Skip to content
Network as Code

Unified Branch CVD Aligned Templates with Network as Code

This document is an important component of this guide, as it provides a foundational understanding of the structure of the code.

Fundamentals of Unified Branch CVD Aligned Templates with NaC

Section titled “Fundamentals of Unified Branch CVD Aligned Templates with NaC”

The Unified Branch CVD (Cisco Validated Design) aligned templates represent a comprehensive Infrastructure as Code (IaC) approach for deploying standardized branch network configurations using Network as Code (NaC) principles. These templates are designed to implement Cisco’s best practices and validated designs for branch office deployments while maintaining consistency, scalability, and operational efficiency.

Key Principles

Section titled “Key Principles”

Template-Driven Architecture: The solution leverages a template-driven approach where network configurations are abstracted into reusable templates that can be parameterized for different deployment scenarios. This approach ensures consistency across deployments while allowing for site-specific customizations.

CVD Alignment: All templates are aligned with Cisco Validated Designs, ensuring that the configurations follow proven architectural patterns and best practices. This includes proper VLAN segmentation, security policies, QoS implementations, and high availability designs.

Declarative Configuration: Templates define the desired end state of the network infrastructure rather than the procedural steps to achieve it. This declarative approach simplifies management and reduces the risk of configuration drift.

Variable-Driven Parameterization: Templates use variable substitution (${variable_name}) to allow for site-specific customizations without modifying the core template logic. Variables are centrally managed in the pods_variables.nac.yaml file.

Modular Design: The template structure is modular, with separate templates for different functional areas (appliance, switching, wireless, WAN, etc.), allowing for selective deployment and easier maintenance.

Template Categories and Design Intent

Section titled “Template Categories and Design Intent”

The template collection covers all aspects of a unified branch deployment:

  • Security Foundation: Comprehensive appliance templates implementing defense-in-depth security policies

  • Network Connectivity: WAN templates supporting diverse connectivity scenarios from simple DHCP to complex enterprise VLAN configurations

  • Access Control: 802.1x authentication templates with RADIUS integration for both wired and wireless access

  • Quality of Service: Traffic shaping and prioritization templates ensuring optimal application performance

  • Operational Management: Network management templates providing monitoring, logging, and troubleshooting capabilities

Understanding Repository File Structure

Section titled “Understanding Repository File Structure”
nac-branch/
├── data/
├── .rules/
├── tests/
├── docs/
├── workspaces/
├── Readme.md
└── main.tf

data/

Section titled “data/”

Contains YAML configuration files used for Network as Code. This includes organization-wide settings, templates, and variable definitions.

Contents:

data/
├── org_global.nac.yaml
├── pods_variables.nac.yaml
├── templates-*.nac.yaml

For the latest templates always refer to - Central Branch as Code Repository

  • org_global.nac.yaml Defines organization-level settings such as login security, policy objects, SNMP settings, etc.

  • pods_variables.nac.yaml Contains branch-specific variables like Branch Name, Hostnames, IP addressing, etc. In ideal scenario of deploying provided template, this is only file you need to modify.

  • templates-*-.nac.yaml Define reusable templates for appliance, inventory, and network components.

    The templates are split as follows:

    Template FileDescription
    templates-appliance.nac.yamlSecurity appliance configurations
    templates-internet-policies.nac.yamlSD-WAN Internet traffic policies
    templates-inventory.nac.yamlDevice inventory configurations
    templates-network-related.nac.yamlNetwork setup and management
    templates-switch.nac.yamlSwitch configurations
    templates-wan-connectivity.nac.yamlWAN connectivity monitoring
    templates-wan-ts.nac.yamlWAN traffic shaping
    templates-wan-uplinks.nac.yamlWAN uplink configurations
    templates-wireless.nac.yamlWireless configurations

workspaces/

Section titled “workspaces/”

Contains environment-specific configuration files and is used for branch template resolution.

The Terraform module invoked in this folder will:

  • Load templates and variable values from /data
  • Merge them into a single file: merged_configuration.nac.yaml

main.tf

Section titled “main.tf”

Primary Terraform configuration file. It defines infrastructure resources and modules for the NAC deployment.

Understanding Variables used in Branch as Code

Section titled “Understanding Variables used in Branch as Code”

Branch as Code utilizes two distinct types of variables to achieve both security and flexibility in network deployments. Understanding these variable types is crucial for proper implementation and maintenance of your branch infrastructure.

Template Variables $variable_name

Section titled “Template Variables $variable_name”

Template variables use the $variable_name syntax and are used for configuration parameters that can vary between deployments but are not sensitive in nature. These variables are defined in the pods_variables.nac.yaml file and allow for site-specific customizations without modifying the core template logic.

Examples of Template Variables:

  • Network addressing: ${vlan10_subnet}, ${vlan10_appliance_ip}
  • Device naming: ${appliance_01_name}, ${access_switch_01_name}
  • Network settings: ${time_zone}, ${network_notes}
  • RADIUS servers: ${radius_server1_host}, ${radius_server1_port}
  • Geographic coordinates: ${lat}, ${lng}, ${address}

How Template Variable Substitution Works:

Templates define placeholders using the variable syntax:

vlans:
  - vlan_id: 10
    name: "Data"
    subnet: ${vlan10_subnet}
    appliance_ip: ${vlan10_appliance_ip}

Variables are then assigned values in the pods_variables.nac.yaml file:

variables:
  vlan10_subnet: 10.2.10.0/24
  vlan10_appliance_ip: 10.2.10.1

When the template is processed, the variables are substituted with their actual values:

vlans:
  - vlan_id: 10
    name: "Data"
    subnet: 10.2.10.0/24
    appliance_ip: 10.2.10.1

These variables provide the flexibility to deploy standardized templates across multiple sites while accommodating site-specific requirements such as IP addressing schemes, device naming conventions, and local settings.

Environment Variables (!env)

Section titled “Environment Variables (!env)”

Environment variables use the !env syntax and are specifically designed for sensitive information that should never be stored in configuration files or committed to version control systems. This approach ensures that credentials, serial numbers, and other sensitive data remain secure.

Examples of Environment Variables:

  • Device credentials: !env radius_server1_secret, !env radius_accounting_server1_secret
  • Device serial numbers: !env Appliance, !env Switch1, !env AP
  • Organization details: !env domain, !env org_name
  • SNMP credentials: !env v3_auth_pass, !env v3_priv_pass

Usage Pattern:

# In template files
secret: !env radius_server1_secret
appliance_01_serial: !env Appliance


# In environment file (.env)
export RADIUS_SERVER1_SECRET="MySecretPassword"
export APPLIANCE="Q2XX-XXXX-XXXX"

Environment variables are typically set in a .env file (which is excluded from version control) or through your deployment pipeline’s secret management system. This ensures that sensitive information is managed securely and separately from the infrastructure code.

Note on External Secret Management: For enterprise deployments, consider integrating with external secret management systems like CyberArk Conjur, HashiCorp Vault, Azure Key Vault, or AWS Secrets Manager instead of using local environment variables. These systems provide enhanced security features such as secret rotation, audit trails, fine-grained access controls, and centralized secret management across multiple environments. The !env syntax can be adapted to work with these systems through CI/CD pipeline integrations or custom secret retrieval mechanisms.

Best Practices for Variable Management

Section titled “Best Practices for Variable Management”
  1. Template Variables: Use for non-sensitive configuration that varies between sites
  2. Environment Variables: Use for all sensitive data including passwords, secrets, and device serial numbers
  3. Version Control: Never commit .env files or files containing sensitive information
  4. Documentation: Maintain clear documentation of required environment variables for each deployment

Branch as Code Environmental Variables

Section titled “Branch as Code Environmental Variables”

The following is a comprehensive list of environment variables that are used throughout the Branch as Code repository templates. These variables contain sensitive information such as device serial numbers, credentials, and configuration secrets that must be customized for your specific deployment.

Important: This list represents example values used in the repository for demonstration purposes. Customers must set their own values for these variables according to their environment and security requirements. These values can be configured through:

  • Local environment variables (.env file)
  • External secret management platforms (Conjur, Vault, etc.)
  • CI/CD pipeline secret management
  • Any other secure method that fits your organizational security policies

v1.0.0 Initial release - November 2025:

        Appliance                                               // Serial number of the security appliance device
        AP1                                                     // Serial number of the first access point
        AP2                                                     // Serial number of the second access point
        Switch1                                                 // Serial number of the first switch
        Switch2                                                 // Serial number of the second switch
        org_name                                                // Meraki organization name
        domain                                                  // Meraki domain identifier
        org_admin                                               // Organization administrator username
        org_admin_email                                         // Administrator email address
        v3_auth_pass                                            // SNMPv3 authentication password
        v3_priv_pass                                            // SNMPv3 privacy password
        local_status_page_username                              // Local device status page username
        local_page_username                                     // Local device page username
        local_status_page_password                              // Local device status page password
        local_page_password                                     // Local device page password
        radius_accounting_server1_secret                        // RADIUS accounting server shared secret
        radius_server1_secret                                   // RADIUS authentication server shared secret
        snmp_username                                           // SNMP username for device monitoring
        snmp_passphrase                                         // SNMP passphrase for device access
        MERAKI_API_KEY                                          // Meraki API key for dashboard access