This document describes the general architecture and configuration of our ThousandEyes and Meraki integration.
ThousandEyes is a platform that brings deep visibility into customers' applications and WAN infrastructure. ThousandEyes uses active monitoring via various protocols to monitor applications and WAN performance like ICMP, DNS queries, and more. For further information on ThousandEyes and its offerings please check ThousandEyes Documentation.
At Public Beta, this integration allows Cisco Meraki MX appliances to instantly activate ThousandEyes agents at unmatched speed, scale, and operational efficiency with dual dashboard experience (Meraki + ThousandEyes). At General Availability, coming later this calendar year, you will get an integrated Meraki dashboard experience.
User workflow to enable ThousandEyes Agents on MX
Meraki Insight (MI) is designed to give Meraki customers an easy way to monitor the performance of web applications and WAN Links on their network and easily identify if any issues are likely caused by the network (LAN or WAN) or the application server. The data used by MI is based on end-user HTTP/S data that are already traversing the MX appliance and does not need synthetic probing.
With the ThousandEyes integration, customers can now benefit from enhanced visibility and alerting capabilities by creating a customized network and application testing for critical applications inside or outside their infrastructure. For example, customers can now monitor their internal DNS server response time and availability and measure the average resolution time for a specific domain.
Firmware and Hardware Requirements
- Minimum Firmware: MX 18.104.
- Recommended Firmware: MX 18.107.2 or higher is strongly recommended.
- MX Models: MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450.
- MX in NAT Mode. Devices running in Concentrator mode are not supported,
- Connectivity to the ThousandEyes Platform cloud infrastructure. For a full list of required ports and subnets please refer to the Firewall Configuration for Enterprise Agents document in ThousandEyes documentation.
- SD-WAN+ or,
- Per Network SD-WAN or,
- Advanced Security + MI License.
- Available Units in the ThousandEyes Account.
- Meraki Dashboard account:
- At least two Full-Org admins are needed in the Meraki Dahsboard.
- SSO/SAML is not supported for account linkage or agent onboarding.
- ThousandEyes account:
- At least the Account Admin role privilege.
- A New ThousandEyes account can be created as part of a Free Trial option via the Meraki Dashboard.
The ThousandEyes application integrates deeply into the MX architecture and does not require external hardware or out-of-band activation. It uses Enterprise Agents deployed on the MX via Meraki Dashboard as the vantage point monitoring customers’ data centers, cloud VPCs/VNETs, branch offices, and other internal or Internet-based network assets.
After the Enterprise Agent is deployed on the MX Appliance, it will register with the Meraki and ThousandEyes backend cloud to download all the test and management configurations using encrypted communication.
For devices or organizations using either SDW+ or Advanced Security + MI license the Agent Management and Test Template configuration will be done via the Meraki Dashboard using the built-in Wizard. Please see an example image below.
How to enable ThousandEyes Monitoring
The ThousandEyes integration workflow will be available under the Active Application Monitoring page on the Meraki Insight dashboard menu.
Step 1: Select the “Active Application Monitoring” page under Meraki Insight. An educational page about the integration will be presented. The user clicks the Try it button to initiate the deployment. To view the onboarding video separately, please click here.
Step 2: Account linkage between Meraki and ThousandEyes
Select either of the two options
- Log in:
- ThousandEyes log in with their existing account
- Select the account group you want to deploy Agents at from the drop-down menu
- Create a new account:
- A ThousandEyes login window will allow users to create a new account using the email from their Dashboard account
- This action will start a Free Trial
Depending on the options chosen, a different menu will be displayed. For Log in, we will request your ThousandEyes username and password. For creating an account, we will request creating a new password.
When using the Create new account option, the current Meraki Administrator email will be used as the email for the new ThousandEyes account.
SAML/SSO Is currently not supported for either account or user linkage
Step 3: Choose an Application to Monitor
This feature leverages Template Monitoring from ThousandEyes, which creates an Agent Web Server test for the selected application.
Some applications will require a tenant name or subdomain (unique ID for every application for the customer). For example,
Step 4: Activate the Agents on the MX
This step will allow you to select the networks where the ThousandEyes monitoring will start. The networks shown comply with the minimum hardware and firmware requirements.
Networks bound to a Configuration Template (child networks) will appear as individual networks.
After choosing the desired Network(s), you can click Next. The next screen provides a Summary of the Network(s) and Application to monitor.
Select Start Monitoring to complete the Onboarding process.
Step 5: Viewing the Results
After completing the onboarding process, you will be redirected to the Monitored Networks page, where you can perform maintenance actions on the installed agents. This page also lets you view the test results under the ThousandEyes Dashboard by clicking the View applications button.
The number of ThousandEyes remaining units can only be seen from the ThousandEyes Dashboard.
Limitations on Account Linkage
When linking ThousandEyes and Meraki Dashboard accounts, certain limitations are enforced. Please review them below:
- Only accounts in the same Geographical Region can be successfully connected. If your Meraki Dashboard resides in the European Union, but your ThousandEyes Account Group belongs to North America, the linking process will fail.
- When creating a ThousandEyes account via the Meraki Dashboard, the ThousandEyes Account Group region will be chosen from the Meraki Dashboard Region. The exception is that for an APJC Meraki region, the ThousandEyes region will be mapped to North America.
- When linking a ThousandEyes account with multiple ThousandEyes Organizations (not Account Groups), the Meraki Dashboard will only connect with the default Login Account Group. Please refer to the Working with Account Settings document on the ThousandEyes documentation.
- The ThousandEyes account email used during the linking step needs to match the email used by the Meraki Dashboard Administrator performing the linkage process.
Monitored Networks Table
After linking the account, the Monitored Networks table will be available in the Active Application Monitoring section under the Insight menu.
To successfully modify any settings on this page, the Dashboard user is required to connect their ThousandEyes account.
While in the Monitored Networks table, several actions can be performed under two different tabs:
- Removing a network: Removes the network from being monitored.
- Enabling/Disabling a network: Allows to pause or resume monitoring in the network.
- View applications button: Redirects the user to the ThousandEyes Dashboard for test results visualization.
- Add tests: Initiates the workflow to add a new test to new or existing networks.
- Applications > View: Allows to see which Applications are being monitored in the selected network
- Allow users to disconnect the current linked account.
Disconnecting an account deletes all the Networks Agents across your organization.
If the current user has not logged into their ThousandEyes account when accessing this page, the Meraki Dashboard will show a banner indicating the user to do so. Example below:
Agent Utilization on the MX Appliance
The ThousandEyes Agent configuration exclusively dictates the maximum number of tests configured on an MX. Not only is the number of tests taken into account, but their frequency as well, as referenced in the Agent Utilization documentation. Please refer to the ThousandEyes Agent Utilization article.
HA support & expected behavior
MX Appliances running in HA mode are supported with the ThousandEyes integration, but the Agent will only run on the primary MX. The Agent is downloaded on the spare MX but won’t be active until a failover event is triggered to avoid race conditions.
As expected, during a failover event, the Agent will show unreachable/down on the ThousandEyes Dashboard.
In a HA setup with VIPs (Virtual IP addresses), the ThousandEyes agent uses the individual WAN IP address for internet-bound testing and Dashboard communication. As such, after a failover event, the agent will appear as using a new IP address.
Can the agent be deployed via API?
At this time, agent provisioning is not available via Dashboard API.
Can the ThousandEyes Agents be deployed using Templates?
The ThousandEyes agents can only be deployed using the network selection step under the activation wizard. Networks bound to a Configuration Template (child networks) will appear as individual networks where agents can be deployed.
Are event logs available?
Change and Event logs will be available for Agent provisioning and deletion at GA.
How much monitoring traffic is used by the MX and the ThousandEyes integration?
In addition to the usual amount of traffic used for management purposes as part of the Meraki Cloud connectivity, the ThousandEyes Agent generates additional traffic depending on the number of tests and test frequency configured. More information can be found here.
Why is my agent utilization high if their tests are failing?
Agent utilization depends on the duration and frequency of the tests. If network conditions change and the tests take longer to complete, agent utilization will increase. A failing test is considered an adverse network condition. Notes on agent utilization here
How does the MX route the test traffic sourced from the Agent?
This traffic will follow the MX routing table, but if the traffic destination is over an AutoVPN tunnel, it will be sourced from the MX IP address of the highest number VLAN allowed over the tunnel.
Is IPv6 Supported?
Yes. IPv6 testing will be available for this integration.
Can a Meraki Dashboard be associated with multiple ThousandEyes accounts?
No. A Meraki Dashboard organization can only be associated with one ThousandEyes account.
How long does it take before I start seeing reports on my ThousandEyes dashboard?
After the agent is configured on the Meraki Dashboard it might take up to 15 minutes for the reports to appear.
Do I open a case with Meraki Support or ThousandEyes Support?
If you need assistance with a Meraki Dashboard configuration, please contact Meraki Support. For any ThousandEyes configuration, please get in touch with ThousandEyes’ support.
Why are some Public DNS servers rejecting my lookup tests?
Neither ThousandEyes nor Meraki recommends using public DNS servers as a destination for DNS tests. These servers might reject our testing requests as a DDoS mitigation measure if the frequency of tests is too high (less than 2 minutes).
Depending on the configuration policies, this behavior can also be seen on internal DNS servers.
Does the ThousandEyes agent have any impact on the MX performance?
When no tests are performed, there’s no impact on the MX performance. The resource utilization when an agent runs does not impact the MX published throughput and performance metrics.
Which DNS Server does the agent use for internal queries?
The agent uses whichever DNS servers are present under the uplink configuration for the MX.
Why is the SSL time for MX-based agents tests higher than other platforms?
ThousandEyes Enterprise Agents running on the MX Platform with configured HTTP Servers test will experience higher SSL Time due to processing power limitations on the lower-end models.
To avoid false positives, we recommend using dynamic alert conditions based on the standard deviation of the SSL time. For more information on Dynamic Baselines, please consult the ThousandEyes configuration guide here.