How to Use Cloud CLI for Cloud-Managed IOS XE Devices
Overview
This article explains how to enable, access, and use Cloud CLI, an Early Access feature for Cloud Management with IOS XE devices.
Cloud CLI is an Early Access feature for Cloud Management with IOS XE devices. To enable Cloud CLI, go to Organization > Configure > Early Access and opt in your dashboard organization.
Cloud CLI is a fully interactive CLI terminal hosted in the Meraki dashboard for your Cloud Management with IOS XE Catalyst switches and wireless controllers. When you launch the Cloud CLI terminal, the dashboard initiates a secure direct terminal session inside the Meraki Tunnel to your Catalyst device. Once connected, you get the same terminal CLI experience you would have if you opened your own direct VTY session.
CLI terminal modes
When you launch the CLI terminal, your dashboard administrator authorization level determines your access permissions. The CLI terminal launches in one of two modes.
Cloud CLI organization access mode
By default, the Cloud CLI launches in read-only access mode for your Meraki dashboard organization. In this mode, the Cloud CLI terminal supports only read-only access for troubleshooting and show commands.
To enable configuration mode, go to Organization > Settings > Cloud-native IOS-XE Cloud CLI.
If you do not want dashboard full-access administrators to re-authenticate when accessing Cloud CLI configuration mode, disable Require authentication.

Read-only mode
Read-only mode provides administrators with the IOS XE User Exec view. In this view, you can run most IOS XE show commands, as well as ping and traceroute.

Read-only mode permissions
Dashboard administrators with the following roles/access launch the CLI terminal in read-only mode:
- Observer/read-only: Organization scope
- Observer/read-only: Network scope
Read-only mode restrictions
- Administrators cannot enter privileged Exec (enable) mode.
- Administrators cannot enter configuration commands mode.
- Administrators cannot download session logs from configuration mode sessions.
- SSH or telnet to other LAN devices from the CLI terminal is not permitted.
- Cloud operating mode IOS XE switches support only read-only mode CLI terminal.
To ensure a low-latency experience for the live interactive CLI terminal, the following show commands are excluded. In the future, administrators will be able to download these command outputs directly to a log file from the dashboard:
- show memory
- show tech-support
Configuration mode
Configuration mode provides administrators with the IOS XE Privileged Exec view. In this view, you can run most IOS XE configuration commands.
Configuration mode permissions
Dashboard administrators with the following roles/access launch the CLI terminal in configuration mode:
- Full Access: Organization scope
- Full Access: Network scope
Before Full Access administrators can launch the CLI terminal in configuration mode, they must re-authenticate their dashboard password when launching the terminal. Administrators authenticated through external authentication via SAML integration do not have to re-authenticate.
Configuration mode restrictions
To help ensure configuration command auditing, the following configurations are excluded from the configuration mode CLI terminal:
- parser
- archive
- ntp
- timezone
- clock
- guestshell
SSH or telnet client connections to other devices from the CLI terminal is not permitted.
To ensure a low-latency experience, the following show commands are excluded. In the future, administrators will be able to download these command outputs directly to a log file from the dashboard:
- show memory
- show tech-support
Prerequisites
The Cloud CLI terminal is supported only on cloud-managed IOS XE switches and wireless controllers. Confirm the following before you begin.
Supported models and IOS XE versions
- Catalyst 9000 series switches on Cloud Management with IOS XE 17.15.3+
- Catalyst 9800 wireless controllers with IOS XE 17.15.1 and higher
Conversion and migration requirements
- Cloud monitoring switches must be converted to cloud management using IOS XE 17.15.3 with either device or cloud configuration. Refer to Enable Cloud Management for Catalyst Switches with Device Configuration.
- 9300-M switches on CS firmware must migrate to Cloud Management with IOS XE 17.15.3+. Refer to Upgrade Steps for Cloud-managed Catalyst Switches.
Dashboard operating mode support
- Device configuration mode: Cloud Management with IOS XE devices on 17.15.x support both read-only and configuration mode CLI terminal. This mode also allows a configuration history to be saved on the dashboard.
- Cloud configuration mode: Cloud Management with IOS XE switches on 17.15.x+ support only read-only CLI terminal.
Switches operating in device configuration mode must have an accurate local clock time.
Configuration mode requirements
The dashboard configures the required CLI terminal IOS XE configurations when devices are added to a dashboard network. Before configuration mode can launch, the dashboard verifies the following in IOS XE:
- IOS XE clock time must be in sync with the dashboard. Use NTP to ensure accurate time in IOS XE.
- Config archive log
- Telemetry subscription 10002
If the device clock time or any of these configurations are not present in IOS XE, the CLI terminal launches in read-only mode.
Early Access opt-in
To enable Cloud CLI, go to Organization > Configure > Early Access and opt in your dashboard organization. When you opt in, all Cloud Management with IOS XE switches and wireless controllers get a new Cloud CLI page added to the device page.
Step-by-step instructions
How to access the Cloud CLI terminal
-
Go to Organization > Configure > Early Access and opt in.
-
Open the device page for your Cloud Management with IOS XE switch or wireless controller.
-
For IOS XE switches, select try new version in the top right corner of the switch page if you do not see the Cloud CLI tab. The Cloud CLI experience is only available in the new version of the switch page.
-
Select the Cloud CLI tab.
-
Select launch terminal to access the terminal in the Cloud CLI page, or select detach terminal to open it in a separate browser window/tab.

Cloud Management with IOS XE devices support a maximum of 3 total CLI sessions from the dashboard, regardless of the dashboard administrator.
How to capture a session
-
Select Capture the session to output a text file that captures all terminal session output.
-
Download the session output text file directly in your browser, or download it later from the session history.

Session history updates after the CLI terminal session is disconnected or closed. Allow a few minutes for the session history table to update and for the download link to become available.
The terminal session capture logs all characters and non-printable characters, which can be interpreted differently depending on your viewer application.
Verification
Session history
Any time the Cloud CLI terminal is accessed, the session is logged in the session history log on the Cloud CLI page. The session history logs the following:
- Time (UTC): The date, day, and time in UTC when the CLI terminal started. The timestamp is in UTC to correlate it with the change timestamp in the Organization-wide change log.
- Config Archive: If you entered any configuration commands during the session, download an audit log file of the commands performed during the terminal session.
- Session Log: Select the link to download the text file of the session output.
- Status: Indicates whether the session output was enabled.
- Type: The CLI terminal mode used — configuration mode or read-only mode.
- User: The dashboard administrator username that accessed the terminal.

The session log file contains only the terminal session output. The log file name for the archive log or session output log includes a timestamp of when the session started. The config archive log contains timestamps for each configuration command entered, but not the username. Refer to the session history table or Organization change log for the administrator who performed the configuration commands.
Configuration archive logging
Configuration archive logging applies only to configuration mode CLI terminal. Configuration mode CLI is only available for switches with device configuration.
For accurate archive log timestamps, ensure the IOS XE system time is accurate. Use NTP to keep clock time in sync.
The dashboard tracks changes in IOS XE with archive config logging and collects IOS XE syslog %PARSER-5-CFGLOG_LOGGEDCMD events to audit the changes made by the dashboard administrator. You can view the changes in the CLI session history and in the Organization change log. To view the changes in the change log, go to Organization > Monitor > Change Log.

In addition to logging configuration commands in the Organization change log, a log file of all configuration commands performed during a session is available to download from the session history table.

Config archive file downloads or change log entries appear only if configuration commands were performed during the terminal session.
Troubleshooting
Terminal connection errors
If the dashboard cannot establish a terminal session, it displays the error: "Unable to establish a terminal connection. Please make sure the device is online, or contact support for assistance." Confirm the device is online, or contact support for assistance.
Terminal launches in read-only mode unexpectedly
If the device clock time or the required configurations (config archive log, telemetry subscription 10002) are not present in IOS XE, the CLI terminal launches in read-only mode instead of configuration mode. Verify IOS XE time sync and required configurations.
Delay logging early configuration commands
Early Access users can experience a short delay logging configuration commands entered within 30 seconds of the initial terminal launch. Wait up to 30 seconds after launching the terminal before performing configuration commands.
Archive logging on switch stacks
Configuration archive logging for the CLI terminal on Catalyst switch stacks is not yet available for Early Access.
Archive logs not being collected
For archive logging to work, IOS XE must have accurate time. If archive logs are not being collected, ensure the IOS XE clock is accurate. Ideally, the customer has enabled NTP.
Configuration sync alerts
The dashboard provisions the required configurations. If a customer removes them, the dashboard provides a configuration sync alert to notify the customer and allow them to re-apply the configurations. The Cloud CLI window displays if the device is not in compliance.
Suppress archive log from IOS XE logging buffer
To remove %PARSER-5-CFGLOG_LOGGEDCMD events from your IOS XE buffer log and prevent over-saturation, configure a logging discriminator to drop these events from the buffer log. The dashboard can still collect these events.
logging discriminator config_arch_drop mnemonics drops CFGLOG_LOGGEDCMD logging buffered discriminator config_arch_drop
Device configuration mode IOS XE configurations
Cloud-native IOS XE devices in device configuration mode will be configured with the following IOS XE CLI configurations to support the cloud CLI terminal.
username meraki-cli-rw privilege 15 view MERAKI-CONFIG
username meraki-cli-ro view MERAKI-MONITOR
ip ssh pubkey-chain
username meraki-cli-ro
key-hash ssh-rsa
username meraki-cli-rw
key-hash ssh-rsa
parser view MERAKI-CONFIG inclusive
...
parser view MERAKI-MONITOR
...
archive
log config
logging enable
notify syslog contenttype xml
telemetry ietf subscription 10002
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/syslog_msg
receiver-type pullmode
stream native
update-policy on-change
receiver name meraki_syslog_msg
event manager applet MERAKI_SHOW_RUN_EXEC
...

