Cisco Meraki Documentation

Dashboard Provisioned Configurations

When the C9800 wireless controller is added to a dashboard network, the dashboard provisions the following configurations, which are required for the dashboard to monitor the wireless controller.

AAA

aaa authentication login MERAKI local

aaa authorization exec MERAKI local

username meraki-user privilege 15 secret 9 <unique random password>

username meraki-tdluser privilege 1 secret 9 <unique random password>

yang-interfaces aaa authorization method-list MERAKI

The yang-interfaces aaa authorization method-list is only applied if netconf-yang is enabled by the dashboard and the wireless controller's default exec authorization list does not include 'local'.

Access Control Lists

ip access-list standard MERAKI_MGMT_IP_IN

    20 deny any

ip access-list extended MERAKI_MGMT_IP_OUT

    20 deny tcp any any

ipv6 access-list MERAKI_MGMT_IPV6_IN

    sequence 10 permit tcp FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64 eq 2222

    sequence 30 deny tcp any any

ipv6 access-list MERAKI_MGMT_IPV6_OUT

    sequence 20 deny tcp any any

HTTP Secure Server

ip http secure-server

ip http authentication local

There needs to be at least one ip http authentication <> configuration present on the controller for cloud monitoring to function. The command ip http authentication local will only be pushed to the controller if no ip http authentication <> configuration is present when a controller is onboarded. 

Once the cloud has pushed ip http authentication local to a controller, it will overwrite any changes a user attempts to make to ip http authentication <> while the controller is onboarded.

If a user wishes to make changes (such as enabling AAA) after the cloud has previously pushed ip http authentication local, the controller needs to be offboarded first. After the intended changes are applied, the controller can be onboarded once again. Since the controller now has ip http authentication <> defined when onboarding, the cloud will not overwrite it with ip http authentication local.

VTY

login authentication MERAKI

authorization exec MERAKI

rotary 55

transport input ssh

access-class MERAKI_MGMT_IP_IN in

access-class MERAKI_MGMT_IP_OUT out

ipv6 access-class MERAKI_MGMT_IPV6_IN in

ipv6 access-class MERAKI_MGMT_IPV6_OUT out

Netconf

netconf-yang

SSH

ip ssh version 2

ip ssh server algorithm authentication publickey password keyboard

ip ssh port 2222 rotary 55

ip ssh pubkey-chain

    username meraki-user

        key-hash {KEY_HASH}

LLDP

lldp run

Telemetry Subscriptions

telemetry ietf subscription 10000

 encoding encode-tdl

 filter tdl-uri /services;serviceName=stkm_oper/stack_info

 receiver-type pullmode

 source-vrf Mgmt-vrf

 stream native

 update-policy periodic 6000

 receiver name meraki_stack_info

 

telemetry ietf subscription 10001

 encoding encode-tdl

 filter tdl-uri /services;serviceName=ewlcevent/wsaclientevent

 receiver-type pullmode

 source-vrf Mgmt-vrf

 stream native

 update-policy periodic 4500

 receiver name meraki_wsa_client_event

 

telemetry receiver pullmode meraki_stack_info

 size 1000000

 

telemetry receiver pullmode meraki_wsa_client_event

 size 196650000

Maintaining Cloud Monitoring Services

During normal operations, the dashboard will monitor devices at regular intervals for any changes to the required configurations for Cloud Monitoring operations. If required configurations are missing, or if the device configuration was changed, the Cloud Monitoring service will apply the appropriate configurations to ensure the device can be monitored properly within the dashboard.
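The following is an added example, not Cisco or Meraki code: a local check that a saved running-config still contains a subset of the lines listed on this page, and that any VTY block bound to rotary 55 (the SSH listener on port 2222) also carries the MERAKI login, transport and access-class lines. It assumes the device renders these lines exactly as shown above; the `line vty 16 31` range in the sample is constructed.

```python
# Added example: checks a saved running-config for lines this page lists.
GLOBAL_REQUIRED = [
    "aaa authentication login MERAKI local",
    "aaa authorization exec MERAKI local",
    "ip http secure-server",
    "netconf-yang",
    "ip ssh version 2",
    "ip ssh port 2222 rotary 55",
    "lldp run",
]
VTY_REQUIRED = [
    "login authentication MERAKI", "authorization exec MERAKI",
    "transport input ssh",
    "access-class MERAKI_MGMT_IP_IN in", "access-class MERAKI_MGMT_IP_OUT out",
    "ipv6 access-class MERAKI_MGMT_IPV6_IN in",
    "ipv6 access-class MERAKI_MGMT_IPV6_OUT out",
]

def parse_blocks(config):
    """Map each top-level line to the indented child lines beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(line)
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return findings; an empty list means every checked line is present."""
    blocks = parse_blocks(config)
    findings = [f"missing: {l}" for l in GLOBAL_REQUIRED if l not in blocks]
    if not any(h.startswith("ip http authentication ") for h in blocks):
        findings.append("missing: ip http authentication <>")
    vtys = {h: c for h, c in blocks.items()
            if h.startswith("line vty") and "rotary 55" in c}
    if not vtys:
        findings.append("missing: VTY line with rotary 55")
    for head, children in vtys.items():
        findings += [f"{head}: missing {l}" for l in VTY_REQUIRED if l not in children]
    return findings

# Constructed sample (not device output); the VTY range 16 31 is an assumption.
SAMPLE = "\n".join(GLOBAL_REQUIRED + ["ip http authentication local",
    "line vty 16 31"] + [" " + l for l in VTY_REQUIRED + ["rotary 55"]])
```

Calling `audit()` on the text of a saved configuration returns one finding per missing line; a finding on a rotary 55 VTY block means the port 2222 listener is not fully covered by the lines this page lists.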
