Unified Branch
Overview
Modernizing corporate branches is a strategic imperative that dramatically enhances both digital and in-person interactions, significantly boosting customer experience and driving operational efficiency. This is particularly true as the branch stands as the prime platform for delivering a business model to the customer, serving as the very place where digital experiences are delivered to them.
The Cisco Unified Branch offers a comprehensive, full-stack platform for organizations that want advanced capabilities and simplified management at the branch. Built on Cisco Validated Designs (CVDs) and enhanced with an automation toolkit featuring Cisco Workflows and Branch as Code (BaC), it includes a curated set of products, tested and verified together, that integrate routing with next-generation firewall capabilities, Wi-Fi, and switching into a robust suite of services. All these components are centrally managed through a common dashboard.
This platform represents a fundamental shift from managing individual network and security devices to orchestrating all branch services as a cohesive whole. Organizations can define their operational "intent"—specifying desired capabilities, performance, and security—which is then automatically deployed across all underlying technologies. This platform-centric approach delivers significant benefits, including operational and integration simplification, consistent configurations, accelerated deployments, and a dramatically improved security posture.
This documentation centers on the Cisco Workflows Automation Toolkit and its Unified Branch deployment capabilities.
Key Features of Unified Branch
Full-stack Integration: Combines routing, next-generation firewall, Wi-Fi, IoT, and switching into a single, cohesive platform managed through a unified dashboard.
Cisco Validated Designs (CVDs): Provides prescriptive, tested blueprints that embed Cisco’s best practices to reduce deployment risk and accelerate implementation.
Automation Toolkit with Workflows: Intuitive interface with user-friendly, drag-and-drop style customization for effortless configuration.
AgenticOps and Security: Leverages AgenticOps to streamline branch network deployment while integrating robust, built-in security capabilities.
Scalability and Simplification: Designed to make branch deployments faster, simpler, and easier to maintain at scale, addressing IT resource and skill gaps.
Benefits of a Cisco Validated Design (CVD)
CVDs serve as the foundational, thoroughly tested blueprints that embed Cisco’s best practices for branch network deployment. The Unified Branch workflow operationalizes these CVDs.
This integration:
- Embeds CVD best practices directly into workflow templates for consistent, repeatable, and validated branch configurations
- Enables faster, more agile, and scalable deployments
In summary, Cisco Unified Branch combines validated design expertise with modern automation through Cisco Workflows, enabling enterprises and partners to deploy, manage, and scale branch networks with consistency and reliability aligned with contemporary DevOps practices.
For detailed implementation guidance, refer to the Cisco Unified Branch Small Branch CVD, which provides comprehensive deployment and configuration guidelines.
Unified Branch Design Components
Prerequisites
| Component | Model Family | Software Minimum | Co-term License* | Subscription License** |
| --- | --- | --- | --- | --- |
| Secure Router | | MX 18 | Secure SD-WAN Plus | Advantage |
| Access Switch | | CS 17/IOS XE 17.15 or 17.18 depending on the model | Advanced | Advantage |
| Access Switch | | IOS XE 17.15 or 17.18, depending on the model | Advanced | Advantage |
| Access Switch | | MS 17.1.4 | Advanced | Advantage |
| Wireless LAN Access Points | | MR 31 | Advanced | Advantage |
*For more information on co-term licensing, refer to Co-term – Licensing Overview.
**For more information on subscription licensing, refer to Subscription – Licensing Overview.
Before attempting to onboard a device to the dashboard, ensure all the dashboard prerequisites are met. This includes creating an organization and adding licenses. Refer to the Getting Started Checklist for additional information.
Workflow Steps
You can deploy a full-stack Unified Branch within seconds through two methods: using the Meraki dashboard interface or leveraging the AI Assistant.
Meraki dashboard-driven execution process:
- Go to Automation in the main menu and select Exchange.
- Find Unified Branch CVD in the list and click Install.
- Next, return to Automation and choose Workspace.
- In the Workspace, select Unified Branch and click View workflow.
- Locate the Run button at the top right corner and click it.
- Enter all required variables as prompted.
- Double-check your entered variables, then click Run to proceed.
- Once complete, your full-stack branch site will be deployed according to Cisco's validated design.
For more details on Cisco Workflows, refer to Workflow Overview.
AI Assistance-driven execution process:
- Ask the AI Assistant to deploy a unified branch, for example: "Can you help me automate the deployment of a Unified Branch based on Cisco validated design?" The request must include the keywords "automate" and "unified branch".
- Input your variables.
- Review your inputs and confirm; deployment begins instantly!
- After execution, your full-stack branch site will be provisioned in line with the Cisco-validated design.
What's being provisioned?
The base template includes 1 MX, 1 switch, and 2 APs:
Network-wide Settings
Under Network-wide > Configure on the Dashboard
| Main Menu | Section | Subsection | Values |
| --- | --- | --- | --- |
| General | General | Network name | <User Input> |
MX Secure Router Settings
Under Security & SD-WAN > Configure on the Dashboard
| Main Menu | Section | Subsection | Values |
| --- | --- | --- | --- |
| Site-to-site VPN | Site-to-site VPN | Type | Spoke |
| Site-to-site VPN | Site-to-site VPN | Hubs | <User Input>, IPv4 default route enabled |
| Addressing & VLANs | Deployment Settings | Mode | Routed |
| Addressing & VLANs | Routing | LAN Setting | VLANs |
| Addressing & VLANs | Routing | Subnets | |
| Addressing & VLANs | Routing | Per-port VLAN Settings | |
| DHCP | VLAN 10 | Client addressing | Run a DHCP server |
| DHCP | VLAN 10 | DNS nameservers | Use OpenDNS |
| DHCP | VLAN 20 | Client addressing | Run a DHCP server |
| DHCP | VLAN 20 | DNS nameservers | Use OpenDNS |
| DHCP | VLAN 30 | Client addressing | Run a DHCP server |
| DHCP | VLAN 30 | DNS nameservers | Use OpenDNS |
| DHCP | VLAN 40 | Client addressing | Run a DHCP server |
| DHCP | VLAN 40 | DNS nameservers | Use OpenDNS |
| Firewall | Layer 3 | Outbound rules | <User Input> |
| Firewall | Layer 3 | WAN appliance services | ICMP Any, Web None |
| SD-WAN & traffic shaping | Uplink selection | Load balancing | Enabled |
| SD-WAN & traffic shaping | Uplink selection | Multi-Uplink AutoVPN | Enabled |
| SD-WAN & traffic shaping | Global bandwidth limits | Per-client limit | unlimited |
| SD-WAN & traffic shaping | Traffic shaping rules | Default Rules | Enable default traffic shaping rules |
| Threat Protection | Advanced Malware Protection (AMP) | Mode | Enabled |
| Threat Protection | Intrusion detection and prevention | Mode; Ruleset | Prevention; Balanced |
Switch Settings
Under Switching > Configure on the Dashboard
| Main Menu | Section | Subsection | Values |
| --- | --- | --- | --- |
| Switch Settings | Switch settings | VLAN configuration | 10 |
| Switch Settings | Switch settings | STP configuration | Enable Rapid Spanning Tree (RSTP): Enabled |
Under Switching > Monitor on the Dashboard
| Main Menu | Section | Subsection | Values |
| --- | --- | --- | --- |
| Switch Ports | Switch Ports | Port 1 - uplink | |
| Switch Settings | Switch Ports | Port 8 and 9 - AP connection | |
Access Point Settings
Under Wireless > Configure on the Dashboard
| Main Menu | Section | Subsection | Values |
| --- | --- | --- | --- |
| Access Control | Basic info | SSID (name) | Guest-WiFi |
| Access Control | Security (Guest SSID) | | Password |
| Access Control | Security (Guest SSID) | WPA encryption | WPA3 Transition Mode |
| Access Control | Security (Guest SSID) | 802.11w | Enabled (allow unsupported clients) |
| Access Control | Security (Guest SSID) | Mandatory DHCP | Enabled |
| Access Control | Splash page (Guest SSID) | | Click-through |
| Splash page | Splash page (Guest SSID) | Official themes | Modern |
| Splash page | Splash behavior (Guest SSID) | Splash frequency; Where should users go after the splash page? | Every day; The URL they were trying to fetch |
| Access Control | Client IP and VLAN (Guest SSID) | Meraki AP Assigned (NAT Mode) | Isolated 10.0.0.0/8 network |
| Access Control | Basic info | SSID (name) | Staff-POS-WiiFi |
| Access Control | Security (Staff-POS SSID) | | Password |
| Access Control | Security (Staff-POS SSID) | WPA encryption | WPA3 Transition Mode |
| Access Control | Security (Staff-POS SSID) | 802.11w | Enabled (allow unsupported clients) |
| Access Control | Security (Staff-POS SSID) | Mandatory DHCP | Enabled |
| Access Control | Splash Page (Staff-POS SSID) | | None (direct access) |
| Access Control | Client IP and VLAN (Staff-POS SSID) | External DHCP server assigned | Enabled/Bridged |
| Access Control | Client IP and VLAN (Staff-POS SSID) | VLAN tagging | VLAN ID: Default AP tag, VLAN ID 20 |
| Firewall & traffic shaping | Block IPs and ports (Guest SSID) | Outbound rules | |
| Firewall & traffic shaping | Allow IPs and ports (Staff-POS SSID) | Outbound rules | |
| Firewall & traffic shaping | Traffic shaping rules (Guest SSID) | Per-client bandwidth limit; Per-SSID bandwidth limit; Shape traffic; Default Rules | Unlimited; Unlimited; Shape traffic on this SSID; Enable default traffic shaping rules |
| Firewall & traffic shaping | Traffic shaping rules (Staff-POS SSID) | Per-client bandwidth limit; Per-SSID bandwidth limit; Shape traffic; Default Rules | Unlimited; Unlimited; Shape traffic on this SSID; Enable default traffic shaping rules |
| SSID Availability | SSID availability (all SSIDs) | Visibility | Advertise this SSID publicly |
| SSID Availability | SSID availability (all SSIDs) | Per access point availability | Enabled on all access points |
| Radio Settings | RF profiles (Indoor/Outdoor default) | General/Band selection | All SSIDs |
Under Wireless > Monitor on the Dashboard
| Main Menu | Section | Subsection | Values |
| --- | --- | --- | --- |
| Access Points | <Select AP> | LAN IP (edit) | VLAN 10 |
Input variables can be conveniently updated through the workflow's user input window, with assistance from the AI Assistant, or by manually accessing Automation > Variables and selecting the appropriate JSON file.
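One way to confirm, after a workflow run or a later manual change, that the security-relevant settings still match the values listed under "What's being provisioned?" is a drift check against that baseline. The following is an added example, not Cisco's code: the key names and the snapshot layout are hypothetical and do not correspond to a Meraki API or export format, and the snapshot is constructed sample data.

```python
# Baseline values are copied from the "What's being provisioned?" tables.
# The key names and the snapshot layout are hypothetical, not a Meraki format.
BASELINE = {
    "appliance": {
        "vpn_type": "Spoke", "amp_mode": "Enabled",
        "ips_mode": "Prevention", "ips_ruleset": "Balanced",
        "wan_services": {"ICMP": "Any", "Web": "None"},
    },
    "ssids": {
        "Guest-WiFi": {
            "wpa_encryption": "WPA3 Transition Mode", "mandatory_dhcp": "Enabled",
            "splash_page": "Click-through",
            "client_ip": "Meraki AP Assigned (NAT Mode)",
        },
        "Staff-POS-WiiFi": {
            "wpa_encryption": "WPA3 Transition Mode", "mandatory_dhcp": "Enabled",
            "splash_page": "None (direct access)", "vlan_id": 20,
        },
    },
}

def _norm(value):
    """Compare strings case-insensitively; leave other types untouched."""
    return value.strip().lower() if isinstance(value, str) else value

def find_drift(expected, actual, path=""):
    """List (path, expected, actual) for each baseline setting that differs or is missing."""
    drift = []
    for key, want in expected.items():
        here = f"{path}/{key}" if path else key
        have = actual.get(key) if isinstance(actual, dict) else None
        if isinstance(want, dict):
            drift.extend(find_drift(want, have, here))
        elif _norm(have) != _norm(want):
            drift.append((here, want, have))
    return drift

# Constructed snapshot: IPS changed to detection, the WAN appliance Web
# service set to Any, and the guest SSID absent from the export.
SNAPSHOT = {
    "appliance": {"vpn_type": "spoke", "amp_mode": "Enabled", "ips_mode": "Detection",
                  "ips_ruleset": "Balanced", "wan_services": {"ICMP": "Any", "Web": "Any"}},
    "ssids": {"Staff-POS-WiiFi": {
        "wpa_encryption": "WPA3 Transition Mode", "mandatory_dhcp": "Enabled",
        "splash_page": "None (direct access)", "vlan_id": 20}},
}
if __name__ == "__main__":
    for setting, want, have in find_drift(BASELINE, SNAPSHOT):
        print(f"DRIFT {setting}: expected {want!r}, found {have!r}")
```

A setting missing from the snapshot is reported with a found value of None, so an SSID that was deleted or renamed shows up as drift rather than passing silently.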


