# Cisco Meraki MX + MS Cloud-Managed Baseline

> Reference baseline for a multi-site Meraki deployment: MX security appliance + MS switch stack + MR wireless. Dashboard configuration captured as a checklist, API-driven provisioning snippets, and the operational settings that make the difference between "working" and "auditable". MIT licensed.

**Target:** a 3–20 site retail / SMB / professional services deployment, centrally managed from one Meraki organisation. Applicable to Co-Term or Meraki Subscription licensing.

---

## 0. Pack contents

| Section | What it covers |
|---|---|
| 1 | Organisation + network structure |
| 2 | Administrator access + security |
| 3 | MX security appliance baseline |
| 4 | MS switch baseline |
| 5 | MR wireless baseline |
| 6 | Content filtering + L7 firewall |
| 7 | Threat protection (IDS/IPS, AMP) |
| 8 | Site-to-site VPN (AutoVPN) |
| 9 | Client VPN (AnyConnect or legacy L2TP) |
| 10 | Logging + API |
| 11 | Backups + DR |
| 12 | API-driven provisioning |
| 13 | Anti-patterns worth flagging |

---

## 1. Organisation + network structure

- **One org per legal entity.** Multi-org for MSPs.
- **Networks per site.** Name convention: `site-location-function` → `LON-HQ-NET`, `MAN-BRANCH-RET`.
- **Templates** (Network > Configuration > Templates) for any deployment with more than 3 similar sites. Parent template + per-site override.
- **Tags** used consistently for reporting, search, and policy: `prod`, `retail`, `corp`, `warehouse`, `store-lg`, `store-sm`.

Dashboard location hierarchy:

```
Organization: ExampleCorp
├── Template: T_RETAIL_STORE
│   └── Networks bound: 12
├── Template: T_OFFICE
│   └── Networks bound: 3
├── Network: HQ
└── Network: DC
```

---

## 2. Administrator access + security

Org > Settings + Org > Administrators:

- **SAML SSO** enabled with your IdP (Okta/Entra/Google) via `SAML login`. Local admins are break-glass only.
- **MFA** required — enforce it on the IdP side, so it applies to every SAML login.
- **Role-based access** — Org Admin only for 2–3 named individuals. Read-only for auditors. Network-level admins for on-site staff.
- **Session timeout** 30 min idle.
- **IP restriction for dashboard access** — optional but strong: restrict to corporate egress + VPN ranges.
- **Audit log retention** — confirm 1 year minimum (Enterprise license).
- **API keys** — per-human, rotated every 90 days. No shared service API keys.

Local org-admin password policy:
- Min 16 chars
- Complexity on
- Rotation 90 days
- 4 password history

---

## 3. MX security appliance baseline

### 3.1 Mode

- **Routed mode** for standalone sites.
- **Concentrator mode** for VPN hubs.
- **Warm-spare (HA)** for HQ / critical sites — two MXs with VRRP VIP.

### 3.2 Addressing + VLANs

Define VLANs centrally:

| VLAN | Name | Purpose |
|---|---|---|
| 10 | CORP | Staff workstations |
| 20 | VOICE | IP phones (QoS priority) |
| 30 | SERVER | On-site servers / NAS |
| 40 | PRINTER | MFPs, POS printers |
| 50 | IOT | Cameras, sensors, doors |
| 60 | GUEST | Guest Wi-Fi only |
| 70 | MGMT | Network device management |

MX uplink:
- Two WAN uplinks (primary + secondary). Load-balance or failover.
- Cellular uplink on any site where a 15-minute outage is material.
- SD-WAN flow preferences configured (see Section 8).

### 3.3 MX firewall rules (L3)

Default **Deny all** inbound on WAN. Per-VLAN policy under Security Appliance > Firewall:

- `CORP → IOT`: deny
- `CORP → PRINTER`: allow tcp/udp 9100, 443, 631; deny rest
- `CORP → SERVER`: allow per-app
- `CORP → Internet`: allow 80/443/53 (with DNS filtering applied to 53), deny rest
- `IOT → Internet`: allow only destinations on an allow-list of FQDNs (MX L3 rules accept FQDNs as destinations)
- `GUEST → everywhere internal`: deny
- `GUEST → Internet`: allow 80/443 + DNS only
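The per-VLAN policy above, written as the rule list the Dashboard API takes on `PUT /networks/{networkId}/appliance/firewall/l3FirewallRules`, with a small evaluator that resolves sample flows the way the MX does (top-down, first match wins, implicit final allow). This is an added example, not part of the pack: the `10.10.<vlan>.0/24` subnets and the single "per-app" CORP→SERVER port are constructed, and the IOT FQDN allow-list is not modelled, so IOT traffic falls through to the default.

```python
"""Section 3.3 as an MX L3 rule set plus a first-match evaluator. Added example;
subnets 10.10.<vlan>.0/24 and the CORP->SERVER port (445) are assumptions."""
import ipaddress
import json

SUBNET = {v: f"10.10.{v}.0/24" for v in (10, 30, 40, 50, 60)}
CORP, SERVER, PRINTER, IOT, GUEST = (SUBNET[v] for v in (10, 30, 40, 50, 60))
INTERNAL = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"  # RFC 1918 = "everywhere internal"

def rule(comment, policy, src, dst, proto="any", dport="Any"):
    return {"comment": comment, "policy": policy, "protocol": proto,
            "srcCidr": src, "srcPort": "Any", "destCidr": dst,
            "destPort": dport, "syslogEnabled": policy == "deny"}

def build_rules():
    # Order matters: the MX's implicit last rule is allow, so every "deny rest"
    # is explicit, and internal denies sit ABOVE the "to Any" Internet allows.
    return [
        rule("CORP->IOT", "deny", CORP, IOT),
        rule("CORP->PRINTER print/ipp tcp", "allow", CORP, PRINTER, "tcp", "9100,443,631"),
        rule("CORP->PRINTER print/ipp udp", "allow", CORP, PRINTER, "udp", "9100,443,631"),
        rule("CORP->SERVER per-app (assumed SMB)", "allow", CORP, SERVER, "tcp", "445"),
        rule("CORP->internal rest", "deny", CORP, INTERNAL),
        rule("CORP->Internet web/dns", "allow", CORP, "Any", "tcp", "80,443,53"),
        rule("CORP->Internet dns udp", "allow", CORP, "Any", "udp", "53"),
        rule("CORP rest", "deny", CORP, "Any"),
        rule("GUEST->internal", "deny", GUEST, INTERNAL),
        rule("GUEST->Internet web", "allow", GUEST, "Any", "tcp", "80,443"),
        rule("GUEST->Internet dns", "allow", GUEST, "Any", "udp", "53"),
        rule("GUEST rest", "deny", GUEST, "Any"),
    ]

def api_body():
    """JSON body for the PUT; syslogDefaultRule logs hits on the implicit rule."""
    return json.dumps({"rules": build_rules(), "syslogDefaultRule": True})

def _cidr_match(spec, ip):
    return spec == "Any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(c)
                                for c in spec.split(","))

def _port_match(spec, port):
    return spec == "Any" or str(port) in spec.split(",")

def evaluate(rules, src_ip, dst_ip, proto, dport):
    """(policy, comment) of the first matching rule, or the MX default allow."""
    for r in rules:
        if (r["protocol"] in ("any", proto) and _cidr_match(r["srcCidr"], src_ip)
                and _cidr_match(r["destCidr"], dst_ip) and _port_match(r["destPort"], dport)):
            return r["policy"], r["comment"]
    return "allow", "implicit default allow"
```

Run `evaluate(build_rules(), "10.10.10.5", "10.10.30.2", "tcp", 443)` to see why the internal deny must precede the Internet allow: with the order reversed, the `to Any` allow would silently open CORP→SERVER on 443.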

### 3.4 L7 firewall + content filtering

Under Security Appliance > Content Filtering + Threat Protection:

- **URL category block:** malware, phishing, adult, gambling, C&C, cryptocurrency.
- **AMP** enabled (Advanced Malware Protection).
- **Intrusion detection + prevention:** mode = `Prevention`; ruleset = `Security` for most sites, `Connectivity` for sites with known throughput concerns (Meraki's rulesets are `Connectivity`, `Balanced`, `Security`, in increasing order of coverage).
- **Threat Grid integration** if licensed.

### 3.5 Uplink preferences (SD-WAN)

Under Security Appliance > SD-WAN & traffic shaping:

- **Flow preferences** for VoIP: primary = MPLS, fallback = 4G (never internet).
- **Performance classes**: latency < 100ms for VoIP, packet loss < 1%.
- **Traffic shaping** — define per-VLAN bandwidth limits where needed.
- **Per-client bandwidth limit** on GUEST: 2 Mbps up/down.

---

## 4. MS switch baseline

### 4.1 Switch settings (per network)

- **STP mode:** RSTP (default).
- **Root bridge:** set priority on designated core/distribution.
- **DHCP server options:** enable only if MS is the authoritative DHCP source (usually not).
- **IGMP snooping:** on.
- **Storm control:** broadcast + multicast thresholds set.

### 4.2 Port policy

Port types with templates:

| Type | Access | Voice VLAN | Security |
|---|---|---|---|
| `USER` | VLAN 10 CORP | VLAN 20 VOICE | 802.1X optional, BPDU guard on, MAC-based ACL |
| `PRINTER` | VLAN 40 PRINTER | none | Port security: sticky MAC, max 1 |
| `IOT` | VLAN 50 IOT | none | Port security: sticky MAC, max 1, violation = shutdown |
| `AP` | Trunk, native VLAN 70 | none | Allowed VLANs 10, 20, 60 |
| `UPLINK` | Trunk, native 70 | none | LACP where applicable |
| `DISABLED` | no VLAN | disabled | Ports not in use |

Apply by tagging each port in the Dashboard (port > tag) with its type so it picks up the port profile from the config template.

### 4.3 Port security hardening

- **Sticky MAC** on access ports.
- **Port violation = shutdown** for IOT; `restrict` for USER.
- **BPDU Guard** on all access ports.
- **Storm control** on access ports.
- **DHCP Snooping** enabled at network level with trusted uplinks marked.
- **ARP Inspection** enabled.

### 4.4 Management

- **Out-of-band management** — separate MGMT VLAN, dashboard reachable only via MGMT or over AutoVPN.
- **Local service accounts disabled** — SSH disabled on switches (Meraki defaults fine).
- **Uplink LLDP** — enabled for neighbour discovery.

---

## 5. MR wireless baseline

### 5.1 SSIDs

| SSID | VLAN | Auth | Band | Min rate |
|---|---|---|---|---|
| `Corp-WPA3` | 10 | WPA3-Enterprise + Meraki Authentication / SAML | 5 + 6 GHz | 12 Mbps |
| `Corp-WPA2` | 10 | WPA2-Enterprise fallback | 2.4 + 5 GHz | 12 Mbps |
| `Guest` | 60 | Splash page, short PSK rotated weekly | 2.4 + 5 GHz | 6 Mbps |
| `IOT` | 50 | WPA2-PSK with unique per-site key | 2.4 GHz | 6 Mbps |

Disable `Corp-WPA2` once all endpoints are WPA3-capable.

### 5.2 Wireless settings

- **Band steering:** on for dual-band clients.
- **Minimum bitrate:** set per radio to disable 802.11b/g low rates.
- **Client isolation:** on for `Guest` and `IOT` SSIDs.
- **Fast roaming:** 802.11r on for `Corp-*`.
- **Air Marshal:** enable rogue AP containment (check legal position first).
- **Application visibility:** on.
- **PCI mode:** on for sites in PCI scope.

### 5.3 RF profiles

- **Dense** profile for offices with > 30 clients per AP.
- **Warehouse** profile for open space with fewer APs, higher TX power.
- **Retail** profile for POS coverage, with 2.4 GHz disabled for the corp SSID.

---

## 6. Content filtering + L7

Central content filter profile applied by template:

- Blocked categories: malware, phishing, adult, gambling, drugs, weapons.
- Allowed-list override for specific FQDNs per site.
- Safe search enforced for Google, Bing, YouTube on `CORP` and `GUEST` networks.
- Block file types: `.exe`, `.scr`, `.bat`, `.ps1`, `.vbs`, `.iso` on download.

L7 firewall:
- Block known P2P, anonymiser, game consoles (on corp networks).
- Block non-approved messaging apps on GUEST (if policy).

---

## 7. Threat protection

Threat Grid / AMP:

- Scan every HTTP/HTTPS file download (if HTTPS inspection is on) or perform file-hash reputation lookups (if it is not).
- Sandbox detonate unknown files.
- Auto-block files marked malicious by retrospective analysis.

IDS/IPS:
- **Mode:** Prevention on MX for CORP/IOT VLANs; Detection-only on GUEST if false-positive-sensitive.
- **Ruleset:** Security for most; Balanced for bandwidth-sensitive sites.
- **Custom signatures:** via Threat Grid integration or Community feeds.

---

## 8. AutoVPN (site-to-site)

- **Topology:** hub-and-spoke with 2 hubs (primary + DR).
- **Subnet advertisement:** each site advertises CORP + SERVER VLANs; NOT IOT or GUEST.
- **Split tunnel:** yes. Internet traffic out local break-out; application + internal traffic via AutoVPN.
- **Full tunnel:** only where required by compliance. Set per-VLAN `Send all Internet traffic to concentrator`.
- **AutoVPN routing:** Meraki handles IKEv2 + IPsec automatically. Check under `Security & SD-WAN > Site-to-site VPN`.

### 8.1 Non-Meraki VPN peers

Where you need to connect to AWS / Azure / on-prem non-Meraki:

- Use **Non-Meraki VPN peers** section; IKEv2 preferred.
- Secret rotated every 90 days.
- Monitor tunnel state via dashboard alerts.

---

## 9. Client VPN

Two options:

**AnyConnect VPN (preferred)** — requires AnyConnect licence add-on. SAML SSO, certificate auth, posture checks.

**Legacy Client VPN** — acceptable only for interim / small deployments. L2TP/IPsec with RADIUS for auth.

Restrictions:
- Split tunnel: yes, with DNS for internal domain sent to internal resolver.
- Per-user access controls via RADIUS groups.
- Session idle timeout: 30 minutes.

---

## 10. Logging + API

### 10.1 Syslog

Under Network > Monitor > Settings, enable syslog:

- Events: Flows, URLs, Security events, Appliance events, Switch events.
- Destination: SIEM receiver.
- Use UDP 514 or TCP 1514 per your SIEM collector.

Confirm all 4 Meraki syslog category boxes are ticked; the URLs category is often left unticked by default.

### 10.2 API

- Read-only API key for monitoring/automation.
- Per-human API keys for humans.
- Webhook alerts to PagerDuty / Opsgenie for:
  - Device offline > 5 min
  - Uplink failover
  - Security event (threat detection, rogue AP, port security violation)

### 10.3 Key monitoring dashboards

- Clients by SSID
- Uplink performance (latency, loss, jitter)
- Security center: top threats, top IDS signatures
- Health score per site

---

## 11. Backups + DR

Meraki stores the configuration in the cloud; your DR job is:

- **Configuration export** — nightly via API (`/organizations/{orgId}/configTemplates` + per-network endpoints) to encrypted object storage. 90-day retention.
- **Device inventory export** — weekly CSV.
- **License snapshot** — monthly CSV.
- **Dashboard screenshots** for critical templates — quarterly.

If the dashboard is unreachable, the pre-configured fallback WANs + the local device firewall defaults keep sites reachable for up to 48 hours (MX behaviour when it loses dashboard connectivity).
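The nightly configuration export described above, as an added example that is not part of the pack: it snapshots the org's templates (`/organizations/{orgId}/configTemplates`) plus the per-network endpoints holding the settings Sections 3, 6, 7 and 10 configure, so diffing two nights' output shows template drift. The HTTP transport is injectable so the logic runs offline; `fake_transport` and its responses are constructed, and the back-off on HTTP 429 is there because the Dashboard API rate-limits per org and a fleet-wide export will hit it.

```python
"""Nightly Meraki config export with 429 back-off. Added example, not part of
the pack; fake_transport's responses are constructed for offline use."""
import json
import time
import urllib.error
import urllib.request

BASE = "https://api.meraki.com/api/v1"
NETWORK_ENDPOINTS = [  # per-network settings the baseline configures
    "appliance/vlans", "appliance/firewall/l3FirewallRules",
    "appliance/firewall/l7FirewallRules", "appliance/contentFiltering",
    "appliance/security/intrusion", "appliance/security/malware", "syslogServers"]

def http_get(path, key):
    """Live transport: (status, body, headers) for GET BASE+path."""
    req = urllib.request.Request(BASE + path, headers={"X-Cisco-Meraki-API-Key": key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode(), dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(), dict(err.headers)

def get_json(path, key, transport=http_get, max_tries=5):
    """Honour 429 Retry-After; record other failures instead of aborting, since
    e.g. switch-only networks legitimately reject appliance endpoints."""
    for _ in range(max_tries):
        status, body, headers = transport(path, key)
        if status != 429:
            return json.loads(body) if status == 200 else {"_error": status}
        time.sleep(float(headers.get("Retry-After", "1")))
    return {"_error": 429}

def snapshot_org(org_id, key, transport=http_get):
    """Return {"_configTemplates": [...], "<network name>": {endpoint: data}}."""
    snap = {"_configTemplates": get_json(f"/organizations/{org_id}/configTemplates", key, transport)}
    for net in get_json(f"/organizations/{org_id}/networks", key, transport):
        snap[net["name"]] = {ep: get_json(f"/networks/{net['id']}/{ep}", key, transport)
                             for ep in NETWORK_ENDPOINTS}
    return snap

_LOG = []  # paths requested by fake_transport, so the 429 retry is observable
def fake_transport(path, key):
    """Constructed stand-in for the live API: one network, first call throttled."""
    _LOG.append(path)
    if path.endswith("/networks") and _LOG.count(path) == 1:
        return 429, "", {"Retry-After": "0"}
    if path.endswith("/networks"):
        return 200, json.dumps([{"id": "N_1", "name": "LON-HQ-NET"}]), {}
    if path.endswith("/appliance/vlans"):
        return 200, json.dumps([{"id": 10, "name": "CORP", "subnet": "10.10.10.0/24"}]), {}
    if path.endswith("/appliance/security/malware"):
        return 400, "", {}  # e.g. not applicable on this network
    return 200, "[]", {}
```

Write `json.dumps(snapshot_org(org, key), indent=2, sort_keys=True)` to your encrypted object store each night; sorted keys make the day-over-day diff readable.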

---

## 12. API-driven provisioning (reference snippets)

```bash
# Required inputs: load these from your secret manager, never hard-code them
ORG="YOUR_ORG_ID"
KEY="YOUR_API_KEY"
NETWORK_ID="YOUR_NETWORK_ID"
BASE="https://api.meraki.com/api/v1"
AUTH="X-Cisco-Meraki-API-Key: $KEY"

# List networks in the org (-f makes HTTP errors fail the command instead of feeding jq an error body)
curl -sfH "$AUTH" \
  "$BASE/organizations/$ORG/networks" | jq '.[].name'

# Bind a network to a template (L_REPLACE = the template's configTemplateId)
curl -sfH "$AUTH" -H "Content-Type: application/json" \
  -X POST "$BASE/networks/$NETWORK_ID/bind" \
  -d '{"configTemplateId":"L_REPLACE","autoBind":true}'

# Update VLAN 10 on the network's MX
curl -sfH "$AUTH" -H "Content-Type: application/json" \
  -X PUT "$BASE/networks/$NETWORK_ID/appliance/vlans/10" \
  -d '{"name":"CORP","subnet":"10.10.10.0/24","applianceIp":"10.10.10.1"}'

# Pull the syslog servers configured on the network
curl -sfH "$AUTH" \
  "$BASE/networks/$NETWORK_ID/syslogServers"
```

Keep these snippets in a sibling script, and store the org ID and API key in a secret manager, never in the script itself.

---

## 13. Anti-patterns worth flagging

- **Local admins with dashboard access** — SAML + IdP MFA is the way.
- **Guest Wi-Fi with PSK that never rotates** — weekly rotation, posted in the office only.
- **Corp and IOT on the same VLAN** — segment or it will bite you.
- **Default VLAN 1 still in use** — rename + renumber.
- **Same API key in every site's automation scripts** — per-human keys, not shared service keys.
- **Alerts only to one person's email** — PagerDuty / Opsgenie / shared email at minimum.
- **Template drift untracked** — reconcile override list quarterly.

---

## Attribution

Built by **Hak** at **VantagePoint Networks**. Based on real multi-site Meraki deployments in retail + professional services. MIT licensed — fork, customise, ship.
