Skip to main content

 

Cisco Meraki Documentation

How to Use Cloud CLI for Cloud-Managed IOS XE Devices

Overview 

This article explains how to enable, access, and use Cloud CLI, an Early Access feature for Cloud Management with IOS XE devices. 

Cloud CLI is an Early Access feature for Cloud Management with IOS XE devices. To enable Cloud CLI, go to Organization > Configure > Early Access and opt in your dashboard organization. 

Cloud CLI is a fully interactive CLI terminal hosted in the Meraki dashboard for your Cloud Management with IOS XE Catalyst switches and wireless controllers. When you launch the Cloud CLI terminal, the dashboard initiates a secure direct terminal session inside the Meraki Tunnel to your Catalyst device. Once connected, you get the same terminal CLI experience you would have if you opened your own direct VTY session. 

CLI terminal modes 

When you launch the CLI terminal, your dashboard administrator authorization level determines your access permissions. The CLI terminal launches in one of two modes. 

Cloud CLI organization access mode 

By default, the Cloud CLI launches in read-only access mode for your Meraki dashboard organization. In this mode, the Cloud CLI terminal supports only read-only access for troubleshooting and show commands. 

To enable configuration mode, go to Organization > Settings > Cloud-native IOS-XE Cloud CLI. 

If you do not want dashboard full-access administrators to re-authenticate when accessing Cloud CLI configuration mode, disable Require authentication. 

clipboard_e9e9234530dcb258c2527f4ea635bff79.png

Read-only mode 

Read-only mode provides administrators with the IOS XE User Exec view. In this view, you can run most IOS XE show commands, as well as ping and traceroute. 

This image displays the Cloud CLI terminal read-only mode. It provides administrators with IOS XE User Exec view, with the ability to run most IOS XE show commands as well as ping and traceroute.

Read-only mode permissions 

Dashboard administrators with the following roles/access launch the CLI terminal in read-only mode: 

  • Observer/read-only: Organization scope 
  • Observer/read-only: Network scope 
Read-only mode restrictions 
  • Administrators cannot enter privileged Exec (enable) mode. 
  • Administrators cannot enter configuration commands mode. 
  • Administrators cannot download session logs from configuration mode sessions. 
  • SSH or telnet to other LAN devices from the CLI terminal is not permitted. 
  • Cloud operating mode IOS XE switches support only read-only mode CLI terminal. 

To ensure a low-latency experience for the live interactive CLI terminal, the following show commands are excluded. In the future, administrators will be able to download these command outputs directly to a log file from the dashboard: 

  • show memory 
  • show tech-support 

Configuration mode 

Configuration mode provides administrators with the IOS XE Privileged Exec view. In this view, you can run most IOS XE configuration commands. 

Configuration mode permissions 

Dashboard administrators with the following roles/access launch the CLI terminal in configuration mode: 

  • Full Access: Organization scope 
  • Full Access: Network scope 

Before Full Access administrators can launch the CLI terminal in configuration mode, they must re-authenticate their dashboard password when launching the terminal. Administrators authenticated through external authentication via SAML integration do not have to re-authenticate. 

Configuration mode restrictions 

To help ensure configuration command auditing, the following configurations are excluded from the configuration mode CLI terminal: 

  • parser 
  • archive 
  • ntp 
  • timezone 
  • clock 
  • guestshell 

SSH or telnet client connections to other devices from the CLI terminal is not permitted. 

To ensure a low-latency experience, the following show commands are excluded. In the future, administrators will be able to download these command outputs directly to a log file from the dashboard: 

  • show memory 
  • show tech-support 

Prerequisites 

The Cloud CLI terminal is supported only on cloud-managed IOS XE switches and wireless controllers. Confirm the following before you begin. 

Supported models and IOS XE versions 

  • Catalyst 9000 series switches on Cloud Management with IOS XE 17.15.3+ 
  • Catalyst 9800 wireless controllers with IOS XE 17.15.1 and higher 

Conversion and migration requirements 

Dashboard operating mode support 

  • Device configuration mode: Cloud Management with IOS XE devices on 17.15.x support both read-only and configuration mode CLI terminal. This mode also allows a configuration history to be saved on the dashboard. 
  • Cloud configuration mode: Cloud Management with IOS XE switches on 17.15.x+ support only read-only CLI terminal. 

Switches operating in device configuration mode must have an accurate local clock time. 

Configuration mode requirements 

The dashboard configures the required CLI terminal IOS XE configurations when devices are added to a dashboard network. Before configuration mode can launch, the dashboard verifies the following in IOS XE: 

  • IOS XE clock time must be in sync with the dashboard. Use NTP to ensure accurate time in IOS XE. 
  • Config archive log 
  • Telemetry subscription 10002 

If the device clock time or any of these configurations are not present in IOS XE, the CLI terminal launches in read-only mode. 

Early Access opt-in 

To enable Cloud CLI, go to Organization > Configure > Early Access and opt in your dashboard organization. When you opt in, all Cloud Management with IOS XE switches and wireless controllers get a new Cloud CLI page added to the device page. 

Step-by-step instructions 

How to access the Cloud CLI terminal 

  1. Go to Organization > Configure > Early Access and opt in. 

  1. Open the device page for your Cloud Management with IOS XE switch or wireless controller. 

  1. For IOS XE switches, select try new version in the top right corner of the switch page if you do not see the Cloud CLI tab. The Cloud CLI experience is only available in the new version of the switch page. 

  1. Select the Cloud CLI tab. 

  1. Select launch terminal to access the terminal in the Cloud CLI page, or select detach terminal to open it in a separate browser window/tab. 

This image displays the CLI Terminal page.

Cloud Management with IOS XE devices support a maximum of 3 total CLI sessions from the dashboard, regardless of the dashboard administrator. 

How to capture a session 

  1. Select Capture the session to output a text file that captures all terminal session output. 

  1. Download the session output text file directly in your browser, or download it later from the session history. 

This image displays the Session History. Session history will update after the CLI terminal session is disconnected.

Session history updates after the CLI terminal session is disconnected or closed. Allow a few minutes for the session history table to update and for the download link to become available. 

The terminal session capture logs all characters and non-printable characters, which can be interpreted differently depending on your viewer application. 

Verification 

Session history 

Any time the Cloud CLI terminal is accessed, the session is logged in the session history log on the Cloud CLI page. The session history logs the following: 

  • Time (UTC): The date, day, and time in UTC when the CLI terminal started. The timestamp is in UTC to correlate it with the change timestamp in the Organization-wide change log. 
  • Config Archive: If you entered any configuration commands during the session, download an audit log file of the commands performed during the terminal session. 
  • Session Log: Select the link to download the text file of the session output. 
  • Status: Indicates whether the session output was enabled. 
  • Type: The CLI terminal mode used — configuration mode or read-only mode. 
  • User: The dashboard administrator username that accessed the terminal. 

This image displays the Session History. In addition to logging configuration commands in the Organization change log, a log file of all configuration commands performed during a session are available to download from the session history table.

The session log file contains only the terminal session output. The log file name for the archive log or session output log includes a timestamp of when the session started. The config archive log contains timestamps for each configuration command entered, but not the username. Refer to the session history table or Organization change log for the administrator who performed the configuration commands. 

Configuration archive logging 

Configuration archive logging applies only to configuration mode CLI terminal. Configuration mode CLI is only available for switches with device configuration. 

For accurate archive log timestamps, ensure the IOS XE system time is accurate. Use NTP to keep clock time in sync. 

The dashboard tracks changes in IOS XE with archive config logging and collects IOS XE syslog %PARSER-5-CFGLOG_LOGGEDCMD events to audit the changes made by the dashboard administrator. You can view the changes in the CLI session history and in the Organization change log. To view the changes in the change log, go to Organization > Monitor > Change Log. 

This image displays the Change Log. The changes can be viewed in the CLI session history.

In addition to logging configuration commands in the Organization change log, a log file of all configuration commands performed during a session is available to download from the session history table. 

This image displays the cloud CLI Configuration Terminal.

Config archive file downloads or change log entries appear only if configuration commands were performed during the terminal session. 

Troubleshooting 

Terminal connection errors 

If the dashboard cannot establish a terminal session, it displays the error: "Unable to establish a terminal connection. Please make sure the device is online, or contact support for assistance." Confirm the device is online, or contact support for assistance. 

Terminal launches in read-only mode unexpectedly 

If the device clock time or the required configurations (config archive log, telemetry subscription 10002) are not present in IOS XE, the CLI terminal launches in read-only mode instead of configuration mode. Verify IOS XE time sync and required configurations.

Delay logging early configuration commands 

Early Access users can experience a short delay logging configuration commands entered within 30 seconds of the initial terminal launch. Wait up to 30 seconds after launching the terminal before performing configuration commands. 

Archive logging on switch stacks 

Configuration archive logging for the CLI terminal on Catalyst switch stacks is not yet available for Early Access. 

Archive logs not being collected 

For archive logging to work, IOS XE must have accurate time. If archive logs are not being collected, ensure the IOS XE clock is accurate. Ideally, the customer has enabled NTP. 

Configuration sync alerts 

The dashboard provisions the required configurations. If a customer removes them, the dashboard provides a configuration sync alert to notify the customer and allow them to re-apply the configurations. The Cloud CLI window displays if the device is not in compliance. 

Suppress archive log from IOS XE logging buffer 

To remove %PARSER-5-CFGLOG_LOGGEDCMD events from your IOS XE buffer log and prevent over-saturation, configure a logging discriminator to drop these events from the buffer log. The dashboard can still collect these events. 

logging discriminator config_arch_drop mnemonics drops CFGLOG_LOGGEDCMD logging buffered discriminator config_arch_drop

Device configuration mode IOS XE configurations

Cloud-native IOS XE devices in device configuration mode will be configured with the following IOS XE CLI configurations to support the cloud CLI terminal.

username meraki-cli-rw privilege 15 view MERAKI-CONFIG

username meraki-cli-ro view MERAKI-MONITOR

ip ssh pubkey-chain

 username meraki-cli-ro

  key-hash ssh-rsa

 username meraki-cli-rw

  key-hash ssh-rsa

parser view MERAKI-CONFIG inclusive

 ... 

parser view MERAKI-MONITOR

...

archive

 log config

  logging enable

  notify syslog contenttype xml

telemetry ietf subscription 10002
 encoding encode-tdl
 filter tdl-uri /services;serviceName=iosevent/syslog_msg
 receiver-type pullmode
 stream native
 update-policy on-change
 receiver name meraki_syslog_msg

 

event manager applet MERAKI_SHOW_RUN_EXEC

...