Connecting Catalyst 9800 Wireless Controller to Dashboard
Cloud Monitoring for Catalyst Wireless is a Meraki Dashboard Early Access feature. Before you can add your wireless controller to dashboard, you have to opt in to Cloud Monitoring for Catalyst Wireless under Organization > Early access.
Meraki Tunnel for Wireless Controllers
A Cisco Catalyst Wireless LAN Controller running IOS XE 17.12.3, or 17.15.1 or later, can register with your Meraki dashboard. The Meraki device-to-cloud connectivity architecture has been crafted from the ground up to provide security and simplicity for connecting network devices to the Meraki dashboard, and it now includes Catalyst wireless controllers.
The Meraki Tunnel uses TLS 1.2 with AES-256 for encryption and enforces mutual TLS authentication to securely connect C9800 wireless controllers to the Meraki cloud infrastructure. Device-to-cloud connectivity with the Meraki Tunnel communicates on TCP port 443. This simplifies upstream firewall configuration, because C9800 wireless controllers usually sit behind firewalls that already allow outbound connections to port 443.
This feature serves a common use case in which the Catalyst access points continue to be managed by the C9800 wireless controller while the C9800 also appears in the Meraki dashboard. This allows a Catalyst wireless deployment to coexist with, and possibly migrate to, an all-Meraki access point deployment.
Your controller will register with dashboard to obtain its Cloud ID (Meraki Serial Number) over a secure HTTPS connection when Meraki Service Connect is initiated:
Once the C9800 has been registered with dashboard, it will securely connect to the dashboard Tunnel Config server to fetch its Meraki Tunnel configuration:
Finally, with the Meraki Tunnel configuration, the C9800 will create a secure tunnel to dashboard on TCP Port 443:
Considerations
- The Meraki Tunnel on C9800 wireless controllers does NOT support HTTP web proxy servers and requires the controller to have direct outbound access to the Meraki cloud infrastructure.
- It is recommended that Meraki Tunnel traffic be exempt from TLS/SSL traffic inspection in order to avoid potential connectivity issues.
Connecting the C9800 to dashboard is the first stage of onboarding. Follow the Adding Catalyst 9800 Wireless Controller and Access Points to Dashboard document to claim your C9800 into your dashboard organization after you have connected the C9800.
Make sure your wireless controller and access points meet the requirements. Firmware, licensing and other requirements are covered in the Cloud Monitoring for Catalyst Wireless Requirements document.
Meraki Tunnel Prerequisites
Before the Meraki Tunnel is enabled on the C9800 controller, the following is required:
- IP routing is enabled. IP routing mode is required for the Meraki Tunnel services on the wireless controller.
- The Meraki Tunnel only supports the global VRF.
- Domain name lookup is required for hostname resolution to the dashboard Registration and Meraki Tunnel services:
  ip name-server {Domain server IP address}
  ip domain lookup
- The wireless controller clock must reflect the correct current time in order to establish a mutual TLS tunnel with the Registration and Meraki Tunnel services; enable NTP:
  ntp server {ntp server IP address}
Connect the Wireless Controller to Dashboard (Web UI)
Navigate to Configuration > Services > Cloud Services > Meraki in the Web UI to connect the C9800 wireless controller to the dashboard:
Click the Meraki Connect button to ENABLE the Tunnel and click Apply.
Use the same Web UI page to confirm the C9800 wireless controller has successfully registered and the Meraki Tunnel is connected:
Connect the Wireless Controller to Dashboard (CLI)
Connecting the C9800 wireless controller to dashboard from the command line interface is done with the configuration command service meraki connect:
C9800-meraki-mon#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C9800-meraki-mon(config)#service meraki connect
To confirm the C9800 wireless controller has successfully registered and the Meraki Tunnel is connected use the show meraki connect command:
C9800-meraki-mon#sh meraki connect
Service meraki connect: enable
Meraki Tunnel Config
------------------------------------
Fetch State: Config fetch succeeded
Fetch Fail: no failure
Last Fetch(UTC): 2023-10-13 18:43:26
Next Fetch(UTC): 2023-10-13 19:44:41
Config Server: cs253-2037.meraki.com
Primary: usw.nt.meraki.com
Secondary: use.nt.meraki.com
Client IPv6 Addr: FD0A:9B09:1F7:1:4E42:1EFF:FEBE:9360
Meraki Tunnel State
------------------------------------
Primary: Up
Secondary: Up
Primary Last Change(UTC): 2023-10-13 18:43:37
Secondary Last Change(UTC): 2023-10-13 18:43:37
Client Last Restart(UTC): 2023-10-13 18:43:26
Meraki Tunnel Interface
------------------------------------
Status: Enable
Rx Packets: 1221
Tx Packets: 1090
Rx Errors: 0
Tx Errors: 0
Rx Drop Packets: 0
Tx Drop Packets: 0
Meraki Device Registration
------------------------------------
url: https://catalyst.meraki.com/nodes/register
Device Number: 1
PID: C9800-40-K9
Serial Number: TTM270100L8
Cloud ID: Q2ZZ-2SK3-UHQD
Mac Address: 4C:42:1E:BE:93:60
Status: Registered
Timestamp(UTC): 2023-10-13 18:43:14
Access Point Registration
Access points must be registered with dashboard in order to be onboarded, and each receives its own unique Cloud ID (serial number). When the Meraki Connect service is enabled on the controller, the controller instructs all joined access points to begin registering with dashboard over a secure HTTPS connection:
The access point registration process will automatically begin when the service is enabled on the controller and requires no additional configuration.
Access Point Registration Prerequisites
- Access points must be able to reach the following Meraki dashboard IP ranges to register with dashboard:
  209.206.48.0/20 TCP/443
  216.157.128.0/20 TCP/443
  158.115.128.0/19 TCP/443
- Access points must be able to perform a domain name lookup for hostname resolution to the dashboard Registration service.
- For access points obtaining IP address configuration from DHCP, ensure DHCP Option 6 (the DNS server option) is enabled so the DNS server IP address is assigned to the access points.
- Only dashboard-supported access point models will register. For the list of supported access points, see the Cloud Monitoring for Catalyst Wireless Requirements document.
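The reachability prerequisite above is usually enforced by an upstream firewall, and a rule that allows only part of a range leaves some APs unable to register. The following is an added example (not code from this page or from Cisco) that checks whether an exported allow-list fully covers the three dashboard prefixes on TCP/443. The prefixes and port are the ones listed above; the (destination prefix, protocol, port) rule shape and the sample rules are assumptions constructed for the example.

```python
"""Check that a firewall allow-list covers the dashboard ranges access points
need for registration. Added example, not code from the Meraki page or Cisco.
The prefixes and port come from the page; the rule tuple shape and the sample
allow-list below are constructed assumptions."""
import ipaddress

# Destination ranges and port the page lists for access point registration.
REQUIRED_DESTINATIONS = [
    ("209.206.48.0/20", 443),
    ("216.157.128.0/20", 443),
    ("158.115.128.0/19", 443),
]

# Constructed sample allow-list: (destination prefix, protocol, port), where
# protocol or port may be "any". The two /21 rules together cover the second
# required /20; the third range is only partially allowed (a single /24).
SAMPLE_ALLOW_RULES = [
    ("209.206.48.0/20", "tcp", 443),
    ("216.157.128.0/21", "tcp", 443),
    ("216.157.136.0/21", "tcp", 443),
    ("158.115.128.0/24", "tcp", 443),
    ("0.0.0.0/0", "udp", 53),
]


def uncovered_destinations(allow_rules, required=REQUIRED_DESTINATIONS):
    """Return the required (prefix, port) pairs not fully covered by the rules.

    Rules matching the protocol and port are merged with collapse_addresses()
    so that several adjacent rules count as one; a range that is only partly
    allowed is reported as a gap so the operator can widen the rule.
    """
    gaps = []
    for prefix, port in required:
        needed = ipaddress.ip_network(prefix)
        allowed = []
        for dst, proto, rule_port in allow_rules:
            if proto.lower() not in ("tcp", "any"):
                continue
            if rule_port not in (port, "any"):
                continue
            net = ipaddress.ip_network(dst)
            # collapse_addresses() refuses mixed IPv4/IPv6 input.
            if net.version == needed.version:
                allowed.append(net)
        merged = list(ipaddress.collapse_addresses(allowed))
        if not any(needed.subnet_of(net) for net in merged):
            gaps.append((prefix, port))
    return gaps


if __name__ == "__main__":
    for prefix, port in uncovered_destinations(SAMPLE_ALLOW_RULES):
        print(f"missing allow rule: {prefix} TCP/{port}")
```

Run against the sample rules, the check reports only 158.115.128.0/19, because the two /21 rules collapse into the required 216.157.128.0/20 while the /24 leaves most of the third range blocked.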
To confirm access points have successfully registered in dashboard use the show ap meraki monitoring summary command:
C9800-meraki-mon#show ap meraki monitoring summary
Meraki Monitoring : Enabled
Number of Supported APs : 2
AP Name AP Model Radio MAC MAC Address AP Serial Number Cloud ID Status
-----------------------------------------------------------------------------------------------------------------------------------------------------
AP-C9130AXE-01 C9130AXE-B 5c64.f112.c720 6c8d.7738.2130 FJC271123CQ Q2ZZ-8SWV-NZ7A Registered
AP-CW9166I-01 CW9166I-B e438.7e43.bd20 6849.9275.9060 FJC271122H0 Q5AP-WBAV-2SSY Registered
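Both show commands on this page (show meraki connect in the CLI section above and show ap meraki monitoring summary here) are what an operator polls to confirm the tunnel and AP registration stay healthy. The following is an added example, not code from this page or from Cisco, that parses captured text of both outputs and returns the conditions worth escalating: service disabled, config fetch not succeeded, a tunnel leg not Up, non-zero interface error or drop counters, controller not Registered, and any AP whose status is not Registered. It assumes the outputs follow the layout shown on the page; the sample outputs are constructed with placeholder serial numbers and Cloud IDs, and the "Pending" AP status is an assumed placeholder for a not-yet-registered AP.

```python
"""Parse 'show meraki connect' and 'show ap meraki monitoring summary' output
and list what an operator would escalate. Added example, not code from the
Meraki page or Cisco; assumes the outputs were captured as text and follow the
layout shown on the page. Samples are constructed with placeholder identifiers."""

# Constructed sample: the secondary tunnel leg is down, everything else healthy.
SAMPLE_SHOW_MERAKI_CONNECT = """\
Service meraki connect: enable
Meraki Tunnel Config
------------------------------------
Fetch State: Config fetch succeeded
Fetch Fail: no failure
Meraki Tunnel State
------------------------------------
Primary: Up
Secondary: Down
Meraki Tunnel Interface
------------------------------------
Status: Enable
Rx Errors: 0
Tx Errors: 0
Meraki Device Registration
------------------------------------
url: https://catalyst.meraki.com/nodes/register
Cloud ID: QXXX-XXXX-XXXX
Status: Registered
"""

# Constructed sample: the second AP has no Cloud ID yet, so its row is one
# column short; "Pending" is an assumed placeholder status for this example.
SAMPLE_AP_SUMMARY = """\
Meraki Monitoring : Enabled
Number of Supported APs : 2
AP Name AP Model Radio MAC MAC Address AP Serial Number Cloud ID Status
------------------------------------------------------------------------
AP-LAB-01 C9130AXE-B 0000.0000.0a20 0000.0000.0b30 SERIAL-PLACEHOLDER-1 QXXX-XXXX-XXX1 Registered
AP-LAB-02 CW9166I-B 0000.0000.0c20 0000.0000.0d30 SERIAL-PLACEHOLDER-2 Pending
"""


def _is_rule(line):
    """True for the dashed separator line printed under each header."""
    s = line.strip()
    return bool(s) and set(s) == {"-"}


def parse_show_meraki_connect(text):
    """Return {section: {key: value}}; the leading service line goes in 'Service'."""
    sections = {"Service": {}}
    current = "Service"
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or _is_rule(line):
            continue
        # A section header has no ':' and is followed by a dashed rule.
        if ":" not in line and i + 1 < len(lines) and _is_rule(lines[i + 1]):
            current = line
            sections[current] = {}
            continue
        # Split on the first ':' only; URLs and IPv6 addresses contain colons.
        key, _, value = line.partition(":")
        sections[current][key.strip()] = value.strip()
    return sections


def tunnel_problems(sections):
    """Return human-readable problems found in parsed 'show meraki connect'."""
    problems = []
    if sections.get("Service", {}).get("Service meraki connect") != "enable":
        problems.append("service meraki connect is not enabled")
    cfg = sections.get("Meraki Tunnel Config", {})
    if cfg.get("Fetch State") != "Config fetch succeeded":
        problems.append(f"tunnel config fetch: {cfg.get('Fetch State', 'missing')}")
    state = sections.get("Meraki Tunnel State", {})
    for leg in ("Primary", "Secondary"):
        if state.get(leg) != "Up":
            problems.append(f"{leg.lower()} tunnel is {state.get(leg, 'missing')}")
    iface = sections.get("Meraki Tunnel Interface", {})
    for counter in ("Rx Errors", "Tx Errors", "Rx Drop Packets", "Tx Drop Packets"):
        if iface.get(counter, "0") != "0":
            problems.append(f"{counter} = {iface[counter]}")
    reg = sections.get("Meraki Device Registration", {})
    if reg.get("Status") != "Registered":
        problems.append(f"controller registration: {reg.get('Status', 'missing')}")
    return problems


def unregistered_aps(text):
    """Return AP names whose last column is not 'Registered'.

    Fields are read from the right, so a row missing the Cloud ID column
    (AP not yet registered) is still attributed to the correct AP name.
    """
    names, in_table = [], False
    for line in text.splitlines():
        if _is_rule(line):
            in_table = True
            continue
        fields = line.split()
        if not in_table or len(fields) < 2:
            continue
        if fields[-1] != "Registered":
            names.append(fields[0])
    return names


def onboarding_problems(connect_output, ap_output):
    """Combine both checks into one list for a monitoring job."""
    problems = tunnel_problems(parse_show_meraki_connect(connect_output))
    problems += [f"AP {n} is not registered" for n in unregistered_aps(ap_output)]
    return problems
```

Feed the two captured outputs to onboarding_problems(); an empty list means the controller is registered, both tunnel legs are up, the interface counters are clean and every supported AP has registered. The parser keys on the dashed separator lines, so it does not depend on column widths in the AP table.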
Access point registration status can also be seen in the C9800 Web UI by navigating to Configuration > Wireless > Access Points:
Note: You may need to select the Meraki monitoring columns to see the AP Meraki registration information:
Access points need to communicate with dashboard on TCP port 443 ONLY during registration. Access points do not communicate directly with dashboard during normal operation.
As long as the Meraki Connect service remains enabled, any supported access points that join the C9800 wireless controller will automatically register with dashboard.