Hybrid Operating Mode Switches Configuration
The following configuration is an example of what will be added/updated on a switch enabled for hybrid mode. The exact configuration on your switch may vary from this example based on pre-existing configuration in IOS XE or additional features that have been enabled for hybrid mode.
AAA
aaa authentication login MERAKI local
aaa authorization exec MERAKI local
yang-interfaces aaa authorization method-list MERAKI
Only applied if Local method is not first in aaa authorization exec
username meraki-user privilege 15 secret 9 <unique random password>
username meraki-tdluser privilege 1 secret 9 <unique random password>
Netflow for Traffic Analytics
Only applied for devices with DNA Advantage license enabled.
Global
flow record MERAKI_TA1_V4_IN
description meraki_ta1_ingress
match application name
match interface input
match ipv4 source address
collect counter bytes long
collect counter packets long
collect datalink mac source address input
collect flow direction
collect datalink dot1q vlan input
flow record MERAKI_TA1_V4_OUT
description meraki_ta1_egress
match application name
match interface output
match ipv4 destination address
collect counter bytes long
collect counter packets long
collect datalink mac destination address output
collect flow direction
collect datalink dot1q vlan output
flow monitor MERAKI_TA1_V4_IN
exporter MERAKI_TA1
cache timeout inactive 300
cache timeout active 300
record MERAKI_TA1_V4_IN
flow monitor MERAKI_TA1_V4_OUT
exporter MERAKI_TA1
cache timeout inactive 300
cache timeout active 300
record MERAKI_TA1_V4_OUT
flow exporter MERAKI_TA1
destination local file-export default
export-protocol ipfix
option interface-table timeout 300
Interface
Interface GigabitEthernet1/0/X
ip flow monitor MERAKI_TA1_V4_IN input
ip flow monitor MERAKI_TA1_V4_OUT output
Access Control Lists
ip access-list standard MERAKI_MGMT_IP_IN
20 deny any
ip access-list extended MERAKI_MGMT_IP_OUT
20 deny tcp any any
ipv6 access-list MERAKI_MGMT_IPV6_IN
sequence 10 permit tcp FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64 eq 2222
sequence 20 deny tcp any any
ipv6 access-list MERAKI_MGMT_IPV6_OUT
sequence 20 deny tcp any any
SNMP and Logging
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
logging history informational
logging snmp-trap errors
logging snmp-trap warnings
snmp-server enable traps syslog
snmp-server host FD0A:9B09:1F7:1:5B96:4C42:893E:6DFC version 2c MERAKI_TRAP_COMMUNITY udp-port 10062
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
IPv6 Route
ipv6 route FD0A:9B09:1F7:1::/64 Null0 2
HTTP Secure Server
ip http secure-server
ip http authentication local
VTY
vty 32 35
access-class MERAKI_MGMT_IP_IN in
access-class MERAKI_MGMT_IP_OUT out
no motd-banner
ipv6 access-class MERAKI_MGMT_IPV6_IN in
ipv6 access-class MERAKI_MGMT_IPV6_OUT out
authorization exec MERAKI
login authentication MERAKI
rotary 55
transport input ssh
Netconf
netconf-yang
SSH
ip ssh version 2
ip ssh server algorithm authentication publickey password keyboard
ip ssh port 2222 rotary 55
ip ssh pubkey-chain username meraki-user key-hash {KEY_HASH}
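A defender's check for the management-plane lockdown listed under Access Control Lists, VTY and SSH above, as an added example that is not part of the vendor's documentation: it parses running-config text and reports which of those restrictions are missing from vty 32 35. The sample config is constructed from the commands on this page, and the names REQUIRED_VTY, blocks and audit are assumptions of this example.

```python
import re
# Constructed sample: this page's commands, indented as "show running-config" prints them.
SAMPLE = """\
ip ssh port 2222 rotary 55
ipv6 access-list MERAKI_MGMT_IPV6_IN
 sequence 10 permit tcp FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64 eq 2222
 sequence 20 deny tcp any any
line vty 32 35
 access-class MERAKI_MGMT_IP_IN in
 access-class MERAKI_MGMT_IP_OUT out
 ipv6 access-class MERAKI_MGMT_IPV6_IN in
 ipv6 access-class MERAKI_MGMT_IPV6_OUT out
 login authentication MERAKI
 rotary 55
 transport input ssh
"""

REQUIRED_VTY = ("access-class MERAKI_MGMT_IP_IN in", "access-class MERAKI_MGMT_IP_OUT out",
                "ipv6 access-class MERAKI_MGMT_IPV6_IN in",
                "ipv6 access-class MERAKI_MGMT_IPV6_OUT out",
                "login authentication MERAKI", "transport input ssh")

def blocks(config):
    """Map each top-level command to the list of its indented sub-commands."""
    out, current = {}, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            current.append(line.strip())
        else:
            current = out.setdefault(line.strip(), [])
    return out

def audit(config):
    """Return findings; an empty list means the vty 32-35 lockdown matches the page."""
    cfg = blocks(config)
    vty = cfg.get("line vty 32 35", [])  # absent block: every requirement is reported
    findings = ["missing on vty: " + c for c in REQUIRED_VTY if c not in vty]
    # The rotary group is what ties these lines to the dedicated SSH port.
    rotaries = re.findall(r"^ip ssh port \d+ rotary (\d+)$", config, re.M)
    if not any("rotary " + r in vty for r in rotaries):
        findings.append("vty rotary does not match an 'ip ssh port' rotary group")
    # The inbound IPv6 ACL must end in a deny so only the permit entry gets through.
    acl = cfg.get("ipv6 access-list MERAKI_MGMT_IPV6_IN", [])
    if not acl or not acl[-1].endswith("deny tcp any any"):
        findings.append("MERAKI_MGMT_IPV6_IN does not end in 'deny tcp any any'")
    return findings
```

Run `audit()` on saved `show running-config` output; each returned string names one restriction that has drifted from the configuration listed here.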
LLDP
lldp run
Device Classification
Global
device classifier
device-tracking policy MERAKI_POLICY
security-level glean
tracking enable
Interface
interface TenGigabitEthernet1/0/1
device-tracking attach-policy MERAKI_POLICY