Cisco Meraki Documentation

Unified Branch
    Introduction

    Modernizing corporate branches is a strategic imperative: it improves both digital and in-person interactions, boosting customer experience and operational efficiency. The branch is the primary platform through which a business delivers its model, and its digital experiences, to the customer.

    The Cisco Unified Branch offers a comprehensive, full-stack platform for organizations that want advanced capabilities and simplified management at the branch. It is built on Cisco Validated Designs (CVDs) and enhanced with an automation toolkit featuring Cisco Workflows and Branch as Code (BaC). It includes a curated set of products, tested and verified together, that integrate routing with next-generation firewall capabilities, Wi-Fi, and switching into a robust suite of services, all centrally managed through a common dashboard.

    This platform represents a fundamental shift from managing individual network and security devices to orchestrating all branch services as a cohesive whole. Organizations can define their operational "intent"—specifying desired capabilities, performance, and security—which is then automatically deployed across all underlying technologies. This platform-centric approach delivers significant benefits, including operational and integration simplification, consistent configurations, accelerated deployments, and a dramatically improved security posture.

    This documentation centers on the Cisco Workflows Automation Toolkit and its Unified Branch deployment capabilities.

    Key Features of Unified Branch

    Full-stack Integration: Combines routing, next-generation firewall, Wi-Fi, IoT, and switching into a single, cohesive platform managed through a unified dashboard.

    Cisco Validated Designs (CVDs): Provides prescriptive, tested blueprints that embed Cisco’s best practices to reduce deployment risk and accelerate implementation.

    Automation Toolkit with Workflows: Intuitive interface with user-friendly, drag-and-drop style customization for effortless configuration.

    AgenticOps and Security: Leverages AgenticOps to streamline branch network deployment while integrating robust, built-in security capabilities.

    Scalability and Simplification: Designed to make branch deployments faster, simpler, and easier to maintain at scale, addressing IT resource and skill gaps.

    Benefits of a Cisco Validated Design (CVD)

    CVDs serve as the foundational, thoroughly tested blueprints that embed Cisco's best practices for branch network deployment. The Unified Branch workflow operationalizes these CVDs.

    This integration:

    • Embeds CVD best practices directly into workflow templates for consistent, repeatable, and validated branch configurations
    • Enables faster, more agile, and scalable deployments

    In summary, Cisco Unified Branch combines validated design expertise with modern automation through Cisco Workflows, enabling enterprises and partners to deploy, manage, and scale branch networks with consistency and reliability aligned with contemporary DevOps practices.

    For detailed implementation guidance, refer to the Cisco Unified Branch Small Branch CVD, which provides comprehensive deployment and configuration guidelines.

    Design Components

    [Figure: Unified Branch design components]

    Prerequisites

    Component | Model Family | Software Minimum | Co-term License* | Subscription License**
    Secure Router | MX67/MX68/MX85/MX95/MX105 | MX 18 | Secure SD-WAN Plus | Advantage
    Access Switch | C9300/X/L (-M versions) | CS 17 / IOS XE 17.15 or 17.18, depending on the model | Advanced | Advantage
    Access Switch | C9200/L (-M versions) | IOS XE 17.15 or 17.18, depending on the model | Advanced | Advantage
    Access Switch | MS150/MS130 | MS 17.1.4 | Advanced | Advantage
    Wireless LAN Access Points | CW9172, CW9176 | MR 31 | Advanced | Advantage

    *For more information on co-term licensing, refer to Co-term – Licensing Overview.

    **For more information on subscription licensing, refer to Subscription – Licensing Overview.

    Before attempting to onboard a device to the dashboard, ensure all the dashboard prerequisites are met. This includes creating an organization and adding licenses. Refer to the Getting Started Checklist for additional information.

    Summary

    [Figure: the four pillars of Unified Branch]

    Unified Branch introduces four key pillars designed to simplify IT operations, reduce risk, and enhance automation:

    AgenticOps

    Utilizes the Cisco AI Assistant and AI Canvas to support lean IT teams. It focuses on:

    • Automation: Streamlining branch operations and repetitive tasks.
    • Collaboration: Enabling better teamwork across different technology domains.
    • Assurance: Providing end-to-end troubleshooting and network health monitoring.

    Cisco Validated Design (CVD)

    CVDs act as a "prescriptive blueprint" for branch offices. They are designed to:

    • Simplify: Allow for deployments without needing deep specialized expertise.
    • De-risk: Use tested designs to reduce implementation errors.
    • Standardize: Ensure every branch is reliable, secure, and consistent.

    Platform-Led Approach

    Streamlined and unified management experience:

    • Unified Dashboard: Offering a single cloud-managed interface for the entire Cisco technology stack.
    • Full Stack Support: Expanding capabilities beyond the previous Meraki-only focus to include the broader Cisco portfolio.

    Automation Toolkit

    Deployment frameworks deliver the technical foundation to simplify deployment, enable scalable growth, enforce standardization, and improve operational efficiency through:

    • Cisco Workflows: Simple plug-and-play modules.
    • AI Workflows: Providing intelligent, dashboard-based processes.
    • Branch-as-Code: Enabling programmatic deployments using Terraform for high-speed, repeatable setups.

    Workflow Steps

    You can deploy a full-stack Unified Branch in a couple of minutes through two methods: the Meraki dashboard interface or the AI Assistant.

    Meraki dashboard-driven execution process:

    1. Go to Automation in the main menu and select Exchange.

    2. Find Unified Branch CVD in the list and click Install.

    3. Next, return to Automation and choose Workspace.

    4. In the Workspace, select Unified Branch and click View workflow.

    5. Locate the Run button at the top right corner and click it.

    6. Enter all required variables as prompted.

    7. Double-check your entered variables, then click Run to proceed.

    8. Once complete, your full-stack branch site will be deployed according to Cisco's validated design.

    For more details on Cisco Workflows, refer to Workflow Overview.

    AI Assistance-driven execution process:

    1. Ask the AI Assistant to deploy a unified branch, e.g. "Can you help me automate the deployment of a Unified Branch based on Cisco validated design?" The request must include the keywords "automate" and "unified branch".

    2. Input your variables.

    3. Review your inputs and confirm; deployment begins immediately.

    4. After execution, your full-stack branch site will be provisioned in line with the Cisco-approved design.

    You can view a complete demo here, showcasing a sub-two-minute full-stack CVD branch deployment.

    What's being provisioned?

    Base template includes 1 MX, 1 Switch, and N APs:

    [Figure: base template topology with 1 MX, 1 switch, and N APs]

    Network-wide Settings

    Under Network-wide > Configure on the Dashboard

    Main Menu | Section | Subsection | Values
    General | General | Network name | <User Input>
    General | General | Traffic Analysis | Detailed: collect destination hostnames

    MX Secure Router Settings

    Under Security & SD-WAN > Configure on the Dashboard

    Main Menu | Section | Subsection | Values
    Site-to-site VPN | Site-to-site VPN | Type | Spoke
    Site-to-site VPN | Site-to-site VPN | Hubs | <User Input>, IPv4 default route enabled
    Addressing & VLANs | Deployment Settings | Mode | Routed
    Addressing & VLANs | Routing | LAN Setting | VLANs
    Addressing & VLANs | Routing | Subnets |
        • 999, INFRA, 10.250.1.1/24, VPN mode = Disabled
        • 50, GUEST, 172.16.99.1/24, VPN mode = Disabled
        • 30, IOT, 10.30.1.1/24, VPN mode = Enabled
        • 20, VOICE, 10.20.1.1/24, VPN mode = Enabled
        • 10, DATA, 10.10.1.1/24, VPN mode = Enabled
        • 1, Default, 192.168.128.1/24, VPN mode = Disabled
    Addressing & VLANs | Routing | Per-port VLAN Settings | Port 5 Enabled, Type Trunk, Native VLAN 999, Allowed VLANs = All
    DHCP | VLAN 1 (Default) | Client addressing | Run a DHCP server
    DHCP | VLAN 1 (Default) | Mandatory DHCP | Enabled
    DHCP | VLAN 1 (Default) | DNS nameservers | Use OpenDNS
    DHCP | VLAN 10 (DATA/CORP) | Client addressing | Relay DHCP to another server
    DHCP | VLAN 10 (DATA/CORP) | DHCP server IPs | 10.102.1.160
    DHCP | VLAN 10 (DATA/CORP) | Mandatory DHCP | Disabled
    DHCP | VLAN 20 (VOICE) | Client addressing | Relay DHCP to another server
    DHCP | VLAN 20 (VOICE) | DHCP server IPs | 10.102.1.160
    DHCP | VLAN 20 (VOICE) | Mandatory DHCP | Disabled
    DHCP | VLAN 30 (IOT) | Client addressing | Relay DHCP to another server
    DHCP | VLAN 30 (IOT) | DHCP server IPs | 10.102.1.160
    DHCP | VLAN 30 (IOT) | Mandatory DHCP | Disabled
    DHCP | VLAN 50 (GUEST) | Client addressing | Run a DHCP server
    DHCP | VLAN 50 (GUEST) | Mandatory DHCP | Enabled
    DHCP | VLAN 50 (GUEST) | DNS nameservers | Use OpenDNS
    DHCP | VLAN 999 (INFRA) | Client addressing | Run a DHCP server
    DHCP | VLAN 999 (INFRA) | Mandatory DHCP | Enabled
    DHCP | VLAN 999 (INFRA) | DNS nameservers | Use OpenDNS
    Firewall | Layer 3 | Outbound rules | Top-down priority:
        1. Deny Rule: Source = Guest (VLAN 50), Any Source Protocol, Destination = Default (VLAN 1) and Data (VLAN 10) and Voice (VLAN 20) and IOT (VLAN 30) and INFRA (VLAN 999) and Guest (VLAN 50), Any Destination Protocol
        2. Deny Rule: Source = Default (VLAN 1) and Data (VLAN 10) and Voice (VLAN 20) and IOT (VLAN 30) and INFRA (VLAN 999) and Guest (VLAN 50), Any Source Protocol, Destination = Guest (VLAN 50), Any Destination Protocol
        3. Allow Rule: Source = Default (VLAN 1) and Data (VLAN 10) and Voice (VLAN 20) and IOT (VLAN 30) and INFRA (VLAN 999) and Guest (VLAN 50), Any Source Protocol, Destination = Any, Any Destination Protocol
        4. Deny All Rule: Source = Any, Any Source Protocol, Destination = Any, Any Destination Protocol
        5. Default Allow All Rule: Source = Any, Any Source Protocol, Destination = Any, Any Destination Protocol (the dashboard's non-editable default rule; it is never reached because rule 4 already denies all remaining traffic)
    Firewall | Layer 3 | WAN appliance services | ICMP: Any; Web: None
    Firewall | IP Source Address Spoofing Protection | Mode | Block
    SD-WAN & traffic shaping | Uplink configuration | Uplink Statistics | Test connectivity to:
        • Cloudflare DNS = 1.1.1.1, 2606:4700:4700::1111
        • Google DNS = 8.8.8.8, 2001:4860:4860::8888
        • OpenDNS = 208.67.222.222, 2620:119:35::35
    SD-WAN & traffic shaping | Uplink selection | Load balancing | Disabled
    SD-WAN & traffic shaping | Uplink selection | Multi-Uplink AutoVPN | Enabled
    SD-WAN & traffic shaping | SD-WAN policies | Internet traffic: Guest Traffic |
        • Prefer WAN 2; fail over if the uplink is down
        • Protocol: Any
        • Source: Guest VLAN
        • Destination: Custom - Any
    SD-WAN & traffic shaping | SD-WAN policies | Internet traffic: SaaS Traffic |
        • Prefer WAN 2; fail over if poor performance, measured against the "SaaS_Traffic" custom performance class
        • Protocol: Any
        • Source: Any
        • Destination: Application Categories -> Productivity -> Office 365
    SD-WAN & traffic shaping | SD-WAN policies | VPN traffic: VoIP and Video Conferencing Traffic |
        • Prefer WAN 2; fail over if poor performance, measured against the "VoIP" performance class (note that only "SaaS_Traffic" is defined under custom performance classes below)
        • Protocol: Any
        • Source: Any
        • Destination: Application Categories -> VoIP & Video Conferencing -> Select All
    SD-WAN & traffic shaping | SD-WAN policies | Custom performance classes |
        • "SaaS_Traffic" = Maximum latency 150 ms, Maximum jitter 50 ms, Maximum loss 5%
    SD-WAN & traffic shaping | Local internet breakout | VPN exclusion rules |
        • Office 365 Sharepoint
        • Office 365 Suite
        • Webex
    SD-WAN & traffic shaping | Global bandwidth limits | Per-client limit | Unlimited
    SD-WAN & traffic shaping | Traffic shaping rules | Default Rules | Enable default traffic shaping rules
    SD-WAN & traffic shaping | Traffic shaping rules | Rule #1 |
        • Definition: localnet 10.20.1.0/24 (Voice VLAN 20)
        • Bandwidth limit: Ignore network per-client limit (unlimited)
        • Priority: High
        • DSCP tagging: 46 (EF, Expedited Forwarding, Voice)
    Threat Protection | Advanced Malware Protection (AMP) | Mode | Enabled
    Threat Protection | Intrusion detection and prevention | Mode | Prevention
    Threat Protection | Intrusion detection and prevention | Ruleset | Balanced
    Content Filtering | Category blocking | Content categories | Adult, Hate Speech, Illegal Activities, Illegal Drugs, Pornography, Child Abuse Content, Illegal Downloads, Terrorism and Violent Extremism
    Content Filtering | Category blocking | Threat categories | Malware Sites, Spyware and Adware, Phishing, Botnets, Spam, Exploits, High Risk Sites and Locations, Bogon, Ebanking Fraud, Indicators of Compromise (IOC), Malicious Sites, Cryptojacking, Newly Seen Domains, Domain Generation Algorithm, Open HTTP Proxy, Open Mail Relay, TOR Exit Nodes, Linkshare
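    The outbound Layer 3 rules above are what actually enforce guest isolation at the MX, so after a workflow run the check a practitioner wants is whether the deployed rules still produce the intended verdicts. Two properties are worth testing explicitly: rule 4 (deny any/any) shadows the dashboard's default allow rule, so anything not matched by rules 1-3 is dropped; and because the MX only evaluates traffic it routes, a client talking to another client in the same VLAN never hits these rules at all (that is what Layer 2 isolation on the switch and SSID is for). The following is an added example, not Cisco's or the workflow's own code: it encodes the CVD subnets and rules in the field shape the Meraki Dashboard API returns from GET /networks/{networkId}/appliance/firewall/l3FirewallRules, evaluates a set of intended flows first-match, reports shadowed rules, and flags a constructed "temporary" allow rule that a later edit might insert above the CVD set. The client and server addresses, the drifted rule and the intent list are all constructed for the example.

```python
"""Intent check for the Unified Branch MX outbound Layer 3 rules.

Added example, not Cisco's or the workflow's own code. The VLAN subnets and
the five outbound rules are taken from the CVD tables on this page and
encoded in the field shape the Meraki Dashboard API uses for
GET /networks/{networkId}/appliance/firewall/l3FirewallRules
(comment, policy, protocol, srcCidr, destCidr). The "drifted" rule list and
the client/host addresses are constructed test data, not captured output.
"""
import ipaddress

# Subnets from "Addressing & VLANs > Subnets" (the page lists the MX interface
# address, e.g. 10.10.1.1/24; the network address is used here).
VLANS = {
    "Default": "192.168.128.0/24",
    "DATA": "10.10.1.0/24",
    "VOICE": "10.20.1.0/24",
    "IOT": "10.30.1.0/24",
    "GUEST": "172.16.99.0/24",
    "INFRA": "10.250.1.0/24",
}
LOCAL = ",".join(VLANS.values())  # every branch VLAN, as a Meraki CIDR list

# The CVD rules, top-down. All use protocol "any", so ports are ignored
# below. The last entry is the dashboard's non-editable "Default rule".
CVD_RULES = [
    {"comment": "Guest to any local VLAN", "policy": "deny", "protocol": "any",
     "srcCidr": VLANS["GUEST"], "destCidr": LOCAL},
    {"comment": "Any local VLAN to Guest", "policy": "deny", "protocol": "any",
     "srcCidr": LOCAL, "destCidr": VLANS["GUEST"]},
    {"comment": "Local VLANs to anywhere", "policy": "allow", "protocol": "any",
     "srcCidr": LOCAL, "destCidr": "Any"},
    {"comment": "Deny all", "policy": "deny", "protocol": "any",
     "srcCidr": "Any", "destCidr": "Any"},
    {"comment": "Default rule", "policy": "allow", "protocol": "any",
     "srcCidr": "Any", "destCidr": "Any"},
]


def _matches(cidr_field, ip):
    """True if ip falls in the comma-separated CIDR list, or the field is Any."""
    if cidr_field.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip()) for c in cidr_field.split(","))


def evaluate(rules, src, dst):
    """First-match evaluation of a flow; returns (policy, index of the matching rule)."""
    for i, rule in enumerate(rules):
        if _matches(rule["srcCidr"], src) and _matches(rule["destCidr"], dst):
            return rule["policy"], i
    return "allow", None  # not reachable while the Default rule is present


def shadowed_rules(rules):
    """Indices of rules that can never match because an any/any rule precedes them."""
    for i, rule in enumerate(rules):
        if all(rule[k].strip().lower() == "any" for k in ("srcCidr", "destCidr", "protocol")):
            return list(range(i + 1, len(rules)))
    return []


# What the CVD intends: Guest isolated from every branch VLAN in both directions,
# every VLAN (Guest included) allowed out to the internet. Hosts are constructed.
INTENT = [
    ("172.16.99.50", "10.10.1.20", "deny"),      # Guest -> DATA
    ("10.10.1.20", "172.16.99.50", "deny"),      # DATA -> Guest
    ("172.16.99.50", "93.184.216.34", "allow"),  # Guest -> internet
    ("10.30.1.7", "8.8.8.8", "allow"),           # IOT -> internet
    ("10.250.1.9", "10.10.1.20", "allow"),       # INFRA -> DATA (no rule separates non-guest VLANs)
]


def check_intent(rules, intent=INTENT):
    """Flows whose verdict differs from the intent, as (src, dst, wanted, got)."""
    violations = []
    for src, dst, wanted in intent:
        got, _ = evaluate(rules, src, dst)
        if got != wanted:
            violations.append((src, dst, wanted, got))
    return violations


# Constructed drift: a "temporary" rule inserted above the CVD rules after deployment.
DRIFTED_RULES = [
    {"comment": "temp: guest to file server", "policy": "allow", "protocol": "any",
     "srcCidr": VLANS["GUEST"], "destCidr": "10.10.1.20/32"},
] + CVD_RULES

if __name__ == "__main__":
    print("CVD rules violate intent:", check_intent(CVD_RULES))       # []
    print("shadowed rule indices:", shadowed_rules(CVD_RULES))         # [4]
    print("drifted rules violate intent:", check_intent(DRIFTED_RULES))
```

    To run this against a live branch, replace CVD_RULES with the "rules" array returned by the API call named in the docstring (the field names match) and keep the intent list as the set of flows the branch must never or must always pass. A non-empty result from check_intent after a workflow run means the deployed rules no longer implement the CVD.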

     

    Switch Settings

    Under Switching > Configure on the Dashboard

    Main Menu | Section | Subsection | Values
    Switch Settings | Switch settings | VLAN configuration (management VLAN) | 999
    Switch Settings | Switch settings | STP configuration | Enable Rapid Spanning Tree (RSTP): Enabled
    Switch Settings | Switch settings | Quality of service |
        • VLAN 50, Protocol: Any, Trust: Disabled, Set DSCP: 0
        • VLAN 10, Protocol: Any, Trust: Enabled
        • VLAN 20, Protocol: Any, Trust: Enabled
        • VLAN 30, Protocol: Any, Trust: Enabled

    Under Switching > Monitor on the Dashboard

    Main Menu | Section | Subsection | Values
    Switch Ports | Switch Ports | Port 1 - uplink |
        • Name: Uplink to MX-Primary
        • Type: Trunk
        • Native VLAN: 999
        • Allowed VLANs: All
        • Access policy: Open
        • RSTP: Enabled
        • PoE: Enabled
    Switch Ports | Switch Ports | Ports 3 and 4 - Data/CORP connection |
        • Name: Data/CORP Ports
        • Type: Access
        • VLAN: 10
        • Voice VLAN: 20
        • PoE: Enabled
        • UDLD: Alert only
        • STP guard: BPDU guard
        • RSTP: Enabled
    Switch Ports | Switch Ports | Ports 6 and 7 - AP connection |
        • Name: AP Ports
        • Type: Trunk
        • PoE: Enabled
        • UDLD: Alert only
        • STP guard: BPDU guard
        • RSTP: Enabled
        • Allowed VLANs: 1-4094
        • Native VLAN: 999

     

    Access Point Settings

    Under Wireless > Configure on the Dashboard

    Main Menu | Section | Subsection | Values
    Access Control | Basic info | SSID (name) | Guest-WiFi
    Access Control | Security (Guest SSID) | Security | Open (no encryption)
    Access Control | Security (Guest SSID) | Mandatory DHCP | Enabled
    Access Control | Splash page (Guest SSID) | Splash page | Click-through
    Splash page | Splash page (Guest SSID) | Official themes | Modern
    Splash page | Splash behavior (Guest SSID) | Splash frequency | Every day
    Splash page | Splash behavior (Guest SSID) | Where should users go after the splash page? | The URL they were trying to fetch
    Access Control | Client IP and VLAN (Guest SSID) | External DHCP server assigned | Enabled/Bridged
    Access Control | Client IP and VLAN (Guest SSID) | VLAN tagging | VLAN ID: Default AP tag, VLAN ID 50
    Access Control | Basic info | SSID (name) | Data/CORP-WiFi
    Access Control | Security (Data/CORP SSID) | Security | Password
    Access Control | Security (Data/CORP SSID) | WPA encryption | WPA3 Transition Mode
    Access Control | Security (Data/CORP SSID) | 802.11w | Enabled (allow unsupported clients)
    Access Control | Security (Data/CORP SSID) | Mandatory DHCP | Enabled
    Access Control | Splash page (Data/CORP SSID) | Splash page | None (direct access)
    Access Control | Client IP and VLAN (Data/CORP SSID) | External DHCP server assigned | Enabled/Bridged
    Access Control | Client IP and VLAN (Data/CORP SSID) | VLAN tagging | VLAN ID: Default AP tag, VLAN ID 10
    Firewall & traffic shaping | Block IPs and ports (Guest SSID) | Layer 2 LAN isolation | Enabled
    Firewall & traffic shaping | Block IPs and ports (Guest SSID) | Outbound rules | Top-down priority:
        • Deny Local LAN Access Rule: Source = Any, Any Source Protocol, Destination = Local LAN, Any Destination Protocol
        • Default Allow All Rule: Source = Any, Any Source Protocol, Destination = Any, Any Destination Protocol
    Firewall & traffic shaping | Traffic shaping rules (Guest SSID) | Per-client bandwidth limit | 50 Mbps
    Firewall & traffic shaping | Traffic shaping rules (Guest SSID) | Enable SpeedBurst | Enabled
    Firewall & traffic shaping | Traffic shaping rules (Guest SSID) | Per-SSID bandwidth limit | 100 Mbps
    Firewall & traffic shaping | Traffic shaping rules (Guest SSID) | Shape traffic | Shape traffic on this SSID
    Firewall & traffic shaping | Traffic shaping rules (Guest SSID) | Default Rules | Enable default traffic shaping rules
    Firewall & traffic shaping | Block IPs and ports (Data/CORP SSID) | Outbound rules | Top-down priority:
        1. Allow Local LAN Access Rule: Source = Any, Any Source Protocol, Destination = Local LAN, Any Destination Protocol
        2. Default Allow All Rule: Source = Any, Any Source Protocol, Destination = Any, Any Destination Protocol
    Firewall & traffic shaping | Traffic shaping rules (Data/CORP SSID) | Per-client bandwidth limit | Unlimited
    Firewall & traffic shaping | Traffic shaping rules (Data/CORP SSID) | Per-SSID bandwidth limit | Unlimited
    Firewall & traffic shaping | Traffic shaping rules (Data/CORP SSID) | Shape traffic | Shape traffic on this SSID
    Firewall & traffic shaping | Traffic shaping rules (Data/CORP SSID) | Default Rules | Enable default traffic shaping rules
    SSID Availability | SSID availability (all SSIDs) | Visibility | Advertise this SSID publicly
    SSID Availability | SSID availability (all SSIDs) | Per access point availability | Enabled on all access points
    Radio Settings | RF profiles (Indoor/Outdoor default) | General/Band selection | All SSIDs
    Radio Settings | RRM | AI-RRM | Enabled

    Under Wireless > Monitor on the Dashboard

    Main Menu | Section | Subsection | Values
    Access Points | <Select AP> | LAN IP (edit) | VLAN 999

     

    Input variables can be updated through the workflow's user input window, with assistance from the AI Assistant, or by editing the workflow directly.

    FAQ

    • What is the support process? How do I open a ticket?

    There is no change to the current support process. For complete details, please refer to the support documentation.

    For additional information about the Cisco Workflow FAQ, please refer to the FAQ documentation.

     

    • Who is the ideal user for Unified Branch? 

    The ideal users of Unified Branch are organizations and partners that struggle to manage and optimize branch network operations at scale, or to make network changes reliably.

    Key examples include: 

    • Enterprises with Distributed Branch Locations: Businesses in industries like retail, healthcare, banking, and hospitality operate multiple branch offices and require simplified network management, high security, and consistent application performance. 

    • Partners and Service Providers: Partners and managed service providers looking to offer branch automation as a service or those with Infrastructure as Code (IaC) practices seeking a game-changing approach to branch network management. 

     

    • Does a Unified Branch require exclusively Cisco devices, or can it also incorporate networking devices from other vendors? 

    Unified Branch is designed to bring together the full breadth of Cisco's portfolio—routers, switches, wireless access points — along with Cisco's expertise. The solution is fully optimized for Cisco devices to ensure seamless integration, robust security, centralized management, and automation. It does not support or validate third-party devices.
