Managed Service Providers (MSPs)
Managed Service Providers (MSPs) are in a unique situation of needing to manage multiple distinct customer organizations in Dashboard. These customers often need to have independently managed licensing, users, and VPN peers. This page outlines tools, best practices, and recommended steps for managing multiple organizations as an MSP.
This document is intended to be used as a general reference guide for best practice design with Meraki, but it is important to note that each deployment is unique and users should determine design and configurations based on their individual needs. Deployment plans should be created, reviewed, and finalized with your Meraki sales team and systems engineer.
Global Overview Page
To aid MSPs in managing multiple organizations, the Global Overview page is displayed automatically for any user account that has access to multiple organizations with a single set of credentials. The Global Overview link is displayed at the top of the left-hand navigation, in addition to the Organization dropdown above the network dropdown. When you select an organization from the dropdown, the networks contained in that organization appear in the corresponding network dropdown.
Creating an Organization
To create a new organization for a customer/company, which will then contain their various networks, perform the following steps:
If the Organization dropdown is already present:
- Click Global Overview.
- On the Global Overview page, select the Add Organization button on the right side of the page.
If the Organization dropdown is not present:
- Sign out of Dashboard if already logged in
- Click Create an account
- Enter the same Email and Password that is currently used for the MSP admin account (the generic shared address recommended under Operational Best Practices for Service Providers)
- Enter Company as the name for the organization (best used to identify the company/customer)
  - This can be changed later if needed under Organization > Settings
- Address is optional
- Click Create account
- The organization has been created. If a network needs to be created at this time, that can be done from this page.
  - If a network is not created at this time, the organization will only be available from the MSP portal page, and not from the Organization dropdown
  - It is recommended to create a network, even if left empty. It can be deleted or renamed at a later time.
If an Organization dropdown is not presented at this time, the account password may need to be updated in order to sync across organizations.
- Click My profile in the upper right corner of Dashboard
- Go to Change your password
- Enter the account's current password in all three fields
- Click Change password
- Click Sign out in the upper right corner of Dashboard
- Proceed to log in; an Organization dropdown should now be displayed
Best Practices For Service Providers
For service providers, the standard service model is "one organization per service, one network per customer."
Recommended Dashboard Structures
The following three models represent the three main methods of dashboard structure recommended for MSPs. While the Standard Service model is recommended for most customers (and is used by roughly 80% of our MSPs), it may be worth considering the other models if the end-customers’ network requirements warrant a more tailored approach. Keep in mind that the differentiator among Organizations in the dashboard should be the nature of the service for the organization or the nature of the customer’s network.
Standard Service: Organization per Service, Network per Customer
The standard service model is the most popular and common structure used by MSPs and is highly recommended by Meraki as it enables multiple operational benefits for the MSP. In the Standard Service model, the Global Overview is structured around services offered. This Standard Service is based on the notion of the MSP offering a uniform service to all customers, and in this model, an MSP will typically create separate organizations for each service offering. Generally, organizations could represent tiers of service such that Basic, Intermediate, and Advanced services provided by an MSP would each warrant one organization.
When a customer wants to change their service model, they can move to the Meraki organization that is already set for the service they want to move to, which allows organizations to function as templates for service offerings. This eliminates the overhead required to create organization configurations from scratch to suit each customer.
Bespoke/Tailored Service: One Organization per Customer
Sometimes customers require an organization-per-customer model, as in cases where the end customer owns their own equipment or requires full management of their own network. In a Tailored Service model, each end customer usually owns the hardware and the MSP generally provides IT services or consulting. The Tailored Service model is best used for customers who require custom environments, customers who manage their own equipment, or customers whose contracts require their own access. This model is only recommended if the customer’s network structure requires it, because it does not scale as well as the Standard Service model. This structure should be used if customers own equipment, as it allows customers to be treated in a modular manner: they can be separated from the MSP if necessary and can be granted full management access. This model is best suited for small MSPs, or large bespoke MSPs with locally-managed locations.
SD-WAN as a Service: One Organization per Customer
In a Standard Service model, MSPs have multiple customers in the same organization for ease of management. This structure should not be used if SD-WAN is the service delivered to the customers, because the scope of an organization defines the connectivity domain for AutoVPN. Each SD-WAN customer will therefore need to be assigned to its own dedicated organization. This model is typically optimized for mid-sized to large end-customers with multiple locations/branches.
An ideal structure for a Global Overview page also has:
- One or more totally empty organization(s) for cloning purposes (no devices or licenses, ever)
- One shutdown organization with a shutdown network, used to keep devices that are currently unused
- Separate networks under each organization, generally organized by physical location
Note that the ‘Global Overview’ is tied to an account. Multiple accounts under the same MSP company do not necessarily have the same Global Overview page view. Another account could potentially see a different set of customers if their account has not been added to the same organization admin lists.
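The per-account visibility described above can be checked by comparing each organization's admin list with the set of accounts the MSP expects to have access. The following is an added example, not part of the original Meraki documentation; the sample data is constructed, and its `email` and `orgAccess` fields follow the admin objects returned by the Dashboard API's organization admins endpoint. Fetching the lists is not shown.

```python
# Constructed sample data: organization name -> admin list.
SAMPLE_ADMINS = {
    "Basic Service": [
        {"email": "meraki@example.com", "orgAccess": "full"},
        {"email": "alice@example.com", "orgAccess": "full"},
    ],
    "Advanced Service": [
        {"email": "meraki@example.com", "orgAccess": "full"},
        {"email": "bob@example.com", "orgAccess": "read-only"},
    ],
    "Shutdown": [
        {"email": "meraki@example.com", "orgAccess": "full"},
        {"email": "Alice@example.com", "orgAccess": "read-only"},
    ],
}


def audit_admin_coverage(admins_by_org, expected_admins):
    """Compare every organization's admin list with the expected MSP accounts.

    Returns three maps keyed by lower-cased e-mail address:
      missing    -> organizations the expected account is not an admin of
                    (those customers will not appear in its Global Overview)
      unexpected -> organizations where an account outside the expected set
                    holds admin access
      reduced    -> (organization, orgAccess) pairs where an expected account
                    is present but without full organization access
    """
    expected = {e.lower() for e in expected_admins}
    missing, unexpected, reduced = {}, {}, {}
    for org in sorted(admins_by_org):
        # E-mail case differs between entries in practice, so normalize it.
        access = {a["email"].lower(): a.get("orgAccess", "none")
                  for a in admins_by_org[org]}
        present = set(access)
        for email in sorted(expected - present):
            missing.setdefault(email, []).append(org)
        for email in sorted(present - expected):
            unexpected.setdefault(email, []).append(org)
        for email in sorted(expected & present):
            if access[email] != "full":
                reduced.setdefault(email, []).append((org, access[email]))
    return {"missing": missing, "unexpected": unexpected, "reduced": reduced}


if __name__ == "__main__":
    report = audit_admin_coverage(
        SAMPLE_ADMINS, ["meraki@example.com", "alice@example.com"])
    for kind, entries in report.items():
        print(kind, entries)
```
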
Operational Best Practices for Service Providers
When creating new networks and organizations as an MSP, there are some best practices that increase the ease of management and prevent scalability problems as the service grows.
- When creating multiple Organizations:
  - Create a unique name for each Organization to avoid confusion.
  - Licenses, user accounts, site-to-site VPN, and device inventory are organization-wide. Because of this, deploy a separate Organization for each budgetary group/company.
  - When creating the Organization, an email is required. This email is used as the administrative login for the Dashboard account, so it should not be a personal email. This will allow recovery of the account if there is a change in personnel.
- Clone new customer organizations from an existing organization to preserve SP-specific features
  - Some settings, such as branding or EoGRE, must be enabled by Support. Cloning from an organization that already has these features will prevent an extra call to Support, as the SP-specific features are retained during the cloning process.
  - Please see the linked article for information on what settings are carried over during the cloning process
- Create networks and organizations using a generic shared address, such as meraki@example.com
  - Multiple admins can easily access and share this account
  - As admins change, the account remains the same. The account can be tied to a mailer list to ensure that, in the event of an alert or licensing issue, multiple parties are notified
  - Additional admins can still be added with their own e-mails, after creation is done using the generic account
- Create separate organizations for each customer/company, since each organization will share the following across its networks/devices:
  - User accounts
  - Cisco Meraki VPN peers
  - 3rd party VPN peers
  - Licensing co-termination and feature set
- Use SAML with the Cisco Meraki Dashboard to provide external authentication of users and a means of SSO (Single Sign-On)
MSP Features and Tools
There are a number of features and tools in Dashboard designed to aid new customer deployment and make the MSP experience as seamless as possible. Please refer to the following articles for more information:
- Dashboard Branding for MSPs - Allows different elements of the end-customer's Dashboard to be customized, allowing for an MSP-branded experience.
- Private Uplinks - Bypasses connection monitor, thus allowing the use of private links as a WAN connection to establish Auto-VPN or third-party VPNs over MPLS links.
- SSID-only Administrators - Provide a simplified interface for end customers to view statistics and modify specific SSIDs.
- MV Video Privacy for Service Providers - Restricts access to video footage while allowing end customers to grant access to video when needed.
- Dashboard API - Designed to allow rapid provisioning and configuration of new and existing customer organizations.
- L2TPv3 Concentration for SSID - Allows Customer Premises Equipment (CPE) to bridge the Layer 2 traffic from an end host to an aggregation gateway.
- EoGRE - Enables Customer Premises Equipment (CPE) to bridge the Layer 2 traffic from an end host to an aggregation gateway.
Additional Resources
Please refer to the following articles for more info about MSP resources:
- Cloning an Organization
- F.A.Q. about Licensing for MSPs
- Managing Dashboard Administrators and Permissions
- Using Configuration Templates - Templates can be used to bulk manage sites with similar configurations, or quickly spin up new sites.
- SP initiated SAML