
In our previous blog, “Streamline Operations with Cisco Meraki and Red Hat Ansible Automation,” we introduced the powerful integration between Cisco Meraki’s cloud-managed networking and Red Hat Ansible Automation Platform for enhancing IT operations via automation at scale. Now that Ansible Automation Platform is available from Cisco, we’re diving deeper to explore how this combination delivers tangible benefits for common Meraki use cases.

Cisco Meraki offers a robust cloud-managed solution for centralized management of campus and branch network infrastructure.

For businesses with numerous branch locations, managing IT manually can be a recipe for human error and inefficiency: inconsistencies, usually intentional, create drift and add complexity to network operations. This is where automation becomes the only way to drive consistency and enhance operational governance.

Red Hat Ansible Automation Platform serves as a strong foundation for building and operating automation services at scale, providing all the necessary tools for end-to-end automation workflows across network infrastructure and edge devices, including audit capabilities and a centralized way to manage and document automation content. The Certified and Validated Ansible content collections for Cisco Meraki help users start automating and rapidly replace, provision and maintain new network gear as old gear nears its last day of service (LDOS). This includes use cases such as branch provisioning, configuration management, health checks, and operational activities, all performed in a consistent way.

By automating these deployment and management use cases, users can see an increase in agility, consistency, and scalability, together with improved visibility and control across their Cisco Meraki organizations and networks.

The Power of Cisco Meraki and Automation at Scale

The Cisco Meraki Dashboard is a powerful solution for managing all of your Meraki devices. It’s excellent for day-to-day management and provides powerful templating capabilities for consistency.

However, when you combine the Cisco Meraki dashboard with the power of Red Hat Ansible Automation Platform you are able to take things a step further by driving consistency and managing the lifecycle of your network infrastructure at scale.

Consider these questions:

  • How quickly could you provision and ensure consistent configurations for 10, 100, or even 1000 new sites if these tasks were fully automated?
  • How long does it typically take to detect and correct drift across your sites, and what are the potential business impacts (security, downtime, compliance) during that period?
  • How much manual effort is involved in generating comprehensive compliance reports to ensure all sites consistently meet internal security policies (e.g., specific firewall rules, firmware versions, wireless settings) or external regulatory requirements?

Key Advantages of Cisco Meraki and Red Hat Ansible Automation Platform

By combining Cisco Meraki with Ansible Automation Platform, your organization will achieve:

  • Rapid Deployment: Efficiently provision, configure, and scale branches and remote edge devices, quickly responding to changing network conditions.
  • Proactive Compliance: Proactively detect and enforce desired configurations, staying ahead of potential issues.
  • Operational Stability: Reduce human error and maintain a consistent, reliable network state.
  • Enhanced Security: Automate critical and recurrent security tasks like PSK rotation and configuration drift remediation across locations.
  • Increased Agility: Respond rapidly to evolving business and market demands.
  • Boosted Scalability: Automate edge connectivity at scale, adapting workflows to changing network requirements.

Automating Popular Meraki Use Cases with Red Hat Ansible Automation Platform

Let’s dive into some of the most popular use cases that become streamlined and robust when combining Cisco Meraki with Red Hat Ansible Automation Platform.

1. Branch Provisioning: Fast, Consistent, and Reliable

Problem: Deploying new sites (retail stores, remote offices) is challenging: it traditionally involves manual configuration per location, potentially leading to errors, inconsistencies, and security vulnerabilities. Each site requires consistent configurations for firewalls, switches, and Wi-Fi access points, among other devices, that align with company security policies and best practices.

Solution: Ansible Automation Platform allows you to create reusable Ansible Playbooks that define the desired state of your network. These playbooks interact with the Cisco Meraki Dashboard Controller API to perform configurations across all your devices. You can define a “golden configuration” for a typical branch and apply it consistently across all new sites, significantly speeding up site expansion, and you can extend the logic using automation workflows to add even more intelligence into your provisioning workflows.

Ansible Automation Platform also allows you to securely share your reusable Ansible Playbooks with other teams, enforce Role Based Access Control to define who can run each Playbook against which inventory/sites, and document what was changed or not changed as a result of each Playbook run. Use Ansible Automation Platform to create a Workflow automating the key steps:

  • Create networks and claim devices: Automatically provision networks and bring new devices per network into your Meraki dashboard.
  • Configure gateway (firewall) and WAN settings: Set up the base appliance configuration, including WAN setup, policies, IP addressing, and ports.
  • Configure switches: Apply STP, MTU values, storm control, energy savings scheduling, and port settings.
  • Configure access points and wireless networks: Manage Wi-Fi SSIDs with security settings and optimize AP radio settings.
  • Automate documentation and reporting: Generate inventory reports, and update enterprise systems, including Sources of Truth and CMDBs.

Example: Creating a Network. The following example playbook creates a new Meraki network and is included in the Ansible Validated Collection network.meraki_ops:

---
- name: Create a network
  hosts: meraki_servers
  connection: local
  gather_facts: no
  tasks:
    - name: Create Meraki Network
      cisco.meraki.meraki_network:
        organization_id: "{{ meraki_organization_id }}"
        name: "MyNewBranchNetwork"
        product_types:
          - wireless
          - appliance
          - switch
        state: present
      register: new_network_info
    - name: Print new network info
      ansible.builtin.debug:
        var: new_network_info.network

This playbook utilizes the cisco.meraki.meraki_network module to create a new network, specifying the organization ID, name, and product types.

For configuring devices (MX, MS, MR), you would use roles like network.meraki_ops.configure_devices, network.meraki_ops.configure_switch, and network.meraki_ops.configure_ssid. For example, configuring an MX firewall would involve defining VLANs and port configurations as data that the playbook then pushes.

All of the Ansible modules and sample Playbooks and Roles described in this blog are included in the Ansible Automation Platform network.meraki_ops Validated Collection.

2. Audit and Compliance Checks: Stay Ahead of the Curve

Problem: Maintaining consistency and ensuring compliance with internal policies and external regulations across a vast network is complex.

Solution: Ansible Automation Platform leverages the Cisco Meraki Dashboard API to compare an organization’s settings and status against best practices and predefined thresholds, uncovering configurations that need attention. This includes general checks, as well as Wi-Fi and switch compliance checks.

Example: Generating a Network Report. The network.meraki_ops.report role can generate HTML reports containing network, device, and firewall data.

---
- name: Generate network and device report
  hosts: meraki_servers
  connection: local
  gather_facts: no
  roles:
    - role: network.meraki_ops.report
      category: all

This playbook generates a comprehensive HTML report.

For health-specific checks, the network.meraki_ops.health_checks role is specifically designed for validating the operational health and compliance of Meraki networks. This role can be used to invoke health checks over specific networks or across all networks under an organization. It performs critical validations, including checking firmware versions, switch settings, and wireless utilization. The output of these checks can contribute to generating HTML reports to validate network health.

For example, imagine a Meraki user with numerous branch offices needs to ensure that all their switches are running approved firmware versions and that wireless access point settings are consistently optimized across every location to maintain performance and security. Instead of the laborious manual process of checking each device or site dashboard, they could leverage the network.meraki_ops.health_checks role. An Ansible playbook utilizing this role could be configured to automatically scan their entire Meraki infrastructure. It would then identify any switches running outdated firmware or highlight wireless access points with suboptimal configurations, allowing the user to proactively address potential performance bottlenecks or security vulnerabilities across their distributed network.

Filter plugins like network.meraki_ops.health_check_view and network.meraki_ops.report_view can also be utilized for specific reporting needs.
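To make the health-check idea concrete, here is an added example (not code from the network.meraki_ops collection) written as an Ansible filter plugin in Python: it runs firmware and wireless checks over a device inventory, optionally restricted to a set of network IDs, and summarizes the findings in the shape a report template would consume. The device fields, the approved firmware set, and the wireless thresholds are constructed for this example.

```python
"""Health check over a Meraki-style device inventory, packaged as an Ansible filter plugin.

Added example, not code from the network.meraki_ops collection. The device
shape (serial, model, firmware, networkId, radio settings), the approved
firmware set and the wireless thresholds are constructed for this example.
"""
from __future__ import annotations

from collections import Counter

# Constructed policy: approved firmware per product family (prefix of the model name).
APPROVED_FIRMWARE = {
    "MS": {"switch-16-7-1", "switch-16-7-2"},
    "MR": {"wireless-30-5"},
    "MX": {"wired-18-2-1"},
}
MAX_2_4GHZ_POWER_DBM = 20    # assumed site policy for 2.4 GHz transmit power
MIN_5GHZ_CHANNEL_WIDTH = 40  # assumed site policy for 5 GHz channel width (MHz)

# Constructed sample inventory; the field names are this example's own.
SAMPLE_DEVICES = [
    {"serial": "Q2XX-0001", "name": "branch01-ms", "model": "MS225-24",
     "firmware": "switch-16-7-2", "networkId": "N_1"},
    {"serial": "Q2XX-0002", "name": "branch02-ms", "model": "MS225-24",
     "firmware": "switch-15-21-1", "networkId": "N_2"},
    {"serial": "Q2XX-0003", "name": "branch01-mr", "model": "MR46",
     "firmware": "wireless-30-5", "networkId": "N_1",
     "radio": {"twoFourGhz": {"targetPower": 17}, "fiveGhz": {"channelWidth": 80}}},
    {"serial": "Q2XX-0004", "name": "branch02-mr", "model": "MR46",
     "firmware": "wireless-29-7", "networkId": "N_2",
     "radio": {"twoFourGhz": {"targetPower": 23}, "fiveGhz": {"channelWidth": 20}}},
]


def product_family(model: str) -> str:
    """MS225-24 -> MS, MR46 -> MR, MX68 -> MX."""
    return model[:2].upper()


def check_device(device: dict) -> list[dict]:
    """Return one finding per failed check for a single device."""
    findings: list[dict] = []
    family = product_family(device.get("model", ""))
    base = {"serial": device.get("serial"), "name": device.get("name"),
            "networkId": device.get("networkId")}

    approved = APPROVED_FIRMWARE.get(family)
    firmware = device.get("firmware")
    if approved is not None and firmware not in approved:
        findings.append({**base, "check": "firmware", "severity": "high",
                         "detail": f"{firmware} not in approved set {sorted(approved)}"})

    if family == "MR":
        radio = device.get("radio", {})
        power = radio.get("twoFourGhz", {}).get("targetPower")
        if power is not None and power > MAX_2_4GHZ_POWER_DBM:
            findings.append({**base, "check": "radio_power", "severity": "medium",
                             "detail": f"2.4 GHz target power {power} dBm exceeds {MAX_2_4GHZ_POWER_DBM} dBm"})
        width = radio.get("fiveGhz", {}).get("channelWidth")
        if width is not None and width < MIN_5GHZ_CHANNEL_WIDTH:
            findings.append({**base, "check": "channel_width", "severity": "low",
                             "detail": f"5 GHz channel width {width} MHz below {MIN_5GHZ_CHANNEL_WIDTH} MHz"})
    return findings


def health_check(devices: list[dict], network_ids: list[str] | None = None) -> list[dict]:
    """Run all checks, optionally restricted to a set of network IDs (org-wide when None)."""
    selected = set(network_ids) if network_ids else None
    findings: list[dict] = []
    for device in devices:
        if selected is not None and device.get("networkId") not in selected:
            continue
        findings.extend(check_device(device))
    return findings


def health_summary(findings: list[dict]) -> dict:
    """Count findings per check, the shape a report template would iterate over."""
    return dict(Counter(f["check"] for f in findings))


class FilterModule:
    """Exposes the checks as Jinja2 filters: {{ devices | meraki_health_check }}."""

    def filters(self):
        return {"meraki_health_check": health_check,
                "meraki_health_summary": health_summary}


if __name__ == "__main__":
    for finding in health_check(SAMPLE_DEVICES):
        print(f"{finding['severity']:6} {finding['name']:12} {finding['check']:14} {finding['detail']}")
    print(health_summary(health_check(SAMPLE_DEVICES)))
```

Dropped into a playbook's filter_plugins directory, the checks become `{{ devices | meraki_health_check(['N_2']) }}` in a task, and the summary dict feeds a template for the HTML report. Running the file directly prints the two branch02 devices: an out-of-policy switch firmware and an access point with outdated firmware, too much 2.4 GHz power, and a narrow 5 GHz channel.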

3. Configuration Drift Audit: Maintain a Source of Truth for Your Firewall Policies

Problem: Configuration drift—unintended deviations from a desired baseline—can lead to unexpected network behavior and critical security vulnerabilities.

Solution: With Ansible Automation Platform, you establish a “golden network” baseline, which serves as your source of truth. Ansible Automation Platform can periodically compare your live network configurations to this baseline in check mode, identifying any deviations, particularly in critical areas like firewall policies. You can then decide whether Ansible Automation Platform automatically corrects these non-compliant configurations or creates a service ticket with all the details for manual review. This proactive approach significantly reduces risk and streamlines network operations.

Example: Reverting a Configuration Drift. If someone accidentally changes a firewall rule from TCP to Any traffic on Port 80, re-running the Ansible Playbook for firewall configuration will detect this drift and revert it back to the desired TCP state due to idempotency.

---
- name: Deploy MX Firewall Configuration 
  hosts: meraki_servers
  connection: local
  gather_facts: no
  tasks:
    - name: Ensure HTTP traffic is TCP only on Port 80
      cisco.meraki.meraki_network_appliance_firewall_l3_firewall_rule:
        network_id: "your_network_id" # Replace with actual network ID
        rule_id: "your_rule_id" # You'd manage specific rules based on your data model
        protocol: "tcp"
        src_port: "Any"
        src_cidrs:
          - "Any"
        dst_port: "80"
        dst_cidrs:
          - "Any"
        policy: "allow"
        comment: "Allow HTTP traffic"
        state: present # ensures this rule exists and matches desired state

Running this playbook regularly will ensure the firewall configuration matches the “golden” definition. The network.meraki_ops.configure_firewall_rules role is specifically designed for deploying L3/L7 rules. For comparing policies, the network.meraki_ops.firewall_rtt.yaml playbook can be used.
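The check-mode comparison described above can also be done explicitly, so that a playbook can decide between auto-remediation and opening a ticket. Here is an added example (not code from the network.meraki_ops collection or its firewall_rtt.yaml playbook), again as a Python filter plugin: it diffs a live L3 rule list against the golden baseline and reports changed fields, missing rules, unexpected rules, and ordering changes. The field names follow the Meraki Dashboard API's L3 firewall rule object; both rule sets are constructed, and matching rules by their comment is an assumption of this example.

```python
"""Configuration drift audit for MX L3 firewall rules: golden baseline vs live rules.

Added example, not code from the network.meraki_ops collection or from its
firewall_rtt.yaml playbook. Rule fields (comment, policy, protocol, srcCidr,
srcPort, destCidr, destPort) follow the Meraki Dashboard API's L3 firewall
rule object; both rule sets below are constructed. Rules are matched by their
comment, which this example assumes to be unique within a rule set.
"""
from __future__ import annotations

COMPARED_FIELDS = ("policy", "protocol", "srcCidr", "srcPort", "destCidr", "destPort")

# Constructed golden baseline: the source of truth.
GOLDEN_RULES = [
    {"comment": "Allow HTTP traffic", "policy": "allow", "protocol": "tcp",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "80"},
    {"comment": "Allow HTTPS traffic", "policy": "allow", "protocol": "tcp",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "443"},
    {"comment": "Deny guest to corp", "policy": "deny", "protocol": "any",
     "srcCidr": "10.99.0.0/16", "srcPort": "Any", "destCidr": "10.0.0.0/8", "destPort": "Any"},
]

# Constructed live state: the HTTP rule was widened from tcp to any, the
# guest deny rule is gone, and a rule that is not in the baseline appeared.
LIVE_RULES = [
    {"comment": "Allow HTTP traffic", "policy": "allow", "protocol": "any",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "80"},
    {"comment": "Allow HTTPS traffic", "policy": "allow", "protocol": "tcp",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "443"},
    {"comment": "Temporary RDP", "policy": "allow", "protocol": "tcp",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "10.0.5.10/32", "destPort": "3389"},
]


def normalize(rule: dict) -> dict:
    """Lower-case and strip the compared fields so 'Any' and 'any' compare equal."""
    return {f: str(rule.get(f, "")).strip().lower() for f in COMPARED_FIELDS}


def index_by_comment(rules: list[dict]) -> dict[str, dict]:
    """Key rules by comment, refusing ambiguous (duplicate) comments."""
    indexed: dict[str, dict] = {}
    for rule in rules:
        key = str(rule.get("comment", "")).strip()
        if key in indexed:
            raise ValueError(f"duplicate rule comment: {key!r}")
        indexed[key] = rule
    return indexed


def firewall_drift(live_rules: list[dict], golden_rules: list[dict]) -> dict:
    """Compare live rules to the golden set and describe every deviation."""
    golden = index_by_comment(golden_rules)
    live = index_by_comment(live_rules)

    changed = []
    for key, expected in golden.items():
        if key not in live:
            continue
        exp_n, act_n = normalize(expected), normalize(live[key])
        for field in COMPARED_FIELDS:
            if exp_n[field] != act_n[field]:
                changed.append({"comment": key, "field": field,
                                "expected": expected.get(field), "actual": live[key].get(field)})

    missing = [k for k in golden if k not in live]
    unexpected = [k for k in live if k not in golden]
    # Rule order matters for first-match evaluation, so compare the relative
    # order of the rules both sets have in common.
    golden_order = [k for k in golden if k in live]
    live_order = [k for k in live if k in golden]
    return {"changed": changed, "missing": missing, "unexpected": unexpected,
            "order_changed": golden_order != live_order}


def is_compliant(drift: dict) -> bool:
    """True only when no deviation of any kind was found."""
    return not (drift["changed"] or drift["missing"] or drift["unexpected"] or drift["order_changed"])


class FilterModule:
    """{{ live_rules | meraki_firewall_drift(golden_rules) }} in a playbook."""

    def filters(self):
        return {"meraki_firewall_drift": firewall_drift,
                "meraki_firewall_compliant": is_compliant}


if __name__ == "__main__":
    report = firewall_drift(LIVE_RULES, GOLDEN_RULES)
    for item in report["changed"]:
        print(f"changed   {item['comment']}: {item['field']} {item['expected']} -> {item['actual']}")
    for key in report["missing"]:
        print(f"missing   {key}")
    for key in report["unexpected"]:
        print(f"unexpected {key}")
    print("compliant:", is_compliant(report))
```

A playbook can `fail` or register a ticket when `meraki_firewall_compliant` is false, and otherwise skip the remediation task; the remediation itself stays what the article describes, re-applying the golden rule set with the idempotent module so the drifted protocol returns to tcp.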

4. Scheduled Rotation of Wi-Fi Pre-Shared Keys: Enhance Security

Problem: Regularly updating Wi-Fi Pre-Shared Keys (PSKs), especially for guest networks, is a critical security best practice. Static PSKs are security vulnerabilities, and manually changing them across multiple sites is tedious and error-prone.

Solution: Ansible Automation Platform can automate the generation of new, strong PSKs and push these keys to all your Meraki access points. This preventive operational task can be scheduled to run at regular intervals, ensuring timely and consistent updates without manual intervention, thereby enhancing security and freeing up valuable IT resources.

Example: Updating a Wi-Fi SSID with a new PSK

---
- name: Update Guest SSID with new PSK
  hosts: meraki_servers
  connection: local
  gather_facts: no
  vars:
    new_guest_psk: "GeneratedStrongPSK123!" # In a real scenario, this would be dynamically generated or retrieved securely
  tasks:
    - name: Configure Guest SSID
      cisco.meraki.meraki_network_wireless_ssid:
        network_id: "your_network_id" # Replace with actual network ID
        ssid_number: 3 # Assuming Guest SSID is number 3
        name: "MyGuests"
        enabled: true
        authentication_mode: "psk"
        psk: "{{ new_guest_psk }}"
        state: present

This playbook leverages the cisco.meraki.meraki_network_wireless_ssid module. The network.meraki_ops.configure_ssid role is also available for managing SSIDs. This could be combined with a dynamic PSK generation mechanism and scheduled via Ansible Automation Platform’s automation controller.
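The playbook above leaves PSK generation as a placeholder. Here is an added example (not code from the network.meraki_ops collection) of the dynamic generation mechanism it refers to: a Python routine that draws a key from the OS CSPRNG, validates it against the WPA-Personal passphrase bound plus a complexity policy, guarantees the rotated key differs from the deployed one, and decides from ISO 8601 timestamps whether a scheduled rotation is due. The minimum length, character classes and 30-day interval are this example's own policy, and the timestamps are constructed.

```python
"""Generate, validate and schedule rotation of a Wi-Fi pre-shared key.

Added example, not code from the network.meraki_ops collection. The 8 to 63
printable-ASCII bound comes from the WPA-Personal passphrase definition; the
minimum length, character classes and 30-day interval are this example's own
policy, and the timestamps used below are constructed.
"""
from __future__ import annotations

import secrets
import string
from datetime import datetime, timedelta, timezone

# Symbols chosen to avoid quotes and backslashes, which need escaping in YAML and shells.
SYMBOLS = "!#$%&*+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
MIN_LENGTH = 20     # example policy; WPA itself allows as few as 8 characters
MAX_LENGTH = 63     # WPA passphrase upper bound
ROTATION_DAYS = 30  # example policy


def validate_psk(psk: str) -> bool:
    """True when the key satisfies the passphrase bound and the complexity policy."""
    if not MIN_LENGTH <= len(psk) <= MAX_LENGTH:
        return False
    if not all(32 <= ord(c) <= 126 for c in psk):   # printable ASCII only
        return False
    classes = (
        any(c.islower() for c in psk),
        any(c.isupper() for c in psk),
        any(c.isdigit() for c in psk),
        any(not c.isalnum() for c in psk),
    )
    return all(classes)


def generate_psk(length: int = 24) -> str:
    """Draw a key from the OS CSPRNG, retrying until it meets the policy."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if validate_psk(candidate):
            return candidate


def rotate_psk(previous: str | None, length: int = 24) -> str:
    """Produce a fresh key that is guaranteed to differ from the deployed one."""
    while True:
        candidate = generate_psk(length)
        if candidate != previous:
            return candidate


def rotation_due(last_rotated: str, now: str | None = None,
                 interval_days: int = ROTATION_DAYS) -> bool:
    """True when the key has been in place for at least the interval.

    Timestamps are ISO 8601 strings with a UTC offset, as an Ansible variable
    or a CMDB field would carry them; `now` defaults to the current UTC time.
    """
    last = datetime.fromisoformat(last_rotated)
    current = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    return current - last >= timedelta(days=interval_days)


if __name__ == "__main__":
    deployed_at = "2024-01-01T00:00:00+00:00"   # constructed timestamp
    if rotation_due(deployed_at):
        print("rotation due; new key:", rotate_psk("GeneratedStrongPSK123!"))
```

Exposed as a lookup or run from a task, the new key replaces the static `new_guest_psk` variable in the playbook, and the `rotation_due` check lets a scheduled job in automation controller run daily while only changing keys when the interval has elapsed.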

Getting Started with Meraki and Ansible Automation Platform

For users new to automation, the journey to automating your Meraki infrastructure with Ansible is well-supported:

  • Start a trial for Ansible Automation Platform
  • Meraki Ansible Collection Documentation: Detailed documentation for the Meraki Ansible collection, including models and parameters, is available on the official Ansible documentation site. You can map these models to operations described in the Meraki API documentation on developer.cisco.com/meraki.io/api .
  • GitHub Repository: The official Cisco Meraki Ansible collection is available on GitHub. This is also the place to provide feedback, create issues for missing functionality, or contribute to the collection.

By embracing Red Hat Ansible Automation Platform for your Cisco Meraki deployments, you can achieve rapid deployment, proactive compliance, operational stability, and enhanced security across your network infrastructure. It’s about transforming manual, error-prone tasks into reliable, repeatable, and scalable automated workflows.

Authors

Oren Brigg

Systems Architect

Intent-Based Networking