
MX Templates Best Practices

As a network deployment grows to span multiple sites, managing individual devices can become highly cumbersome and unnecessary. To help alleviate these operating costs, the Meraki MX Security Appliance offers the use of templates to quickly roll out new site deployments and make changes in bulk.

This guide will outline how to create and use MX templates in the dashboard.

It should be noted that service providers or deployments that rely heavily on network management via API are encouraged to consider cloning networks instead of using templates, as the API options available for cloning currently provide more granular control than the API options available for templates.

Planning a Template Deployment for MX

Before rolling out a template deployment (or enabling templates on a production network), it may be helpful to plan the "units" that make up your deployments. This involves asking questions such as:

  • What are my sites? (e.g. retail location, school, branch office, etc.)

  • Are the MXs going to be in HA?

  • Do I need local overrides?

Template Networks

A "site" in network deployment terms is usually the same as a "network" in dashboard terms; each site gets its own dashboard network. As such, when planning multiple sites to be configured the same way, they will share a template network.

A template network is a network configuration that is shared by multiple sites/networks. Individual site networks can be bound to a template network, so changes to the template will trickle down to all bound sites. A new network can also be created based on a template, making it easy to spin up new sites of the same type.

When planning a template deployment, you should have one template network for each type of site.


The following sections walk through configuration and use of MX templates in the dashboard.

Creating a Template Network

As outlined above, a template network should be created for each type of site to be deployed.

To create a template network:

  1. In the dashboard, navigate to Organization > Monitor > Configuration templates

  2. Click Create a new template

  3. Select a descriptive name for your template. If this is a completely new template, select Create new and MX template.

    • If this template should be based on an existing network, select Copy settings from and an existing Security appliance network.

  4. Click Add.

  5. If you would like to bind existing networks to this new template, select those networks as Target networks and click Bind. Otherwise, click Close.

Template VLAN Configuration
  1. In the dashboard, navigate to Security Appliance > Addressing & VLANs > Routing > Subnets

  2. Click on Use VLANs and then Add VLAN

  3. Select a descriptive name for your VLAN

  4. Choose whether the subnetting should be the same or unique for every network bound to this template.

    • If same is chosen, all the networks bound to the template will share the exact same subnet. This is not eligible for site-to-site VPNs.

    • If unique is chosen, each network bound to the template will get a unique subnet based on the configured options. The MX does not support local VLAN overrides on templates.

      • Subnets are assigned randomly to each network bound to the template.




For more information about template IP range VLAN allocation, reference our article on Managing Networks with Configuration Templates.

Template Static Routes
  1. In the dashboard, navigate to Security Appliance > Addressing & VLANs > Routing > Static Routes

  2. Click on Add Static Route

  3. Select a descriptive name for your static route

  4. Specify the subnet that is reached via the static route

  5. Indicate the IP address of the device that connects the MX Security Appliance to this route

  6. Choose the condition that controls when this route will be used


Please note that only VLANs using the ‘same’ subnetting can be validated against for configuration templates. If the local VLAN subnetting is set to Unique, static routes cannot be configured on the template.


Template Firewall Rules

When configuring layer 3 firewall rules, CIDR notation, as well as the VLAN name, can be used. The VLAN name is used when the entire subnet needs to be specified whereas CIDR notation is used when more flexibility is needed to specify the subnets.


  1. Go to Security appliance > Configure > Firewall > Layer 3, click Add a rule

  2. Choose the policy: specify whether traffic matching the rule should be allowed or denied

  3. Select the protocol to match in outbound traffic

  4. Specify the IP address or range, using CIDR notation, to match the outbound traffic. The name of a VLAN can be chosen instead

  5. Choose the Src/dst port to match in outbound traffic



Template SD-WAN Policies
  1. Go to Security appliance > Configure > Traffic shaping > Flow preferences, and click Add a preference

  2. In the Definition field click Add +.

  3. The Custom expressions field should appear first. In the text field, choose the protocol and then specify the Source address where or ‘Default’ is your private subnet range. If it is only desired to shape one particular host, use the Host button to specify the host address. Click the Add + button again when finished.

  4. Choose the preferred uplink, failover method, and performance class then click Save changes.



Local Overrides

Once an MX Security Appliance network has been bound to a template, some options can still be configured normally through the dashboard. Any local configuration changes made directly on the MX network will override the template configuration.

In the example below, the bound MX was directly configured to have a custom Default VLAN. This change can be made in the template network, under Security Appliance > Configure > Addressing & VLANs:




If a network is removed from a template, its local overrides are automatically lost, along with any template-related configuration. The MX will automatically get the configuration from the network it is on.


Note: Auto VPN hubs should not be added to templates at all. It is not possible to configure an MX as a spoke with an exit hub that is part of a template.

Note: Static Route and Unique local VLAN overrides are not supported at this moment for MX networks bound to templates.


DHCP Exceptions

The Meraki MX appliance provides a fully-featured DHCP service which can be enabled and configured on each VLAN individually. When bound to a template, local overrides can be made to the DHCP configurations under Security appliance > Configure > DHCP.




Forwarding Rules Overrides

To override forwarding rules, navigate to Security appliance > Configure > Firewall > Forwarding rules overrides.

Templates with MXs of Different Port Counts

Port numbering can differ between MX models, which can cause confusion when assigning a configuration to a specific port number in a template. For example, a configuration on LAN 2 in a template doesn't affect any ports on an MX65.

This table outlines template port numbers and their corresponding physical port on some MX models (red fields indicate ports used for secondary WAN connections):

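Port counts per model:

| Model | Z1 | Z3 | MX60 | MX64/W | MX65/W | MX67/C/W | MX68/W/CW | MX70 | MX80 | MX84 | MX90 | MX100 | MX400 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WAN ports | 1 | 1 | 1 | 1 | 2 | 1 | 2 | 2 | 1 | 2 | 1 | 1 | 2 |
| LAN ports | 4 | 5 | 4 | 4 | 10 | 4 | 10 | 4 | 4 | 8 | 8 | 8 | 2(+)* |
| Fiber ports | | | | | | | | | | 2 | 2 | 2 | |

Physical port for each dashboard label:

| Dashboard label | Z1 | Z3 | MX60 | MX64/W | MX65/W | MX67/C/W | MX68/W/CW | MX70 | MX80 | MX84 | MX90 | MX100 | MX400 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WAN1 | Internet | | Internet | Internet | Internet1 | Internet | Internet1 | Internet1 | Internet | Internet1 | Internet | Internet | Internet1 |
| WAN2 | | | | | Internet2 | | Internet2 | Internet2 | | Internet2 | | | Internet2 |
| LAN 2 | 1 | 1 | 1 | 1 | | 2 | | | 2 | | 2 | 2 | |
| LAN 3 | 2 | 2 | 2 | 2 | 3 | 3 | 3 | 1 | 3 | 3 | 3 | 3 | 1 |
| LAN 4 | 3 | 3 | 3 | 3 | 4 | 4 | 4 | 2 | 4 | 4 | 4 | 4 | 2 |
| LAN 5 | 4 | 4 | 4 | 4 | 5 | 5 | 5 | 3 | 5 | 5 | 5 | 5 | |
| LAN 6 | | 5(PoE) | | | 6 | | 6 | 4 | | 6 | 6 | 6 | |
| LAN 7 | | | | | 7 | | 7 | | | 7 | 7 | 7 | |
| LAN 8 | | | | | 8 | | 8 | | | 8 | 8 | 8 | |
| LAN 9 | | | | | 9 | | 9 | | | 9 | 9 | 9 | |
| LAN 10 | | | | | 10 | | 10 | | | 10 | 8(SFP) | 10(SFP) | |
| LAN 11 | | | | | 11(PoE+) | | 11(PoE+) | | | 11(SFP) | 9(SFP) | 11(SFP) | |
| LAN 12 | | | | | 12(PoE+) | | 12(PoE+) | | | 12(SFP) | | | |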

* (+) : Model is capable of being modified to include additional LAN ports by installing interface modules

You can toggle the LAN2 port between LAN and Internet, through Uplink configuration under the Local status tab on the Local Status Page.
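The port table above can be used as a pre-deployment check: for a given template port, which bound networks get no port at all, and which get a physical port with a different number. This is an added example, not Meraki code; it covers six of the models from the table, and the network names in the fleet are hypothetical.

```python
# Port rows copied from this page's table for six models; "-" = no port for that label.
PORT_TABLE = """
LAN  MX64/W  MX65/W    MX67/C/W  MX70  MX84     MX400
2    1       -         2         -     -        -
3    2       3         3         1     3        1
4    3       4         4         2     4        2
5    4       5         5         3     5        -
6    -       6         -         4     6        -
7    -       7         -         -     7        -
8    -       8         -         -     8        -
9    -       9         -         -     9        -
10   -       10        -         -     10       -
11   -       11(PoE+)  -         -     11(SFP)  -
12   -       12(PoE+)  -         -     12(SFP)  -
"""

def load_port_map(text=PORT_TABLE):
    """Return {model: {template_lan_number: physical_port_label}}."""
    header, *rows = [line.split() for line in text.strip().splitlines()]
    models = header[1:]
    port_map = {m: {} for m in models}
    for lan, *cells in rows:
        for model, cell in zip(models, cells):
            if cell != "-":
                port_map[model][int(lan)] = cell
    return port_map

def audit_template_port(lan_number, fleet, port_map=None):
    """Classify each bound network for one template port setting.

    fleet is {network_name: model}. Status is "unmapped" (no port is
    affected), "renumbered" (different physical number) or "direct".
    """
    port_map = port_map or load_port_map()
    report = {}
    for network, model in fleet.items():
        physical = port_map[model].get(lan_number)
        if physical is None:
            report[network] = ("unmapped", None)
        elif physical.split("(")[0] != str(lan_number):
            report[network] = ("renumbered", physical)
        else:
            report[network] = ("direct", physical)
    return report

# Constructed fleet: hypothetical networks bound to one template.
FLEET = {"store-001": "MX64/W", "store-002": "MX65/W", "store-003": "MX70", "dc-edge": "MX84"}
```

Networks reported as "unmapped" or "renumbered" are the ones to review before relying on a per-port setting in the template, such as a VLAN assignment.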

Performing MX Templates Firmware Upgrades

Firmware upgrades scheduled on the template are automatically applied according to each child network's local time zone.


As a best practice, make sure that each MX has the correct local time zone configuration under Security Appliance > Monitor > Appliance Status.




MX Replacement Walkthrough

Below are instructions for how to copy configurations from a failed MX bound to a template.

  1. On the Organization > Configure > Inventory page, claim the new MX and then add the new MX to the existing network.

  2. Navigate to the network that has the faulty MX and remove it under Security Appliance > Monitor > Appliance Status > Remove appliance from network

  3. Add the replacement MX to the same network by navigating to Network-wide > Configure > Add devices

  4. Select the network and click on Add devices.


For more information on replacing an MX, refer to our MX Cold Swap article.



Article ID

ID: 7148
