Internet censorship is the control or suppression, enacted by regulators, of what can be accessed, published, or viewed on the Internet; many governments practise it.
China's Internet censorship is more comprehensive and sophisticated than that of any other country, which has significant implications for traffic destined to or sourced from mainland China. Some of those implications are:
Unreliable packet delivery
Blockage of a list of services and websites
In 2017, the Standing Committee of the National People's Congress of China promulgated a cybersecurity law which, among other things, requires network operators to store data locally within mainland China.
In response to all that, Cisco Meraki built a China service to better serve customers who are located or have a presence in mainland China. The China service is a separate instance of the Cisco Meraki dashboard, hosted in mainland China and independent of the global Meraki dashboard.
For global customers with a presence in mainland China, Cisco Meraki strongly advises that the Cisco Meraki devices in mainland China be placed in Cisco Meraki's China service (https://dashboard.meraki.cn), which requires some extra considerations for the SD-WAN deployment.
This blog covers the solution and design considerations for building a cross-border data connection over Alibaba Cloud to connect the SD-WAN fabric across the two instances of the Cisco Meraki dashboard, offering better latency and more reliable packet delivery without the need to invest in an expensive private network.
Create a new Meraki network
- From the Organization menu, select Create network.
- Choose a network name and set the network type to either Combined hardware or Security appliance, then select the vMX from the inventory list.
- Generate an authentication token. The Meraki authentication token is valid for one hour after it is generated, and it is required to map the virtual MX hosted at the cloud vendor to the correct Meraki organization/network.
- Navigate to the vMX network and click the Security & SD-WAN menu, then Appliance status.
- The Meraki virtual MX is in NAT mode by default; its operating mode must be changed to passthrough.
- From the Addressing & VLANs menu, choose Passthrough or VPN Concentrator mode instead of Routed.
- Make sure to build at least two vMXs: one hosted in the global Meraki dashboard (https://dashboard.meraki.com) and another instance hosted in the Meraki China service (https://dashboard.meraki.cn).
Alibaba Cloud Configuration
Create at least two Virtual Private Clouds (VPCs) within the Alibaba organization: one hosted in a global Point of Presence (PoP), such as Sydney, and the other hosted within mainland China, such as Shenzhen.
Building Virtual Private Cloud (VPC)
- From Products and Services menu, select Virtual Private Cloud.
- Select the Point of Presence (PoP) to host the vMX on.
- Configure the VPC name and CIDR block
- Create at least two virtual switches within the VPC in two different zones and assign CIDR ranges within the chosen block.
Create Elastic Compute Service
- From the Alibaba Marketplace, under Software Infrastructure / Network Infrastructure, search for Cisco Meraki vMX.
- Click on "Choose your plan", then:
- Select your Billing Method
- Choose Alibaba Point of Presence (PoP) and the primary zone to deploy the vMX on
- Keep the rest of configuration as default then click next
- Configure the Networking
- Make sure to select the correct virtual switch.
- Tick the Assign Public IPv4 Address option
- Select the billing method then click Next
- Apply the Meraki vMX Token
- Change the Instance name or keep the default
- Expand Advanced (based on instance RAM roles or Cloud-init) and paste the Meraki vMX authentication token under User Data, then click Next.
- Keep the rest of the configuration as default, then click Next.
- Repeat the same steps to create at least two vMXs, one in the Sydney PoP and one in the Shenzhen PoP.
After completing this section, you should have the Cisco Meraki vMXs up and running. Make sure to verify the public IP used by each vMX and match it with the corresponding Alibaba ECS instance.
Routing Adjustment across Domains
There are at least four routing tables that need adjustment to allow the cross-border communication; the work splits into two sections.
Cisco Meraki Routing
- Select the vMX network, then go to Security & SD-WAN > Site-to-Site VPN and enable Hub mode.
- Under the VPN settings section, add a local network:
- Add Local subnet(s) of the current vMX
- Add the remote subnet(s) of the other Meraki vMX
- Add the remote subnet(s) of the cross-border network
- Configure the Site-to-Site VPN spokes to point to the respective Alibaba vMX hub
- Repeat the same steps to create the other side of the network
Alibaba Cloud Enterprise Network (CEN) Routing
- From the main menu, select Cloud Enterprise Network, then create a new instance and give it a name.
- Exit the page and create a Transit Router: select the region (PoP) and configure a name.
- Create a connection and choose VPC, then the network and the virtual switches. In the advanced settings, ticking all the boxes creates three static routes for the RFC 1918 subnets that direct the traffic to the transit router as the next hop.
- Repeat steps 2 and 3 for the other PoP.
- Create an additional connection and choose Cross-region: from any of the instances created in steps 3 or 4, select Cross-region connections.
- Create the route back in the route tables of each VPC:
- From the VPC menu, choose Route Table and click on Custom Route. Add the routes of the branches and select the next hop to be the vMX ECS instance.
- After adding the route, make sure to publish it to CEN from the "Route Status in CEN" column.
- Repeat the last step for the other VPC in the network.
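As an added example (not part of the original post or any Meraki/Alibaba tooling), the following Python script models the routing tables adjusted above as longest-prefix-match tables and walks a packet from one AutoVPN fabric to the other, which makes it easy to see which table drops the traffic when a step is missed, for instance a VPC custom route that was never published to CEN. All prefixes and table names are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (assumption, not from the post): AutoVPN
# spoke subnets behind each vMX hub and the two Alibaba VPC CIDRs.
CN_BRANCH, GLOBAL_BRANCH = "10.10.0.0/16", "10.20.0.0/16"
CN_VPC, SYD_VPC = "192.168.10.0/24", "192.168.20.0/24"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# The routing tables the post adjusts, as (prefix, next hop) lists. The next
# hop "autovpn" means the packet is handed to a Meraki AutoVPN spoke (delivered).
TABLES = {
    # Shenzhen vMX site-to-site VPN settings: local subnet plus remote subnets
    "vmx_cn": [(CN_BRANCH, "autovpn"), (GLOBAL_BRANCH, "vpc_cn_rt"), (SYD_VPC, "vpc_cn_rt")],
    # Shenzhen VPC route table: branch route -> vMX ECS, RFC 1918 -> transit router
    "vpc_cn_rt": [(CN_BRANCH, "vmx_cn")] + [(p, "cen") for p in RFC1918],
    # CEN transit routers joined by the cross-region connection: routes published by each VPC
    "cen": [(CN_BRANCH, "vpc_cn_rt"), (CN_VPC, "vpc_cn_rt"),
            (GLOBAL_BRANCH, "vpc_syd_rt"), (SYD_VPC, "vpc_syd_rt")],
    # Sydney VPC route table and vMX, mirroring the Shenzhen side
    "vpc_syd_rt": [(GLOBAL_BRANCH, "vmx_syd")] + [(p, "cen") for p in RFC1918],
    "vmx_syd": [(GLOBAL_BRANCH, "autovpn"), (CN_BRANCH, "vpc_syd_rt"), (CN_VPC, "vpc_syd_rt")],
}

def lookup(table, dst):
    """Longest-prefix match of dst against one (prefix, next hop) table."""
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(tables, start, dst_ip, max_hops=8):
    """Follow next hops from table `start` until the packet reaches an AutoVPN
    spoke or is dropped; returns the list of hops taken."""
    dst = ipaddress.ip_address(dst_ip)
    path = [start]
    for _ in range(max_hops):
        hit = lookup(tables[path[-1]], dst)
        if hit is None:
            return path + ["DROP: no route"]
        path.append(hit[1])
        if hit[1] == "autovpn":
            return path
    return path + ["DROP: loop"]

def without_route(tables, name, prefix):
    """Copy of the tables with one route removed, e.g. a VPC custom route that
    was never published to CEN, to show where the return path then fails."""
    out = dict(tables)
    out[name] = [r for r in tables[name] if r[0] != prefix]
    return out
```

Running `trace(TABLES, "vmx_cn", "10.20.0.7")` shows the full Shenzhen-to-Sydney path, while `trace(without_route(TABLES, "cen", "10.10.0.0/16"), "vmx_syd", "10.10.0.5")` stops at the transit router, which is what an unpublished custom route looks like in practice.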
Overall, integrating Cisco Meraki SD-WAN with Alibaba Cloud Enterprise Network enables organizations to create a unified and efficient network infrastructure that spans different regions and meets their business needs. The integration provides a secure and reliable way to connect branch offices or data centres within mainland China to other global locations, and allows you to optimize network traffic and improve application performance.