[c-nsp] Devil's Advocate - Segment Routing, Why?

Mark Tinka mark.tinka at seacom.mu
Sat Jun 20 17:30:17 EDT 2020



On 20/Jun/20 08:49, Reuben Farrelly via cisco-nsp wrote:

> Meraki doesn't currently support IPv6 in any way, shape or form.
>
> Some other things you'll find missing in Meraki products:
>
> - Zone based firewalls - Meraki MX doesn't do zones
> - Routing protocols for all but the most absolutely basic use cases
> - Client side VPN.  More specifically it does PPTP but not so many
> people are sold on the security and NAT problems that come with PPTP
> - Modern crypto - IPSec Auth is limited to MD5/SHA1 for example.
> - Any sort of xDSL, they only have Ethernet models.  If you need xDSL
> you'll need a bridge modem for the carriage circuit
> - Extremely limited NAT capabilities, no ALG, no ability to disable
> NAT between eg WAN and LAN ports which means it's almost useless for
> an MPLS circuit.  The lack of control over NAT also makes it
> impossible to run a publicly addressable DMZ
> - SSL decryption which makes content filtering a bit less useful
> - Cellular is limited to not all 4G bands (notably does not support
> 700MHz here in Australia) and Cell backup is not supported in an HA setup
>
> And dare I say it, Segment Routing and MPLS definitely are not part of
> the featureset ;)
>
> There are many good things about Meraki (eg dashboard, autovpn,
> updates, ease of provisioning), but in my recent experience with MX/MS
> products you have to spend as much if not more time working out what
> Meraki products *can not* do as what they *can* do - and know the
> product limitations before you design and deploy not during (don't
> assume anything).
>
> Personally I would only recommend Meraki for a small business with
> very basic and well defined requirements.  Even then once you factor
> in the cost of licensing + hardware and compare it to a low end Cisco
> Enterprise product that does not have said limitations, you may find
> the cost is about the same over 3 or more years.

Sounds like pfSense might be a better option :-).

If I can summarize it in one sentence, is Meraki meant to be Cisco's
SD-WAN job?

Mark.


