Cisco Meraki Documentation

Cloud Monitoring for Catalyst Eligibility and Requirements for Onboarding

This guide is for Cloud Monitoring for Catalyst Switches. See Cloud Monitoring for Catalyst Wireless Requirements for detailed information on Catalyst 9800 wireless controller requirements.


Onboarding is the process of enabling cloud-monitoring functionality for an existing Catalyst switch. For background information regarding cloud monitoring for Catalyst, please refer to Cloud Monitoring Overview and FAQ.


Eligible Catalyst Devices

Cloud monitoring for Catalyst currently supports the following hardware and software:

To enable cloud monitoring for Catalyst, the Catalyst device must be connected to, registered with, and provisioned by Meraki Dashboard. The Cloud Monitoring Onboarding application was created to facilitate this process. This application helps configure your Catalyst device to establish a TLS connection to the Cisco cloud infrastructure and register it to your dashboard organization. From there, dashboard configures the necessary services on your Catalyst device to enable cloud monitoring. To use Cloud Monitoring, all Catalyst switches that will be added to the Meraki Dashboard must have an active DNA Essentials or DNA Advantage license. See Cloud Monitoring for Catalyst Onboarding for additional details.


  1. Meraki Dashboard Account

The Dashboard Account used to onboard Catalyst devices must have full read/write access for the organization to which switches will be onboarded.

  1. Get your organization's dashboard API key. To find or generate an API key:
  • In Organization -> Settings verify that the checkbox for “Dashboard API Access” is selected and saved in the “Dashboard API access” section

  • From My Profile, choose "Generate new API key" or use an existing key. Note that a full admin account must be used. SAML log-in is not supported for API key creation

If an "invalid API key" error message appears, confirm the key and try again. API keys may take up to 15 minutes to become active in the onboarding application after creation.

  1. Ensure Dashboard Reachability
  • The computer from which the onboarding application is run must be able to reach and on TCP port 443

    • The onboarding application is a stand-alone executable file; security settings on your local device must permit running this application and accessing the host names listed above

    • Onboarding Application software updates are automatically checked at

  • The Catalyst devices to onboard need access to the Cisco cloud

    • Ensure any firewall rules in place allow communication with the gateway corresponding with the dashboard region on TCP port 443:

      • Americas:

      • EMEA: 

      • Asia Pacific and Japan:

HTTPS proxies to access the API endpoint and the TLS gateway are not currently supported. If necessary, ensure rules are in place to allow direct HTTPS connections to each.

  1. Determine which dashboard networks to assign switches to
  1. Back up the current running configuration on the switch prior to beginning onboarding (e.g., copy run flash:config-backup.txt)

Device Configuration Requirements


Connectivity to Meraki dashboard must be accessible via a front-panel switch port (not the management port).

SSH Connection

To perform these actions, the onboarding application must connect to the device(s) over SSH. This connection must succeed in order to proceed any further: a failure to establish an SSH connection stops the device eligibility check process entirely.

Onboarding does not support Telnet

  1. The onboarding application SSH client initiates the connection with the device and negotiates the secure tunnel setup.

  2. Authenticate to the device using the user-provided device credentials.

  3. Verify device user privilege level. The device user credentials provided must have IOS-XE privilege-15 access.

Device Pre-checks

Once the SSH session is open, the rest of the pre-checks can be performed. The onboarding application performs all checks regardless of whether any individual check fails.

The following items are not directly configured by the Onboarding application since they can be specific to your network environment. Please consider these requirements carefully.

IOS-XE Versions
  • Devices must be running IOS-XE 17.3.1 - 17.9.4

Network Payload Encryption (NPE) Required
  • Devices must be running IOS-XE image WITH payload encryption

Device Clock
  • An NTP server is configured on the device - ntp server {address}

  • The device clock must reflect the correct current time in order to establish the TLS tunnel to Dashboard

IP routing Enabled
  • IP routing must be enabled on the device - ip routing 

  • IP routing is required for NETCONF and Telemetry streaming to function on Catalyst devices.

Default IP route
  • Only the default VRF is supported

  • Along with IP routing enabled, the device also must have a default route. Use of ip default-gateway is not supported

IP domain name-server
  • The device must have a DNS server configured - ip name-server {Domain server IP address}

  • DNS is required for hostname resolution of the Dashboard TLS tunnel IP address.

IP domain lookup Enabled
  • The device must allow domain lookup to connect to the dashboard via the DNS host name - ip domain lookup 

AAA new-model and authorization
  • The device must have AAA enabled with aaa new-model 

  • AAA authorization must be set to start an exec shell with aaa authorization exec default local or aaa group name

  • If aaa authorization exec default specifies an AAA server-group name first in the list, a matching aaa group server tacacs+ {server-group name} server group with that group name must be configured

Loopback Interface Available
  • A dedicated loopback interface will be configured on the device used to communicate with the dashboard. The device must have loopback interface numbers 1000 or 2000 available

VTY Slots Available
  • For dashboard to communicate with the device, two VTY lines will be configured. The device must have at least two unused consecutive VTY slot numbers between 16 and 98

Access Control Lists
  • Two IP access-lists will be configured on the device and applied to the VTY lines to permit only the dashboard IP address on port 2222 inbound and outbound

  • There can be no existing ACL names that include the text : "MERAKI_BLOCK", "MERAKI_VTY_IN", or "MERAKI_VTY_OUT"

TLS Gateway Connectivity check
  • To confirm the dashboard TLS Gateway is reachable, the device must be able to open a telnet session on port 443 to the TLS Gateway

  • Ensure that outbound telnet connections are allowed on the line VTY - transport output all or transport output telnet

  • The outbound telnet connection is only established to verify that port 443 is accessible. No data is sent from the device to the TLS gateway over this telnet session.
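
The configuration-visible items in the pre-check list above can be audited offline from a saved running-config before the onboarding application is run. The following is an added example, not Cisco's onboarding application or its code; the function names, the constructed sample config, and the rule that a VTY slot covered by a line vty statement counts as "used" are assumptions, and the IOS-XE version, NPE image and TLS gateway reachability checks are not covered.

```python
import re

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default local
ip routing
no ip domain lookup
ip name-server 192.0.2.53
ip default-gateway 192.0.2.1
ntp server 192.0.2.123
interface Loopback1000
ip access-list extended MERAKI_VTY_IN
line vty 0 4
line vty 5 15
line vty 16 97
"""
RESERVED_ACL_TEXT = ("MERAKI_BLOCK", "MERAKI_VTY_IN", "MERAKI_VTY_OUT")

def precheck(config):
    """Return {check name: passed} for the config-visible pre-checks."""
    # re.match anchors at column 0, so only global (unindented) commands match.
    lines = [line.rstrip() for line in config.splitlines()]
    def has(pattern):
        return any(re.match(pattern, line) for line in lines)
    def captures(pattern):
        return [m.groups() for m in (re.match(pattern, l) for l in lines) if m]
    # Assumption: a VTY slot is "used" if a "line vty" statement covers it.
    used = set()
    for first, last in captures(r"line vty (\d+)(?: (\d+))?$"):
        used.update(range(int(first), int(last or first) + 1))
    loopbacks = {int(n) for (n,) in captures(r"interface Loopback(\d+)$")}
    acl_names = [name for (name,) in captures(r"ip access-list \S+ (\S+)")]
    return {
        "ntp_server": has(r"ntp server \S+"),
        "ip_routing": has(r"ip routing$"),
        # Default VRF only: "ip route vrf ..." and "ip default-gateway" do not count.
        "default_route": has(r"ip route 0\.0\.0\.0 0\.0\.0\.0 \S+"),
        "name_server": has(r"ip name-server \S+"),
        # Assumption: lookup is on by default, so only the "no" form disables it.
        "domain_lookup": not has(r"no ip domain[ -]lookup$"),
        "aaa": has(r"aaa new-model$") and has(r"aaa authorization exec default \S+"),
        "loopback_free": not {1000, 2000} <= loopbacks,  # 1000 or 2000 still unused
        "vty_pair_free": any(n not in used and n + 1 not in used for n in range(16, 98)),
        "acl_names_free": not any(t in name for name in acl_names for t in RESERVED_ACL_TEXT),
    }

def failed(config):
    """Names of the pre-checks that did not pass, sorted."""
    return sorted(name for name, ok in precheck(config).items() if not ok)
```

On the constructed sample, four checks fail: the device relies on ip default-gateway instead of a default route, domain lookup is disabled, an ACL name collides with the reserved MERAKI_VTY_IN text, and only VTY slot 98 is free, which is not a consecutive pair.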

Downloading the Onboarding Application

The onboarding application can be downloaded from the following links:

Alternatively, the onboarding application is also available for download through the Meraki dashboard. To access it, go to Network-wide > Add Devices from the navigation on the left side. In this section, click on the link to add Catalyst switches to the dashboard.


From the pop-up select your operating system to download the version for your computer.



Once you have completed the prerequisites, confirmed your devices' eligibility and configuration, and installed the Onboarding Application, you are ready to proceed to Cloud Monitoring for Catalyst Switch Onboarding.
