
MX Templates Best Practices

As a network deployment grows to span multiple sites, managing individual devices can become highly cumbersome and unnecessary. To help alleviate these operating costs, the Meraki MX Security Appliance offers the use of templates to quickly roll out new site deployments and make changes in bulk.

This guide will outline how to create and use MX templates in the dashboard.

It should be noted that service providers or deployments that rely heavily on network management via API are encouraged to consider cloning networks instead of using templates, as the API options available for cloning currently provide more granular control than the API options available for templates.

Planning a Template Deployment for MX

Before rolling out a template deployment (or enabling templates on a production network), it may be helpful to plan the "units" that make up your deployments. This involves asking questions such as:

  • What are my sites? (e.g. retail location, school, branch office, etc.)

  • Are the MXs going to be in HA?

  • Do I need local overrides?

Template Networks

A "site" in network deployment terms is usually the same as a "network" in dashboard terms; each site gets its own dashboard network. As such, when planning multiple sites to be configured the same way, they will share a template network.

A template network is a network configuration that is shared by multiple sites/networks. Individual site networks can be bound to a template network, so changes to the template will trickle down to all bound sites. A new network can also be created based on a template, making it easy to spin up new sites of the same type.

When planning a template deployment, you should have one template network for each type of site.

Configuration

The following sections walk through configuration and use of MX templates in dashboard.

Creating a Template Network

As outlined above, a template network should be created for each type of site to be deployed.

To create a template network:

  1. In the dashboard, navigate to Organization > Monitor > Configuration templates

  2. Click Create a new template

  3. Select a descriptive name for your template. If this is a completely new template, select Create new and MX template.

    • If this template should be based on an existing network, select Copy settings from and an existing Security appliance network.

  4. Click Add:

  5. If you would like to bind existing networks to this new template, select those networks as Target networks and click Bind. Otherwise, click Close.

Template VLAN Configuration

  1. In the dashboard, navigate to Security Appliance > Addressing & VLANs > Routing > Subnets

  2. Click on Use VLANs and then Add VLAN

  3. Select a descriptive name for your VLAN

  4. Choose whether the subnetting should be the same or unique for every network bound to this template.

    • If same is chosen, all the networks bound to the template will share the exact same subnet. VLANs configured this way are not eligible for site-to-site VPN.

    • If unique is chosen, each network bound to the template will get a unique subnet based on the configured options. The MX does not support local VLAN overrides on templates.

      • Subnets are assigned randomly to each network bound to the template.

For more information about template IP range VLAN allocation, reference our article on Managing Networks with Configuration Templates.

Template Static Routes

  1. In the dashboard, navigate to Security Appliance > Addressing & VLANs > Routing > Static Routes

  2. Click on Add Static Route

  3. Select a descriptive name for your static route

  4. Specify the subnet that is reached via the static route

  5. Indicate the IP address of the device that connects the MX Security Appliance to this route

  6. Choose the condition that controls when this route will be used


Please note that only VLANs using ‘same’ subnetting can be used to validate static routes on configuration templates. If the local VLAN subnetting is set to Unique, static routes cannot be configured on the template.

Template Firewall Rules

When configuring layer 3 firewall rules, either CIDR notation or the VLAN name can be used. The VLAN name is used when the entire subnet needs to be specified, whereas CIDR notation is used when more flexibility is needed to specify the subnets.

  1. Go to Security appliance > Configure > Firewall > Layer 3 and click Add a rule

  2. Choose the policy: specify whether traffic matching the rule should be allowed or denied

  3. Select the protocol to match in outbound traffic

  4. Specify the IP address or range, using CIDR notation, to match in outbound traffic. The name of a VLAN can be chosen instead

  5. Choose the Src/dst port to match in outbound traffic
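
The Python below is an added example, not part of the Meraki article, covering both the same/unique VLAN subnetting choice above and the VLAN-name versus CIDR firewall rules: it allocates a per-site subnet for each bound network from a constructed pool, checks which allocations are eligible for site-to-site VPN (no overlap), and expands a VLAN name in a template rule into the concrete CIDR for each site. The pool, site names, VLAN name and rule fields are assumptions made for the example.

```python
import ipaddress
from typing import Dict, Iterable

# Constructed values for this example; assumptions, not settings from the article.
TEMPLATE_POOL = ipaddress.ip_network("10.0.0.0/16")    # range a "unique" VLAN carves per-site subnets from
SITE_PREFIX = 24                                        # prefix length each bound network receives
BOUND_SITES = ["store-001", "store-002", "store-003"]   # networks bound to the template
SAME_SUBNET = ipaddress.ip_network("192.168.128.0/24")  # what every site gets under "same" subnetting


def allocate_unique_subnets(pool, prefix, sites) -> Dict[str, ipaddress.IPv4Network]:
    """Give each bound network its own non-overlapping subnet from the pool.
    The dashboard assigns these randomly; sequential allocation here keeps the
    result reproducible while preserving the property that matters: no overlap."""
    candidates = pool.subnets(new_prefix=prefix)
    allocation = {}
    for site in sites:
        try:
            allocation[site] = next(candidates)
        except StopIteration:
            raise ValueError(f"pool {pool} exhausted before allocating {site}")
    return allocation


def vpn_eligible(subnets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Site-to-site VPN needs every participating subnet to be distinct and
    non-overlapping, which is why a "same" VLAN cannot join the VPN."""
    nets = list(subnets)
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def render_l3_rule(rule: dict, vlan_subnets: Dict[str, ipaddress.IPv4Network]) -> dict:
    """Expand a template layer 3 rule that names a VLAN into the concrete CIDR
    for one bound network; CIDR literals and "Any" pass through unchanged."""
    rendered = dict(rule)
    for key in ("src", "dst"):
        value = rule[key]
        if value in vlan_subnets:
            rendered[key] = str(vlan_subnets[value])
        elif value.lower() != "any":
            ipaddress.ip_network(value)  # reject anything that is neither a VLAN name nor valid CIDR
    return rendered


if __name__ == "__main__":
    per_site = allocate_unique_subnets(TEMPLATE_POOL, SITE_PREFIX, BOUND_SITES)
    print("unique subnets eligible for VPN:", vpn_eligible(per_site.values()))
    print("'same' subnet eligible for VPN:", vpn_eligible([SAME_SUBNET] * len(BOUND_SITES)))
    guest_rule = {"policy": "deny", "protocol": "any", "src": "Guest", "dst": "10.10.0.0/16"}
    for site, subnet in per_site.items():
        print(site, render_l3_rule(guest_rule, {"Guest": subnet}))
```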

Template SD-WAN Policies

  1. Go to Security appliance > Configure > Traffic shaping > Flow preferences, and click Add a preference

  2. In the Definition field click Add +.

  3. The Custom expressions field appears first. In the text field, choose the protocol and then specify the Source address, where 192.168.0.0/16 or ‘Default’ represents your private subnet range. If only one particular host should be shaped, use the Host button to specify the last octet. Click the Add + button again when finished.

  4. Choose the preferred uplink, failover method, and performance class then click Save changes.

Local Overrides

Once an MX Security Appliance network has been bound to a template, some options can still be configured normally through the dashboard. Any local configuration changes made directly on the MX network will override the template configuration.

In the example below, the bound MX network was directly configured with a custom Default VLAN. This change can be made in the template network, under Security Appliance > Configure > Addressing & VLANs:

If a network is removed from a template, its local overrides are lost, along with any template-related configuration. The MX will automatically receive the configuration of the network it is in.

Static route overrides are not supported at this time for MX networks bound to templates.

DHCP Exceptions

The Meraki MX appliance provides a fully featured DHCP service which can be enabled and configured on each VLAN individually. When bound to a template, local overrides can be made to the DHCP configuration under Security appliance > Configure > DHCP.

Forwarding Rules Overrides

To override forwarding rules, navigate under Security appliance > Configure > Firewall > Forwarding rules overrides.

Performing MX Templates Firmware Upgrades

Firmware upgrades scheduled on the template will automatically be applied to the child networks according to each network's local time zone.

As a best practice, make sure that each MX has the correct local time zone configuration under Security Appliance > Monitor > Appliance Status.

MX Replacement Walkthrough

Below are instructions for how to copy configurations from a failed MX bound to a template.

  1. On the Organization > Configure > Inventory page, claim the new MX and then add the new MX to the existing network.

  2. Navigate to the network that has the faulty MX and remove it under Security Appliance > Monitor > Appliance Status > Remove appliance from network.

  3. Add the replacement MX to the same network by navigating to Network-wide > Configure > Add devices.

  4. Select the network and click on Add devices.

For more information on replacing an MX, refer to our MX Cold Swap article.

Article ID: 7148