
Cisco Meraki Documentation

Unified Branch CVD Small Design

 

For a detailed and comprehensive guide to this Cisco Validated Design (CVD), refer to the Cisco Unified Branch Design Guide.

Design Components


Prerequisites

| Component | Model Family | Software Minimum | Co-term License* | Subscription License** |
| --- | --- | --- | --- | --- |
| Secure Router | MX67/MX68/MX85/MX95/MX105 | MX 19.2 | Secure SD-WAN Plus | Advantage |
| Access Switch | C9300/X/L (-M versions) | CS 17/IOS XE 17.15 or 17.18, depending on the model | Advanced | Advantage |
| Access Switch | C9200/L (-M versions) | IOS XE 17.15 or 17.18, depending on the model | Advanced | Advantage |
| Access Switch | MS150/MS130 | MS 17.1.4 | Advanced | Advantage |
| Wireless LAN Access Points | AP CW9172, AP CW9176 | MR 31 | Advanced | Advantage |

*For more information on co-term licensing, refer to Co-term – Licensing Overview.

**For more information on subscription licensing, refer to Subscription – Licensing Overview.

Before attempting to onboard a device to the dashboard, ensure all the dashboard prerequisites are met. This includes creating an organization and adding licenses. Refer to the Getting Started Checklist for additional information.

Automation and Deployment

You can deploy a full-stack Unified Branch within a couple of minutes through two methods: using the Meraki dashboard interface or leveraging the AI Assistant.

Meraki dashboard-driven execution process:

  1. Go to Automation in the main menu and select Exchange.

  2. Find Unified Branch CVD in the list and click Install.

  3. Next, return to Automation and choose Workspace.

  4. In the Workspace, select Unified Branch and click View workflow.

  5. Locate the Run button at the top right corner and click it.

  6. Enter all required variables as prompted.

  7. Double-check your entered variables, then click Run to proceed.

  8. Once complete, your full-stack branch site will be deployed according to Cisco's validated design.

For more details on Cisco Workflows, refer to Workflow Overview.

AI Assistant-driven execution process:

  1. Ask the AI Assistant to deploy a unified branch, for example: "Can you help me automate the deployment of a Unified Branch based on Cisco validated design?" The request must include the keywords "automate" and "unified branch".

  2. Input your variables.

  3. Review your inputs and confirm; deployment begins immediately.

  4. After execution, your full-stack branch site will be provisioned in line with the Cisco-approved design.

You can view a complete demo here, showcasing a sub‑two‑minute full-stack CVD branch deployment.

What's being provisioned?

The base template includes 1 Secure Router, 1 Smart Switch, and 2 Access Points.

Network-wide Settings

Under Network-wide > Configure on the Dashboard (listed as Main Menu > Section > Subsection: Values):

  • General > General > Network name: <User Input>
  • General > General > Traffic Analysis: Detailed: collect destination hostnames
  • General > Reporting > Syslog Servers: <User Input Syslog Server IPv4 Address>, port 514, Appliance Event log, Appliance Security events, Switch Event log, Wireless Air Marshal events, Wireless Event log
  • General > Reporting > Network traffic reporting: Enabled: send NetFlow traffic statistics
  • General > Reporting > NetFlow collector IP: <User Input NetFlow Server IPv4 Address>
  • General > Reporting > NetFlow collector port: 2055
  • Alerts > Alerts Settings > Network-wide: A rogue access point is detected
  • Alerts > Alerts Settings > WAN appliance: Malware is downloaded

Organization-wide Settings

Under Organization-wide > Configure on the Dashboard (listed as Main Menu > Section > Subsection: Values):

  • Settings > SNMP > Version 2C: SNMP V2C disabled
  • Settings > SNMP > Version 3: SNMP V3 enabled
  • Settings > SNMP > Authentication mode: SHA
  • Settings > SNMP > Authentication password: <passphrase>
  • Settings > SNMP > Privacy mode: AES128
  • Settings > SNMP > Privacy password: <passphrase>
  • Settings > SNMP > IP restrictions: <IP address>
  • Policy Objects > All objects > 3 objects: <User Input>, 3 IPv4 Addresses, <User Input>
  • Policy Objects > All objects > 3 subnets: <User Input>, 3 IPv4 Subnets, <User Input>

MX Secure Router Settings

Under Security & SD-WAN > Configure on the Dashboard (listed as Main Menu > Section > Subsection: Values):

  • Appliance Status > Summary > Appliance name: <User Input>
  • Site-to-site VPN > Site-to-site VPN > Type: Spoke
  • Site-to-site VPN > Site-to-site VPN > Hubs: <User Input>, IPv4 default route enabled
  • Addressing & VLANs > Deployment Settings > Mode: Routed
  • Addressing & VLANs > Routing > LAN Setting: VLANs
  • Addressing & VLANs > Routing > Subnets:
      ● 511, INFRA, 10.250.1.1/24, VPN mode = Disabled
      ● 50, GUEST, 172.16.99.1/24, VPN mode = Disabled
      ● 40, PCI, 10.40.1.1/24, VPN mode = Enabled
      ● 30, IOT, 10.30.1.1/24, VPN mode = Enabled
      ● 20, VOICE, 10.20.1.1/24, VPN mode = Enabled
      ● 10, DATA, 10.10.1.1/24, VPN mode = Enabled
      ● 1, Default, 192.168.128.1/24, VPN mode = Disabled
  • Addressing & VLANs > Routing > Per-port VLAN Settings: Port 5 Enabled, Type Trunk, Native VLAN 1, Allowed VLANs = 1,10,20,30,40,50,511
  • DHCP > VLAN 1 (Default) > Client addressing: Run a DHCP server
  • DHCP > VLAN 1 (Default) > Mandatory DHCP: Enabled
  • DHCP > VLAN 1 (Default) > DNS nameservers: Use OpenDNS
  • DHCP > VLAN 10 (DATA/CORP) > Client addressing: Relay DHCP to another server
  • DHCP > VLAN 10 (DATA/CORP) > DHCP server IPs: 10.102.1.160
  • DHCP > VLAN 10 (DATA/CORP) > Mandatory DHCP: Disabled
  • DHCP > VLAN 20 (VOICE) > Client addressing: Relay DHCP to another server
  • DHCP > VLAN 20 (VOICE) > DHCP server IPs: 10.102.1.160
  • DHCP > VLAN 20 (VOICE) > Mandatory DHCP: Disabled
  • DHCP > VLAN 30 (IOT) > Client addressing: Relay DHCP to another server
  • DHCP > VLAN 30 (IOT) > DHCP server IPs: 10.102.1.160
  • DHCP > VLAN 30 (IOT) > Mandatory DHCP: Disabled
  • DHCP > VLAN 40 (PCI) > Client addressing: Relay DHCP to another server
  • DHCP > VLAN 40 (PCI) > DHCP server IPs: 10.102.1.160
  • DHCP > VLAN 40 (PCI) > Mandatory DHCP: Disabled
  • DHCP > VLAN 50 (GUEST) > Client addressing: Run a DHCP server
  • DHCP > VLAN 50 (GUEST) > Mandatory DHCP: Enabled
  • DHCP > VLAN 50 (GUEST) > DNS nameservers: Use OpenDNS
  • DHCP > VLAN 511 (INFRA) > Client addressing: Run a DHCP server
  • DHCP > VLAN 511 (INFRA) > Mandatory DHCP: Enabled
  • DHCP > VLAN 511 (INFRA) > DNS nameservers: Use OpenDNS
  • Firewall > Layer 3 > Outbound rules (top-down priority):
      1. Deny Rule: Source = Guest (VLAN 50), Any Source Protocol, Destination = Default (VLAN 1) and Data (VLAN 10) and Voice (VLAN 20) and IOT (VLAN 30) and PCI (VLAN 40) and INFRA (VLAN 511) and Guest (VLAN 50), Any Destination Protocol
      2. Deny Rule: Source = Default (VLAN 1) and Data (VLAN 10) and Voice (VLAN 20) and IOT (VLAN 30) and PCI (VLAN 40) and INFRA (VLAN 511) and Guest (VLAN 50), Any Source Protocol, Destination = Guest (VLAN 50), Any Destination Protocol
      3. Allow Rule: Source = Default (VLAN 1) and Data (VLAN 10) and Voice (VLAN 20) and IOT (VLAN 30) and PCI (VLAN 40) and INFRA (VLAN 511) and Guest (VLAN 50), Any Source Protocol, Destination = Any, Any Destination Protocol
      4. Deny All Rule: Source = Any, Any Source Protocol, Destination = Any, Any Destination Protocol
      5. Default Allow All Rule: Source = Any, Any Source Protocol, Destination = Any, Any Destination Protocol
  • Firewall > Layer 3 > WAN appliance services: ICMP Any, Web None
  • Firewall > IP Source Address Spoofing Protection > Mode: Block
  • SD-WAN & traffic shaping > Uplink configuration > Uplink Statistics: Test connectivity to:
      • Cloudflare DNS = 1.1.1.1
      • Google DNS = 8.8.8.8
      • OpenDNS = 208.67.222.222
  • SD-WAN & traffic shaping > Uplink selection > Load balancing: Disabled
  • SD-WAN & traffic shaping > Uplink selection > Multi-Uplink AutoVPN: Enabled
  • SD-WAN & traffic shaping > SD-WAN policies > Internet traffic: INFRA Traffic
      • Prefer WAN 2. Fail over if uplink down
      • Protocol: Any
      • Source: INFRA VLAN
      • Destination: Custom - Any
  • SD-WAN & traffic shaping > SD-WAN policies > Internet traffic: SaaS Traffic
      • Prefer WAN 2. Fail over if "SaaS_Traffic" custom performance class is met
      • Protocol: Any
      • Source: VOICE VLAN
      • Destination: Application Categories -> Productivity -> Office 365 or Webex Video or WebEx Meeting or WebEx Control or Webex Audio or Webex Application Sharing or Sharepoint or Microsoft Office Web Applications
  • SD-WAN & traffic shaping > SD-WAN policies > Internet traffic: SaaS Traffic
      • Prefer WAN 2. Fail over if "SaaS_Traffic" custom performance class is met
      • Protocol: Any
      • Source: IOT VLAN
      • Destination: Application Categories -> Productivity -> Office 365 or Webex Video or WebEx Meeting or WebEx Control or Webex Audio or Webex Application Sharing or Sharepoint or Microsoft Office Web Applications
  • SD-WAN & traffic shaping > SD-WAN policies > Internet traffic: SaaS Traffic
      • Prefer WAN 2. Fail over if "SaaS_Traffic" custom performance class is met
      • Protocol: Any
      • Source: DATA VLAN
      • Destination: Application Categories -> Productivity -> Office 365 or Webex Video or WebEx Meeting or WebEx Control or Webex Audio or Webex Application Sharing or Sharepoint or Microsoft Office Web Applications
  • SD-WAN & traffic shaping > SD-WAN policies > VPN traffic: VoIP and Video Conferencing Traffic
      • Prefer WAN 2. Fail over if "VoIP" custom performance class is met
      • Protocol: Any
      • Source: Any
      • Destination: Application Categories -> VoIP & Video Conferencing -> Select All
  • SD-WAN & traffic shaping > SD-WAN policies > VPN traffic: Critical Apps
      • Prefer WAN 2. Fail over if "Critical Apps" custom performance class is met
      • Protocol: TCP
      • Source: 10.102.1.160 (DHCP/DNS Server IP)
      • Destination: Any
  • SD-WAN & traffic shaping > SD-WAN policies > VPN traffic: Default SLA
      • Prefer WAN 1. Fail over if "Default SLA" custom performance class is met
      • Protocol: Any
      • Source: Any
      • Destination: Any
  • SD-WAN & traffic shaping > SD-WAN policies > Custom performance classes:
      • "SaaS_Traffic" = Maximum latency (150), Maximum Jitter (50), Maximum Loss (5)
      • "Critical_Apps" = Maximum latency (150), Maximum Jitter (20), Maximum Loss (2)
      • "Default_SLA" = Maximum latency (none), Maximum Jitter (100), Maximum Loss (5)
  • SD-WAN & traffic shaping > Global bandwidth limits > Per-client limit: unlimited
  • SD-WAN & traffic shaping > Traffic shaping rules > Default Rules: Enable default traffic shaping rules
  • SD-WAN & traffic shaping > Traffic shaping rules > Rule #1:
      ● Definition: localnet 172.16.99.0/24 (Guest VLAN)
      ● Bandwidth limit: Ignore network per-client limit (unlimited)
      ● Priority: Low
      ● DSCP tagging: 0 (CS0/DF – Best Effort/Default Forwarding)
  • SD-WAN & traffic shaping > Traffic shaping rules > Rule #2:
      ● Definition: net/port 10.102.1.160/32 (Server IP)
      ● Bandwidth limit: Ignore network per-client limit (unlimited)
      ● Priority: High
      ● DSCP tagging: 18 (AF21 – Low Latency Data, Low Drop)
  • Threat Protection > Advanced Malware Protection (AMP) > Mode: Enabled
  • Threat Protection > Intrusion detection and prevention > Mode: Prevention
  • Threat Protection > Intrusion detection and prevention > Ruleset: Balanced
  • Content Filtering > Category blocking > Content categories: Adult, Hate Speech, Illegal Activities, Illegal Drugs, Pornography, Child Abuse Content, Illegal Downloads, Terrorism and Violent Extremism
  • Content Filtering > Category blocking > Threat categories: Malware Sites, Spyware and Adware, Phishing, Botnets, Spam, Exploits, High Risk Sites and Locations, Bogon, Ebanking Fraud, Indicators of Compromise (IOC), Malicious Sites, Cryptojacking, Newly Seen Domains, Domain Generated Algorithm, Open HTTP Proxy, Open Mail Relay, TOR exit Nodes, Linkshare
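The Layer 3 outbound rules under Firewall above are evaluated top-down, first match wins. The following Python example is added here and is not code from the Meraki page or from Cisco: it encodes the CVD's five rules together with the VLAN subnets listed under Addressing & VLANs, so an engineer can check which rule decides a given flow before pushing the configuration; the sample flows are constructed. It also makes visible that rule 4 (Deny All) catches every flow not allowed by rule 3, so the trailing Default Allow All rule is never reached.

```python
from ipaddress import ip_address, ip_network

# VLAN subnets as listed under Addressing & VLANs > Routing > Subnets.
VLANS = {
    "Default (VLAN 1)": ip_network("192.168.128.0/24"),
    "Data (VLAN 10)": ip_network("10.10.1.0/24"),
    "Voice (VLAN 20)": ip_network("10.20.1.0/24"),
    "IOT (VLAN 30)": ip_network("10.30.1.0/24"),
    "PCI (VLAN 40)": ip_network("10.40.1.0/24"),
    "Guest (VLAN 50)": ip_network("172.16.99.0/24"),
    "INFRA (VLAN 511)": ip_network("10.250.1.0/24"),
}
GUEST = [VLANS["Guest (VLAN 50)"]]
ALL_LOCAL = list(VLANS.values())
ANY = [ip_network("0.0.0.0/0")]

# The page's outbound rules in top-down order: (name, policy, sources, destinations).
# Every rule uses "Any" protocol and port, so only addresses need matching.
RULES = [
    ("1 Deny Guest to all local VLANs", "deny", GUEST, ALL_LOCAL),
    ("2 Deny all local VLANs to Guest", "deny", ALL_LOCAL, GUEST),
    ("3 Allow all local VLANs to Any", "allow", ALL_LOCAL, ANY),
    ("4 Deny All", "deny", ANY, ANY),
    ("5 Default Allow All", "allow", ANY, ANY),
]

# Constructed sample flows (not from the page), one per rule a flow can reach.
SAMPLE_FLOWS = [
    ("172.16.99.20", "10.10.1.50"),   # Guest -> Data: denied by rule 1
    ("10.10.1.50", "172.16.99.20"),   # Data -> Guest: denied by rule 2
    ("172.16.99.20", "203.0.113.9"),  # Guest -> Internet: allowed by rule 3
    ("10.40.1.5", "10.102.1.160"),    # PCI -> DHCP/RADIUS server: allowed by rule 3
    ("198.51.100.7", "10.10.1.50"),   # non-local source: rule 4; rule 5 is never reached
]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def evaluate(src, dst):
    """Return (rule name, policy) of the first rule matching a src -> dst flow."""
    s, d = ip_address(src), ip_address(dst)
    for name, policy, srcs, dsts in RULES:
        if _in_any(s, srcs) and _in_any(d, dsts):
            return name, policy
    raise RuntimeError("unreachable: rule 4 matches every flow")

def audit(flows):
    """Map each (src, dst) pair to the rule that decides it."""
    return {flow: evaluate(*flow) for flow in flows}

if __name__ == "__main__":
    for (src, dst), (rule, policy) in audit(SAMPLE_FLOWS).items():
        print(f"{src:>14} -> {dst:<14} {policy:5} ({rule})")
```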
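The SD-WAN policies above each name a preferred uplink and a custom performance class. The following Python example is added here and is not code from the Meraki page or from Cisco: it checks measured uplink metrics against the three custom performance classes listed under SD-WAN policies (including the Default_SLA class with no latency limit) and applies a "prefer X, fail over" decision. It assumes fail-over is triggered when the preferred uplink is down or its measurements exceed the class thresholds, and that the preferred uplink is kept when both uplinks violate the class; the metrics are constructed.

```python
# Custom performance classes as listed under SD-WAN policies on the page:
# name -> (max latency ms, max jitter ms, max loss %); None means no limit.
PERF_CLASSES = {
    "SaaS_Traffic": (150, 50, 5),
    "Critical_Apps": (150, 20, 2),
    "Default_SLA": (None, 100, 5),
}

def violations(class_name, latency_ms, jitter_ms, loss_pct):
    """Return the thresholds the measured values exceed (empty list = class met)."""
    max_lat, max_jit, max_loss = PERF_CLASSES[class_name]
    failed = []
    if max_lat is not None and latency_ms > max_lat:
        failed.append("latency")
    if max_jit is not None and jitter_ms > max_jit:
        failed.append("jitter")
    if max_loss is not None and loss_pct > max_loss:
        failed.append("loss")
    return failed

def select_uplink(preferred, class_name, metrics):
    """Pick the uplink for a "Prefer <preferred>, fail over if ..." policy.

    metrics maps "WAN 1"/"WAN 2" to (latency, jitter, loss), or to None when
    the uplink is down. class_name None means the policy only fails over on an
    uplink outage (the INFRA Traffic policy). Assumed simplification: when both
    uplinks violate the class, the preferred uplink is kept.
    """
    other = "WAN 1" if preferred == "WAN 2" else "WAN 2"
    pref, alt = metrics.get(preferred), metrics.get(other)
    pref_ok = pref is not None and (class_name is None or not violations(class_name, *pref))
    if pref_ok:
        return preferred
    alt_ok = alt is not None and (class_name is None or not violations(class_name, *alt))
    if alt_ok or pref is None:
        return other
    return preferred

if __name__ == "__main__":
    # Constructed metrics: WAN 2 shows jitter above the SaaS_Traffic limit.
    sample = {"WAN 1": (40, 8, 0.2), "WAN 2": (90, 65, 0.5)}
    print(violations("SaaS_Traffic", *sample["WAN 2"]))   # ['jitter']
    print(select_uplink("WAN 2", "SaaS_Traffic", sample))   # WAN 1
    print(select_uplink("WAN 1", "Default_SLA", sample))    # WAN 1
```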

 

Switch Settings

Under Switching > Configure on the Dashboard (listed as Main Menu > Section > Subsection: Values):

  • Switches > Summary > Switch name: <User Input>
  • Switch Settings > Switch settings > VLAN configuration: 511
  • Switch Settings > Switch settings > STP configuration: Enable Rapid Spanning Tree (RSTP): Enabled
  • Switch Settings > Switch settings > Quality of service:
      • VLAN 50, Protocol: Any, Trust: Disabled, Set DSCP: 0
      • VLAN 10, Protocol: Any, Trust: Enabled
      • VLAN 20, Protocol: Any, Trust: Enabled
      • VLAN 30, Protocol: Any, Trust: Enabled
      • VLAN 40, Protocol: Any, Trust: Enabled
  • Switch Settings > Switch settings > Storm control:
      ● Broadcast, 20%
      ● Multicast, 30%
      ● Unknown Unicast, 10%
  • Access Policies > Access Policies > Name: Radius-MAB
  • Access Policies > Access Policies > Authentication method: Radius server
  • Access Policies > Access Policies > RADIUS servers: RADIUS Server testing, RADIUS CoA support enabled, Enable RADIUS accounting servers
  • Access Policies > Access Policies > RADIUS server: Host 10.102.1.160 (Server IP), secret <secret>, Auth enabled, Port 1812, Accounting enabled, Port 1813
  • Access Policies > Access Policies > Connection: Hybrid authentication, Multi-Auth, Both
  • Access Policies > Access Policies > Options: Voice auth enabled

Under Switching > Monitor on the Dashboard (listed as Main Menu > Section > Subsection: Values):

  • Switch Ports > Switch Ports > Port 1 - Uplink Trunk Port - Connection to Appliance:
      • Name: Uplink Trunk Port - Connection to Appliance
      • Port status: Enabled
      • Type: Trunk
      • Native VLAN: 1
      • Allowed VLANs: 1,10,20,30,40,50,999
      • Access policy: Open
      • RSTP: Enabled
      • STP guard: Disabled
      • UDLD: Alert only
      • PoE: Enabled
      • Storm control: Enabled
  • Switch Settings > Switch Ports > Ports 4 and 5 - Connection to Wired Client:
      • Name: Connection to Wired Client
      • Port status: Enabled
      • Type: Access
      • Access Policy: RADIUS-MAB
      • VLAN: 10
      • Voice VLAN: 20
      • RSTP: Enabled
      • STP guard: BPDU guard
      • UDLD: Alert only
      • PoE: Enabled
      • Storm control: Enabled
  • Switch Settings > Switch Ports > Ports 6 and 7 - Connection to Access Point:
      • Name: Connection to Access Point
      • Port status: Enabled
      • Type: Trunk
      • Native VLAN: 511
      • Allowed VLANs: 1,10,20,30,40,50
      • Access policy: Open
      • RSTP: Enabled
      • STP guard: BPDU guard
      • UDLD: Alert only
      • PoE: Enabled
      • Storm control: Enabled

 

Access Point Settings

Under Wireless > Configure on the Dashboard (listed as Main Menu > Section > Subsection: Values):

  • Access Points > Summary > Access Point name: <User Input>
  • Access Control > Basic info > SSID (name): Guest-WiFi
  • Access Control > Security (Guest SSID): Open (no encryption)
  • Access Control > Security (Guest SSID) > Mandatory DHCP: Enabled
  • Access Control > Splash page (Guest SSID): Click-through
  • Splash page > Splash page (Guest SSID) > Official themes: Modern
  • Splash page > Splash behavior (Guest SSID) > Splash frequency: Every day
  • Splash page > Splash behavior (Guest SSID) > Where should users go after the splash page?: The URL they were trying to fetch
  • Access Control > Client IP and VLAN (Guest SSID) > External DHCP server assigned: Enabled/Bridged
  • Access Control > Client IP and VLAN (Guest SSID) > VLAN tagging: VLAN ID: Default AP tag, VLAN ID 50
  • Access Control > Basic info > SSID (name): Data/CORP-WiFi
  • Access Control > Security (Data/CORP SSID): Enterprise with my RADIUS server
  • Access Control > Security (Data/CORP SSID) > WPA encryption: WPA3 Transition Mode
  • Access Control > Security (Data/CORP SSID) > 802.11w: Enabled (allow unsupported clients)
  • Access Control > Security (Data/CORP SSID) > 802.11r: Enabled
  • Access Control > Security (Data/CORP SSID) > Mandatory DHCP: Enabled
  • Access Control > Splash Page (Data/CORP SSID): None (direct access)
  • Access Control > RADIUS (Data/CORP SSID) > RADIUS servers: 10.102.1.160 (Server IP), 1812, <secret>
  • Access Control > RADIUS (Data/CORP SSID) > RADIUS accounting servers: 10.102.1.160 (Server IP), 1813, <secret>
  • Access Control > RADIUS (Data/CORP SSID) > RADIUS CoA support: Disabled
  • Access Control > RADIUS (Data/CORP SSID) > RADIUS attribute specifying group policy name: Filter-Id
  • Access Control > Client IP and VLAN (Data/CORP SSID) > External DHCP server assigned: Selected/Bridged
  • Access Control > Client IP and VLAN (Data/CORP SSID) > RADIUS override: Override VLAN tag
  • Access Control > Client IP and VLAN (Data/CORP SSID) > VLAN tagging: VLAN ID: Default AP tag, VLAN ID 10
  • Firewall & traffic shaping > Block IPs and ports (Guest SSID) > Layer 2 LAN isolation: Enabled
  • Firewall & traffic shaping > Block IPs and ports (Guest SSID) > Outbound rules (top-down priority):
      • Deny Local LAN Access Rule: Source = Any, Any Source Protocol, Destination = Local LAN, Any Destination Protocol
      • Default Allow All Rule: Source = Any, Any Source Protocol, Destination = Any, Any Destination Protocol
  • Firewall & traffic shaping > Traffic shaping rules (Guest SSID) > Per-client bandwidth limit: 50 Mbps
  • Firewall & traffic shaping > Traffic shaping rules (Guest SSID) > Enable SpeedBurst: Enabled
  • Firewall & traffic shaping > Traffic shaping rules (Guest SSID) > Per-SSID bandwidth limit: 100 Mbps
  • Firewall & traffic shaping > Traffic shaping rules (Guest SSID) > Shape traffic: Shape traffic on this SSID
  • Firewall & traffic shaping > Traffic shaping rules (Guest SSID) > Default Rules: Enable default traffic shaping rules
  • Firewall & traffic shaping > Block IPs and ports (Data/CORP SSID) > Outbound rules (top-down priority):
      1. Allow Local LAN Access Rule: Source = Any, Any Source Protocol, Destination = Local LAN, Any Destination Protocol
      2. Default Allow All Rule: Source = Any, Any Source Protocol, Destination = Any, Any Destination Protocol
  • Firewall & traffic shaping > Traffic shaping rules (Data/CORP SSID) > Per-client bandwidth limit: Unlimited
  • Firewall & traffic shaping > Traffic shaping rules (Data/CORP SSID) > Per-SSID bandwidth limit: Unlimited
  • Firewall & traffic shaping > Traffic shaping rules (Data/CORP SSID) > Shape traffic: Shape traffic on this SSID
  • Firewall & traffic shaping > Traffic shaping rules (Data/CORP SSID) > Default Rules: Enable default traffic shaping rules
  • SSID Availability > SSID availability (all SSIDs) > Visibility: Advertise this SSID publicly
  • SSID Availability > SSID availability (all SSIDs) > Per access point availability: Enabled on all access points
  • Radio Settings > RF profiles (Indoor/Outdoor default) > General/Band selection: All SSIDs
  • Radio Settings > RRM > AI-RRM: Enabled

Under Wireless > Monitor on the Dashboard (listed as Main Menu > Section > Subsection: Values):

  • Access Points > <Select AP> > LAN IP (edit): DHCP, VLAN 511

 

Input variables can be conveniently updated through the workflow's user input window, with assistance from the AI Assistant, or by manually accessing the workflow.

 

Refer to the main KB: Unified Branch
