|
Boundless
Book a demo
Boundless
⟵ Back to library

Catalyst to Meraki Migration Guide: What Breaks, What Transfers, and What Nobody Tells You

  • Blog
  • The Boundless Crew

Cisco’s Networking Cloud strategy is clear: cloud-managed networking is the future. For organizations running Catalyst switches, the question isn’t whether to migrate, it’s when and how.

The “how” is where things get interesting. A Catalyst-to-Meraki migration isn’t a firmware upgrade. It’s a platform change. The config syntax is different, the management model is different, and many features that exist in IOS/IOS-XE either work differently in Meraki or don’t exist at all.

This guide covers what we’ve learned from migrating enterprise environments ranging from 50 switches to 11,000, including the things that don’t show up in product documentation.

Understanding the Gap

A Catalyst switch running IOS-XE and a Meraki switch live in fundamentally different worlds. The Catalyst is configured through CLI commands stored in a running config. The Meraki switch is configured through the dashboard and managed via cloud APIs. There is no CLI.

This means migration isn’t “copy the config and apply it.” It’s “translate the intent of each configuration element into its Meraki equivalent.”

Some translations are straightforward. Others require design decisions. And some features simply don’t have a Meraki equivalent, which means you need a workaround or an acceptance that the feature goes away.

What Translates Cleanly

These configuration elements have direct or near-direct equivalents in Meraki:

  • VLANs and VLAN assignments. VLAN IDs, names, and port assignments transfer with minimal modification.
  • Port configurations. Access ports, trunk ports, and native VLAN settings have clear Meraki equivalents.
  • DHCP relay/helper addresses. These translate directly.
  • Basic QoS. DSCP markings and basic traffic prioritization are supported.
  • SNMP settings. Community strings and trap destinations transfer.
  • Spanning Tree. Meraki supports STP with automatic root bridge election, though the tuning options are more limited than IOS-XE.
  • Port security basics. Sticky MAC and MAC limits are available.

What Requires Design Decisions

These elements exist in Meraki but work differently enough that you need to make choices during migration:

ACLs and firewall rules. Catalyst ACLs are applied per interface. Meraki uses a different enforcement model with Layer 3 and Layer 7 firewall rules applied at the network or group policy level. You can’t simply port ACL lines; you need to rethink the security model for Meraki’s approach.

RADIUS/802.1X. Both platforms support RADIUS authentication, but the configuration and policy structure differ. Meraki’s group policy model replaces the per-VLAN RADIUS assignment you might use on Catalyst. Plan for testing cycles here.

Routing. Meraki switches support static routes and OSPF, but complex multi-area OSPF configurations or policy-based routing may need simplification. If your Catalyst deployment uses BGP or advanced routing at the access layer, this is a significant design discussion.

Port mirroring/SPAN. Available in Meraki but with different configuration and some limitations on remote SPAN.

What Doesn’t Exist in Meraki

Be upfront about these with stakeholders before migration begins:

  • IOS-XE CLI access. There is no CLI. All management is through dashboard or API. For teams accustomed to SSH-ing into switches, this is a cultural shift as much as a technical one.
  • Advanced STP tuning. Meraki handles STP automatically. If you rely on manual root bridge placement, priority tuning, or BPDU guard configurations, review Meraki’s approach before migrating.
  • Complex EEM scripts. Embedded Event Manager scripts don’t have a Meraki equivalent. If you use EEM for custom automation, those workflows need to be rebuilt using Meraki APIs or third-party automation.
  • Some Layer 3 features. VRF, PBR (policy-based routing), and advanced multicast configurations may not be fully supported. Verify against current Meraki documentation.

The Migration Workflow

Every successful large-scale migration follows the same general workflow, even if the details vary.

Phase 1: Discovery and Assessment

Before touching a single switch, inventory your current environment:

  • Export all Catalyst configs. Pull running configs from every in-scope switch. These are your source of truth.
  • Catalog unique config patterns. In a 500-site environment, you might have 8-12 distinct config templates with per-site variations. Identify the templates.
  • Flag unsupported features. Run each config through a compatibility check against Meraki’s feature set. Every unsupported command needs a decision: workaround, redesign, or accept the gap.
  • Count the exceptions. Sites with non-standard configs, custom ACLs, or legacy requirements need individual attention. Quantify these upfront so your project plan accounts for them.

Phase 2: Config Translation

This is where the heavy lifting happens. Each Catalyst config needs to be translated into its Meraki equivalent.

Manual approach: An engineer reads each config, identifies the intent, and manually creates the corresponding Meraki network configuration. At 2-3 hours per switch for straightforward configs, this works for small environments. For 200+ switches, the math breaks.

Automated approach: A config translation platform ingests the Catalyst configs, maps each element to its Meraki equivalent, and flags anything that can’t be automatically translated. The engineer then handles exceptions rather than processing every line.

The automated approach doesn’t eliminate engineering judgment. It focuses that judgment on the 10-15% of config elements that actually need human decisions, rather than the 85% that are routine translations.

Phase 3: Staging and Validation

Before any physical cutover, the target Meraki environment should be fully configured and validated:

  • Create the target networks in the Meraki dashboard with the translated configurations.
  • Validate config accuracy by comparing the Meraki config against the source Catalyst config. Every VLAN, every port assignment, every firewall rule.
  • Test in a lab if possible. Even migrating a single representative switch confirms that the translation is accurate.
  • Document the exceptions that were handled manually. These are your risk points during cutover.

Phase 4: Physical Cutover

The actual hardware swap. This is where operational planning matters more than technical skill.

Maintenance windows are the bottleneck. For retail, healthcare, or financial services environments, the available maintenance window might be 4 hours on a Sunday night. Your cutover process needs to fit within that window with margin for rollback.

Site-by-site vs. batch cutover. Small environments can cut over all sites in parallel. Large environments need a phased approach: start with low-risk sites, validate, then proceed to critical sites.

Rollback plan. If a cutover fails, can you reconnect the Catalyst switch and restore service? The rollback plan needs to be documented, tested, and available to the on-site team.

Verification checklist. After cutover, verify: all VLANs active, all ports up, DHCP functioning, client connectivity confirmed, monitoring active. This checklist should be standard, not improvised at each site.

Phase 5: Post-Migration Validation

The migration isn’t done when the switches are racked. It’s done when the environment is stable.

  • Monitor for 48-72 hours after each batch of cutovers.
  • Compare performance baselines against pre-migration metrics.
  • Decommission Catalyst switches only after validation is complete. Keep them available (but offline) for 30 days in case of late-discovered issues.

Timelines and Resourcing

Realistic timelines based on project experience:

Environment Size Discovery Translation Staging Cutover Total
50 switches 1 week 2 weeks 1 week 2 weeks 6 weeks
200 switches 2 weeks 3-4 weeks 2 weeks 4-6 weeks 11-14 weeks
500+ switches 3-4 weeks 4-6 weeks 2-3 weeks 8-16 weeks 17-29 weeks
1,000+ switches 4+ weeks 6-8 weeks 3-4 weeks 16-32 weeks 29-48 weeks

These ranges assume a mix of automated config translation and manual exception handling. Fully manual translation roughly doubles the timeline.

The Decisions That Actually Determine Success

Technical config translation is the most visible part of migration. It’s rarely the part that determines success or failure. These decisions matter more:

Executive sponsorship and maintenance window authority. Without someone who can approve downtime windows, migrations stall.

Clear RACI between migration partners. Who owns config translation? Who owns physical install? Who owns validation? When Cisco CX, your channel partner, and the migration tooling vendor are all involved, role clarity prevents dropped balls.

Change management for the network team. Moving from CLI to dashboard is a workflow change. Teams need time with the new platform before they’re responsible for supporting it in production.

Config Bridge automates the config translation phase, from Catalyst config ingestion through Meraki network provisioning. It’s available for organizations planning Catalyst-to-Cloud migrations at any scale. Contact Boundless for a scoping assessment.

Noel-Edouard Chenu is the CEO of Boundless. The company has supported Catalyst-to-Cloud migrations across enterprise environments including retail, financial services, and healthcare.

Learn More about Boundless Automation

You might also like

Stay up to speed.
Subscribe to our newsletter.

ProductS
PARTNERS
Company
AICPA SOC aicpa.org/soc4so
Boundless

1207 Delaware Ave #552, Wilmington, Delaware 19806

Americas: +1 (347) 464 6510 - EMEA: +33 (0) 181 22 12 80

Facebook-f Youtube Linkedin-in