Deploying distinct networks with templates.

SOLVED
Cyber_Owl
Here to help

Hello guys,

 

Hope you guys are well!

 

At this very moment I am working on a considerable deployment of Meraki security and wireless appliances.

 

The organization I work for has a project where our client has 700 branches to be deployed with Meraki Auto VPN. The topology is hub-and-spoke, in which each branch has its own subnets and firewall rules.

 

There are 2 MX-250s working as the hub in our data center, and 700 MX-64s and MR-33s for the branches. The plan is to use templates for the networks; however, I noticed that for the templates to work well, the networks need to be exactly the same, as well as the configuration on each.

 

In this case, each branch has its own subnets and firewall rules. I was wondering if there is any way we could change just a few fields in the template without overwriting the configuration of the branches when the template is applied.

 

Also, whether there is a faster way to deploy so many networks, because this client can't afford to manage the branches one by one.

 

Thank you guys in advance!

 

Regards,

7 REPLIES
jdsilva
Kind of a big deal

Hey @Cyber_Owl,

 

So you can override a number of template settings in the network itself, but not everything. Things like port forwards can be overridden so each MX can have unique rules there, but the L3 FW rules themselves cannot. 

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

 

There are a few sections in there that explain this.

 

For your addressing, there is a neat auto allocation feature you can use with templates. It has some limitations in that it picks for you, but if it fits your use case it can make standing these sites up a lot easier.

 

https://documentation.meraki.com/zGeneral_Administration/Templates_and_Config_Sync/Managing_Multiple...

Hi @jdsilva 

 

Thank you for your help.

In this scenario the branches are already in production, so we need to keep the same addressing.

 

I talked to the Meraki support team and they suggested that I work with the API, but to be honest I don't know where I should start.

 

Regards,

jdsilva
Kind of a big deal

That's a good suggestion to be honest. You could craft a script that could set up all your sites for you in far less time than it would take for you to click through everything. But if you're not comfortable with something like Python already then that would have a steep learning curve for you to go that route.

>In this scenario the branches are already in production, so we need to keep the same addressing.

 

When you bind a network to a template it will overwrite the addressing, but then you can change it straight back to what it was (as long as the template is set to use "unique" addressing and all the stores are in the same supernet).

Hi @PhilipDAth,

 

I tested this option and it seems to work well; I guess that's the best option.

The only issue now is the firewall rules; my team and I are thinking about how we are going to deal with that.

 

Thank you for your help!

 

Regards,

>The only issue now is the firewall rules

 

Sometimes firewall rules exist because of just a single machine. You can address these using group policy. Put the firewall rules into that, and apply that to the machines that need it.

 

If you have a lot of firewall rules, this makes things much more readable as well.
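The thread settles on three steps per branch: script it against the Dashboard API instead of clicking through 700 sites, bind the existing network to the template and immediately write the production subnet back (which only works when that subnet sits inside the template's "unique" addressing supernet), and carry the branch-specific L3 rules in a group policy because the template's L3 firewall rules cannot be overridden per network. The script below is an added example written for this page, not code from the thread, from Cisco Meraki or from any of the posters. It follows the Dashboard API v1 endpoint paths (`/networks/{id}/bind`, `/networks/{id}/appliance/vlans/{vlanId}`, `/networks/{id}/groupPolicies`) and request bodies as publicly documented, which you should confirm against the current API reference before running it; the organization, template and network IDs, the supernet and the branch data are made-up placeholders, and the session object records calls instead of sending them so the example runs offline.

```python
import ipaddress

API_BASE = "https://api.meraki.com/api/v1"

# Constructed sample data (not from the thread): one already-deployed branch whose
# addressing must survive binding. All IDs and subnets are hypothetical.
TEMPLATE_ID = "L_000000000000000001"   # assumed config template ID
TEMPLATE_SUPERNET = "10.0.0.0/8"        # assumed "unique" addressing pool of the template
BRANCH = {
    "network_id": "N_000000000000000042",
    "name": "Branch 0042",
    "vlan_id": 1,
    "subnet": "10.42.0.0/24",
    "appliance_ip": "10.42.0.1",
    # Branch-specific L3 rules that the template cannot hold per network.
    "l3_rules": [
        {"comment": "POS terminal to payment gateway", "policy": "allow",
         "protocol": "tcp", "destPort": "443", "destCidr": "198.51.100.10/32"},
        {"comment": "block everything else from POS", "policy": "deny",
         "protocol": "any", "destPort": "any", "destCidr": "any"},
    ],
}


class RecordingSession:
    """Stand-in for requests.Session: records each call instead of sending it.
    For a real run, use requests.Session() with the X-Cisco-Meraki-API-Key header
    and return resp.json() from request()."""

    def __init__(self):
        self.calls = []

    def request(self, method, url, json=None):
        self.calls.append({"method": method, "url": url, "json": json})
        return {}


def check_addressing(branch, supernet):
    """Guard for the caveat raised above: the original subnet can only be restored
    if it lies inside the template's unique-addressing supernet. Also confirm the
    MX LAN IP actually falls inside that subnet before any call is made."""
    net = ipaddress.ip_network(branch["subnet"])
    pool = ipaddress.ip_network(supernet)
    if not net.subnet_of(pool):
        raise ValueError(f"{branch['name']}: {net} is outside template supernet {pool}")
    if ipaddress.ip_address(branch["appliance_ip"]) not in net:
        raise ValueError(f"{branch['name']}: appliance IP not inside {net}")
    return True


def bind_to_template(session, network_id, template_id):
    # POST /networks/{networkId}/bind: this is the step that overwrites the VLAN addressing.
    return session.request("POST", f"{API_BASE}/networks/{network_id}/bind",
                           json={"configTemplateId": template_id, "autoBind": False})


def restore_vlan(session, network_id, vlan_id, subnet, appliance_ip):
    # PUT /networks/{networkId}/appliance/vlans/{vlanId}: write the production addressing back.
    return session.request("PUT", f"{API_BASE}/networks/{network_id}/appliance/vlans/{vlan_id}",
                           json={"subnet": subnet, "applianceIp": appliance_ip})


def create_rules_policy(session, network_id, name, l3_rules):
    # POST /networks/{networkId}/groupPolicies: carry the per-branch L3 rules in a group
    # policy, since the L3 firewall rules themselves cannot be overridden on a bound network.
    body = {
        "name": name,
        "firewallAndTrafficShaping": {"settings": "custom", "l3FirewallRules": l3_rules},
    }
    return session.request("POST", f"{API_BASE}/networks/{network_id}/groupPolicies", json=body)


def onboard_branch(session, branch, template_id, supernet):
    """Run the three steps in the order that keeps production addressing intact
    and return the list of API calls made."""
    check_addressing(branch, supernet)  # fail before touching the network
    nid = branch["network_id"]
    bind_to_template(session, nid, template_id)
    restore_vlan(session, nid, branch["vlan_id"], branch["subnet"], branch["appliance_ip"])
    create_rules_policy(session, nid, f"{branch['name']} rules", branch["l3_rules"])
    return session.calls


if __name__ == "__main__":
    s = RecordingSession()
    for call in onboard_branch(s, BRANCH, TEMPLATE_ID, TEMPLATE_SUPERNET):
        print(call["method"], call["url"])
```

Loop `onboard_branch` over a CSV of the 700 sites and run it first against a handful of networks, since the bind step briefly replaces the live subnet before the restore call lands. The group policy still has to be assigned to the specific clients that need the rules (as the reply above says), which is a separate per-client policy call in the API and a manual step in Dashboard; that assignment is not shown here.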

@PhilipDAth,

 

You are right, the group policies may solve my problem with specific firewall rules.

Thank you for the help, guys. When the project is finished, I'll give you feedback.

 

Regards,
