One of the most popular aspects of the Meraki approach is the ease of deploying and maintaining multi-site networks. This capability is made possible thanks to the centralized, cloud-based architecture we have been operating since we started back in 2006. Configurations can be built within minutes and pushed to thousands of APs, switches and security appliances with just a few clicks of a mouse.
For those setting up and managing hundreds or even thousands of sites, anything which can be automated will improve efficiency and save time, with a real impact on operational expenditure. In this post we’ll explore how configuration templates can be created and used across the full Meraki stack to streamline deployment to multiple locations.
Before diving into the options available, a quick recap of how Meraki defines a ‘network’. A network is essentially a logical grouping of network components, so for example, a network could comprise one or more APs and switches, or a single security appliance. Alternatively, a network could be a logical group of more than one product type. For example, Meraki has a network it calls ‘Meraki Corp’ which is a container including all APs, switches and security appliances at our headquarters. The one rule to remember is that there can be only one security appliance (MX or Z1) in a network.
In no particular order, here are some of the tools which make building and maintaining multi-site networks easier.
Configuration Sync – replicate and compare AP and Security Appliance configurations
This at-a-glance tool, which lives under the ‘Organization’ tab of the dashboard menu, is designed for networks containing either multiple wireless APs or a single security appliance. The tool enables a comparison between one network and one or more others. For wireless networks, the tool enables comparison and synchronization of:
- Allowed and blocked devices
- Network alerts
- Network admins
- Group policies
- Summary reports
- Syslog servers
- Meraki User databases
Note that the target network can be either a configured network, or a tag name, so in the example above we are comparing the configuration for a network called ‘Corporate WiFi’ with APs tagged as ‘home’.
For the security appliances, the tool will compare settings for:
- Traffic shaping
- Security filtering
- Content filtering
For switch networks, in either standalone (switches only) or combined networks (containing more than one device type), the cloning tool can be used to copy the following attributes between switches of the same type and port count:
- Switch port configuration
- Link aggregates
- Access policies
- Mirrored ports
- RSTP bridge priority
In this example, a search has been done for switches of a certain type which are located on the 4th floor of our building, and tagged accordingly. The configuration for the London branch switch will be copied to the 6 switches found by this search.
Configuration Templates – create master templates for APs and Security Appliances
When deploying to multiple sites, maintaining a standard configuration template can be a highly effective time saver. With this approach, a master network is used to create a template – which appears as a special entry in the networks list – and target networks are then bound to this master. Almost all configuration settings are replicated and every time a change is made on the master network this is replicated to all bound networks. The replication process overwrites any configuration settings which have been made at the individual network level, so this is really an ‘all or nothing’ approach.
Once a network is bound to a template, only a subset of configuration options remains. This might include things like AP channel settings, WPA2 personal passphrases, or IP based VLAN addressing. Note the reduced list of menu options here:
More detail can be found in our excellent Knowledge Base article on the topic. We also recently announced an additional feature enabling the creation of extensible firewall templates for our Security Appliances, ensuring that where subnets are shared between locations, firewall rules are automatically adjusted to match their local addressing schema.
Tags and Profiles for managed client devices
The network infrastructure exists to serve client devices, so our hugely popular MDM solution, Systems Manager, also includes tools to assist with logically grouping and configuring large numbers of dispersed endpoints.
Systems Manager tags can be created to group together devices based on any useful criteria. In an education setting it might be useful to have one tag for ‘staff’ and another for ‘students’. Tagging devices as belonging to a specific business function, like ‘sales’ or ‘engineering’, may help to clearly identify a device’s intended purpose.
Once these tags have been established, profiles containing settings, restrictions and apps can be automatically applied by simply assigning them to tags. Tags can be assigned to devices manually, according to a schedule, or as part of device enrollment into MDM. Apple’s Device Enrollment Program takes the scaling potential even further, enabling the assignment of tags from the moment a batch of newly purchased iOS devices is powered on for the first time.
This approach makes replication of managed settings, restrictions and apps across tens, hundreds or even thousands of managed devices a cinch. Here’s an example showing the deployment of the Evernote app to all devices in the Physics department:
We’re always looking for ways to make the life of the network admin easier. Templates can play a big part in reducing duplicate effort across multi-site networks, and you can be sure we’re not done yet. Stay tuned for more news on configuration templates coming soon!