Cisco Meraki Documentation

Cloud CLI for Cloud-Native IOS XE

Note: Cloud CLI is an Early Access feature for cloud-native IOS XE devices. To enable Cloud CLI, go to Organization > Configure > Early Access and opt in your dashboard organization.

Cloud CLI terminal

The cloud CLI is a fully interactive CLI terminal hosted in the Meraki dashboard for your cloud-native IOS XE Catalyst switches and wireless controllers. When you launch the cloud CLI terminal, dashboard initiates a secure, direct terminal session inside the Meraki Tunnel to your Catalyst device. Once connected, you have the same terminal CLI experience you would have if you opened your own direct VTY session.

Cloud CLI requirements

  • Cloud CLI terminal is only supported on cloud-native IOS XE switches and wireless controllers
  • Supported models and IOS XE versions:
    • Catalyst 9200 and 9300 series switches with IOS XE 17.15.3
    • Catalyst 9800 wireless controllers with IOS XE 17.15.1 and higher
  • Cloud-native IOS XE dashboard operating mode support:
    • Hybrid operating mode
      • Cloud-native IOS XE devices on 17.15 support both Read-only and Configuration mode CLI terminal
    • Cloud operating mode
      • Cloud-native IOS XE switches on 17.15 support ONLY Read-only CLI terminal
  • Hybrid operating mode: clock time must be accurate (see Configuration mode requirements)

How to access cloud CLI terminal

When you opt in to Early Access, all cloud-native IOS XE switches and wireless controllers will have a new Cloud CLI page added to the device page.

Note: For cloud-native IOS XE switches, the Cloud CLI experience can only be used in the new version of the switch page. If you do not see the Cloud CLI tab, select try new version in the top right corner of the switch page.

Select the Cloud CLI tab. Select launch terminal to access the terminal in the cloud CLI page or detach terminal to open in a separate browser window/tab.

This image displays the CLI Terminal page.

Cloud-native IOS XE devices can have a maximum of 3 total CLI sessions from dashboard, regardless of dashboard administrator. If dashboard cannot establish a terminal session, it will return the error "Unable to establish a terminal connection. Please make sure the device is online, or contact support for assistance."

Session Capture

Select Capture the session to write all the terminal session output to a text file that can be downloaded directly in your browser.

You can download the session output text file from the session history. Session history will update after the CLI terminal session is disconnected/closed. Please allow a few minutes for the session history table to update and for the download link to become available. 

This image displays the Session History.

Note: The terminal session capture logs all characters, including non-printable characters, which can be interpreted differently depending on your viewer application.

CLI terminal modes

When you launch the CLI terminal, your access permissions are determined by your dashboard administrator authorization level. Depending on your dashboard administrator access, the CLI terminal will launch in one of two modes.

Read-only mode

Cloud CLI terminal read-only mode provides administrators with the IOS XE User Exec view, with the ability to run most IOS XE show commands as well as ping and traceroute.

This image displays the Cloud CLI terminal read-only mode.

Read-only mode permissions 

Dashboard administrators with the following roles/access will be in read-only mode when launching the CLI terminal:

  • Observer/read-only: Organization scope
  • Observer/read-only: Network scope

Read-only mode restrictions
  • Dashboard administrators cannot enter privileged Exec (enable) mode
  • Dashboard administrators cannot enter Configuration commands mode 
  • Dashboard administrators cannot download session logs from configuration mode sessions
  • SSH or telnet to other LAN devices from the CLI terminal is not permitted
  • To ensure a low-latency experience for the live interactive CLI terminal, the following show commands are excluded. In the future, we will provide administrators the capability to download these command outputs directly to a log file from dashboard:
    • Show memory
    • Show tech-support

Note: Cloud operating mode IOS XE switches ONLY support read-only mode CLI terminal

Configuration mode

Cloud CLI terminal configuration mode provides administrators with the IOS XE Privileged Exec view, with the ability to run most IOS XE configuration commands.

This image displays Cloud CLI terminal configuration mode.

Configuration mode permissions 

Dashboard administrators with the following roles/access will be in configuration mode when launching the CLI terminal:

  • Full Access: Organization scope
  • Full Access: Network scope

Additionally, before Full Access role administrators can launch the CLI terminal in configuration mode, they must re-authenticate with their dashboard password when launching the terminal.

This image displays Verify password. To access CLI terminal in configuration mode, re-enter your dashboard password.

 

Note: Dashboard administrators authenticated with external authentication via SAML integration will not have to re-authenticate.

Configuration mode requirements 
  • Dashboard will configure the required CLI terminal IOS XE configurations when devices are added to a dashboard network
  • Before configuration mode CLI terminal can be launched in dashboard, dashboard will verify the following in IOS XE:
    • IOS XE clock time must be in sync with dashboard. Using NTP is recommended to ensure accurate time in IOS XE.
    • Config archive log
    • Telemetry subscription 10002

Note: If the device clock time is not in sync or any of these configurations is not present in IOS XE, the CLI terminal will be launched in read-only mode.

Configuration mode restrictions
  • When using the cloud CLI terminal in configuration mode, to help ensure configuration command auditing, the following configurations are excluded from the cloud CLI terminal:
    • parser
    • archive
    • ntp
    • timezone
    • clock
    • guestshell
  • SSH or telnet client connections to other devices from the CLI terminal are not permitted
  • To ensure a low-latency experience for the live interactive CLI terminal, the following show commands are excluded. In the future, we will provide administrators the capability to download these command outputs directly to a log file from dashboard:
    • Show memory
    • Show tech-support

Configuration archive logging

Configuration archive logging is only applicable to CLI terminal configuration mode. Configuration mode is only available for cloud-native IOS XE switches in hybrid operating mode.

Note:

  • For accurate archive log timestamps, you must ensure the IOS XE system time is accurate. Please ensure your clock time is in sync by using NTP.
  • Early access users can experience a short delay for logging configuration commands entered within 30 seconds of the initial launch of the terminal. While our teams work to address this delay, please wait up to 30 seconds after launching the terminal before performing configuration commands.
  • Configuration archive logging for CLI terminal on Catalyst switch stacks is not available yet for Early Access.

Dashboard changes are tracked in IOS XE with archive config logging and dashboard will collect IOS XE syslog %PARSER-5-CFGLOG_LOGGEDCMD events to audit the changes made by the dashboard administrator. The changes can be viewed in the CLI session history (see below) as well as in the Organization change log. To view the changes in the change log, navigate to Organization > Monitor > Change Log.

This image displays the Change Log.

This image displays the cloud CLI Configuration Terminal.

In addition to logging configuration commands in the Organization change log, a log file of all configuration commands performed during a session is available to download from the session history table.

This image displays the Session History.

Note: Config archive file download or change log entries will only appear if configuration commands have been performed during the terminal session.

Session history

Any time the cloud CLI terminal is accessed, the session will be logged in the session history log on the Cloud CLI page. The session history will log the following:    

  • Time (UTC): The date, day and time in UTC when the CLI terminal was started.
    • Session timestamp is in UTC in order to ensure it is correlated to the change timestamp in the Organization-wide change log.
  • User: The dashboard administrator username that accessed the terminal
  • Type: The CLI terminal mode that was used: configuration mode or read-only mode.
  • Status: Indicates if the session output was enabled.
  • Session Log: Click the link to download the text file of the session output.
  • Config Archive: If any configuration commands were entered during the session, you can download an audit log file of the commands that were performed during the terminal session.

Note: The session log file only contains the terminal session output. The log file name for the archive log or session output log will include a timestamp of when the session was started. The config archive log will contain timestamps for each configuration command entered but not the username. Refer to the session history table or the Organization change log for the dashboard administrator that performed the configuration commands.

Hybrid mode IOS XE configurations

Cloud-native IOS XE devices in hybrid operating mode will be configured with the following IOS XE CLI configurations to support the cloud CLI terminal.

 

username meraki-cli-rw privilege 15 view MERAKI-CONFIG
username meraki-cli-ro view MERAKI-MONITOR

ip ssh pubkey-chain
 username meraki-cli-ro
  key-hash ssh-rsa
 username meraki-cli-rw
  key-hash ssh-rsa

parser view MERAKI-CONFIG inclusive
 ...
parser view MERAKI-MONITOR
 ...

archive
 log config
  logging enable
  notify syslog contenttype xml

 

telemetry ietf subscription 10002
 encoding encode-tdl
 filter tdl-uri /services;serviceName=iosevent/syslog_msg
 receiver-type pullmode
 stream native
 update-policy on-change
 receiver name meraki_syslog_msg
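
An added example, not Cisco's or Meraki's code: a Python check that parses a saved running-config and reports which of the configuration lines listed above are missing, since the terminal falls back to read-only mode when the archive log or telemetry subscription 10002 is absent. The sample config, the NTP server address and the function names are constructed for illustration, and the presence of an `ntp server`/`ntp peer` line is only a proxy for the clock-sync requirement.

```python
import re

# Constructed sample: a running-config excerpt built from the lines listed on
# this page, with "logging enable" deliberately left out of the archive stanza.
SAMPLE_CONFIG = """\
username meraki-cli-rw privilege 15 view MERAKI-CONFIG
username meraki-cli-ro view MERAKI-MONITOR
archive
 log config
  notify syslog contenttype xml
telemetry ietf subscription 10002
 encoding encode-tdl
 filter tdl-uri /services;serviceName=iosevent/syslog_msg
 receiver name meraki_syslog_msg
ntp server 192.0.2.10
"""

# Each required line is written as its full parent path, as in the page's listing.
TELEMETRY = "telemetry ietf subscription 10002"
REQUIRED = [
    ("username meraki-cli-rw privilege 15 view MERAKI-CONFIG",),
    ("username meraki-cli-ro view MERAKI-MONITOR",),
    ("archive", "log config", "logging enable"),
    ("archive", "log config", "notify syslog contenttype xml"),
    (TELEMETRY, "filter tdl-uri /services;serviceName=iosevent/syslog_msg"),
    (TELEMETRY, "receiver name meraki_syslog_msg"),
]

def config_paths(text):
    """Turn indentation-nested IOS XE config into a set of parent-path tuples."""
    paths, stack = set(), []  # stack holds (indent, line) for each open parent
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close stanzas at the same or deeper indentation
        stack.append((indent, line))
        paths.add(tuple(l for _, l in stack))
    return paths

def audit(text):
    """Return (missing required paths, whether a top-level NTP source exists)."""
    present = config_paths(text)
    missing = [" / ".join(p) for p in REQUIRED if p not in present]
    has_ntp = any(len(p) == 1 and re.match(r"ntp (server|peer) ", p[0]) for p in present)
    return missing, has_ntp
```

Run `audit()` against the output of `show running-config` saved to a file; a non-empty `missing` list points at the stanza to restore before expecting configuration mode.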

 

 

Suppress archive log from IOS XE logging buffer

If you want to remove %PARSER-5-CFGLOG_LOGGEDCMD events from your IOS XE buffer log to prevent oversaturation from these events, you can configure a logging discriminator to drop these events from the buffer log. Dashboard will still be able to collect these events.

 

logging discriminator config_arch_drop mnemonics drops CFGLOG_LOGGEDCMD
logging buffered discriminator config_arch_drop

 
