Cisco Meraki TSA separation is the work of standing up a Newco dashboard organization, moving the MX, MS, and MR devices into Newco networks, rebuilding the Auto VPN topology and policy, and cutting the sites onto Newco management before the seller's organization still controls Newco's network. The work sits inside the broader carve-out advisory program and is a Day One readiness item, because the network is the path every site and user depends on from the first minute.
Meraki separation starts with an inventory of the seller dashboard organization. The buyer needs the device footprint across MX security appliances, MS switches, MR access points, and any MV cameras or MT sensors, the network structure and templates, the license model whether per device or the newer subscription, the Auto VPN topology that connects the sites, and the administrator and SAML configuration that governs access to the dashboard.
The clean end state is a dedicated Newco organization that holds only Newco's devices, networks, and policy. Meraki is cloud managed, so the separation is less about hardware swaps and more about moving devices between organizations and rebuilding the network and VPN configuration that the shared organization carried. A shared seller organization keeps Newco's network under seller administration and seller visibility, which is unacceptable beyond a short bridge.
Target strategy treats the network as a Day One readiness item. The Newco organization, the network structure, and the license assignment stand up before close so that on Day One, Newco sites are managed in Newco's organization rather than the seller's. Device claiming and license transfer require coordination with the seller and with Cisco, so the moves are planned early.
A clean inventory and a settled organization design drive the downstream sequence: the device move, the Auto VPN rebuild, the policy reconstruction, and the administrator cutover. The pattern aligns with the broader carve-out network plan and the Day One readiness control set.
Meraki is sold per device under co termination licensing or under the newer subscription model, and the licenses are held by the organization. In a carve-out, the seller license does not transfer automatically. Newco arranges license assignment to its own organization, sized to the devices Newco actually retains, rather than inheriting the seller's pooled co termination date and quantity.
A carve-out reads to the vendor as a buyer with a Day One deadline, which is real leverage on the sell side. The buyer offsets that by opening the licensing conversation with Cisco early, before the deadline removes optionality, and by confirming which devices move to Newco so the license count matches the real footprint. Where devices are aging, the separation is the moment to decide refresh rather than carrying old hardware forward.
Where the seller manages the network through a TSA window, the pricing is cost-plus or fixed-fee with a defined exit ramp, and the TSA states how Newco device counts are metered. The seller cannot mark up license costs it does not separately incur. Because the network is a Day One control, the TSA tail here is usually short.
Where a partner is engaged for the move, the contract is fixed fee for defined deliverables with disciplined change control. The license audit runs through the broader TSA license consolidation work so Newco aligns its co termination date and device count at exit rather than inheriting the seller's pool.
The core mechanic is moving devices from the seller organization to the Newco organization. Each MX, MS, MR, and sensor is unclaimed from the seller organization and claimed into the correct Newco network, or moved through the organization change process where the seller cooperates. The buyer maps each device to its target Newco site before the move so that nothing lands in the wrong network or loses its configuration intent.
The network and template structure is rebuilt for Newco. Configuration templates that mirrored the seller's regional layout are reconstructed around Newco's sites, and per network settings for switching, wireless, and security are reapplied. Where the seller used network wide objects and group policies, those are recreated in the Newco organization rather than referenced across the boundary.
Wireless deserves attention because SSIDs, RADIUS configuration, and the splash or authentication settings carry identity dependencies. The Newco SSIDs are rebuilt and pointed at Newco's RADIUS and identity provider so that wireless authentication resolves against Newco identity rather than the seller's directory.
Switching and routing configuration, including VLANs, access policies, and any layer three interfaces, are reconstructed per site so the local network behaves the same after the move. The buyer validates each site's configuration against its pre move baseline so that the device move does not silently drop a setting.
Auto VPN is the more involved workstream because it stitches the sites together. The seller organization's Auto VPN topology connects all sites under one organization, and that topology does not span organizations. The Newco MX appliances are configured into a Newco Auto VPN topology with the hub and spoke or mesh design Newco needs, and the routes are rebuilt so Newco sites reach Newco data centers and applications.
Where Newco sites still need to reach applications that remain with the seller under a separate TSA, the connectivity is handled deliberately through a defined interconnect rather than left depending on the seller's Auto VPN. The interconnect is scoped, secured, and given an exit date so it does not become a permanent dependency after the network separates.
Security policy on the MX, including the firewall rules, content filtering, intrusion prevention, and any AMP configuration, is rebuilt for Newco's posture. The seller policy is a reference, but it carries seller specific exceptions that Newco reviews rather than inherits. The threat and filtering settings are tuned to Newco's actual traffic after cutover.
Identity integration binds the dashboard and the wireless. Dashboard administrator access is moved to Newco SAML so administrators authenticate against Newco identity, and wireless RADIUS is pointed at Newco's identity provider. The administrator cutover is gated on the identity boundary being live so that dashboard access resolves against Newco identity on Day One.
Cutover completes the device move and brings each site live under Newco management. The runbook covers the device claim into the Newco network, the configuration apply, the Auto VPN join, the administrator SAML change, and the validation gate. Because Meraki devices reconnect to the cloud after the move, the cutover is staged by site so that a problem at one site does not affect the others.
Validation confirms continuity at each site. Switch ports and VLANs are confirmed, wireless SSIDs and authentication are tested, the MX internet breakout and Auto VPN routes are tested against Newco applications, and the security policy is confirmed not to block legitimate traffic. Because the network is a Day One control, a pilot site is moved and validated before the broad rollout so the pattern is proven.
Stabilization runs thirty to sixty days. Connectivity issues, wireless authentication problems, and routing gaps are triaged within agreed service-level commitments. Policy and threat settings are tuned as real Newco traffic patterns emerge, and any device that lost a setting in the move is corrected against its baseline.
Decommissioning is explicit. Once Newco sites operate in the Newco organization, the seller removes the moved devices and Newco networks from its organization, revokes Newco administrator access, and confirms that Newco's network no longer appears in the seller's dashboard or its visibility.
Meraki separation cost is driven by the device count Newco retains, the license model and co termination alignment, and the rebuild effort across networks, Auto VPN, and wireless. The discipline is to confirm the real device footprint and to align licensing to it rather than inheriting the seller's pooled quantity and date. A license pool sized for the combined organization is a recurring cost the separation should correct.
The common failure mode is underestimating the Auto VPN rebuild. Because the topology does not span organizations, every intersite route has to be reconstructed in the Newco organization, and a site moved without its VPN routes loses reach to Newco applications. Buyers that map the topology and rebuild it deliberately avoid a Day One outage between sites.
The second failure mode is the wireless identity dependency. SSIDs moved without repointing RADIUS to Newco identity leave users unable to authenticate, and dashboard access left on the seller's SAML keeps Newco administration under seller control. The fix is to sequence the identity boundary ahead of the wireless and administrator cutover. A PMO maintains the dependency map across the network, identity, and the sites, escalating blocks inside forty eight hours.
A clean Meraki separation produces a Newco that owns its own dashboard organization, its own network and VPN topology, and its own administration, with the optionality to evolve its network on its own timeline. The discipline runs through the TSA exit acceleration program under a Fixed Fee plus Portfolio Retainer engagement model.
Yes. The clean end state is a dedicated Newco organization that holds only Newco's devices, networks, and policy. A shared seller organization keeps Newco's network under seller administration and seller visibility, which is unacceptable beyond a short bridge. Devices are moved out of the seller organization into Newco's.
Meraki manages the switching, wireless, and security appliances every site depends on. If Newco devices stay in the seller organization on Day One, the seller administers and can see Newco's network. The Newco organization and the device moves must be ready by Day One even if tuning continues afterward.
Auto VPN does not span organizations, so the topology is rebuilt in the Newco organization. The Newco MX appliances are configured into a Newco hub and spoke or mesh topology, and the intersite routes are reconstructed so Newco sites reach Newco data centers and applications.
The Newco organization and a pilot site can stand up in weeks for Day One, but moving every device, rebuilding the Auto VPN topology, and reconstructing wireless and security policy usually run two to four months as sites are validated and migrated.
FortiGate and FortiManager split, FortiGuard subscriptions, and the Day One perimeter boundary.
Read the article →NGFW and Panorama split, Prisma Access tenant, and the GlobalProtect cutover.
Read the article →The network workstream and how site connectivity fits the Day One plan.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →