This blog outlines options for deploying Meraki MX SD-WAN with Secure Access to deliver a comprehensive SASE solution. Following these recommended designs will help ensure your network achieves optimal performance and security.

Overview 

Today's remote and hybrid workforce, widespread cloud adoption, and increased internet-bound traffic require organizations to deliver secure, optimized access to applications anywhere, on any device. Traditional network models struggle to keep pace, prompting organizations to embrace Secure Access Service Edge (SASE) architectures. By integrating Cisco Meraki SD-WAN with Cisco Secure Access, businesses benefit from unified, cloud-native networking and security, ensuring consistent protection, simplified operations, and a scalable user experience across all locations.

Cisco Meraki and Secure Access stand out with their centralized, cloud-based dashboards, enabling IT teams to deploy, monitor, and manage networks from anywhere—eliminating the need to build more on-premises controllers. The platform integration prioritizes simplicity, scalability, and automation, while offering built-in analytics and security for both enterprise and distributed environments. Managed through the Cisco Meraki dashboard, Meraki MX SD-WAN leverages AutoVPN technology to seamlessly orchestrate and provision Secure Access cloud hubs and tunnels between sites in a spoke-and-hub network.

Dual Fabric Terminology

For clearer guidance, the following special terms describe devices and traffic paths within two SD-WAN fabrics: Traditional Cisco Meraki MX SD-WAN and Cisco SSE Secure Access.

Cisco SASE Supported Topologies for Meraki

Spoke-Spoke Communication Without Secure Access

In a traditional SD-WAN topology without Secure Access, spokes communicate directly with each other via the MX Hub using AutoVPN tunnels. Traffic between Spoke 1 and Spoke 2 flows through Hub.

Spoke-Spoke Communication With Secure Access (SSE)

When Secure Access SIA is enabled, the topology changes significantly:

• Spokes connect to Secure Access cloud hubs (e.g., US West 1, US East 1) via Cloud AutoVPN tunnels
• Direct spoke-spoke communication via MX Hub is disabled by default (path #2)
• Site-to-site via Cloud Hub is enabled by default (path #1)
• Support must take action to re-enable site-to-site via MX Hub if needed

Why These Changes Occur

When deploying a SASE architecture, it is recommended to inspect East-West traffic between sites to maximize security efficacy. Secure Access integration with Meraki org disables direct Spoke-Spoke communication via MX Hub to ensure all traffic is inspected and policy is applied as intended.

Platform Optimization

To improve platform stability and resiliency, the following optimizations are adopted at onboarding for all organizations that enable Meraki Secure Access integration:

• Dashboard installed routes are removed from all Spokes and Hubs
• BGP protocol is used as the sole method of providing routes to sites
• Meraki Hubs are prevented from sharing Spoke routes they learned toward other Spokes
• Cloud Spokes traffic to any other sites prefers the cloud path

Connectivity Path Matrix

* MX Hub (Hybrid or Local) must be configured on a Spoke to enable direct local-path access to its prefixes.

Note: Meraki Hubs form a mesh and communicate using their Local connectivity path.

Scale of Sites and Routes

• For quicker convergence with Cloud Hubs, Spoke sites can be configured to receive only a default route, bypassing specific iBGP route prefixes
• MX-advertised prefixes encompass local subnets, eBGP-learned routes, and defined static routes
• Cloud and Hybrid Spokes will receive a default route and specific routes known by the Cloud Hubs

Early Access Limitations

• Organizations deploying Design B (Hybrid Spokes with Hybrid and Cloud Hubs) can accommodate a maximum of 2 MX Hybrid Hubs
• For organizations using a small number of Sites, up to 10 MX Hybrid Hubs can be enrolled
• The Sites UI displays a warning if 2-10 hubs are enrolled and will prevent enrollment of more than 10 MX hubs

The integration fundamentally changes traffic flow by forcing East-West traffic through Secure Access cloud hubs for inspection, while disabling traditional direct spoke-to-spoke paths via MX hubs by default. This ensures consistent security policy enforcement across all site-to-site communications.