Cloud Monitoring for Catalyst Onboarding
Onboarding is the process of enabling cloud-monitoring functionality for an existing Catalyst switch. For background information regarding cloud monitoring for Catalyst, please refer to Cloud Monitoring Overview and FAQ.
Learn more with these free online training courses on the Meraki Learning Hub:
Eligible Catalyst Devices
Cloud monitoring for Catalyst currently supports the following hardware and software:
-
Catalyst 9200 series switches (including 9200L and 9200CX models).
-
Catalyst 9300 series switches (including 9300L and 9300X models).
-
Catalyst 9500 series switches.
-
The full list of supported Catalyst switches is available at Supported Catalyst 9000 Series Switches (Cloud Monitoring).
-
IOS-XE 17.3.1 - 17.9.4 (if an upgrade is needed, download is available at Cisco Software Downloads page).
To enable cloud monitoring for Catalyst, the Catalyst device must be connected to, registered and provisioned by the Meraki dashboard. The Cloud Monitoring Onboarding application was created to facilitate this process. This application will help configure your Catalyst device to establish a TLS connection to the Cisco cloud infrastructure and register it to your dashboard organization. To utilize Cloud Monitoring, all Catalyst switches that will be added to the dashboard must have an active DNA Essentials or DNA Advantage license. From there, dashboard will configure the necessary services on your Catalyst device to enable cloud monitoring. See Cloud Monitoring Detailed Device Configurations for additional details.
Pre-Onboarding
-
Confirm that the switch(es) designated for onboarding are one of the following:
-
Catalyst 9200, 9300, or 9500 series hardware.
-
Running IOS-XE 17.3.1 - 17.9.4.
IOS-XE upgrade instructions and release notes: Release Notes for Cisco Catalyst 9300 Series Switches
Current recommended IOS-XE release information can be found at: Recommended Releases for Catalyst 9200/9300/9400/9500/9600 and Catalyst 3650/3850 Platforms
A full list of supported hardware can be found at: Supported Catalyst 9000 Series Switches (Cloud Monitoring)
- Have access to the Meraki dashboard:
-
Verify the ability to log in to the dashboard.
-
Or create a free account. Instructions are available at: Creating a dashboard Account and Organization.
-
In Organization > Configure > Settings verify that the checkbox for Dashboard API Access is selected and saved in the Dashboard API access section.
-
From My Profile, choose Generate new API key or use an existing key. Note that a full admin account must be used. SAML log-in is not supported for API key creation.
- The API key must have full read/write access for the organization to which switches will be onboarded.
- Additional documentation regarding enabling API access is available at Cisco Meraki Dashboard API: Enable API Access.
If an "invalid API key" error message appears, confirm the key and try again. API keys may take up to 15 minutes to become active in the onboarding application after creation.
-
The computer from which the onboarding application is run must be able to reach api.meraki.com and meraki-cloud-monitoring-onboarding-app.s3.amazonaws.com on TCP port 443.
-
Version updates for the application are automatically checked at meraki-cloud-monitoring-onboarding-app.s3.amazonaws.com.
-
The onboarding application is a stand-alone executable file; security settings on your local device must permit running this application and accessing the indicated hostnames above.
-
HTTPS proxy servers that modify the certificate in transit are not currently supported.
-
-
The Catalyst devices to onboard need access to the Cisco cloud:
-
Ensure any firewall rules in place allow communication with the gateway corresponding with the dashboard region on TCP port 443:
-
Americas: us.tlsgw.meraki.com.
-
EMEA: eu.tlsgw.meraki.com.
-
Asia Pacific and Japan: ap.tlsgw.meraki.com.
-
When translating ports through a firewall, the connection to the TLS gateway must be sourced from ephemeral ports TCP 1024 and above.
-
-
-
Telnet required for connectivity pre-check:
-
The onboarding application will test connectivity to the regional gateway on TCP 443 using a Telnet connection from the switch CLI, for example telnet us.tlsgw.meraki.com 443.
-
This requires that the "line vty" section of the configuration allows outgoing Telnet connections from the switch. The "transport output" line must contain "telnet" or "all" to allow this check to succeed.
-
- HTTPS proxies to access the API endpoint and the TLS gateway are not currently supported. If necessary, ensure rules are in place to allow direct HTTPS connections to each.
- Connectivity must be via a front-panel port (not the management interface).
- Only the default VRF is supported.
- Ensure routes are in place to reach external addresses including a default route (use of ip default-gateway is not supported).
- IP routing (ip routing) must be enabled on the switch or will be enabled as part of onboarding.
- Ensure DNS is enabled on the switch (ip name-server {DNS server IP} configured).
- Ensure DNS lookup is enabled (ip domain lookup).
- NTP needs to be enabled on the switch (ntp server {address}), and the switch clock must reflect the correct time.
- AAA on the switch must be configured using aaa new-model.
- RADIUS authentication is not currently supported.
- SSH access to the switch CLI must be enabled and accessible via the computer used for onboarding.
- The user account for onboarding must have privilege-15 level access on the switch.
- Determine which dashboard networks to put onboarded switches into:
- The network must be "switch" or "combined" type (Note: if "combined" then it must already include a "switch" network).
- If not already configured as such, the onboarding process will automatically enable "Unique Client Identifier" tracking method for that network.
Information about creating a new network is available at: https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Creating_and_Deleting_Dashboard_Networks#Creating_a_Network
When the tracking method is changed, clients may appear to be duplicated until previously collected data ages out and is no longer valid. For more information, see: https://documentation.meraki.com/MX/Monitoring_and_Reporting/Client-Tracking_Options.
- Back up the current running configuration on the switch prior to beginning onboarding (i.e., copy run flash:config-backup.txt).
Downloading the Onboarding Application
The onboarding application can be downloaded from the following links:
Alternatively, the onboarding application is also available for download through the dashboard. To access it, go to Network-wide > Configure > Add Devices from the navigation on the left side. In this section, click on the link to add Catalyst switches to the dashboard.
From the pop-up select your operating system to download the version for your computer.
Onboarding
In order for a Catalyst device to be recognized and added to dashboard, that device must go through onboarding. The Onboarding application will assist in verifying device compatibility and connectivity, configure the device to build a secure TLS tunnel connection to the Cisco cloud infrastructure, and initiate registration to your dashboard organization. Once registered on dashboard all further configuration and updates to support cloud monitoring functions will be managed by dashboard and communicated to the device through the secure tunnel. See the section Onboarding Configuration Changes for additional details.
Note, once onboarded and as long as that device has an active TLS connection to the Cisco Meraki cloud infrastructure, it no longer needs the Onboarding application. Additional changes, features, or fixes will be managed by dashboard through the secure tunnel. Only if the TLS configuration were modified will you need to re-onboard that device.
Using the Onboarding Application
The onboarding tool is a stand-alone application that runs natively on Windows, MacOS, or Linux. If running on Linux, note that this is a GUI application, and a CLI version is not currently available.
We recommend making a backup of your existing running configuration on switches before making any changes.
Upon launching the onboarding application, it will automatically check and download the latest version. First-time users will also need to read and accept the terms and conditions for this cloud service.
On the main page, paste in the API key that you previously copied from the dashboard (refer to the checklist above if you do not have this saved).
To continue, a valid dashboard API key from an account with write access must be entered.
Step 1: Confirm the organization associated with the API key the switch(es) should be added to. The link can be used to access the dashboard for that organization. If you have multiple organizations you wish to onboard switches to, you will need to run the app separately for each organization.
Step 2: Enter the IPv4 address of the switch(es) to be onboarded. This should be the local address that is accessible from the computer on which the onboarding tool is run. A port number can be specified if other than the default (TCP 22). For example: 192.168.1.10:3421.
Note: As Cisco stacks share the same IP address across all members, the single IP should be entered which will onboard the entire stack.
Step 3: Enter the SSH credentials of the switch(es) to be onboarded. The credentials must be the same for all switches. If different credentials are required, the onboarding process must be restarted after completion.
Step 4: Pre-checks will be completed to verify that the hardware, software, and configuration is eligible for cloud monitoring.
Note that at this time, only "password" authentication is supported, to verify that connectivity is not using pubkey as the authentication type, verify you can SSH with ssh -o PubkeyAuthentication=no -p <port> <username>@<ip>
Step 5: The user is provided a list of networks in their organization and can select which one they would like to use for onboarding. Note that a switching network or combined network including switching must be used and a different network can be selected per switch being onboarded.
Step 6: The proposed configuration changes are presented to the user for review. The user must check the box next to each switch to confirm they would like to make the change.
Additional detail on the configurations that will be applied is available at: Cloud Monitoring Required Configuration.
Details of all changes can be seen using the “show details” link.
Step 7: The configuration is applied.
After completion, the switch may take a few minutes to appear in the dashboard. Additional data will take time to populate.
Dashboard page after onboarding:
Offboarding/Removing Switches from Cloud Monitoring
To remove a switch from the dashboard and cloud monitoring, follow the standard process for removing a device from a Meraki network seen in the article, Adding and Removing Devices from Dashboard Networks.
From the switches page, select the checkbox next to the desired switch(es) and then click Edit > Remove from network. You will be asked to confirm the removal of the selected switch(es). Once confirmed, this action will trigger an Embedded Event Manager (EEM) script on each affected switch. The script is designed to automatically clear all configurations previously applied for integration with the dashboard. This effectively severs any active tunnel connections to the cloud, ensuring that the switch(es) will no longer be managed by the Meraki Cloud.
For full details on the EEM script go to Dashboard Configuration Clean Up EEM Script
Cloud Monitoring Onboarding Error Messages
Invalid API key. A full (read/write) key is required. The API key is validated by the onboarding application by connecting to the API server at api.meraki.com.
This message indicates that the API key could not be validated with the server. Check that the key is entered correctly. If this still does not work, a new API key must be created following the instructions in our Dashboard API article.
Note that a full admin account is required and that the key must be read/write (not read-only). Accounts using SAML are unable to generate API keys, and a dashboard account with Meraki credentials should be used instead.
Unable to validate your API key. A full (read/write) key is required. Please try again.
Ensure connectivity from the local computer to api.meraki.com on TCP 443. HTTPS proxies in the path are not currently supported.
If connectivity has been validated and this error is still seen, a new key can be generated following the instructions above.
Error: Timed out while waiting for handshake. Confirm you can reach the switch via SSH from this computer.
The onboarding application will attempt to connect via SSH on the IP address and port provided. Confirm that the switch can be reached from the same computer using a terminal connection on the same IP address and port. Ensure there are no firewall rules in place preventing connections from the onboarding application.
Error: All configured authentication methods failed. Confirm your username and password are correct.
The credentials provided are returned as invalid from the switch. Ensure that the username and password are correct. If an enable password is required to have elevated rights (privilege level 15), this must be provided as well.
Device is not eligible for onboarding. Reason: [reason]
Review the reason shown. Confirm that the hardware, IOS-XE version, and DNA license are supported according to the onboarding documentation.
Error checking device [configuration]
Ensure the switch is reachable on the IP address and port provided. Confirm that the credentials provided have privilege level 15 to read all information from the switch.
The credentials you provided do not have permission to proceed with the onboarding process. Please provide an enable password.
An enable password must be provided if the username/password do not provide privilege level 15 rights.
A device with specified serial number and model already exists and is in use by different account.
Remove the switch from the existing dashboard network. Steps are available in the Offboarding/Removing Switches from Cloud Monitoring section of this article above.
It’s taking longer than usual to confirm your device is ready. Onboarding will continue in the cloud. Please check your dashboard later.
The onboarding process on the switch has been completed, but additional back-end processing in the cloud is required. The switch should be available in the dashboard after 15 minutes. If it does not appear after one hour, attempt onboarding again or contact support.
Device has not established a TLS connection to the cloud.
The TLS connection for the encrypted tunnel could not be established between the switch and the cloud. Review "Ensure reachability" in the pre-onboarding checklist.
Device tried to connect, but the tunnel did not stay up.
The tunnel was established successfully but disconnected before communication could be established. Review the switch log for additional information.
Cloud is not able to connect to the device through the tunnel.
The cloud has attempted to initiate a connection to the device over the tunnel but is unable to establish communication. Review the switch log (show log) on the switch for additional information.
Cloud is not able to login to device.
The cloud is not able to authenticate with the switch using the meraki-user account (MERAKI method list). AAA settings on the switch must permit the meraki-user account to authenticate. Additional information may be available in the switch log.
Cloud is not authorized to access the device.
The cloud has been able to authenticate with the switch using the meraki-user account (MERAKI method list) but is not authorized to access information needed for Cloud Monitoring. AAA authorization settings must allow the meraki-user account to run required commands. Review switch logs for additional information.
Device is connected, but remote access has not been verified.
Review the switch log for additional errors. Onboarding can be attempted again. Contact support if this error does not resolve.
Dashboard Error Messages
It’s taking longer than usual to confirm your device is ready. Onboarding will continue in the cloud. Please check your dashboard later.
The onboarding process on the switch has been completed, but additional back-end processing in the cloud is required. The switch should be available in the dashboard after 15 minutes. If it does not appear after one hour, attempt onboarding again or contact support.
Known Issues/Caveats for Onboarding
AAA/TACACS
-
Configuration of “aaa new-model” must be implemented in configuration prior to running onboarding. This will not be added automatically by the onboarding tool in order to prevent unexpected changes in the authentication process on the network.
-
RADIUS authentication is not currently supported (yields error 'Device auth mode is not supported')
-
For authorization only (not authentication), local must be first in the list to allow the local Meraki user to have sufficient permissions to establish the tunnel and connect.
-
This change will be presented for review prior to application in the onboarding tool
-
If command authorization is used (via "aaa authorization commands <level> ..."), authorization commands will be added to the cloud connection VTY line: authorization commands <level> MERAKI, where <level> is 0-15 inclusive.
-
HTTPS proxy
-
HTTPS proxies that perform TLS decryption are not currently supported. Both the onboarding tool and the switches enabled for cloud monitoring require direct access to the respective resources on TCP 443. For more detail, review the Cloud Monitoring Overview and FAQ.
Cisco DNA Center deployments
-
Cloud monitoring is not currently supported on switches attached to a Cisco DNA Center appliance. The additional telemetry feeds required for cloud monitoring may conflict with those needed for DNA Center. The onboarding tool will not prevent switches attached to DNA Center from being added for cloud monitoring. However, this configuration has not been fully tested and is not officially supported at this time.
Stealthwatch or other pre-existing NetFlow destination
-
To avoid conflicts or issues when onboarding a switch that has a pre-existing NetFlow configuration, the cloud monitoring NetFlow configuration will not be applied to the device. This means that traffic and application data will not be available in the dashboard.
Onboarding configuration changes
Once the tunnel is established, the cloud back end adds additional configuration to the switch to receive telemetry information. This process occurs automatically and does not require user intervention.
An example of the added IOS-XE configuration is:
! Clean up pre-existing configuration no crypto tls-tunnel MERAKI-PRIMARY no crypto pki trustpoint MERAKI_TLSGW_CA yes no interface Loopback55 yes ! Removing existing Line VTY Using Same Rotary no line vty 16 17 ! Certificates to trust for Cloud Connectivity crypto pki trustpoint MERAKI_TLSGW_CA enrollment terminal crypto pki authenticate MERAKI_TLSGW_CA -----BEGIN CERTIFICATE----- ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E A7sKPPcw7+uvTPyLNhBzPvOk… -----END CERTIFICATE----- quit yes ! Set trustpoint storage location and turn off certificate revocation check crypto pki trustpoint MERAKI_TLSGW_CA enrollment url flash://MERAKI_TLSGW_CA revocation-check none ! Create Loopback interface for TLS tunnel overlay interface Loopback55 description Meraki TLS Connection exit ! Enable routing (required for Netconf) ip routing ip route 18.232.x.x 255.255.255.255 Null 0 ! Create local auth group aaa authentication login MERAKI_VTY_AUTH_N local aaa authorization exec MERAKI_VTY_AUTH_Z local ! Create ACL for cloud SSH ingress ip access-list extended MERAKI_VTY_IN 10 permit tcp host 18.232.x.x any eq 2222 20 deny tcp any any ! Create ACL for cloud telemetry egress ip access-list extended MERAKI_VTY_OUT 10 permit tcp any host 18.232.x.x eq 2022 20 deny tcp any any ! Enable SSH to VTY lines line vty 16 17 access-class MERAKI_VTY_IN in access-class MERAKI_VTY_OUT out authorization exec MERAKI_VTY_AUTH_Z login authentication MERAKI_VTY_AUTH_N rotary 50 transport input ssh exit ! Configure SSH v2 with publickey authentication ip ssh version 2 ip ssh server algorithm authentication publickey password keyboard ip ssh port 2222 rotary 50 ! Configure a user for SSH and Netconf access username meraki-user privilege 15 secret 9 $9$1XUfj8vd… ip ssh pubkey-chain username meraki-user key-string AAAAB3N… exit exit exit ! enable NETCONF YANG globally netconf-yang ! enable LLDP for non-CDP network discovery lldp run ! Configure a TLS tunnel for Cloud Connectivity ! Using GigabitEthernet1/0/1 as the preferred source based on the current default route crypto tls-tunnel MERAKI-PRIMARY server url us.tlsgw.meraki.com port 443 overlay interface Loopback55 local-interface GigabitEthernet1/0/1 priority 1 pki trustpoint CISCO_IDEVID_SUDI sign pki trustpoint MERAKI_TLSGW_CA verify no shut exit
Example of full change in configuration following onboarding:
aaa authentication login MERAKI local
aaa authorization exec default local
aaa authorization exec MERAKI local
!
!
!
aaa session-id common
!
ip routing
!
device-tracking policy MERAKI_POLICY
security-level glean
no protocol udp
tracking enable
!
!
flow record MERAKI_AVC_HTTP_SSL_IPV4
match application name
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match flow observation point
match ipv4 protocol
match ipv4 version
collect application http host
collect application ssl common-name
collect connection client counter bytes network long
collect connection client counter packets long
collect connection initiator
collect connection new-connections
collect connection server counter bytes network long
collect connection server counter packets long
collect datalink mac source address input
collect datalink mac source address output
collect flow direction
collect timestamp absolute first
collect timestamp absolute last
!
!
flow exporter MERAKI_AVC
destination local file-export default
export-protocol ipfix
option interface-table timeout 300
option application-table
option application-attributes
!
!
flow monitor MERAKI_AVC_IPV4
exporter MERAKI_AVC
cache timeout inactive 60
cache timeout active 300
cache entries 65536
record MERAKI_AVC_HTTP_SSL_IPV4
!
flow file-export default
destination 18.232.x.x transport http dest-port 18088 up
file max-size 10
file max-count 2
file max-create-interval 5
crypto pki trustpoint MERAKI_TLSGW_CA
enrollment url flash://MERAKI_TLSGW_CA
revocation-check none
quit
crypto pki certificate chain MERAKI_TLSGW_CA
certificate ca 06D8D904D5584346F68A2FA754227EC4
308204BE 308203A6 A0030201 02021006 D8D904D5 584346F6 8A2FA
0D06092A 864886F7 0D01010B 05003061 310B3009 06035504 06130
13060355 040A130C 44696769 43657274 20496E63 31193017 06035
...
quit
!
username meraki-user privilege 15 secret 9 $9$lQXSZ...$
lldp run
!
!
!
crypto tls-tunnel MERAKI-PRIMARY
server url us.tlsgw.meraki.com port 443
overlay interface Loopback1000
local-interface GigabitEthernet1/0/1 priority 1
pki trustpoint CISCO_IDEVID_SUDI sign
pki trustpoint MERAKI_TLSGW_CA verify
interface Loopback1000
description Meraki TLS Connection
ip address 20.0.x.x 255.255.255.255
!
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
!
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
!
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY |
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
!
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY |
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
!
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
device-tracking attach-policy MERAKI_POLICY
ip flow monitor MERAKI_AVC_IPV4 input
ip flow monitor MERAKI_AVC_IPV4 output
ip route 18.232.x.x 255.255.255.255 Null0
ip ssh port 2222 rotary 50
ip ssh version 2
ip ssh pubkey-chain
username meraki-user
key-hash ssh-rsa 8CDF9A4C836A3D74673...
ip ssh server algorithm authentication publickey password key
!
ip access-list extended MERAKI_VTY_IN
10 permit tcp host 18.232.x.x any eq 2222
20 deny tcp any any
ip access-list extended MERAKI_VTY_OUT
10 permit tcp any host 18.232.x.x eq 2022
20 deny tcp any any
logging host 18.232.x.x
!
snmp-server enable traps smart-license
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server host 18.232.x.x version 2c public
!
> login local
> login local
line vty 16 17
access-class MERAKI_VTY_IN in
access-class MERAKI_VTY_OUT out
rotary 50
transport input ssh
line vty 18 19
access-class MERAKI_VTY_IN in
access-class MERAKI_VTY_OUT out
authorization exec MERAKI
login authentication MERAKI
rotary 50
transport input ssh
!
netconf-yang
telemetry ietf subscription 1001
encoding encode-tdl
filter tdl-uri /services;serviceName=sman_oper/control_proce
stream native
update-policy periodic 30000
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1002
encoding encode-tdl
filter tdl-transform MERAKI_INTF_STATS_DELTA
stream native
update-policy periodic 30000
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1003
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/cdp_neighbor_d
stream native
update-policy on-change
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1004
encoding encode-tdl
filter nested-uri /services;serviceName=sman_oper/control_pr
stream native
update-policy periodic 30000
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1007
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/platform_compo
stream native
update-policy periodic 30000
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1011
encoding encode-tdl
filter tdl-uri /services;serviceName=smevent/sessionevent
stream native
update-policy on-change
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1012
encoding encode-tdl
filter tdl-uri /services;serviceName=sessmgr_oper/session_co
stream native
update-policy periodic 360000
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1013
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/sisf_mac_oper_
stream native
update-policy on-change
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1014
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/sisf_db_wired_
stream native
update-policy periodic 360000
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1015
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_port_detai
stream native
update-policy periodic 30000
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1016
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/poe_module
stream native
update-policy periodic 60000
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1018
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/cdp_neighbor_d
stream native
update-policy periodic 360000
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1020
encoding encode-tdl
filter tdl-uri /services;serviceName=stkmevent/stkmevent
stream native
update-policy on-change
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1021
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_oper/switch_oper_in
stream native
update-policy on-change
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1030
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/platform_compo
stream native
update-policy on-change
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 1031
encoding encode-tdl
filter tdl-uri /services;serviceName=ios_emul_oper/entity_in
stream native
update-policy periodic 30000
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry ietf subscription 2002
encoding encode-tdl
filter tdl-transform MERAKI_PORTCHANNEL_STATS_DELTA
stream native
update-policy periodic 30000
receiver ip address 18.232.x.x 25103 protocol cloud-nati
telemetry transform MERAKI_INTF_STATS_DELTA
input table tbl_interfaces_state
field ipv4
field name
field speed
field if_index
field description
field oper_status
field admin_status
field phys_address
field interface_type
field statistics.rx_pps
field statistics.tx_pps
field statistics.in_octets
field statistics.out_errors
field ether_state.media_type
field statistics.in_errors_64
field statistics.out_discards
field statistics.in_crc_errors
field statistics.out_octets_64
field intf_ext_state.error_type
field statistics.in_discards_64
field statistics.in_unicast_pkts
field statistics.out_unicast_pkts
field ether_stats.in_jabber_frames
field statistics.in_broadcast_pkts
field statistics.in_multicast_pkts
field statistics.out_broadcast_pkts
field statistics.out_multicast_pkts
field ether_stats.in_fragment_frames
field ether_stats.in_oversize_frames
field ether_stats.in_mac_pause_frames
field statistics.in_unknown_protos_64
field ether_stats.out_mac_pause_frames
field intf_ext_state.port_error_reason
field ether_state.negotiated_port_speed
field ether_state.negotiated_duplex_mode
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
field ether_stats.dot3_counters.dot3_error_counters_v2.dot3
join-key name
logical-op and
type mandatory
uri /services;serviceName=ios_emul_oper/interface
operation 1
output-field 1
field tbl_interfaces_state.name
output-field 2
field tbl_interfaces_state.if_index
output-field 3
field tbl_interfaces_state.interface_type
output-field 4
field tbl_interfaces_state.description
output-field 5
field tbl_interfaces_state.admin_status
output-field 6
field tbl_interfaces_state.oper_status
output-field 7
field tbl_interfaces_state.speed
output-field 8
field tbl_interfaces_state.ipv4
output-field 9
field tbl_interfaces_state.phys_address
output-field 10
field tbl_interfaces_state.statistics.in_unknown_protos_64
output-field 11
field tbl_interfaces_state.statistics.in_octets
output-field 12
field tbl_interfaces_state.statistics.out_octets_64
output-field 13
field tbl_interfaces_state.statistics.in_errors_64
output-field 14
field tbl_interfaces_state.statistics.out_errors
output-field 15
field tbl_interfaces_state.statistics.in_unicast_pkts
output-field 16
field tbl_interfaces_state.statistics.out_unicast_pkts
output-field 17
field tbl_interfaces_state.statistics.in_multicast_pkts
output-field 18
field tbl_interfaces_state.statistics.out_multicast_pkts
output-field 19
field tbl_interfaces_state.statistics.in_broadcast_pkts
output-field 20
field tbl_interfaces_state.statistics.out_broadcast_pkts
output-field 21
field tbl_interfaces_state.statistics.in_discards_64
output-field 22
field tbl_interfaces_state.statistics.out_discards
output-field 23
field tbl_interfaces_state.statistics.tx_pps
output-field 24
field tbl_interfaces_state.statistics.rx_pps
output-field 25
field tbl_interfaces_state.ether_state.media_type
output-field 26
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 27
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 28
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 29
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 30
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 31
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 32
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 33
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 34
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 35
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 36
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 37
field tbl_interfaces_state.ether_stats.dot3_counters.dot3_
output-field 38
field tbl_interfaces_state.ether_stats.in_mac_pause_frames
output-field 39
field tbl_interfaces_state.ether_stats.out_mac_pause_frame
output-field 40
field tbl_interfaces_state.ether_stats.in_oversize_frames
output-field 41
field tbl_interfaces_state.ether_stats.in_jabber_frames
output-field 42
field tbl_interfaces_state.ether_stats.in_fragment_frames
output-field 43
field tbl_interfaces_state.ether_state.negotiated_duplex_m
output-field 44
field tbl_interfaces_state.ether_state.negotiated_port_spe
output-field 45
field tbl_interfaces_state.statistics.in_crc_errors
output-field 46
field tbl_interfaces_state.intf_ext_state.error_type
output-field 47
field tbl_interfaces_state.intf_ext_state.port_error_reaso
specified
telemetry transform MERAKI_PORTCHANNEL_STATS_DELTA
input table tbl_interfaces_state
field ipv4
field name
field speed
field if_index
field description
field oper_status
field admin_status
field phys_address
field interface_type
field interface_class
field statistics.rx_pps
field statistics.tx_pps
field statistics.in_octets
field statistics.out_errors
field statistics.in_errors_64
field statistics.out_discards
field statistics.out_octets_64
field statistics.in_discards_64
field statistics.in_unicast_pkts
field statistics.out_unicast_pkts
field statistics.in_broadcast_pkts
field statistics.in_multicast_pkts
field statistics.out_broadcast_pkts
field statistics.out_multicast_pkts
field statistics.in_unknown_protos_64
join-key name
logical-op and
type mandatory
uri /services;serviceName=ios_emul_oper/interface
operation 1
filter 1
condition operator eq
condition value INTF_CLASS_UNSPECIFIED
field tbl_interfaces_state.interface_class
logical-op and
logical-op next and
filter 2
event on-change
field tbl_interfaces_state.name
logical-op next or
logical-op or
output-field 1
field tbl_interfaces_state.name
output-field 2
field tbl_interfaces_state.if_index
output-field 3
field tbl_interfaces_state.interface_type
output-field 4
field tbl_interfaces_state.description
output-field 5
field tbl_interfaces_state.admin_status
output-field 6
field tbl_interfaces_state.oper_status
output-field 7
field tbl_interfaces_state.speed
output-field 8
field tbl_interfaces_state.ipv4
output-field 9
field tbl_interfaces_state.phys_address
output-field 10
field tbl_interfaces_state.statistics.in_unknown_protos_64
output-field 11
field tbl_interfaces_state.statistics.in_octets
output-field 12
field tbl_interfaces_state.statistics.out_octets_64
output-field 13
field tbl_interfaces_state.statistics.in_errors_64
output-field 14
field tbl_interfaces_state.statistics.out_errors
output-field 15
field tbl_interfaces_state.statistics.in_unicast_pkts
output-field 16
field tbl_interfaces_state.statistics.out_unicast_pkts
output-field 17
field tbl_interfaces_state.statistics.in_multicast_pkts
output-field 18
field tbl_interfaces_state.statistics.out_multicast_pkts
output-field 19
field tbl_interfaces_state.statistics.in_broadcast_pkts
output-field 20
field tbl_interfaces_state.statistics.out_broadcast_pkts
output-field 21
field tbl_interfaces_state.statistics.in_discards_64
output-field 22
field tbl_interfaces_state.statistics.out_discards
output-field 23
field tbl_interfaces_state.statistics.tx_pps
output-field 24
field tbl_interfaces_state.statistics.rx_pps
specified