Cloud Monitoring Catalyst 9800 Dashboard Provisioned Configurations
Dashboard Provisioned Configurations
When the C9800 wireless controller is added to a dashboard network, the dashboard provisions the following configurations, which are required for it to monitor the wireless controller.
AAA
aaa authentication login MERAKI local
aaa authorization exec MERAKI local
username meraki-user privilege 15 secret 9 <unique random password>
username meraki-tdluser privilege 1 secret 9 <unique random password>
yang-interfaces aaa authorization method-list MERAKI
The yang-interfaces aaa authorization method list is only applied if netconf-yang is enabled by the dashboard and the wireless controller's default exec authorization list does not include 'local'.
Access Control Lists
ip access-list standard MERAKI_MGMT_IP_IN
 20 deny any
ip access-list extended MERAKI_MGMT_IP_OUT
 20 deny tcp any any
ipv6 access-list MERAKI_MGMT_IPV6_IN
 sequence 10 permit tcp FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64 eq 2222
 sequence 30 deny tcp any any
ipv6 access-list MERAKI_MGMT_IPV6_OUT
 sequence 20 deny tcp any any
HTTP Secure Server
ip http secure-server
ip http authentication local
There needs to be at least one ip http authentication <> configuration present on the controller for cloud monitoring to function. The command ip http authentication local will only be pushed to the controller if no ip http authentication <> configuration is present when a controller is onboarded.
Once the cloud has pushed ip http authentication local to a controller, it will overwrite any changes a user attempts to make to ip http authentication <> while the controller is onboarded.
If a user wishes to make changes (such as enabling AAA) after the cloud has previously pushed ip http authentication local, the controller needs to be offboarded first. After the intended changes are applied, the controller can be onboarded once again. Since the controller now has ip http authentication <> defined when onboarding, the cloud will not overwrite it with ip http authentication local.
VTY
login authentication MERAKI
authorization exec MERAKI
rotary 55
transport input ssh
access-class MERAKI_MGMT_IP_IN in
access-class MERAKI_MGMT_IP_OUT out
ipv6 access-class MERAKI_MGMT_IPV6_IN in
ipv6 access-class MERAKI_MGMT_IPV6_OUT out
Netconf
netconf-yang
SSH
ip ssh version 2
ip ssh server algorithm authentication publickey password keyboard
ip ssh port 2222 rotary 55
ip ssh pubkey-chain
 username meraki-user
  key-hash {KEY_HASH}
LLDP
lldp run
Telemetry Subscriptions
telemetry ietf subscription 10000
 encoding encode-tdl
 filter tdl-uri /services;serviceName=stkm_oper/stack_info
 receiver-type pullmode
 source-vrf Mgmt-vrf
 stream native
 update-policy periodic 6000
 receiver name meraki_stack_info
telemetry ietf subscription 10001
 encoding encode-tdl
 filter tdl-uri /services;serviceName=ewlcevent/wsaclientevent
 receiver-type pullmode
 source-vrf Mgmt-vrf
 stream native
 update-policy periodic 4500
 receiver name meraki_wsa_client_event
telemetry receiver pullmode meraki_stack_info
 size 1000000
telemetry receiver pullmode meraki_wsa_client_event
 size 196650000
Maintaining Cloud Monitoring Services
During normal operations, the dashboard will monitor devices at regular intervals for any changes to the required configurations for Cloud Monitoring operations. If required configurations are missing, or if the device configuration was changed, the Cloud Monitoring service will apply the appropriate configurations to ensure the device can be monitored properly within the dashboard.
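A similar drift check can be run locally against a saved running-config. The Python below is an added example, not dashboard or Cisco code: it checks only the SSH management path listed above (the port 2222 / rotary 55 listener, the MERAKI_MGMT ACL entries and the VTY bindings). The "line vty" parent line, its range and the sample config are assumptions constructed for illustration.

```python
# Expected lines are copied from this page; "" holds global commands, other keys are parent blocks.
EXPECTED = {
    "": ["ip ssh version 2", "ip ssh port 2222 rotary 55"],
    "ip access-list standard MERAKI_MGMT_IP_IN": ["20 deny any"],
    "ip access-list extended MERAKI_MGMT_IP_OUT": ["20 deny tcp any any"],
    "ipv6 access-list MERAKI_MGMT_IPV6_IN": [
        "sequence 10 permit tcp FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64 eq 2222",
        "sequence 30 deny tcp any any"],
    "ipv6 access-list MERAKI_MGMT_IPV6_OUT": ["sequence 20 deny tcp any any"],
}
VTY_EXPECTED = ["login authentication MERAKI", "authorization exec MERAKI", "transport input ssh",
                "access-class MERAKI_MGMT_IP_IN in", "access-class MERAKI_MGMT_IP_OUT out",
                "ipv6 access-class MERAKI_MGMT_IPV6_IN in", "ipv6 access-class MERAKI_MGMT_IPV6_OUT out"]
# Constructed sample, not from a real device; the "line vty 16 31" range is an assumption.
SAMPLE = ("ip ssh version 2\nip ssh port 2222 rotary 55\n"
    "ip access-list standard MERAKI_MGMT_IP_IN\n 20 deny   any\n"
    "ip access-list extended MERAKI_MGMT_IP_OUT\n 20 deny tcp any any\n"
    "ipv6 access-list MERAKI_MGMT_IPV6_IN\n"
    " sequence 10 permit tcp FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64 eq 2222\n"
    " sequence 30 deny tcp any any\nipv6 access-list MERAKI_MGMT_IPV6_OUT\n sequence 20 deny tcp any any\n"
    "line vty 16 31\n rotary 55\n login authentication MERAKI\n authorization exec MERAKI\n"
    " transport input ssh\n access-class MERAKI_MGMT_IP_IN in\n access-class MERAKI_MGMT_IP_OUT out\n"
    " ipv6 access-class MERAKI_MGMT_IPV6_IN in\n ipv6 access-class MERAKI_MGMT_IPV6_OUT out\n")

def parse_blocks(config_text):
    blocks, parent = {"": set()}, ""          # parent line -> set of its indented sub-commands
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # collapse IOS column padding
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():
            blocks[parent].add(line)
        else:
            parent = line
            blocks[""].add(line)
            blocks.setdefault(parent, set())
    return blocks

def audit(config_text):                       # returns findings; [] means no drift detected
    blocks, findings = parse_blocks(config_text), []
    for parent, lines in EXPECTED.items():
        have, where = blocks.get(parent, set()), f"{parent} / " if parent else ""
        findings += [f"missing: {where}{l}" for l in lines if l not in have]
    # Assumption: the page's VTY lines sit under a "line vty ..." parent (the range is not shown).
    vtys = [kids for p, kids in blocks.items() if p.startswith("line vty ") and "rotary 55" in kids]
    if not vtys:
        findings.append("missing: line vty block with rotary 55")
    for kids in vtys:
        findings += [f"missing: line vty / {l}" for l in VTY_EXPECTED if l not in kids]
    return findings
```

An empty list from audit() means every listed line is present; a rotary 55 VTY reported without its access-class lines is the finding to act on first, since those ACLs are what restrict the port 2222 listener.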