Configuration templates allow many Cisco Meraki devices to be deployed following a single base configuration. This makes it much easier to roll out new sites/users and maintain consistency across each site's configuration. Templates are most useful where a large number of sites share a common network design, such as a retail deployment with many stores, or a large number of home users with Z1s connecting to a corporate network over VPN. Keep in mind, though, that sites bound to a template cannot have exceptions to the configuration; devices that need to be treated differently, even slightly, should not be bound to a template.
To begin, a configuration template must be created. This template will then be used as the base for all of the networks that are bound to it.
To create the configuration template:
Once a network has been created, any changes desired for all of the bound networks must be made to the template. To edit the template's configuration, select it from the Network dropdown under "Select a template", and make any desired changes. The tabs on the left-hand side of the page can be used to navigate configuration options as normal. Some settings may exist which aren't relevant for all devices in bound networks, such as Wireless settings on a bound MX100, or extra port configurations. Extraneous settings will be ignored on devices not able to use them.
MR access points can be managed and deployed in bulk using network templates. It may be helpful to group networks into common deployment types, such as retail locations or branch offices, so APs deployed at different locations all use the same SSIDs and authentication methods. This way, a user at one location can seamlessly join wireless networks at another location without needing to provide a different PSK or credentials.
While Configure > Addressing & VLANs > VLANs is set to "Disabled", all bound security appliances will use the same subnet. This allows for a high level of consistency across all sites, but it inherently disallows the use of Site-to-site VPN, as each site would result in a duplicate route.
To allow for the use of Site-to-site VPN, set the VLANs field to Enabled. This will then provide several new configuration options specific to templates:
When using Unique Subnetting, the appliance IP will always be the first usable IP address within the range automatically allocated. The subnet will be randomly selected based on the address space and subnet mask, but will not use any subnets that have previously been used in the organization.
When selecting a subnet allocation, it's important to keep in mind how many unique networks can be created with that selection. A template cannot have more networks bound to it than the number of unique allocations available. To calculate the number of unique subnets, take the number after the "/" in the second box and subtract it from the number after the "/" in the first box. Then raise 2 to the power of the result.
Ex. /24 from 192.168.0.0/16 would allow for 256 unique subnets.
Ex. /23 from 10.0.0.0/8 would allow for 32,768 unique subnets.
If a network is unbound from a template, its subnet is made available for use by other future networks.
Note: When selecting Unique subnets, ensure that the address space being provided for use by the template is not currently in use by other networks. Otherwise, networks utilizing the template may overlap with other individually configured networks.
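The capacity calculation and the overlap check from the note above can be scripted before a template is put into use. The following is an added example, not Meraki tooling; the function names and the IN_USE list of existing subnets are constructed for illustration.

```python
import ipaddress

def template_capacity(address_space, subnet_prefix):
    """Unique subnets = 2 ** (subnet prefix - address space prefix)."""
    pool = ipaddress.ip_network(address_space)
    if not pool.prefixlen <= subnet_prefix <= pool.max_prefixlen:
        raise ValueError("subnet prefix must fit inside the address space")
    return 2 ** (subnet_prefix - pool.prefixlen)

def appliance_ip(subnet):
    """First usable address of an allocated subnet, used as the appliance IP."""
    return str(ipaddress.ip_network(subnet).network_address + 1)

def audit_address_space(address_space, subnet_prefix, planned_sites, in_use):
    """Check capacity and find existing subnets that overlap the template pool."""
    pool = ipaddress.ip_network(address_space)
    capacity = template_capacity(address_space, subnet_prefix)
    conflicts = [s for s in in_use if ipaddress.ip_network(s).overlaps(pool)]
    return {
        "capacity": capacity,
        "fits": planned_sites <= capacity,
        "conflicts": conflicts,
    }

# Constructed sample: subnets already assigned to individually configured networks.
IN_USE = ["192.168.10.0/24", "10.20.0.0/16", "172.16.5.0/24"]

if __name__ == "__main__":
    print(template_capacity("192.168.0.0/16", 24))   # the page's first example
    print(template_capacity("10.0.0.0/8", 23))       # the page's second example
    print(audit_address_space("192.168.0.0/16", 24, 300, IN_USE))
```

Any entry returned under "conflicts" is an existing network that a randomly allocated template subnet could collide with, so the template address space should be moved or the existing network renumbered first.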
You have additional source and destination options when configuring layer 3 firewall rules for a configuration template. Because the subnet for a given VLAN may be different in each template child network, VLAN objects allow you to create firewall rules using the VLAN names as source and destination network objects, rather than actual IPs or CIDR subnets. These VLAN objects are automatically translated by each child network into the local subnet associated with that VLAN.
If you wish to use only a certain IP within a VLAN in a firewall rule, you can add a host bit. For instance, let us imagine that you have a firewall rule containing the source Data.50 representing the Data VLAN, host bit 50. If a child network has subnet 192.168.100.0/24 for the Data VLAN, this source will be interpreted in this network as 192.168.100.50.
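To review what a template firewall rule becomes at each site, the translation described above can be modelled offline. This is an added example, not Meraki's implementation; the child networks, the rule dictionary shape and the function names are constructed, and the host value is assumed to be an offset from the subnet's network address, which matches the /24 case in the text.

```python
import ipaddress

# Constructed sample: per-VLAN subnets allocated to two child networks.
CHILDREN = {
    "Store-001": {"Data": "192.168.100.0/24", "Voice": "10.50.0.0/24"},
    "Store-002": {"Data": "192.168.7.0/24", "Voice": "10.50.1.0/24"},
}

def resolve_vlan_object(obj, vlans):
    """'Data' -> that child's Data subnet; 'Data.50' -> host 50 in that subnet."""
    name, sep, host = obj.rpartition(".")
    if not (sep and host.isdigit()):
        name, host = obj, None
    if name not in vlans:
        raise KeyError(f"VLAN {name!r} is not defined in this child network")
    net = ipaddress.ip_network(vlans[name])
    if host is None:
        return str(net)
    offset = int(host)
    # Reject the network address, the broadcast address and anything beyond the subnet.
    if not 0 < offset < net.num_addresses - 1:
        raise ValueError(f"host value {offset} does not fit in {net}")
    return str(net.network_address + offset)

def expand_rule(rule, children):
    """Concrete source/destination each child network would use for one template rule."""
    expanded = {}
    for child, vlans in children.items():
        expanded[child] = {
            side: rule[side] if rule[side] == "Any" else resolve_vlan_object(rule[side], vlans)
            for side in ("src", "dst")
        }
    return expanded

if __name__ == "__main__":
    rule = {"policy": "deny", "src": "Data.50", "dst": "Voice"}  # hypothetical rule shape
    for child, addrs in expand_rule(rule, CHILDREN).items():
        print(child, rule["policy"], addrs["src"], "->", addrs["dst"])
```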
Mousing over the VLAN dropdown when entering a Source or Destination will display a hover list of available VLANs and their addressing.
DHCP reservations can be configured in much the same way. The VLAN name for each DHCP scope will be auto-populated, and only the host bits of the reserved range need to be set.
MS Switch templates consist of two components: Template networks and switch profiles. Whereas a template network is a standard template as defined above, a switch profile is a port configuration that can be shared by multiple switches of the same model.
For more information about MS templates and profiles, please refer to our Switch Templates Deployment Guide.
Once a template has been created, networks that are bound to it will utilize its configuration as a base. Any changes made to the template will then be pushed out to all bound networks.
To bind an existing network to a template:
Note: When binding an existing network to a template, its current configuration will be lost and it will begin using the template configuration.
To bind a new network to a template:
Once bound to a template, individual networks will lose most of their Configure menu, and any changes impacting the network's configuration should be made from the template.
Once a template has been created, the bulk network tool can be used to create multiple networks bound to the same template (or based on an existing network configuration).
If a network needs to stop following the shared configuration, so that it can be configured independently, it must be unbound from the template.
Note: When a network is unbound from a template, all devices within the network will revert to the configuration last used prior to any template binding, regardless of current network.
To unbind a network from a template:
Note: When a network is unbound from a template, it will retain some settings (such as addressing and VLANs) but most settings will revert to their state before binding, if there were any.
Once a network has been bound to a template, the network's status can still be monitored by selecting the network from the Network dropdown and then browsing to the desired option under Monitor. Local settings for the device can be viewed under Configure > Local settings. These local settings are limited to the name of the network, the option to unlink it from the template, and a table of the IP addressing assigned to that network (if VLANs are configured). Once a network has been bound to a template, the intention is for all future changes to be made to the template.
If a template must be deleted, this can be done using the instructions below. When a template is deleted, all networks bound to it will be automatically unbound.