Cisco Meraki Documentation

Cloud Monitoring Required Configuration

This guide is for Cloud Monitoring for Catalyst Switches. See Cloud Monitoring Catalyst 9800 Dashboard Provisioned Configurations for detailed information on configurations applied to Catalyst 9800 wireless controllers.


In order to enable Catalyst devices to be monitored by Dashboard, limited configuration changes are required, such as those performed by the Cloud Monitoring Onboarding application to initiate Cisco cloud services connectivity. Additional configuration changes are necessary post-onboarding to enable devices to send status and telemetry information. Finally, some configuration commands are required for certain Dashboard live tools, such as Port Cycling.

These configuration changes are performed by our cloud services using NETCONF or IOS-XE CLI commands to the devices through the TLS tunnel established during the onboarding process.

To help you understand the purpose and scope of these configuration changes, we have outlined the types of commands we may issue and their purpose. We have also implemented safeguards within our configuration push services to limit the device commands our service can configure: no command can be run on a device unless it is in the Allowed Commands List.


When Will Dashboard Modify Device Configurations?

During Onboarding

When running the local onboarding application, configurations are pushed to the device over SSH from the onboarding application to establish communication with Dashboard.

These configurations include:

  • NETCONF for device configuration from Dashboard
  • LLDP for Dashboard Network Topology
  • SSH v2 with publickey authentication for cloud authentication
  • Null static IP route for cloud IP address to prevent traffic that should be in the tunnel from falling back to default route when the tunnel is down
  • Local authentication group for Dashboard device access for SSH CLI and NETCONF through the TLS tunnel
  • ACL for cloud ingress VTY access via SSH and allow only port 2222 for SSH
  • ACL for cloud telemetry egress. Allow only port 2022 for SFTP to the cloud
  • SSH rotary for the Dashboard VTY lines to listen port 2222 for Dashboard initiated SSH sessions
  • VTY lines dedicated to device access from Dashboard and enable SSH to those VTY lines
  • Local Meraki user with SSH Keys for SSH and NETCONF access from Dashboard
  • Crypto TLS Tunnel for secure device access from Dashboard

After Dashboard communication is established, Dashboard will access the device via the secure TLS tunnel using the meraki-user account over SSH and apply the following configurations via NETCONF:

  • Device Tracking Policy for collecting client data such as IP Address and MAC Address
  • Syslog server (logging host) to allow Dashboard to receive device logs
  • SNMP Server host to receive traps from devices
  • SNMP Traps to aid Dashboard monitoring
  • NetFlow records, monitors and exporters
  • Model Driven Telemetry subscriptions that provide Dashboard with device operational data
  • Interface Configurations:
    • Assign the Device Tracking Policy
    • Assign the Flow monitors (IPv4 and IPv6)

The device tracking policy named MERAKI_POLICY is added to each Layer 2 interface at the time of onboarding, except the following:

  • Detected uplink interface
  • Interfaces known to connect directly to other devices in your Dashboard network (including both Catalyst and Meraki hardware)
  • Interfaces with device tracking explicitly disabled
  • Interfaces already configured with a device tracking policy other than MERAKI_POLICY
  • Member interfaces of a port channel
  • SVL interfaces

NetFlow configurations are only included for devices with DNA Advantage license. If a device license level is changed from DNA Essentials to Advantage, the NetFlow configurations will be pushed to the device when cloud connectivity is resumed after device restart.


See Cloud Monitoring Detailed Device Configurations for the full commands of device configurations applied during onboarding.

Maintaining Cloud Monitoring Services

During normal operations, Dashboard monitors devices at regular intervals for changes to the configurations required for Cloud Monitoring. When required configurations are missing or the device configuration has been changed, the Cloud Monitoring service re-assesses and applies the appropriate configurations so the device can be properly monitored in Dashboard.

Interface Updates and Route Changes

Dashboard periodically monitors devices for newly configured interfaces (including port-channels) and, if any are detected, updates those interfaces with the necessary device tracking policy and flow monitors (if applicable).

As an interface is changed in status or configuration, device tracking policies will be updated according to the conditions noted above.

For example, if the uplink is modified from one interface to another, upon next detection, the device tracking policy will be removed from the newly detected uplink interface and added to the previous uplink interface, provided no other exceptions apply.

If an interface has a device tracking policy other than MERAKI_POLICY applied, no changes will be made to the device tracking configuration on that interface.
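The exception rules and the uplink-move behaviour described above amount to a small reconciliation procedure. The Python below is an added example, not Meraki's code: the Interface fields and the way each exception is represented are this example's assumptions, and the scenario in uplink_move_example is constructed. The CLI lines it emits are the device-tracking attach-policy commands from the Interfaces allow-list later on this page.

```python
from dataclasses import dataclass
from typing import List, Optional

MERAKI_POLICY = "MERAKI_POLICY"


@dataclass
class Interface:
    """Observed state of one Layer 2 interface. The boolean fields model the
    exception list above; the field names are this example's own."""
    name: str
    is_uplink: bool = False                 # detected uplink
    dashboard_neighbor: bool = False        # connects to another device in the Dashboard network
    tracking_disabled: bool = False         # device tracking explicitly disabled
    attached_policy: Optional[str] = None   # policy currently attached, if any
    port_channel_member: bool = False
    svl: bool = False


def desired_policy(intf: Interface) -> Optional[str]:
    """Policy the service should leave attached after reconciliation."""
    # An interface carrying a policy other than MERAKI_POLICY is never touched.
    if intf.attached_policy not in (None, MERAKI_POLICY):
        return intf.attached_policy
    if (intf.is_uplink or intf.dashboard_neighbor or intf.tracking_disabled
            or intf.port_channel_member or intf.svl):
        return None             # an exception applies: MERAKI_POLICY must not be present
    return MERAKI_POLICY        # ordinary access port: MERAKI_POLICY must be present


def reconcile(interfaces: List[Interface]) -> List[str]:
    """CLI lines needed to move every interface from its current policy
    to the desired one; interfaces already in the right state are skipped."""
    cmds: List[str] = []
    for intf in interfaces:
        want = desired_policy(intf)
        if want == intf.attached_policy:
            continue
        cmds.append(f"interface {intf.name}")
        if want is None:
            cmds.append(f" no device-tracking attach-policy {MERAKI_POLICY}")
        else:
            cmds.append(f" device-tracking attach-policy {want}")
        cmds.append(" exit")
    return cmds


def uplink_move_example() -> List[str]:
    """Constructed scenario: the uplink has just moved from Gi1/0/48 to Gi1/0/47,
    so the policy must leave the new uplink and return to the old one."""
    after_move = [
        Interface("GigabitEthernet1/0/47", is_uplink=True, attached_policy=MERAKI_POLICY),
        Interface("GigabitEthernet1/0/48", is_uplink=False, attached_policy=None),
        Interface("GigabitEthernet1/0/1", attached_policy="CORP_POLICY"),   # foreign policy: untouched
        Interface("GigabitEthernet1/0/2", port_channel_member=True),       # exception: stays without policy
        Interface("GigabitEthernet1/0/3", attached_policy=MERAKI_POLICY),  # already correct
    ]
    return reconcile(after_move)


if __name__ == "__main__":
    print("\n".join(uplink_move_example()))
```

Only the two interfaces whose state disagrees with the rules produce commands; the port with CORP_POLICY is left alone even though it would otherwise qualify, which is the behaviour the paragraph above describes.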


Off-boarding Devices From Cloud Monitoring

If a monitored Catalyst device is removed from Dashboard, all onboarding and telemetry configurations will be removed from the device by configuring and running an EEM Script. The allowed commands list includes the "no" versions of the configurations that were performed on the device for onboarding and telemetry in order to remove all cloud monitoring configurations from the device.


Allowed Commands

For the allowed NETCONF paths, both "merge" and "remove" operations are permitted. For CLI commands, the "no" form of each command is permitted. The "remove" and "no" forms allow Dashboard to remove its device configuration when the device is removed from Dashboard.


This is a list of allowed NETCONF paths and CLI commands that can be configured on monitored Catalyst devices.

Model Driven Telemetry

Used to provide Dashboard with telemetry data, including bytes, packets and frame counters for all interfaces, CDP Neighbor Details, and Interface Client MAC address. See Full Telemetry Configuration for a detailed telemetry configuration.

NETCONF paths: /edit-config/config/mdt-config-data.*

CLI commands:

telemetry ietf subscription <id>
 encoding ...
 filter ...
 update-policy ...
 receiver ip address <cloud ip address>
telemetry transform <transform name>
 input table ...
  field ...
  join-key
  logical-op and
  type ...
  uri ...
 operation ... 
  filter ...
   condition ...
   field ...
   logical-op and
   logical-op next and
   event ...
 output-field
   field ...
telemetry receiver protocol ...

Logging

A syslog server is configured through the tunnel to receive events from the device. 

NETCONF paths: 

/edit-config/config/native/logging/host
/edit-config/config/native/logging/host/ipv4-host-list

CLI command:

logging host <cloud ip address>

SNMP

SNMP configurations are used to inform the cloud when configuration changes occur, so that the device state is kept current in Dashboard and any missing configuration required for monitoring can be detected.

NETCONF paths: 

edit-config/config/native/snmp-server/enable/enable-choice/traps/{ config-copy|config-ctid|config|smart-licenseing/smart-license }
edit-config/config/native/snmp-server/host-config/ip-community/{ community-or-user|ip-address|version }

CLI commands:

snmp-server enable traps smart-license
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server host <cloud ip address> version 2c public 

Device Tracking

Device tracking is used to collect client information for devices connected to the switch.

NETCONF paths: 

/edit-config/config/native/device-tracking/policy/{ tracking/enable|security-level/glean }
/edit-config/config/native/device-tracking/policy/protocol/udp
/edit-config/config/native/device-tracking/policy/word

CLI commands:

device-tracking policy MERAKI_POLICY
 security-level glean
 no protocol udp
 tracking enable

NetFlow

For 9200 and 9300 series switches with Advantage licenses, NetFlow is used to provide AVC/client-level application data in Dashboard.

NETCONF paths: 

/edit-config/config/native/flow
/edit-config/config/native/flow/exporter
/edit-config/config/native/flow/monitor
/edit-config/config/native/flow/file-export
/edit-config/config/native/flow/record

CLI commands:

flow record <monitor name>
 match ... 
 collect ... 
flow monitor <record name>
 exporter ...
 cache ...
 record ...
flow exporter <exporter name>
 destination ...
 export-protocol ...
 option ...
flow file-export default
 destination <cloud ip address>
 file ...

Interfaces

Interfaces include device tracking policy to collect client information, as well as NetFlow monitors when applicable.

NETCONF paths:

/edit-config/config/native/interface/{ interface }/device-tracking/attach-policy
/edit-config/config/native/interface/{ interface }/ip(v6)/flow/monitor-new/{ name|direction }
/edit-config/config/native/interface/{ interface }/name
/edit-config/config/native/interface/{ interface }/shutdown

CLI commands:

interface {*GigabitEthernet | *GigE | Port-channel } [range]
 device-tracking attach-policy <policy name>
 ip flow monitor <monitor name> input
 ip flow monitor <monitor name> output
 ipv6 flow monitor <monitor name> input
 ipv6 flow monitor <monitor name> output
 shutdown
 exit

The interface shutdown command is allowed because the Dashboard Cycle Port tool sends it to the device to disable and re-enable a port.

The "no" form is NOT permitted for interface {*GigabitEthernet | *GigE | Port-channel } [range].

IP Route

This route ensures that any traffic to Dashboard is not sent unless the TLS tunnel is established.

NETCONF paths: 

/rpc/edit-config/config/native/ip/route/ip-route-interface-forwarding-list/{ prefix|mask } 
/edit-config/config/native/ip/route/ip-route-interface-forwarding-list

CLI commands:

ip route <cloud ip address> 255.255.255.255 Null0

Shell CLI Commands

These commands are used to enter configuration mode when required to apply the relevant configurations.

enable
exit
end
conf t (lock)
config terminal (lock)
config t  (lock)
write memory
y|yes
do-exec clear line

TLS Tunnel

These commands are performed by the onboarding application during device setup to remove extraneous configuration from previous connections to Cloud Monitoring. They are also included in the allowed commands list for offboarding devices from Cloud Monitoring.

CLI commands:

no crypto tls-tunnel <cloud tunnel>
no crypto pki trustpoint <cloud CA trustpoint>

Users and AAA

CLI commands:

no username meraki-user
no authorization exec MERAKI
no login authentication MERAKI

SSH

CLI commands:

no ip ssh port <port_rotary> 50
ip ssh pubkey-chain

Access List

CLI commands:

no ip access-list extended <dashboard access-list>

Loopback

CLI commands:

no interface Loopback <number>

VTY

CLI commands:

line vty <dashboard vty lines>
no rotary 50
no access-class <acl name> (in|out)
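Putting the allow-list rule from the Allowed Commands introduction into code: the Python below is an added example, not Meraki's enforcer (which is not published). It encodes a subset of the entries above as regular expressions; the regex encoding and the per-entry flags are this example's assumptions. It honours the two caveats the page states: the "no" form is generally permitted but not for switch-port interface commands, and several off-boarding entries exist only in their "no" form. SAMPLE_PUSH is constructed.

```python
import re
from typing import List

# Allow-list transcribed from this page's "Allowed Commands" sections (a subset;
# the telemetry and flow sub-mode lines are omitted). Encoding each entry as a regex
# with separate flags for the positive and "no" forms is this example's own choice.
# Tuple: (regex matched against the command with any leading "no " removed,
#         positive form permitted, "no" form permitted)
ALLOWED_CLI = [
    # Shell CLI commands
    (r"enable|exit|end|write memory|y|yes", True, False),
    (r"(conf t|config terminal|config t)( lock)?", True, False),
    (r"do-exec clear line \d+", True, False),
    # Model Driven Telemetry, Logging, SNMP
    (r"telemetry ietf subscription \d+", True, True),
    (r"telemetry transform \S+", True, True),
    (r"logging host \S+", True, True),
    (r"snmp-server enable traps (smart-license|config-copy|config|config-ctid)", True, True),
    (r"snmp-server host \S+( traps)? version 2c \S+", True, True),
    # Device Tracking (policy and its sub-mode)
    (r"device-tracking policy \S+", True, True),
    (r"security-level glean|tracking enable|protocol udp", True, True),
    # NetFlow
    (r"flow (record|monitor|exporter) \S+", True, True),
    (r"flow file-export default", True, True),
    # Interfaces: the "no" form is explicitly NOT permitted for switch ports
    (r"interface( range)? (GigabitEthernet|TenGigabitEthernet|GigE|Port-channel)\S+", True, False),
    (r"device-tracking attach-policy \S+", True, True),
    (r"(ip|ipv6) flow monitor \S+ (input|output)", True, True),
    (r"shutdown", True, True),             # Cycle Port tool: shutdown / no shutdown
    # IP Route: only the /32 Null0 route for the cloud address
    (r"ip route \S+ 255\.255\.255\.255 Null0", True, True),
    # Off-boarding entries the page lists only in their "no" form
    (r"crypto tls-tunnel \S+", False, True),
    (r"crypto pki trustpoint \S+", False, True),
    (r"username meraki-user", False, True),
    (r"(authorization exec|login authentication) MERAKI", False, True),
    (r"ip ssh port \d+( rotary)? 50", False, True),
    (r"ip ssh pubkey-chain", True, True),
    (r"ip access-list extended \S+", False, True),
    (r"interface Loopback ?\d+", False, True),
    (r"line vty \d+( \d+)?", True, False),
    (r"rotary 50", False, True),
    (r"access-class \S+ (in|out)", False, True),
]


def is_allowed(line: str) -> bool:
    """True if `line` is on the allow-list in the form (positive or "no") it uses."""
    cmd = " ".join(line.split())                # collapse repeated whitespace as IOS does
    negated = cmd.startswith("no ")
    body = cmd[3:] if negated else cmd
    for pattern, positive_ok, no_ok in ALLOWED_CLI:
        if re.fullmatch(pattern, body):
            return no_ok if negated else positive_ok
    return False                                 # default deny: nothing off the list runs


def rejected_lines(push: List[str]) -> List[str]:
    """Lines of a proposed configuration push that the allow-list would block."""
    return [line for line in push if line.strip() and not is_allowed(line)]


# Constructed push: the first block mirrors the page's Device Tracking and Interfaces
# commands; the three commented lines are deliberately outside the allow-list.
SAMPLE_PUSH = [
    "config terminal lock",
    "device-tracking policy MERAKI_POLICY",
    " security-level glean",
    " no protocol udp",
    " tracking enable",
    "interface GigabitEthernet1/0/5",
    " device-tracking attach-policy MERAKI_POLICY",
    " ip flow monitor MERAKI_AVC_IPV4 input",
    " exit",
    "ip route 18.232.244.158 255.255.255.255 Null0",
    "no interface GigabitEthernet1/0/5",       # "no" form not permitted for switch ports
    "username admin privilege 15 secret x",    # not on the list at all
    "ip route 0.0.0.0 0.0.0.0 10.0.0.1",       # only the /32 Null0 route is allowed
    "end",
    "write memory",
]

if __name__ == "__main__":
    for line in rejected_lines(SAMPLE_PUSH):
        print("BLOCKED:", line)
```

The check is default-deny and matches whole commands, so a line that merely starts with an allowed keyword (the default route above, or a username other than meraki-user) is still blocked; that is the property the page's safeguards are meant to provide.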

EEM Scripts

Allowed EEM Script Commands

event manager environment _match default
event manager applet MERAKI-DASHBOARD-CLEANUP authorization bypass
 event none
 event timer { watchdog|countdown } time [seconds] maxrun [seconds]
 action [ name ] { if | else | end | exit | continue | elseif | wait | puts }
 action [ name ] string match
 action [ name ] string replace
 action [ name ] foreach
 action [ name ] regexp
 action [ name ] syslog msg
 action [ name ] set
 action [ name ] cli command "show"
 action [ name ] cli command "enable"
 action [ name ] cli command "monitor capture meraki_capture export flash:meraki_capture_{}_event_pub_sec.pcap"
 action [ name ] cli command "config terminal"
 action [ name ] cli command "end"
 action [ name ] cli command "config terminal lock"
 action [ name ] cli command "configure replace flash:[file name] force"
 action [ name ] cli command "ping"
 action [ name ] cli command "pnpa serv internal [service-control]"
 action [ name ] cli command "pnpa service reload as-is asap\"
 action [ name ] cli command "dir .*"
 action [ name ] cli command "confirm \\yes"
 action [ name ] cli command "(do-exec) delete /force /recursive flash:MERAKI-DASHBOARD-CLEANUP.log"
 action [ name ] cli command "do-exec show logging last 200  | redirect flash:MERAKI-DASHBOARD-CLEANUP.log\"
 action [ name ] cli command "no event manager applet MERAKI-DASHBOARD-CLEANUP"

Dashboard Configuration Clean Up EEM Script

When you remove your Catalyst device from Dashboard, an EEM script is configured and executed on the device to remove all configurations previously applied to the device for Dashboard operations.

Example Clean Up EEM Script

event manager applet MERAKI-DASHBOARD-CLEANUP authorization bypass
 event timer watchdog time 10 maxrun 600
 action 000A cli command "enable"
 action 000B cli command "show event manager policy active | s MERAKI-DASHBOARD-CLEANUP"
 action 000C string match "*MERAKI-DASHBOARD-CLEANUP*MERAKI-DASHBOARD-CLEANUP*" "$_cli_result"
 action 000D if $_string_result eq "1"
 action 000E  exit 0
 action 000F end
 action 002A cli command "show event manager statistics policy | i MERAKI-DASHBOARD-CLEANUP"
 action 002B regexp ".*applet\s+([0-9]+)\s+.*" "$_cli_result" _match _run_times
 action 002C if $_regexp_result eq "1"
 action 002D  if $_run_times gt "60" goto 1000
 action 002E end
 action 0040 string replace "$_string_result" 0 0 "!Start running%config terminal lock !retry_regex*is locked by*!%!Removing brownfield device config%no snmp-server enable traps smart-license%no snmp-server enable traps config-copy%no snmp-server  "
 action 0041 string replace "$_string_result" 196 196 "enable traps config-ctid%no snmp-server enable traps config%no telemetry ietf subscription 1030%no telemetry ietf subscription 1031%no telemetry ietf subscription 1001%no telemetry ietf subscripti "
 action 0042 string replace "$_string_result" 392 392 "on 1002%no telemetry ietf subscription 1003%no telemetry ietf subscription 1004%no telemetry ietf subscription 1007%no telemetry ietf subscription 2002%no telemetry ietf subscription 1011%no telem "
 action 0043 string replace "$_string_result" 588 588 "etry ietf subscription 1012%no telemetry ietf subscription 1013%no telemetry ietf subscription 1014%no telemetry ietf subscription 1015%no telemetry ietf subscription 1016%no telemetry ietf subscr "
 action 0044 string replace "$_string_result" 784 784 "iption 1018%no telemetry ietf subscription 1020%no telemetry ietf subscription 1021%no telemetry transform MERAKI_INTF_STATS_DELTA%no telemetry transform MERAKI_PORTCHANNEL_STATS_DELTA%no device-t "
 action 0045 string replace "$_string_result" 980 980 "racking policy MERAKI_POLICY%interface range GigabitEthernet1/0/1-36,TenGigabitEthernet1/0/37-47,TenGigabitEthernet1/1/1-4 !exit!% no ip flow monitor MERAKI_AVC_IPV4 output% no ipv6 flow monitor M "
 action 0046 string replace "$_string_result" 1176 1176 "ERAKI_AVC_IPV6 input% no ipv6 flow monitor MERAKI_AVC_IPV6 output% no ip flow monitor MERAKI_AVC_IPV4 input%exit%no flow monitor MERAKI_AVC_IPV4%no flow monitor MERAKI_AVC_IPV6%no flow record MERA "
 action 0047 string replace "$_string_result" 1372 1372 "KI_AVC_HTTP_SSL_IPV4%no flow record MERAKI_AVC_HTTP_SSL_IPV6%no flow exporter MERAKI_AVC%no flow file-export default%no snmp-server host 18.232.244.158 traps version 2c public%no logging host 18.2 "
 action 0048 string replace "$_string_result" 1568 1568 "32.244.158%no ip route 18.232.244.158 255.255.255.255 Null0%!Removing tls config%no crypto tls-tunnel MERAKI-PRIMARY%no crypto pki trustpoint MERAKI_TLSGW_CA%!Removing user config%no username mera "
 action 0049 string replace "$_string_result" 1764 1764 "ki-user%ip ssh pubkey-chain !exit!%no username meraki-user%exit%no ip ssh port 2222 rotary 50%no ip access-list extended MERAKI_VTY_IN%no ip access-list extended MERAKI_VTY_OUT%no interface Loopba "
 action 004A string replace "$_string_result" 1960 1960 "ck1000%!Clearing VTY lines%do-exec clear line 32%do-exec clear line 33%!Removing VTY config%line vty 32 33 !exit!%no rotary 50%no access-class MERAKI_VTY_IN in%no access-class MERAKI_VTY_OUT out%n "
 action 004B string replace "$_string_result" 2156 2156 "o authorization exec MERAKI%no login authentication MERAKI%exit%no event manager applet MERAKI-DASHBOARD-CLEANUP%end%write memory%!Finish running "
 action 0060 set _exit_able "0"
 action 0061 set _has_error "0"
 action 0064 foreach _cmd_data "$_string_result" "%"
 action 0065  regexp "^\s*(!.*)" "$_cmd_data" _match _msg
 action 0066  if $_regexp_result eq "1"
 action 0067   syslog msg "$_msg"
 action 0068  else
 action 0069   regexp ".*!exit!*." "$_cmd_data" _match
 action 006A   set _exit_flag "$_regexp_result"
 action 006B   regexp ".*!retry_regex([^!]+).*" "$_cmd_data" _match _retry_regex
 action 006C   set _retry_able "$_regexp_result"
 action 006D   regexp "([^!]+).*" "$_cmd_data" _match _cmd
 action 006E   if $_cmd eq "exit"
 action 006F    if $_exit_able ne "1"
 action 0070     syslog msg "skip run 'exit'"
 action 0071     continue
 action 0072    else
 action 0073     set _exit_able "0"
 action 0074    end
 action 0075   end
 action 0076   syslog msg "$_cmd"
 action 0077   cli command "$_cmd" pattern "confirm|yes|#"
 action 0078   regexp ".*(yes|confirm).*" "$_cli_result" _match
 action 0079   if $_regexp_result eq "1"
 action 007A    syslog msg "y"
 action 007B    cli command "y" pattern "confirm|yes|#"
 action 007C   elseif $_retry_able eq 1
 action 007D    string match "$_retry_regex" "$_cli_result"
 action 007E    if $_string_result eq "1"
 action 007F     syslog msg "Exit with error, will start to retry after 10~20 seconds\n$_cli_result"
 action 0080     wait 10
 action 0081     exit 1
 action 0082    end
 action 0083   end
 action 0084   string match nocase "*%*" "$_cli_result"
 action 0085   if $_string_result eq "1"
 action 0086    syslog msg "$_cli_result"
 action 0087    string match nocase "*^*" "$_cli_result"
 action 0088    if $_string_result eq "1"
 action 0089     set _has_error "1"
 action 008A    end
 action 008B   elseif $_exit_flag eq 1
 action 008C    set _exit_able "1"
 action 008D   end
 action 008E  end
 action 0200 end
 action 0201 cli command "del /f /r flash:MERAKI-DASHBOARD-CLEANUP.log"
 action 0202 if $_has_error ne "0" goto 1105
 action 0203 exit 0
 action 1000 syslog msg "force exit, as script looping over max times"
 action 1101 cli command "end"
 action 1102 cli command "config terminal lock"
 action 1103 cli command "no event manager applet MERAKI-DASHBOARD-CLEANUP"
 action 1104 cli command "do-exec del /f /r flash:MERAKI-DASHBOARD-CLEANUP.log"
 action 1105 cli command "do-exec show logging last 200 | redirect flash:MERAKI-DASHBOARD-CLEANUP.log"
 action 1200 exit 0
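To make the applet's control flow concrete: the Python below is an added example, not part of the page's script. It parses a "%"-separated command string in the syntax that actions 0040 to 004B build up (the "!message", "!exit!" and "!retry_regex...!" markers) and replays the decisions of the foreach loop (actions 0064 to 008E) against a stub device, returning what would be sent and whether the applet would flag an error or abort for a retry. DEMO_SCRIPT is a shortened, constructed fragment, and the stub's responses are invented.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Tuple, Union


@dataclass
class Message:
    text: str                   # "!..." entry: only written to syslog, never executed


@dataclass
class Command:
    text: str                   # CLI line to run (leading/trailing blanks stripped)
    exit_gate: bool             # "!exit!" tag: the next "exit" runs only if this command succeeds
    retry_glob: Optional[str]   # "!retry_regex<glob>!" tag: abort and let the timer retry if output matches


Item = Union[Message, Command]


def parse_script(blob: str) -> List[Item]:
    """Split the '%'-separated string the same way the applet's foreach loop does."""
    items: List[Item] = []
    for raw in blob.split("%"):
        if not raw.strip():
            continue
        if re.match(r"^\s*(!.*)", raw):                          # action 0065: message entry
            items.append(Message(raw.strip()))
            continue
        exit_gate = "!exit!" in raw                              # action 0069
        retry = re.match(r".*!retry_regex([^!]+).*", raw)        # action 006B
        cmd = re.match(r"([^!]+).*", raw).group(1)               # action 006D: text before the first "!"
        items.append(Command(cmd.strip(), exit_gate, retry.group(1) if retry else None))
    return items


def replay(items: List[Item], execute: Callable[[str], str]) -> Tuple[List[str], List[str], bool, bool]:
    """Replay the loop against a device stub. Returns
    (commands sent, syslog lines, has_error, retry_requested)."""
    sent: List[str] = []
    log: List[str] = []
    exit_able = False
    has_error = False
    for item in items:
        if isinstance(item, Message):
            log.append(item.text)
            continue
        if item.text == "exit":
            if not exit_able:                                    # actions 006E-0071: unarmed exit is skipped
                log.append("skip run 'exit'")
                continue
            exit_able = False
        log.append(item.text)
        out = execute(item.text)
        sent.append(item.text)
        if re.search(r"yes|confirm", out):                       # actions 0078-007B: answer a prompt with "y"
            sent.append("y")
            out = execute("y")
        elif item.retry_glob and fnmatchcase(out, item.retry_glob):  # actions 007C-0081: abort, timer re-runs
            log.append("Exit with error, will start to retry after 10~20 seconds")
            return sent, log, has_error, True
        if "%" in out:                                           # actions 0084-008A: IOS error text
            log.append(out)
            if "^" in out:
                has_error = True
        elif item.exit_gate:                                     # actions 008B-008C: arm the following "exit"
            exit_able = True
    return sent, log, has_error, False


# Constructed fragment in the same syntax as the page's applet, cut down to a few
# commands; 18.232.244.158 is the cloud address that appears in the page's script.
DEMO_SCRIPT = (
    "!Start running%config terminal lock !retry_regex*is locked by*!%"
    "no snmp-server enable traps config-copy%"
    "interface range GigabitEthernet1/0/1-36 !exit!% no ip flow monitor MERAKI_AVC_IPV4 input%exit%"
    "no ip route 18.232.244.158 255.255.255.255 Null0%exit%end%!Finish running"
)


def demo(responses: Optional[Dict[str, str]] = None):
    """Run DEMO_SCRIPT against a stub device whose replies come from `responses`
    (command -> output); commands not listed succeed silently."""
    table = responses or {}
    return replay(parse_script(DEMO_SCRIPT), lambda cmd: table.get(cmd, ""))


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Two details of the original are worth noticing in the replay: the "!exit!" gate means a failed "interface range" command does not let the following "exit" run and drop the applet out of configuration mode, and the "!retry_regex*is locked by*!" tag on "config terminal lock" is what turns a held configuration lock into an abort that the watchdog timer re-runs rather than a half-applied cleanup.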
