hardware performance of Meraki MX appliances could also be a limiting factor, depending on your needs and network design for SD WAN. Meraki’s product line designed for small branch offices is limited to 100 - 200 Mbps of VPN throughput, depending on the model, and Meraki recommends no more than 50 client devices connecting through these appliances. The medium-size offerings make a fairly large jump in price and have a VPN throughput range of 250 - 500 Mbps. The high-end offerings meant for large branches, campuses, and data centres offer a maximum throughput of 2 Gbps. While this will certainly be good enough for most environments, bandwidth usage across your company will only continue to grow with time, and this ceiling may be too low if you have a very large environment or need to distribute a lot of SD WAN traffic.
Directly related to hardware performance are the VPN tunnel scaling limits. These are not unique to Meraki, as all SD WAN platforms have tunnel scaling limits you must be aware of. With Meraki, though, the default design is an automatic full mesh of VPN tunnels in which every site establishes a tunnel with every other site, so each appliance must hold one tunnel per other site in the organisation. The MX appliances designed for small and branch offices support a maximum of 50 tunnels, while the high-end appliances support up to 5,000. This is where a good network design strategy comes into play to maximise performance and lower the Total Cost of Ownership (TCO).
If your network is sufficiently large (e.g. more than 50 sites), you should design a hub and spoke topology with the MX appliances. This is all easily done through Meraki’s cloud-based dashboard. The hub and spoke design improves performance by limiting the number of SD WAN VPN tunnels the spoke MX devices must establish: a site configured as a spoke forms tunnels only with the hubs, instead of the default full mesh of tunnels to every site.
The limitation of this model is that all traffic between spokes must traverse a hub rather than going directly between the sites. For most enterprises this is acceptable, because critical company data is centralised in regional data centres and branch sites rarely communicate directly with each other over the network. Where they do, Meraki’s dashboard allows you to make exceptions: you can still establish individual spoke-to-spoke tunnels so that traffic does not pass through the hub.
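To make the scaling rule from the last three paragraphs concrete, here is a small tunnel-count planner. It is an added example, not Meraki code or dashboard logic: the site names, the sample estate of two data-centre hubs and 120 branches, and the per-model limits (50 tunnels for small branch models, 5,000 for high-end appliances, taken from the figures above) are constructed for illustration. It computes how many AutoVPN tunnels each appliance must hold under a full mesh and under hub-and-spoke with optional spoke-to-spoke exceptions, and flags any appliance that exceeds its model’s limit.

```python
"""AutoVPN tunnel-count planner (added example; not Meraki's own code).

Full mesh: every appliance holds one tunnel per other site (n - 1).
Hub-and-spoke: hubs still hold n - 1, spokes hold one tunnel per hub,
plus one extra tunnel on each end of any explicit spoke-to-spoke exception.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    hub: bool          # True for a hub (e.g. data centre), False for a spoke
    tunnel_limit: int  # AutoVPN tunnel capacity of the appliance model (assumed figure)


def full_mesh_tunnels(sites: Iterable[Site]) -> Dict[str, int]:
    """Default AutoVPN behaviour: every site tunnels to every other site."""
    sites = list(sites)
    return {s.name: len(sites) - 1 for s in sites}


def hub_spoke_tunnels(sites: Iterable[Site],
                      spoke_exceptions: Iterable[Tuple[str, str]] = ()) -> Dict[str, int]:
    """Hub-and-spoke: hubs tunnel to all sites, spokes only to hubs, plus
    explicit spoke-to-spoke exceptions. Duplicate or self pairs are ignored;
    an exception naming a hub is a configuration error."""
    sites = list(sites)
    by_name = {s.name: s for s in sites}
    hub_count = sum(1 for s in sites if s.hub)
    counts = {s.name: (len(sites) - 1) if s.hub else hub_count for s in sites}
    seen = set()
    for a, b in spoke_exceptions:
        pair = frozenset((a, b))
        if len(pair) != 2 or pair in seen:
            continue
        if by_name[a].hub or by_name[b].hub:
            raise ValueError(f"exception {a}-{b} must be between two spokes")
        seen.add(pair)
        counts[a] += 1
        counts[b] += 1
    return counts


def over_limit(sites: Iterable[Site],
               counts: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Appliances whose required tunnel count exceeds their model's limit,
    mapped to (required, limit). Empty dict means the design fits."""
    return {s.name: (counts[s.name], s.tunnel_limit)
            for s in sites if counts[s.name] > s.tunnel_limit}


# Constructed sample estate: two high-end hubs and 120 small branch appliances.
SMALL_BRANCH_LIMIT = 50     # small branch MX tunnel limit, per the article
HIGH_END_LIMIT = 5_000      # high-end MX tunnel limit, per the article
SITES = [Site("dc-east", True, HIGH_END_LIMIT), Site("dc-west", True, HIGH_END_LIMIT)]
SITES += [Site(f"branch-{i:03d}", False, SMALL_BRANCH_LIMIT) for i in range(1, 121)]


if __name__ == "__main__":
    mesh = full_mesh_tunnels(SITES)
    print("full mesh: tunnels per appliance =", mesh["branch-001"],
          "| appliances over limit =", len(over_limit(SITES, mesh)))
    hs = hub_spoke_tunnels(SITES, [("branch-001", "branch-002")])
    print("hub-and-spoke: branch-001 =", hs["branch-001"], "| dc-east =", hs["dc-east"],
          "| appliances over limit =", len(over_limit(SITES, hs)))
```

Run against the sample estate, the full mesh puts 121 tunnels on every appliance, so all 120 branches exceed the 50-tunnel limit, while hub-and-spoke needs only two tunnels per spoke (three for a branch with one spoke-to-spoke exception) and 121 on each hub, well within the limits.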
One perhaps surprising limitation is that none of the MX appliances designed for smaller branch offices feature an SFP port for optical fibre connectivity. It is not until you get into the higher-priced mid-range models that this option becomes available. This is surprising because, in many rural areas where branch offices may be located, copper broadband may not be available and Direct Internet Access (DIA) delivered over fibre Ethernet may be all you can get. Your options in this case are either to upgrade to a larger MX appliance or to place a media converter or similar device in front of the MX to convert the fibre handoff to copper Ethernet.
The other limitations to be aware of with Meraki SD WAN are high availability (HA) and failover times. HA is typically only used in large campuses and data centres where reliability is critically important. Meraki currently offers a “warm spare” active/standby model using the Virtual Router Redundancy Protocol (VRRP). This means you can only use the forwarding capacity of a single appliance, not both as in an active/active model. Failover between the active and standby appliance can take up to 30 seconds. Additionally, AutoVPN tunnel failover and failback and dynamic path selection have their own limitations: a problem may persist for 30 - 40 seconds before action is taken. These kinds of limitations may not be acceptable for your particular environment, and you should be aware of them.
Ultimately Cisco Meraki’s SD WAN platform covers the vast majority of enterprise use cases. The product is stable, elegant, and extremely easy to operate which lowers your TCO because you do not necessarily need expert-level staff to operate and maintain the SD WAN. For many of the present limitations, you can enable workarounds through smart network design. Likewise, some limitations may be removed with future software releases that do not require replacing existing hardware which further protects your investment.
About Jedadiah Casey
Senior Network Engineer for 5 years; general IT/sysadmin experience for 10 years prior. Bachelor of Science degree in Information Systems. Certifications: Cisco CCNP Routing & Switching, CCDP Network Design, CCNA Routing & Switching, CCNA Wireless, CCNA Industrial, CCNA Service Provider; Certified Wireless Network Professional (CWNA); VMware VCP-DCV; Juniper JNCIA. Working toward Cisco CCIE R&S; first lab attempt was June 2018.