Cisco Meraki Documentation

Cloud Monitoring Required Configuration

This guide is for Cloud Monitoring for Catalyst Switches. See Cloud Monitoring Catalyst 9800 Dashboard Provisioned Configurations for detailed information on configurations applied to Catalyst 9800 wireless controllers.

In order to enable Catalyst devices to be monitored by the Cisco Meraki dashboard, limited configuration changes are required, such as those performed by the Cloud Monitoring Onboarding application to initiate Cisco cloud services connectivity. Additional configuration changes are necessary post-onboarding to enable devices to send status and telemetry information. Finally, some configuration commands are required for certain dashboard live tools, such as Port Cycling.

These configuration changes are performed by our cloud services using NETCONF or IOS-XE CLI commands to the devices through the TLS tunnel established during the onboarding process.

To help you understand the purpose and scope of these configuration changes, the types of commands that could be issued and their purpose are outlined below. Safeguards are also implemented within the configuration push services to limit the device commands the service can configure: no configuration command is run on a device unless it is in the Allowed Commands List.


When Will Dashboard Modify Device Configurations?

During Onboarding

When running the local onboarding application, configurations are pushed to the device over SSH from the onboarding application to establish communication with dashboard.

These configurations include:

  • NETCONF for device configuration from dashboard
  • LLDP for dashboard Network Topology
  • SSH v2 with publickey authentication for cloud authentication
  • Null static IP route for cloud IP address to prevent traffic that should be in the tunnel from falling back to default route when the tunnel is down
  • Local authentication group for dashboard device access for SSH CLI and NETCONF through the TLS tunnel
  • ACL for cloud ingress VTY access, allowing only SSH on port 2222
  • ACL for cloud telemetry egress, allowing only SFTP on port 2022 to the cloud
  • SSH rotary for the dashboard VTY lines to listen port 2222 for dashboard initiated SSH sessions
  • VTY lines dedicated to device access from dashboard and enable SSH to those VTY lines
  • Local Meraki user with SSH Keys for SSH and NETCONF access from dashboard
  • Crypto TLS Tunnel for secure device access from dashboard

After dashboard communication is established, dashboard will access the device via the secure TLS tunnel using the meraki-user account over SSH and apply the following configurations via NETCONF:

  • Device Tracking Policy for collecting client data such as IP address and MAC address
  • Syslog server (logging host) to allow dashboard to receive device logs
  • SNMP server host to receive traps from devices
  • SNMP traps to aid dashboard monitoring
  • NetFlow records, monitors and exporters
  • Model Driven Telemetry subscriptions that provide dashboard with device operational data
  • Interface configurations:
    • Assign the device tracking policy
    • Assign the flow monitors (IPv4 and IPv6)

See Client-Tracking in IOS-XE for further information on device tracking in Cloud Monitoring.

The device tracking policy named MERAKI_POLICY is added to each Layer 2 interface at the time of onboarding, except the following:

  • The detected uplink interface
  • Interfaces known to connect directly to other devices in your dashboard network (including both Catalyst and Meraki hardware)
  • Interfaces on which device tracking is explicitly disabled
  • Interfaces already configured with a device tracking policy other than MERAKI_POLICY
  • Member interfaces of a port channel
  • SVL interfaces

NetFlow configurations are only included for devices with a DNA Advantage license. If a device's license level is changed from DNA Essentials to DNA Advantage, the NetFlow configurations are pushed to the device when cloud connectivity resumes after the device restarts.

See Cloud Monitoring Detailed Device Configurations for the full commands of the device configurations applied during onboarding.

Maintaining Cloud Monitoring Services

During normal operations, dashboard monitors devices at regular intervals for changes to the configurations required for Cloud Monitoring. When required configuration is missing, or the device configuration has been changed, the Cloud Monitoring service re-assesses the device and re-applies the appropriate configuration so that it can be properly monitored in dashboard.

Interface Updates and Route Changes

Dashboard periodically checks devices for newly configured interfaces (including port-channels) and, if any are detected, applies the required device tracking policy and flow monitors (if applicable) to them.

As an interface is changed in status or configuration, device tracking policies will be updated according to the conditions noted above.

For example, if the uplink is modified from one interface to another, upon next detection, the device tracking policy will be removed from the newly detected uplink interface and added to the previous uplink interface, provided no other exceptions apply.

If an interface has a device tracking policy other than MERAKI_POLICY applied, no changes will be made to the device tracking configuration on that interface.
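The exception rules and the uplink-change behaviour described above can be expressed as a small reconciler. The following is an added example, not dashboard's own code: the interface facts (which port is the uplink, which ports face other dashboard devices, which are port-channel members or SVL links) are taken as inputs because the page does not describe how dashboard detects them, and the interface names and the CUSTOM_DT policy name are constructed for the example.

```python
"""Reconcile MERAKI_POLICY attachments against the exception rules on this page.

Added example (not Meraki's code). Interface facts are inputs; how dashboard
discovers uplinks and neighbours is not described on the page. The scenario
below is the one the text gives: the uplink moves from one port to another, so
the policy is removed from the newly detected uplink and re-added to the old one.
"""
from dataclasses import dataclass
from typing import List, Optional

POLICY = "MERAKI_POLICY"


@dataclass
class Interface:
    name: str
    is_layer2: bool = True
    is_uplink: bool = False
    peers_dashboard_device: bool = False  # connects directly to another device in the dashboard network
    tracking_disabled: bool = False       # device tracking explicitly disabled on this port
    attached_policy: Optional[str] = None # policy currently attached, if any
    port_channel_member: bool = False
    svl: bool = False


def wants_policy(intf: Interface) -> bool:
    """Apply the six exceptions: any one of them keeps MERAKI_POLICY off the port."""
    return (intf.is_layer2 and not intf.is_uplink and not intf.peers_dashboard_device
            and not intf.tracking_disabled and not intf.port_channel_member and not intf.svl)


def plan(interfaces: List[Interface]) -> List[str]:
    """Return the interface commands needed to converge; ports carrying a
    policy other than MERAKI_POLICY are left untouched."""
    cmds: List[str] = []
    for i in interfaces:
        if i.attached_policy not in (None, POLICY):
            continue  # foreign policy: hands off, per the page
        want, has = wants_policy(i), i.attached_policy == POLICY
        if want and not has:
            cmds += [f"interface {i.name}", f" device-tracking attach-policy {POLICY}", " exit"]
        elif has and not want:
            cmds += [f"interface {i.name}", f" no device-tracking attach-policy {POLICY}", " exit"]
    return cmds


def uplink_change_example() -> List[str]:
    """Constructed scenario: uplink moved from Gi1/0/48 to Gi1/0/47."""
    interfaces = [
        Interface("GigabitEthernet1/0/48", is_uplink=False, attached_policy=None),  # old uplink, now access
        Interface("GigabitEthernet1/0/47", is_uplink=True, attached_policy=POLICY), # new uplink, still tagged
        Interface("GigabitEthernet1/0/1", attached_policy=POLICY),                  # steady state
        Interface("GigabitEthernet1/0/2", attached_policy="CUSTOM_DT"),             # foreign policy
        Interface("Port-channel1", attached_policy=None),                           # bundle gets the policy
        Interface("GigabitEthernet1/0/3", port_channel_member=True),                # member does not
    ]
    return plan(interfaces)


if __name__ == "__main__":
    print("\n".join(uplink_change_example()))
```

The reconciler only ever emits attach or detach for MERAKI_POLICY; it never touches a port that carries another policy, which matches the last paragraph above.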

 

Off-boarding Devices From Cloud Monitoring

If a monitored Catalyst device is removed from dashboard, all onboarding and telemetry configurations will be removed from the device by configuring and running an EEM Script. The allowed commands list includes the "no" versions of the configurations that were performed on the device for onboarding and telemetry in order to remove all cloud monitoring configurations from the device.

 

Allowed Commands

For the allowed NETCONF paths, both "merge" and "remove" operations are permitted. For CLI commands, the "no" form of each command is permitted. The "remove" and "no" forms allow dashboard to remove its device configuration when the device is removed from dashboard.

 

This is a list of allowed NETCONF paths and CLI commands that can be configured on monitored Catalyst devices.

Model Driven Telemetry

Used to provide dashboard with telemetry data, including bytes, packets and frame counters for all interfaces, CDP Neighbor Details, and Interface Client MAC address. See Full Telemetry Configuration for a detailed telemetry configuration.

NETCONF paths: /edit-config/config/mdt-config-data.*

CLI commands:

telemetry ietf subscription <id>
 encoding ...
 filter ...
 update-policy ...
 receiver ip address <cloud ip address>
telemetry transform <transform name>
 input table ...
  field ...
  join-key
  logical-op and
  type ...
  uri ...
 operation ... 
  filter ...
   condition ...
   field ...
   logical-op and
   logical-op next and
   event ...
 output-field
   field ...
telemetry receiver protocol ...

Logging

A syslog server is configured through the tunnel to receive events from the device. 

NETCONF paths: 

/edit-config/config/native/logging/host
/edit-config/config/native/logging/host/ipv4-host-list

CLI command:

logging host <cloud ip address>

SNMP

SNMP traps are used to inform the cloud when configuration changes occur, so that the device configuration shown in dashboard is kept current and any missing configuration required for monitoring can be detected. The trap destination is the cloud IP address, which is reachable only through the TLS tunnel (see IP Route).

NETCONF paths: 

edit-config/config/native/snmp-server/enable/enable-choice/traps/{ config-copy|config-ctid|config|smart-licensing/smart-license }
edit-config/config/native/snmp-server/host-config/ip-community/{ community-or-user|ip-address|version }

CLI commands:

snmp-server enable traps smart-license
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server host <cloud ip address> version 2c public 

Device Tracking

Device tracking is used to collect client information for devices connected to the switch.

NETCONF paths: 

/edit-config/config/native/device-tracking/policy/{ tracking/enable|security-level/glean }
/edit-config/config/native/device-tracking/policy/protocol/udp
/edit-config/config/native/device-tracking/policy/word

CLI commands:

device-tracking policy MERAKI_POLICY
 security-level glean
 no protocol udp
 tracking enable

NetFlow

For 9200 and 9300 series switches with Advantage licenses, NetFlow is used to provide AVC/client-level application data in dashboard.

NETCONF paths: 

/edit-config/config/native/flow
/edit-config/config/native/flow/exporter
/edit-config/config/native/flow/monitor
/edit-config/config/native/flow/file-export
/edit-config/config/native/flow/record

CLI commands:

flow record <record name>
 match ... 
 collect ... 
flow monitor <monitor name>
 exporter ...
 cache ...
 record ...
flow exporter <exporter name>
 destination ...
 export-protocol ...
 option ...
flow file-export default
 destination <cloud ip address>
 file ...

Interfaces

Interfaces include device tracking policy to collect client information, as well as NetFlow monitors when applicable.

NETCONF paths:

/edit-config/config/native/interface/{ interface }/device-tracking/attach-policy
/edit-config/config/native/interface/{ interface }/{ ip|ipv6 }/flow/monitor-new/{ name|direction }
/edit-config/config/native/interface/{ interface }/name
/edit-config/config/native/interface/{ interface }/shutdown

CLI commands:

interface {*GigabitEthernet | *GigE | Port-channel } [range]
 device-tracking attach-policy <policy name>
 ip flow monitor <monitor name> input
 ip flow monitor <monitor name> output
 ipv6 flow monitor <monitor name> input
 ipv6 flow monitor <monitor name> output
 shutdown
 exit

The interface shutdown command is allowed because it is sent to the device when the dashboard Cycle Port tool disables and re-enables a port.

The "no" form is NOT permitted for interface {*GigabitEthernet | *GigE | Port-channel } [range]: dashboard can configure interfaces but cannot delete one (for example a Port-channel) from the configuration.
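An allow-list of this kind is easy to get wrong at the edges, so here is an added example of how a push service can gate every line: accept only lines matching an allowed command shape, accept the "no" form of every allowed command except "interface ...", and reject everything else. This is not Meraki's code, and the pattern set is an illustrative subset of the commands listed on this page, not the complete list dashboard enforces; the candidate push and the addresses in it are constructed for the example.

```python
"""Allow-list gate for dashboard-originated IOS-XE configuration lines.

Added example; not Meraki's code. The pattern set is a subset of the Allowed
Commands on this page. Two rules are modelled: a line is accepted only if it
matches an allowed command shape, and the "no" form is accepted for every
allowed command except "interface ...", so a push can never delete an interface.
"""
import re
from typing import Iterable, List, Tuple

# (full-line regex for the positive form, whether the "no" form is also allowed)
ALLOWED: List[Tuple[str, bool]] = [
    (r"interface (GigabitEthernet|TenGigabitEthernet|TwentyFiveGigE|Port-channel)\S+", False),
    (r"device-tracking attach-policy \S+", True),
    (r"(ip|ipv6) flow monitor \S+ (input|output)", True),
    (r"shutdown", True),  # Cycle Port tool: shutdown followed by no shutdown
    (r"exit", False),
    (r"end", False),
    (r"device-tracking policy \S+", True),
    (r"telemetry ietf subscription \d+", True),
    (r"logging host \d{1,3}(\.\d{1,3}){3}", True),
    (r"snmp-server enable traps (smart-license|config-copy|config-ctid|config)", True),
    (r"snmp-server host \d{1,3}(\.\d{1,3}){3} version 2c \S+", True),
    (r"ip route \d{1,3}(\.\d{1,3}){3} 255\.255\.255\.255 Null0", True),
]
_COMPILED = [(re.compile(p), allow_no) for p, allow_no in ALLOWED]


def is_allowed(line: str) -> bool:
    """True if the (possibly negated) command matches an allowed shape."""
    cmd = " ".join(line.split())  # normalise indentation and repeated spaces
    negated = cmd.startswith("no ")
    body = cmd[3:] if negated else cmd
    for rx, allow_no in _COMPILED:
        if rx.fullmatch(body):
            return allow_no or not negated
    return False


def filter_push(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a candidate push into (accepted, rejected); rejected lines are never sent."""
    accepted: List[str] = []
    rejected: List[str] = []
    for line in lines:
        (accepted if is_allowed(line) else rejected).append(" ".join(line.split()))
    return accepted, rejected


# Constructed candidate push mixing legitimate lines with ones the gate must refuse.
SAMPLE_PUSH = [
    "interface GigabitEthernet1/0/5",
    " device-tracking attach-policy MERAKI_POLICY",
    " ip flow monitor MERAKI_AVC_IPV4 input",
    " shutdown",
    " no shutdown",
    " exit",
    "no interface GigabitEthernet1/0/5",        # deleting an interface: not permitted
    "ip route 0.0.0.0 0.0.0.0 192.0.2.1",       # arbitrary default route: not in the list
    "username attacker privilege 15 secret x",  # account creation: not in the list
    "no device-tracking policy MERAKI_POLICY",  # "no" form of an allowed command
]

if __name__ == "__main__":
    ok, bad = filter_push(SAMPLE_PUSH)
    print("accepted:", *ok, sep="\n  ")
    print("rejected:", *bad, sep="\n  ")
```

Matching is anchored on the whole normalised line, so a permitted prefix cannot smuggle in extra arguments, and the negation check happens before pattern matching so that "no interface ..." is refused even though "interface ..." itself is allowed.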

IP Route

This host route sends traffic for the cloud IP address to Null0, so that traffic that belongs inside the TLS tunnel is dropped rather than falling back to the default route when the tunnel is down.

NETCONF paths: 

/rpc/edit-config/config/native/ip/route/ip-route-interface-forwarding-list/{ prefix|mask } 
/edit-config/config/native/ip/route/ip-route-interface-forwarding-list

CLI commands:

ip route <cloud ip address> 255.255.255.255 Null0

Shell CLI Commands

These commands are used to enter configuration mode when required to apply the relevant configurations.

enable
exit
end
conf t (lock)
config terminal (lock)
config t  (lock)
write memory
y|yes
do-exec clear line

TLS Tunnel

These commands are performed by the onboarding application during device setup to remove extraneous configuration from previous connections to Cloud Monitoring. They are also included in the allowed commands list for offboarding devices from Cloud Monitoring.

CLI commands:

no crypto tls-tunnel <cloud tunnel>
no crypto pki trustpoint <cloud CA trustpoint>

Users and AAA

CLI commands:

no username meraki-user
no authorization exec MERAKI
no login authentication MERAKI

SSH

CLI commands:

no ip ssh port <port> rotary 50
ip ssh pubkey-chain

Access List

CLI commands:

no ip access-list extended <dashboard access-list>

Loopback

CLI commands:

no interface Loopback <number>

VTY

CLI commands:

line vty <dashboard vty lines>
no rotary 50
no access-class <acl name> (in|out)

EEM Scripts

Allowed EEM Script Commands

event manager environment _match default
event manager applet MERAKI-DASHBOARD-CLEANUP authorization bypass
 event none
 event timer { watchdog|countdown } time [seconds] maxrun [seconds]
 action [ name ] { if | else | end | exit | continue | elseif | wait | puts }
 action [ name ] string match
 action [ name ] string replace
 action [ name ] foreach
 action [ name ] regexp
 action [ name ] syslog msg
 action [ name ] set
 action [ name ] cli command "show"
 action [ name ] cli command "enable"
 action [ name ] cli command "monitor capture meraki_capture export flash:meraki_capture_{}_event_pub_sec.pcap"
 action [ name ] cli command "config terminal"
 action [ name ] cli command "end"
 action [ name ] cli command "config terminal lock"
 action [ name ] cli command "configure replace flash:[file name] force"
 action [ name ] cli command "ping"
 action [ name ] cli command "pnpa serv internal [service-control]"
 action [ name ] cli command "pnpa service reload as-is asap"
 action [ name ] cli command "dir .*"
 action [ name ] cli command "confirm \\yes"
 action [ name ] cli command "(do-exec) delete /force /recursive flash:MERAKI-DASHBOARD-CLEANUP.log"
 action [ name ] cli command "do-exec show logging last 200 | redirect flash:MERAKI-DASHBOARD-CLEANUP.log"
 action [ name ] cli command "no event manager applet MERAKI-DASHBOARD-CLEANUP"

Dashboard Configuration Clean Up EEM Script (Manual Removal)

The following Embedded Event Manager (EEM) scripts must be configured and executed manually on Catalyst IOS XE switches to remove all residual Cloud Monitoring configuration, including the AAA configuration.

Note: The scripts automatically discover and remove the cloud IP configuration. If the cloud IP cannot be confirmed, it must be removed manually. See the Manual Cleanup section for details.

The cleanup is split into two scripts that must be run sequentially. The first handles interface and global configuration, and the second addresses the cloud IP routes and AAA settings. Both scripts enable archive log config with syslog notification so that every configuration change they make is logged for audit purposes; this logging is removed again as part of each script's self-cleanup, so it does not persist after execution. After both scripts are complete, manual verification is required to confirm that all configurations have been removed.

 

Scripts

  • Script 1: MERAKI-CLEANUP-PHASE1
    • Purpose: all Meraki configurations except AAA and cloud/shard IP configs
    • Runtime: 2–15 minutes, depending on the number of stack members and interfaces (including Port-channels)
  • Script 2: MERAKI-CLEANUP-PHASE2
    • Purpose: cloud IP discovery/removal and AAA method lists
    • Runtime: 30–60 seconds

Before You Begin

  1. Ensure you have console or SSH access at privilege 15 on a line that is not one of the Meraki-managed VTY lines (Script 1 clears those lines and removes their authentication settings).

  2. Take a configuration backup before proceeding (optional, but recommended, since both scripts finish with write memory).

copy running-config flash:pre-cleanup-backup.cfg 

Running the Scripts

Note: The full scripts are included at the end. 

  • Load Script 1  

config terminal
! Paste the MERAKI-CLEANUP-PHASE1 applet (in chunks if terminal stalls)
end
show run | section event manager applet MERAKI-CLEANUP-PHASE1

  • Run Script 1

event manager run MERAKI-CLEANUP-PHASE1

  • Verify completion 

show logging | include MERAKI-CLEANUP-PHASE1 

  • Expected final log entry 

MERAKI-CLEANUP-PHASE1: Completed. Run MERAKI-CLEANUP-PHASE2 to remove AAA and cloud configs. 

  • Wait 2-5 minutes to confirm the switch is stable before proceeding. 

  • Spot-check: only the AAA method lists and the shard-related configuration (logging host, snmp-server host, ip route) should remain.

show run | include MERAKI 

  • Load Script 2

config terminal

! Paste the MERAKI-CLEANUP-PHASE2 applet

end

  • Run Script 2

event manager run MERAKI-CLEANUP-PHASE2

  • Verify completion 

show logging | include MERAKI-CLEANUP-PHASE2 

  • Expected final log entry 

MERAKI-CLEANUP-PHASE2: Completed. Meraki cleanup finished. 

  • Final verification – all Meraki references should be gone 

show run | include MERAKI  

show run | include ^aaa  

show run | section line vty  

show ip access-lists | include MERAKI  

show run | section event manager  

show run | section log config 

Manual Cleanup (If Needed) 

Script 2 automatically discovers and removes the cloud IP configuration. If it could not confirm the cloud IP, the following items must be removed manually.  

Note: The steps below are only needed if the script fails to identify and clean the cloud IP configuration.

  • Verify Script 2 completed: show logging | include MERAKI-CLEANUP-PHASE2
  • If the output does not contain "MERAKI-CLEANUP-PHASE2: Cloud IP confirmed: <shard_ip>" (Script 2 logs this only when the same address appears in a Null0 host route, a snmp-server host line and a logging host line), remove the following manually, replacing <shard_ip> with the actual IP.

SNMP host:

config terminal
no snmp-server host <shard_ip> version 2c public
end
write memory

Logging host: 

config terminal
no logging host <shard_ip>
end
write memory

Static route to shard:

config terminal
no ip route <shard_ip> 255.255.255.255 Null0
end
write memory

IPv6 ND Cache:
(Optional to remove)

config terminal
no ipv6 nd cache expire refresh
end
write memory

If needed, identify the shard IP from show run | include snmp-server host or show run | section crypto tls-tunnel. Capture it before running Script 1, which removes the tls-tunnel configuration; after Script 1 only the snmp-server host, logging host and Null0 route lines still carry the address.
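The final-verification greps and the manual cleanup above both hinge on two questions: has every Meraki reference gone, and can the shard IP be confirmed? The following is an added example, not part of this documentation or of the EEM scripts on this page, that answers both from a saved copy of show running-config so the result can be kept with the change record. It re-implements Script 2's confirmation rule (an address counts as the cloud IP only if the same /32 appears in a Null0 route, a snmp-server host line and a logging host line) and the residual-reference checks. Both configurations below are constructed for the example, and 192.0.2.10 is a placeholder address.

```python
"""Offboarding audit for a saved Catalyst running-config.

Added example; not part of the Meraki documentation or its EEM scripts. It
re-implements the MERAKI-CLEANUP-PHASE2 cloud IP confirmation rule and the
final-verification checks in Python so they can be run against captured
'show running-config' output. Sample configs are constructed; 192.0.2.10 is
a placeholder shard address.
"""
import re
from typing import Dict, List, Optional

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def discover_cloud_ip(config: str) -> Optional[str]:
    """Return the confirmed cloud IP, or None when it cannot be confirmed
    (missing or ambiguous); in that case nothing should be removed blind."""
    routes = set(re.findall(r"^ip route " + IPV4 + r" 255\.255\.255\.255 Null0$", config, re.M))
    snmp = set(re.findall(r"^snmp-server host " + IPV4 + r"\b", config, re.M))
    syslog = set(re.findall(r"^logging host " + IPV4 + r"\b", config, re.M))
    confirmed = routes & snmp & syslog
    return confirmed.pop() if len(confirmed) == 1 else None


def shard_cleanup_commands(cloud_ip: str) -> List[str]:
    """The three removals from 'Manual Cleanup', filled in for a confirmed IP."""
    return [
        f"no snmp-server host {cloud_ip} version 2c public",
        f"no logging host {cloud_ip}",
        f"no ip route {cloud_ip} 255.255.255.255 Null0",
    ]


def archive_logging_enabled(config: str) -> bool:
    """True if 'archive / log config / logging enable' is still present."""
    in_archive = False
    for line in config.splitlines():
        if line.rstrip() == "archive":
            in_archive = True
            continue
        if in_archive and not line.startswith(" "):
            in_archive = False
        if in_archive and line.strip() == "logging enable":
            return True
    return False


_CHECKS = [  # line-level checks mirroring the final verification commands
    ("meraki_names", re.compile(r"MERAKI")),
    ("meraki_user", re.compile(r"^username meraki-user\b")),
    ("ssh_rotary", re.compile(r"^ip ssh port \d+ rotary 50\b|^ rotary 50\b")),
    ("tls_tunnel", re.compile(r"^crypto tls-tunnel ")),
    ("eem_applets", re.compile(r"^event manager applet MERAKI")),
]


def residual_references(config: str) -> Dict[str, List[str]]:
    """Map check name -> offending lines; an empty dict means the device is clean."""
    findings: Dict[str, List[str]] = {name: [] for name, _ in _CHECKS}
    for line in config.splitlines():
        for name, rx in _CHECKS:
            if rx.search(line):
                findings[name].append(line.strip())
    if archive_logging_enabled(config):
        findings["archive_log_config"] = ["archive / log config / logging enable"]
    return {k: v for k, v in findings.items() if v}


def audit(config: str) -> dict:
    cloud_ip = discover_cloud_ip(config)
    return {
        "cloud_ip": cloud_ip,
        "shard_cleanup": shard_cleanup_commands(cloud_ip) if cloud_ip else [],
        "residual": residual_references(config),
    }


# Constructed sample: a switch still carrying Cloud Monitoring configuration.
PRE_CLEANUP = """\
hostname cat9300-lab
aaa authentication login MERAKI local
aaa authorization exec MERAKI local
username meraki-user privilege 15
archive
 log config
  logging enable
device-tracking policy MERAKI_POLICY
interface GigabitEthernet1/0/1
 device-tracking attach-policy MERAKI_POLICY
 ip flow monitor MERAKI_AVC_IPV4 input
ip route 192.0.2.10 255.255.255.255 Null0
ip access-list extended MERAKI_VTY_IN
ip ssh port 2222 rotary 50
logging host 192.0.2.10
snmp-server host 192.0.2.10 version 2c public
crypto tls-tunnel MERAKI-PRIMARY
line vty 10 14
 access-class MERAKI_VTY_IN in
 login authentication MERAKI
 rotary 50
"""

# Constructed sample: the same switch after both cleanup scripts.
POST_CLEANUP = """\
hostname cat9300-lab
interface GigabitEthernet1/0/1
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    print(audit(PRE_CLEANUP))
    print(audit(POST_CLEANUP))
```

Run it against the pre-cleanup capture to record what was present and to get the exact manual commands for the confirmed shard IP, then against the post-cleanup capture, which should return no cloud IP and an empty residual map. If the route, trap host and syslog host do not agree on one address, the function deliberately returns None, matching the script's refusal to guess.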

Script 1: MERAKI-CLEANUP-PHASE1 

event manager applet MERAKI-CLEANUP-PHASE1 authorization bypass
 event none sync no maxrun 900
 action 0001 syslog msg "MERAKI-CLEANUP-PHASE1: Starting - Discovery"
 action 0002 cli command "enable"
 action 0010 cli command "show run | include ^interface|flow monitor MERAKI|device-tracking attach-policy MERAKI|description.*eraki"
 action 0011 set _intf_data "$_cli_result"
 action 0020 cli command "show run | include ^line vty|login authentication MERAKI"
 action 0021 set _vty_data "$_cli_result"
 action 0100 syslog msg "MERAKI-CLEANUP-PHASE1: Interface cleanup"
 action 0101 cli command "config terminal"
 action 0102 cli command "archive"
 action 0103 cli command "log config"
 action 0104 cli command "logging enable"
 action 0105 cli command "notify syslog contenttype plaintext"
 action 0106 cli command "exit"
 action 0107 cli command "exit"
 action 0108 set _current_intf ""
 action 0109 set _meraki_lb ""
 action 010A foreach _line "$_intf_data" "\n"
 action 010B  regexp "action [0-9]" "$_line"
 action 010C  if $_regexp_result ne "1"
 action 010D   regexp "^(interface [^ ]+)" "$_line" _match _intf
 action 010E   if $_regexp_result eq "1"
 action 010F    set _current_intf "$_intf"
 action 0110   end
 action 0111   regexp "^ *(ip[^ ]*) flow monitor ([^ ]*MERAKI[^ ]*) (input|output)" "$_line" _match _ipver _monitor _dir
 action 0112   if $_regexp_result eq "1"
 action 0113    cli command "$_current_intf"
 action 0114    cli command "no $_ipver flow monitor $_monitor $_dir"
 action 0115    cli command "exit"
 action 0116   end
 action 0117   regexp "device-tracking attach-policy (MERAKI[^ ]*)" "$_line" _match _dt_policy
 action 0118   if $_regexp_result eq "1"
 action 0119    cli command "$_current_intf"
 action 011A    cli command "no device-tracking attach-policy $_dt_policy"
 action 011B    cli command "exit"
 action 011C   end
 action 011D   regexp "description.*eraki" "$_line"
 action 011E   if $_regexp_result eq "1"
 action 011F    regexp "Loopback" "$_current_intf"
 action 0120    if $_regexp_result eq "1"
 action 0121     set _meraki_lb "$_current_intf"
 action 0122    end
 action 0123   end
 action 0124  end
 action 0125 end
 action 0200 syslog msg "MERAKI-CLEANUP-PHASE1: Global config cleanup"
 action 0210 cli command "no snmp-server enable traps smart-license"
 action 0211 cli command "no snmp-server enable traps config-copy"
 action 0212 cli command "no snmp-server enable traps config-ctid"
 action 0213 cli command "no snmp-server enable traps config"
 action 0220 cli command "no telemetry ietf subscription 1001"
 action 0221 cli command "no telemetry ietf subscription 1002"
 action 0222 cli command "no telemetry ietf subscription 1003"
 action 0223 cli command "no telemetry ietf subscription 1004"
 action 0224 cli command "no telemetry ietf subscription 1007"
 action 0225 cli command "no telemetry ietf subscription 1011"
 action 0226 cli command "no telemetry ietf subscription 1012"
 action 0227 cli command "no telemetry ietf subscription 1013"
 action 0228 cli command "no telemetry ietf subscription 1014"
 action 0229 cli command "no telemetry ietf subscription 1015"
 action 022A cli command "no telemetry ietf subscription 1016"
 action 022B cli command "no telemetry ietf subscription 1017"
 action 022C cli command "no telemetry ietf subscription 1018"
 action 022D cli command "no telemetry ietf subscription 1020"
 action 022E cli command "no telemetry ietf subscription 1021"
 action 022F cli command "no telemetry ietf subscription 1024"
 action 0230 cli command "no telemetry ietf subscription 1030"
 action 0231 cli command "no telemetry ietf subscription 1031"
 action 0232 cli command "no telemetry ietf subscription 2002"
 action 0240 cli command "no telemetry transform MERAKI_INTF_STATS_DELTA"
 action 0241 cli command "no telemetry transform MERAKI_PORTCHANNEL_STATS_DELTA"
 action 0250 cli command "no device-tracking policy MERAKI_POLICY"
 action 0260 cli command "no flow monitor MERAKI_AVC_IPV4"
 action 0261 cli command "no flow monitor MERAKI_AVC_IPV6"
 action 0270 cli command "no flow record MERAKI_AVC_HTTP_SSL_IPV4"
 action 0271 cli command "no flow record MERAKI_AVC_HTTP_SSL_IPV6"
 action 0280 cli command "no flow exporter MERAKI_AVC"
 action 0281 cli command "no flow file-export default"
 action 02A0 cli command "no crypto tls-tunnel MERAKI-PRIMARY"
 action 02B0 cli command "no crypto pki trustpoint MERAKI_TLSGW_CA" pattern "yes/no|#"
 action 02B1 regexp "yes" "$_cli_result"
 action 02B2 if $_regexp_result eq "1"
 action 02B3  cli command "yes" pattern "#"
 action 02B4 end
 action 02C0 if $_meraki_lb ne ""
 action 02C1  syslog msg "MERAKI-CLEANUP-PHASE1: Removing loopback: $_meraki_lb"
 action 02C2  cli command "no $_meraki_lb"
 action 02C3 end
 action 0300 syslog msg "MERAKI-CLEANUP-PHASE1: VTY cleanup"
 action 0301 set _meraki_vty ""
 action 0302 set _vty_start ""
 action 0303 set _vty_end ""
 action 0304 set _candidate ""
 action 0305 set _cand_start ""
 action 0306 set _cand_end ""
 action 0307 foreach _line "$_vty_data" "\n"
 action 0308  regexp "^(line vty ([0-9]+) *([0-9]*))" "$_line" _match _hdr _s _e
 action 0309  if $_regexp_result eq "1"
 action 030A   set _candidate "$_hdr"
 action 030B   set _cand_start "$_s"
 action 030C   set _cand_end "$_e"
 action 030D  end
 action 030E  regexp "login authentication MERAKI" "$_line"
 action 030F  if $_regexp_result eq "1"
 action 0310   regexp "action [0-9]" "$_line"
 action 0311   if $_regexp_result ne "1"
 action 0312    set _meraki_vty "$_candidate"
 action 0313    set _vty_start "$_cand_start"
 action 0314    set _vty_end "$_cand_end"
 action 0315   end
 action 0316  end
 action 0317 end
 action 0320 if $_meraki_vty ne ""
 action 0321  syslog msg "MERAKI-CLEANUP-PHASE1: Found VTY: $_meraki_vty"
 action 0322  if $_vty_end ne ""
 action 0323   set _vty_stop "$_vty_end"
 action 0324  else
 action 0325   set _vty_stop "$_vty_start"
 action 0326  end
 action 0327  set _vty_cur "$_vty_start"
 action 0328  while $_vty_cur le $_vty_stop
 action 0329   cli command "do-exec clear line vty $_vty_cur" pattern "confirm|#"
 action 032A   regexp "confirm" "$_cli_result"
 action 032B   if $_regexp_result eq "1"
 action 032C    cli command "y" pattern "#"
 action 032D   end
 action 032E   increment _vty_cur
 action 032F  end
 action 0330  cli command "$_meraki_vty"
 action 0331  cli command "no rotary 50"
 action 0332  cli command "no access-class MERAKI_VTY_IN in"
 action 0333  cli command "no access-class MERAKI_VTY_OUT out"
 action 0334  cli command "no authorization exec MERAKI"
 action 0335  cli command "no authorization exec MERAKI_VTY_AUTH_Z"
 action 0336  cli command "no login authentication MERAKI"
 action 0337  cli command "no login authentication MERAKI_VTY_AUTH_N"
 action 0338  cli command "no transport input ssh"
 action 0340  cli command "no authorization commands 0 MERAKI"
 action 0341  cli command "no authorization commands 1 MERAKI"
 action 0342  cli command "no authorization commands 2 MERAKI"
 action 0343  cli command "no authorization commands 3 MERAKI"
 action 0344  cli command "no authorization commands 4 MERAKI"
 action 0345  cli command "no authorization commands 5 MERAKI"
 action 0346  cli command "no authorization commands 6 MERAKI"
 action 0347  cli command "no authorization commands 7 MERAKI"
 action 0348  cli command "no authorization commands 8 MERAKI"
 action 0349  cli command "no authorization commands 9 MERAKI"
 action 034A  cli command "no authorization commands 10 MERAKI"
 action 034B  cli command "no authorization commands 11 MERAKI"
 action 034C  cli command "no authorization commands 12 MERAKI"
 action 034D  cli command "no authorization commands 13 MERAKI"
 action 034E  cli command "no authorization commands 14 MERAKI"
 action 034F  cli command "no authorization commands 15 MERAKI"
 action 0350  cli command "exit"
 action 0351 end
 action 0400 syslog msg "MERAKI-CLEANUP-PHASE1: ACLs, SSH, users"
 action 0410 cli command "ip ssh pubkey-chain"
 action 0411 cli command "no username meraki-user"
 action 0412 cli command "exit"
 action 0420 cli command "no ip access-list extended MERAKI_VTY_IN"
 action 0421 cli command "no ip access-list extended MERAKI_VTY_OUT"
 action 0430 cli command "no ip ssh port 2222 rotary 50"
 action 0440 cli command "no username meraki-user" pattern "confirm|#"
 action 0441 regexp "confirm" "$_cli_result"
 action 0442 if $_regexp_result eq "1"
 action 0443  cli command "y" pattern "#"
 action 0444 end
 action 04F0 cli command "archive"
 action 04F1 cli command "log config"
 action 04F2 cli command "no logging enable"
 action 04F3 cli command "exit"
 action 04F4 cli command "exit"
 action 0500 cli command "no event manager applet MERAKI-CLEANUP-PHASE1"
 action 0501 cli command "end"
 action 0502 cli command "write memory"
 action 0503 syslog msg "MERAKI-CLEANUP-PHASE1: Completed. Run MERAKI-CLEANUP-PHASE2 to remove AAA and cloud configs."

Script 2: MERAKI-CLEANUP-PHASE2

event manager applet MERAKI-CLEANUP-PHASE2 authorization bypass
 event none sync no maxrun 180
 action 0001 syslog msg "MERAKI-CLEANUP-PHASE2: Starting - Cloud IP discovery"
 action 0002 cli command "enable"
 action 0003 set _cloud_ip ""
 action 0004 set _route_ip ""
 action 0010 cli command "show run | include ^snmp-server host"
 action 0011 set _snmp_data "$_cli_result"
 action 0012 cli command "show run | include ^logging host"
 action 0013 set _log_data "$_cli_result"
 action 0014 cli command "show run | include ^ip route.*Null0"
 action 0015 set _route_data "$_cli_result"
 action 0016 regexp "ip route ([0-9]+[.][0-9]+[.][0-9]+[.][0-9]+) 255.255.255.255 Null0" "$_route_data" _match _route_ip
 action 0017 if $_route_ip ne ""
 action 0018  string match "*$_route_ip*" "$_snmp_data"
 action 0019  if $_string_result eq "1"
 action 001A   string match "*$_route_ip*" "$_log_data"
 action 001B   if $_string_result eq "1"
 action 001C    set _cloud_ip "$_route_ip"
 action 001D    syslog msg "MERAKI-CLEANUP-PHASE2: Cloud IP confirmed: $_cloud_ip"
 action 001E   end
 action 001F  end
 action 0020 end
 action 0030 cli command "config terminal"
 action 0031 cli command "archive"
 action 0032 cli command "log config"
 action 0033 cli command "logging enable"
 action 0034 cli command "notify syslog contenttype plaintext"
 action 0035 cli command "exit"
 action 0036 cli command "exit"
 action 0037 if $_cloud_ip ne ""
 action 0038  syslog msg "MERAKI-CLEANUP-PHASE2: Removing cloud IP configs: $_cloud_ip"
 action 0039  cli command "no snmp-server host $_cloud_ip version 2c public"
 action 003A  cli command "no logging host $_cloud_ip"
 action 003B  cli command "no ip route $_cloud_ip 255.255.255.255 Null0"
 action 003C end
 action 0040 syslog msg "MERAKI-CLEANUP-PHASE2: AAA cleanup"
 action 0041 cli command "no aaa authentication login MERAKI local"
 action 0042 cli command "no aaa authentication login MERAKI_VTY_AUTH_N local"
 action 0043 cli command "no aaa authorization exec MERAKI local"
 action 0044 cli command "no aaa authorization exec MERAKI_VTY_AUTH_Z local"
 action 0050 cli command "no aaa authorization commands 0 MERAKI local"
 action 0051 cli command "no aaa authorization commands 1 MERAKI local"
 action 0052 cli command "no aaa authorization commands 2 MERAKI local"
 action 0053 cli command "no aaa authorization commands 3 MERAKI local"
 action 0054 cli command "no aaa authorization commands 4 MERAKI local"
 action 0055 cli command "no aaa authorization commands 5 MERAKI local"
 action 0056 cli command "no aaa authorization commands 6 MERAKI local"
 action 0057 cli command "no aaa authorization commands 7 MERAKI local"
 action 0058 cli command "no aaa authorization commands 8 MERAKI local"
 action 0059 cli command "no aaa authorization commands 9 MERAKI local"
 action 005A cli command "no aaa authorization commands 10 MERAKI local"
 action 005B cli command "no aaa authorization commands 11 MERAKI local"
 action 005C cli command "no aaa authorization commands 12 MERAKI local"
 action 005D cli command "no aaa authorization commands 13 MERAKI local"
 action 005E cli command "no aaa authorization commands 14 MERAKI local"
 action 005F cli command "no aaa authorization commands 15 MERAKI local"
 action 0060 syslog msg "MERAKI-CLEANUP-PHASE2: MGMT ACLs"
 action 0061 cli command "no ip access-list extended MERAKI_MGMT_IP_IN"
 action 0062 cli command "no ip access-list extended MERAKI_MGMT_IP_OUT"
 action 0063 cli command "no ipv6 access-list MERAKI_MGMT_IPV6_IN"
 action 0064 cli command "no ipv6 access-list MERAKI_MGMT_IPV6_OUT"
 action 0070 cli command "archive"
 action 0071 cli command "log config"
 action 0072 cli command "no logging enable"
 action 0073 cli command "exit"
 action 0074 cli command "exit"
 action 0080 cli command "no event manager applet MERAKI-CLEANUP-PHASE2"
 action 0081 cli command "end"
 action 0082 cli command "write memory"
 action 0083 syslog msg "MERAKI-CLEANUP-PHASE2: Completed. Meraki cleanup finished." 

 

Important Notes

  • Pasting large scripts: If the terminal stalls during paste, split the script into smaller chunks and wait for the prompt between chunks. 
  • Self-cleanup: Each script removes its own applet and the log config section after execution. 