Cisco Meraki Documentation

Connecting Catalyst 9800 Wireless Controller to Dashboard

Cloud Monitoring for Catalyst Wireless is a Meraki Dashboard Early Access Feature. Before you can add your wireless controller to dashboard, you have to opt in to Cloud Monitoring for Catalyst Wireless. Go to Organization > Early access to enable it.

Meraki Tunnel for Wireless Controllers

A Cisco Catalyst Wireless LAN Controller running firmware version IOS XE 17.12.3 or 17.15.1 or later can register with your Meraki Dashboard. The Meraki device-to-cloud connectivity architecture has been crafted from the ground up to provide security and simplicity for connecting network devices to the Meraki dashboard, which now includes Catalyst wireless controllers.

The Meraki Tunnel uses TLS 1.2 with AES-256 for encryption and enforces mutual TLS authentication to securely connect C9800 wireless controllers to the Meraki cloud infrastructure. Device-to-cloud connectivity with the Meraki Tunnel communicates on TCP port 443. This simplifies upstream firewall configurations, as C9800 wireless controllers are usually behind firewalls that may already allow outbound connections to port 443.

This feature serves a common use case where the Catalyst Access Points continue to be managed by the C9800 Wireless Controller while the C9800 also lives in Meraki Dashboard. This allows for the coexistence of a Catalyst Wireless deployment and a possible migration to an all-Meraki Access Points deployment.

Your controller will register with dashboard to obtain its Cloud ID (Meraki Serial Number) over a secure HTTPS connection when Meraki Service Connect is initiated:

C9800 wireless controller registering to the Meraki Server

Once the C9800 has been registered with dashboard, it will securely connect to the dashboard Tunnel Config server to fetch its Meraki Tunnel configuration:

C9800 wireless controller connecting to the dashboard to fetch the tunnel configuration

Finally, with the Meraki Tunnel configuration, the C9800 will create a secure tunnel to dashboard on TCP Port 443:

C9800 having a secure tunnel to the Meraki Server

Considerations

  • The Meraki Tunnel on C9800 wireless controllers does NOT support HTTP Web Proxy servers and requires the controller to have direct outbound access to the Meraki Cloud Infrastructure.

  • It is recommended for Meraki Tunnel traffic to be exempt from TLS/SSL traffic inspection in order to avoid potential connectivity issues.

Connecting the C9800 to dashboard is the first stage of onboarding. Follow the Adding Catalyst 9800 Wireless Controller and Access Points to Dashboard document to claim your C9800 into your dashboard organization after you have connected the C9800.

Make sure your Wireless Controller and Access Points meet the requirements. More information about Firmware, License and other aspects is covered in this document: Cloud Monitoring for Catalyst Wireless Requirements.

Meraki Tunnel Prerequisites

Before the Meraki Tunnel is enabled on the C9800 controller, the following is required:

  • IP Routing is enabled. IP routing mode is required for the Meraki Tunnel services on the wireless controller.

  • The Meraki Tunnel only supports the Global VRF.

  • Domain Name Lookup is required for hostname resolution to the dashboard Registration and Meraki Tunnel services.

  • The wireless controller clock must reflect the correct current time in order to establish a mutual TLS tunnel with the Registration and Meraki Tunnel services. Enable NTP services to keep the clock accurate.

Connect the Wireless Controller to Dashboard (Web UI)

Navigate to Configuration > Services > Cloud Services > Meraki in the Web UI to connect the C9800 wireless controller to the dashboard:

 

Connecting the C9800 wireless controller to dashboard from the web user interface

 

Click the Meraki Connect button to ENABLE the Tunnel and click Apply.

Use the same Web UI page to confirm the C9800 wireless controller has successfully registered and the Meraki Tunnel is connected:

 

Confirming the C9800 wireless controller has successfully registered and the Meraki Tunnel is connected

Connect the Wireless Controller to Dashboard (CLI)

Connecting the C9800 wireless controller to dashboard from the command line interface is done with the configuration command service meraki connect:

C9800-meraki-mon#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

C9800-meraki-mon(config)#service meraki connect

 

To confirm the C9800 wireless controller has successfully registered and the Meraki Tunnel is connected, use the show meraki connect command:

C9800-meraki-mon#sh meraki connect 

Service meraki connect: enable

Meraki Tunnel Config

------------------------------------

  Fetch State:                Config fetch succeeded

  Fetch Fail:                 no failure

  Last Fetch(UTC):            2023-10-13 18:43:26

  Next Fetch(UTC):            2023-10-13 19:44:41

  Config Server:              cs253-2037.meraki.com

  Primary:                    usw.nt.meraki.com

  Secondary:                  use.nt.meraki.com

  Client IPv6 Addr:           FD0A:9B09:1F7:1:4E42:1EFF:FEBE:9360

 

Meraki Tunnel State

------------------------------------

  Primary:                    Up

  Secondary:                  Up

  Primary Last Change(UTC):   2023-10-13 18:43:37

  Secondary Last Change(UTC): 2023-10-13 18:43:37

  Client Last Restart(UTC):   2023-10-13 18:43:26

 

Meraki Tunnel Interface

------------------------------------

  Status:                     Enable

  Rx Packets:                 1221

  Tx Packets:                 1090

  Rx Errors:                  0

  Tx Errors:                  0

  Rx Drop Packets:            0

  Tx Drop Packets:            0

 

Meraki Device Registration

------------------------------------

  url:                        https://catalyst.meraki.com/nodes/register

  Device Number:              1

  PID:                        C9800-40-K9

  Serial Number:              TTM270100L8

  Cloud ID:                  Q2ZZ-2SK3-UHQD

  Mac Address:                4C:42:1E:BE:93:60

  Status:                     Registered

  Timestamp(UTC):             2023-10-13 18:43:14
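The output above can be checked by a monitoring job instead of by eye. The following is an added example, not part of the Cisco documentation: `parse`, `faults` and `EXPECTED` are hypothetical names, and treating any value other than the ones in the healthy sample as a fault is an assumption.

```python
import re

# Healthy `show meraki connect` output, abridged from the sample on this page.
SAMPLE = """\
Service meraki connect: enable
Meraki Tunnel Config
------------------------------------
  Fetch State:                Config fetch succeeded
  Primary:                    usw.nt.meraki.com
Meraki Tunnel State
------------------------------------
  Primary:                    Up
  Secondary:                  Up
Meraki Tunnel Interface
------------------------------------
  Status:                     Enable
Meraki Device Registration
------------------------------------
  Status:                     Registered
"""

# Values from the healthy sample; any other value is reported (assumption).
EXPECTED = [
    ("Service", "Service meraki connect", "enable"),
    ("Meraki Tunnel Config", "Fetch State", "Config fetch succeeded"),
    ("Meraki Tunnel State", "Primary", "Up"),
    ("Meraki Tunnel State", "Secondary", "Up"),
    ("Meraki Tunnel Interface", "Status", "Enable"),
    ("Meraki Device Registration", "Status", "Registered"),
]

def parse(text):
    """Key by (section, field): "Primary" and "Status" repeat across sections."""
    out, section = {}, "Service"
    for line in (l.strip() for l in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue
        m = re.match(r"([^:]+):\s+(.*)", line)
        if m:
            out[(section, m.group(1).strip())] = m.group(2).strip()
        else:
            section = line  # a line without "key: value" starts a section
    return out

def faults(text):
    """List every expected field that is missing or has a different value."""
    got = parse(text)
    return [f"{s} / {k}: got {got.get((s, k))!r}, want {v!r}"
            for s, k, v in EXPECTED if got.get((s, k)) != v]
```

An empty list from `faults` means the service is enabled, the configuration fetch succeeded, both tunnels are up and the controller is registered.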

 

Access Point Registration

Access points must be registered with dashboard in order to be onboarded and will also receive their own unique Cloud ID (serial number). When the Meraki Connect service is enabled on the controller, the controller will instruct all joined access points to begin to register with dashboard over a secure HTTPS connection: 
 

Access point registration

 

The access point registration process will automatically begin when the service is enabled on the controller and requires no additional configuration.

Access Point Registration Prerequisites

  • Access Points must be able to reach the following Meraki Dashboard IP ranges to register with dashboard:
    • 209.206.48.0/20 TCP/443
    • 216.157.128.0/20 TCP/443
    • 158.115.128.0/19 TCP/443

  • Access Points must be able to perform a domain name lookup, which is required for hostname resolution to the dashboard Registration service.
    • For access points obtaining IP address configuration from DHCP, ensure DHCP Option 6 (DNS server) is enabled to specify the DNS server IP address to be assigned to the access points.
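A least-privilege check for the access point egress rules, as an added example that is not part of the Cisco documentation: it reports which of the listed dashboard ranges a TCP/443 permit list fails to cover and which entries are wider than registration needs. The `audit` function and the sample rule set are hypothetical.

```python
import ipaddress

# Dashboard ranges this page lists for access point registration on TCP/443.
REQUIRED = ["209.206.48.0/20", "216.157.128.0/20", "158.115.128.0/19"]

def audit(permitted):
    """permitted: destination CIDRs the AP subnet may reach on TCP/443.

    Returns (missing, broad): required ranges not fully covered, and
    permit entries that extend beyond the ranges registration needs.
    """
    required = [ipaddress.ip_network(r) for r in REQUIRED]
    nets = [ipaddress.ip_network(p) for p in permitted]
    # Merge adjacent or overlapping entries so a /20 written as two /21s counts.
    merged = list(ipaddress.collapse_addresses(nets))
    missing = [str(r) for r in required
               if not any(r.subnet_of(m) for m in merged)]
    broad = [str(n) for n in nets
             if not any(n.subnet_of(r) for r in required)]
    return missing, broad

# Constructed rule set: first range split in two, second absent, third exact.
SAMPLE_RULES = ["209.206.48.0/21", "209.206.56.0/21", "158.115.128.0/19"]

if __name__ == "__main__":
    missing, broad = audit(SAMPLE_RULES)
    print("not reachable:", missing)
    print("wider than needed:", broad)
```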

 

Only dashboard supported access point models will register. For the list of supported access points, view the Cloud Monitoring for Catalyst Wireless Requirements document.

To confirm access points have successfully registered in dashboard use the show ap meraki monitoring summary command:

C9800-meraki-mon#show ap meraki monitoring summary 

Meraki Monitoring          : Enabled

Number of Supported APs    : 2

AP Name                          AP Model             Radio MAC      MAC Address    AP Serial Number       Cloud ID        Status                   

-----------------------------------------------------------------------------------------------------------------------------------------------------

AP-C9130AXE-01                   C9130AXE-B           5c64.f112.c720 6c8d.7738.2130 FJC271123CQ            Q2ZZ-8SWV-NZ7A  Registered

AP-CW9166I-01                    CW9166I-B            e438.7e43.bd20 6849.9275.9060 FJC271122H0            Q5AP-WBAV-2SSY  Registered

 

Access point registration status can also be seen in the C9800 Web UI by navigating to Configuration > Wireless > Access Points:

 

Access point registration status seen in the C9800 Web UI

 

Note: You may need to select the Meraki monitoring columns to see the AP Meraki registration information: 

select the Meraki monitoring columns to see the AP Meraki registration information

 

Access points need to communicate to dashboard on TCP port 443 ONLY during registration. Access points do not communicate directly to dashboard during normal operations.

 

As long as the Meraki Connect service remains enabled, any supported access points that join the C9800 wireless controller will automatically register to dashboard.
