Meraki MX ThousandEyes Configuration Guide
This document describes the general architecture and configuration of our ThousandEyes and Meraki integration.
Overview
ThousandEyes is a platform that brings deep visibility into customers' applications and WAN infrastructure. ThousandEyes uses active monitoring via various protocols to monitor applications and WAN performance like ICMP, DNS queries, and more. For further information on ThousandEyes and its offerings please check ThousandEyes Documentation.
This integration allows Cisco Meraki MX appliances to instantly activate ThousandEyes agents at unmatched speed, scale, and operational efficiency. This solution leverages the Meraki Insight (MI) feature which is designed to give Meraki customers an easy way to monitor the performance of web applications and WAN Links on their network and easily identify if any issues are likely caused by the network (LAN or WAN) or the application server. The data used by MI is based on end-user HTTP/S data that are already traversing the MX appliance and does not need synthetic probing.
With the ThousandEyes integration, customers can now benefit from enhanced visibility and alerting capabilities by creating a customized network and application testing for critical applications inside or outside their infrastructure. For example, customers can now monitor their internal DNS server response time and availability and measure the average resolution time for a specific domain.
Simplified Workflow to enable ThousandEyes Agents on MX
Solution Requirements
Firmware and Hardware
- Minimum Firmware: MX 18.104.
- Recommended Firmware: MX 18.107.2 or higher is strongly recommended.
- MX Models: MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX85, MX95, MX105, MX250, MX450.
- MX in NAT Mode. Devices running in Concentrator mode are not supported
- Connectivity to the ThousandEyes Platform cloud infrastructure. For a full list of required ports and subnets please refer to the Firewall Configuration for Enterprise Agents document in ThousandEyes documentation.
Meraki Licensing
Coterm Licensing
- SD-WAN+ or,
- Per Network SD-WAN+ or,
- Advanced Security
The full feature mapping for your licensing tier can be seen below:
Advanced Security-only | Advanced Security + MI | SDW+ | Per Network SDW+ | |
---|---|---|---|---|
Agent Deployment | Yes | Yes | Yes | Yes |
Test Templates | No | Yes | Yes | Yes |
Free ThousandEyes Tests | No | No | Yes (Up to 50) | Yes (Up to 50) |
Test Results Visualization | ThousandEyes | ThousandEyes | ThousandEyes | ThousandEyes |
Subscription Licensing
- Essentials Tier: Not Supported
- Advantage Tier: Same features as SDW+ licensing
For more information on Subscriptions licensing and the Meraki MX Appliance please refer to the Meraki MX Subscription Licensing document.
ThousandEyes Licensing
- Available Units in the ThousandEyes Account.
Changing the Configuration of Free Tests / Impact on ThousandEyes Units
Each Free Test (5-minute interval Web Server - HTTP tests) equals 22 monthly Thousandeyes Units. Under this offer, you may only receive a maximum of 1100(50*22) monthly ThousandEyes Units per Cisco HQID, which equals the 50 Free Tests mentioned above. If you change the configuration of the Free Test(s) via the ThousandEyes platform, the Free Test(s) may consume more or less ThousandEyes Units depending on your configuration. Such changes will impact the number of Free Tests available to you, as the maximum of 1100 monthly ThousandEyes Units per Cisco HQID will still apply. However, you may increase the number of ThousandEyes Units through a separate purchase of more ThousandEyes Units.
Meraki and ThousandEyes Accounts
- Meraki Dashboard account:
- At least two Full-Org admins are needed in the Meraki Dashboard.
- SSO/SAML is not supported for account linkage or agent onboarding.
- ThousandEyes account:
- At least the Account Admin role privilege.
- A New ThousandEyes account can be created as part of a Free Trial option via the Meraki Dashboard.
The ThousandEyes Integration is currently supported in the following regions:
- North America
- Europe, Middle East and Africa
- Asia Pacific and Japan
Your Meraki Dashboard Account and ThousandEyes Accounts must belong to the same region.
Since Meraki and ThousandEyes are not all available in the same regions, the following account linkage restrictions are enforced:
Meraki Region | ThousandEyes Region |
North America | North America |
Europe, Middle East and Africa | Europe, Middle East and Africa |
Asia Pacific and Japan | North America |
This means that a Meraki Dashboard, located in North America, can only be linked with a ThousandEyes account hosted in North America.
The ThousandEyes integration is not supported in China as Meraki Insight is not available in this region.
Technical Overview
The ThousandEyes application integrates deeply into the MX architecture and does not require external hardware or out-of-band activation. It uses ThousandEyes Enterprise Agents deployed on the MX via Meraki Dashboard as the vantage point monitoring customers’ data centers, cloud VPCs/VNETs, branch offices, and other internal or Internet-based network assets.
After the Enterprise Agent is deployed on the MX Appliance, it will register with the Meraki and ThousandEyes backend cloud to download all the test and management configurations using encrypted communication.
The ThousandEyes Test template feature uses predefined protocols, probing intervals, and alerts templates that simplify the monitoring configuration for the target applications. The Enterprise Agent behaves as a service inside the MX Appliance and uses the Appliance hardware and firmware as a base platform to perform the Agent monitoring tasks.
ThousandEyes Enterprise Agent Routing Considerations
The routing behavior for the Enterprise Agent running on an MX Appliance is similar to other MX Services, such as our Syslog implementation. Details can be found below:
- The agent networking stack is internal to the MX Appliance and does not interfere with Data Plane traffic
- The Agent is assigned an internal 198.51.x.x IP address. This subnet cannot be modified.
- The Agent traffic strictly follows the MX routing table, meaning no local breakout support exists.
- If the destination to monitor is across an AutoVPN tunnel, the source IP will be the IP address of the highest allowed VLAN in the tunnel.
- For route overlaps, it uses the MX Route Priority
Enabling ThousandEyes Monitoring on the MX Platform
For Advanced Security Licensing
Step 1: Select the “Active Application Monitoring” page under Meraki Insight. An educational page about the integration will be presented. The user clicks the Try it button to initiate the deployment. To view the onboarding video separately, please click here.
Step 2: Account linkage between Meraki and ThousandEyes
SAML/SSO Is currently not supported for either account or user linkage
- Log in:
- ThousandEyes log in with their existing account
- Select the account group you want to deploy Agents at from the drop-down menu
When using the Log in option the Meraki Dashboard Administrator's email address should also exist and be the same as your email address in the ThousandEyes Organization.
- Create a new account:
- A ThousandEyes login window will allow users to create a new account using the email from their Dashboard account
- This action will start a Free Trial
Depending on the options chosen, a different menu will be displayed. For Log in, we will request your ThousandEyes username and password. For creating an account, we will request creating a new password.
When using the Create new account option, the current Meraki Administrator email will be used as the email for the new ThousandEyes Trial account.
Step 3: Activate the Agents on the MX
This step will allow you to select the networks where the ThousandEyes monitoring will start. The networks shown comply with the minimum hardware and firmware requirements.
Networks bound to a Configuration Template (child networks) will appear as individual networks.
After choosing the desired Network(s), you can click Next. The next screen provides a Summary of the Network(s) to monitor.
Select Start Monitoring to complete the Onboarding process.
Step 4: Viewing the Agents List and Status
After completing the onboarding process, you will be redirected to the Monitored Networks page, where you can perform maintenance actions on the installed agents. This page lets you view the test results under the ThousandEyes Dashboard by clicking the View applications button.
The number of ThousandEyes remaining units can only be seen from the ThousandEyes Dashboard.
Step 5: To configure tests, please access the ThousandEyes Dashboard by either accessing it directly from your browser or by clicking the View applications button on the Monitored Networks page.
For SDW+ Licensing Licensing
Step 1: Select the “Active Application Monitoring” page under Meraki Insight. An educational page about the integration will be presented. The user clicks the Get Started button to initiate the deployment. To view the onboarding video separately, please click here.
Step 2: Account linkage between Meraki and ThousandEyes
SAML/SSO Is currently not supported for either account or user linkage
- Log in:
- ThousandEyes log in with their existing account
- Select the account group you want to deploy Agents at from the drop-down menu
When using the Log in option the Meraki Dashboard Administrator's email address should also exist and be the same as your email address in the ThousandEyes Organization.
- Create a new account:
- A ThousandEyes login window will allow users to create a new account using the email from their Dashboard account
- This action will start a Free Trial
Depending on the options chosen, a different menu will be displayed. For Log in, we will request your ThousandEyes username and password. For creating an account, we will request creating a new password.
When using the Create new account option, the current Meraki Administrator email will be used as the email for the new ThousandEyes Trial account.
SAML/SSO Is currently not supported for either account or user linkage
Step 3: Choose an Application to Monitor. A custom Application or continuing without one can also be selected.
This feature leverages Template Monitoring from ThousandEyes, which creates an Agent Web Server test for the selected application.
Some applications will require a tenant name or subdomain (unique ID for every application for the customer). For example, [company].office365.com.
Step 4: Activate the Agents on the MX
This step will allow you to select the networks where the ThousandEyes monitoring will start. The networks shown comply with the minimum hardware and firmware requirements.
Networks bound to a Configuration Template (child networks) will appear as individual networks.
After choosing the desired Network(s), you can click Next. The next screen provides a Summary of the Network(s) to monitor.
Select Start Monitoring to complete the Onboarding process.
Step 4: If you are entitled to claim free tests, a popup window will appear asking you to get them now or at a later date. For more information on the Free Test offer, please refer to the Free Test section in this document.
Step 5: Viewing the Results
After completing the onboarding process, you will be redirected to the Monitored Networks page, where you can perform maintenance actions on the installed agents. This page also lets you view the test results under the ThousandEyes Dashboard by clicking the View applications button.
The number of ThousandEyes remaining units can only be seen from the ThousandEyes Dashboard.
Free Test Claim Information
The number of free ThousandEyes 5-minute interval Web Server - HTTP Tests (referred to as the “Free Tests” in this document) available to claim on the Meraki Dashboard depends on several factors associated with your organization’s licensing model. (See the ThousandEyes Product Description for the terms and conditions applicable to the use of the ThousandEyes platform, including the Free Tests.) Please be aware that when you deploy a test via the Meraki Dashboard, this results in one ThousandEyes 5-minute interval Web Server - HTTP test being deployed. The number of Free Tests that you are entitled to receive is calculated as follows:
- If you have purchased an SD-WAN+ Licensing Entitlement, the number of Free Tests is calculated based on the number of supported licensed devices available on your licensing table. Each supported licensed Cisco Meraki MX device will entitle you to one Free Test.
- If you have purchased a Per Network SD-WAN Licensing Entitlement, the number of Free Tests is calculated based on the number of claimed per network SDW licenses on the organization license table. Each per network SDW license will entitle you to one Free Test.
In both licensing models, you may only receive a maximum of 50 Free Tests (the “Test Cap”). Also, in both licensing models, the calculation will start after the most recent new licensing purchase or renewal.
The Free Tests may not be available to you based upon your cloud instance, geography or region - see the Restrictions section below.
SD-WAN+ Licensing in Coterm Example
For example, in the organization below, there are seven Free Tests to claim because there are two MX68 and five MX85 devices (after a previous renewal) with an SD-WAN+ license.
Per Network SD-WAN Licensing Example
For example, in the organization below, there are five Free Tests to claim because there are five SDW-S licenses.
SDW-XS licenses are not counted when determining the number of Free Tests since they are used in MX appliances that cannot run the ThousandEyes integration, meaning the MX64 and MX65 Appliances and their variants, which are not supported.
Restrictions
The Free Tests are not currently available in every Meraki cloud instance (including the Cisco Meraki for Government cloud instance) and may not be available in all geographies and regions (including China, Hong Kong and Macau).
You will only receive Free Tests if your Meraki and ThousandEyes accounts are in the same geographical region and can be successfully connected. For example, if your Meraki Dashboard resides in the European Union, but your ThousandEyes Account Group belongs to North America, you cannot link the Meraki and ThousandEyes Dashboard and will not be entitled to receive Free Tests. Please refer to the table below for guidance on region mapping to confirm the availability of Free Tests:
Meraki Region | ThousandEyes Region |
---|---|
North America | North America |
Europe, Middle East and Africa | Europe, Middle East and Africa |
Asia Pacific and Japan | North America |
You only have the right to use or access the Free Tests in the cloud instances, geographies, and regions where they are commercially available.
Monitored Networks Table
After linking the account, the Monitored Networks table will be available in the Active Application Monitoring section under the Insight menu.
To successfully modify any settings on this page, the Dashboard user is required to connect their ThousandEyes account.
While in the Monitored Networks table, several actions can be performed under two different tabs:
Monitored Networks
- Removing a network: Removes the network from being monitored.
- Enabling/Disabling a network: Allows to pause or resume monitoring in the network.
- View applications button: Redirects the user to the ThousandEyes Dashboard for test results visualization.
- Add tests: Initiates the workflow to add a new test to new or existing networks.
- Applications > View: Allows to see which Applications are being monitored in the selected network
Settings
- Allow users to disconnect the current linked account.
Disconnecting an account deletes all the Networks Agents across your organization.
If the current user has not logged into their ThousandEyes account when accessing this page, the Meraki Dashboard will show a banner indicating the user to do so. Example below:
Network Topologies and Deployment Considerations
The Meraki + ThousandEyes integration can be deployed in several network topologies, depending on the application to monitor and its location in the network. The following scenarios provide insight on some considerations for such topologies, but it’s not an exhaustive and exclusive list.
Topology 1: Direct Internet Access
Characteristics:
- Most common deployment
- Test templates provide excellent coverage for most needed Apps
- Routing is extremely simple as the default route points to the WAN
Topology 2: AutoVPN Split Tunnel
Characteristics:
- Test templates provide flexibility for custom Application and No Application
- Routing to the Custom App server relies on the MX routing table
- DNS is tricky as the ThousandEyes agent uses the DNS servers from the MX WAN Interfaces
- Traffic to the Custom App server uses the overlay. We cannot provide underlay visibility
- Full ThousandEyes Path Visualization support for Applications over the AutoVPN tunnel is a work in progress
Topology 3: Full AutoVPN Tunnel
Characteristics:
- Hub MX propagates a default (0.0.0.0/0) route to the Branch MX
- Routing to the Custom Public App server relies on the Hub MX routing table
- Since all the traffic from the branch MX goes over the AutoVPN tunnel (Overlay), we cannot provide underlay visibility
- Since all the traffic to provision and manage the agent goes over the Hub, firewall rules are needed to allow the traffic in the hub and its upstream infrastructure
- Full ThousandEyes Path Visualization support for Applications over the AutoVPN tunnel is a work in progress
Topology 4: Full AutoVPN Tunnel to Secure Connect, Umbrella, or any Internet Gateway
Characteristics:
- The Umbrella/Secure Connect cloud propagates a default (0.0.0.0/0) route to the Branch MX
- Since all the traffic from the branch MX goes over the AutoVPN tunnel (Overlay), we cannot provide underlay visibility
- All the traffic to provision and manage the agent goes over to Umbrella
- Umbrella/SC needs firewall rules to allow agent traffic to the Internet.
- Traffic to the Meraki and ThousandEyes backend needs to be excluded from HTTPS Inspection
- Full ThousandEyes Path Visualization support for Applications over the AutoVPN tunnel is a work in progress
- The Meraki and ThousandEyes domains/endpoints to be allowed are:
- meraki.com
- registry.meraki-applications.com
- ThousandEyes Platform traffic
HA support & expected behavior
MX Appliances running in HA mode are supported with the ThousandEyes integration, but the Agent will only run on the primary MX. The Agent is downloaded on the spare MX but won’t be active until a failover event is triggered to avoid race conditions.
As expected, during a failover event, the Agent will show unreachable/down on the ThousandEyes Dashboard.
In a HA setup with VIPs (Virtual IP addresses), the ThousandEyes agent uses the individual WAN IP address for internet-bound testing and Dashboard communication. As such, after a failover event, the agent will appear as using a new IP address.
FAQs
Can the agent be deployed via API?
At this time, agent provisioning is not available via Dashboard API.
Can the ThousandEyes Agents be deployed using Templates?
The ThousandEyes agents can only be deployed using the network selection step under the activation wizard. Networks bound to a Configuration Template (child networks) will appear as individual networks where agents can be deployed.
Are event logs available?
Change and Event logs will be available for Agent provisioning and deletion at GA.
How much monitoring traffic is used by the MX and the ThousandEyes integration?
In addition to the usual amount of traffic used for management purposes as part of the Meraki Cloud connectivity, the ThousandEyes Agent generates additional traffic depending on the number of tests and test frequency configured. More information can be found here.
Why is my agent utilization high if their tests are failing?
Agent utilization depends on the duration and frequency of the tests. If network conditions change and the tests take longer to complete, agent utilization will increase. A failing test is considered an adverse network condition. Notes on agent utilization here
How does the MX route the test traffic sourced from the Agent?
This traffic will follow the MX routing table, but if the traffic destination is over an AutoVPN tunnel, it will be sourced from the MX IP address of the highest number VLAN allowed over the tunnel.
Is IPv6 Supported?
Yes. IPv6 testing will be available for this integration.
Can a Meraki Dashboard be associated with multiple ThousandEyes accounts?
No. A Meraki Dashboard organization can only be associated with one ThousandEyes account.
How long does it take before I start seeing reports on my ThousandEyes dashboard?
After the agent is configured on the Meraki Dashboard it might take up to 15 minutes for the reports to appear.
Do I open a case with Meraki Support or ThousandEyes Support?
If you need assistance with a Meraki Dashboard configuration, please contact Meraki Support. For any ThousandEyes configuration, please get in touch with ThousandEyes’ support.
Why are some Public DNS servers rejecting my lookup tests?
Neither ThousandEyes nor Meraki recommends using public DNS servers as a destination for DNS tests. These servers might reject our testing requests as a DDoS mitigation measure if the frequency of tests is too high (less than 2 minutes).
Depending on the configuration policies, this behavior can also be seen on internal DNS servers.
Does the ThousandEyes agent have any impact on the MX performance?
When no tests are performed, there’s no impact on the MX performance. The resource utilization when an agent runs does not impact the MX published throughput and performance metrics.
Which DNS Server does the agent use for internal queries?
The agent uses whichever DNS servers are present under the uplink configuration for the MX.
Why is the SSL time for MX-based agents tests higher than other platforms?
ThousandEyes Enterprise Agents running on the MX Platform with configured HTTP Servers test will experience higher SSL Time due to processing power limitations on the lower-end models.
To avoid false positives, we recommend using dynamic alert conditions based on the standard deviation of the SSL time. For more information on Dynamic Baselines, please consult the ThousandEyes configuration guide here.