
Cisco Meraki Documentation

Cloud Management with Device Configuration Required Modifications

The following lines from the IOS running configuration are examples of what will be added/updated on a switch enabled for cloud management with device configuration. The exact configuration on your switch may vary from this example based on pre-existing configuration in IOS XE or additional features that have been enabled for cloud management.

All changes to configuration made by Dashboard will be logged in Organization > Monitor > Change Log and associated with the default administrator for the Dashboard organization.

 

AAA

aaa authentication login MERAKI local

aaa authorization exec MERAKI local

yang-interfaces aaa authorization method-list MERAKI

Only applied if the local method is not first in aaa authorization exec.

username meraki-user privilege 15 secret 9 <unique random password>
username meraki-tdluser privilege 1 secret 9 <unique random password>

 

Netflow for Traffic Analytics

Only applied for devices with DNA Advantage license enabled.

 

Global

flow record MERAKI_TA1_V4_IN
 description meraki_ta1_ingress
 match application name
 match interface input
 match ipv4 source address
 collect counter bytes long
 collect counter packets long
 collect datalink mac source address input
 collect flow direction
 collect datalink dot1q vlan input

flow record MERAKI_TA1_V4_OUT
 description meraki_ta1_egress
 match application name
 match interface output
 match ipv4 destination address
 collect counter bytes long
 collect counter packets long
 collect datalink mac destination address output
 collect flow direction
 collect datalink dot1q vlan output

flow monitor MERAKI_TA1_V4_IN
 exporter MERAKI_TA1
 cache timeout inactive 300
 cache timeout active 300
 record MERAKI_TA1_V4_IN

flow monitor MERAKI_TA1_V4_OUT
 exporter MERAKI_TA1
 cache timeout inactive 300
 cache timeout active 300
 record MERAKI_TA1_V4_OUT

flow exporter MERAKI_TA1
 destination local file-export default
 export-protocol ipfix
 option interface-table timeout 300

 

Interface

interface GigabitEthernet1/0/X
 ip flow monitor MERAKI_TA1_V4_IN input
 ip flow monitor MERAKI_TA1_V4_OUT output

The MERAKI_TA flow monitor will not be attached to interfaces that have existing flow monitor configurations.

Access Control Lists

ip access-list standard MERAKI_MGMT_IP_IN
 20 deny any

ip access-list extended MERAKI_MGMT_IP_OUT
 20 deny tcp any any

ipv6 access-list MERAKI_MGMT_IPV6_IN
 sequence 10 permit tcp FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64 eq 2222
 sequence 20 deny tcp any any

ipv6 access-list MERAKI_MGMT_IPV6_OUT
 sequence 20 deny tcp any any

 

SNMP and Logging

snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
logging history informational
logging snmp-trap errors
logging snmp-trap warnings
snmp-server enable traps syslog
snmp-server host FD0A:9B09:1F7:1:5B96:4C42:893E:6DFC version 2c MERAKI_TRAP_COMMUNITY udp-port 10062
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical

 

IPv6 Route

ipv6 route FD0A:9B09:1F7:1::/64 Null0 2

 

HTTP Secure Server

ip http secure-server
ip http authentication local

 

VTY

vty 32 35
 access-class MERAKI_MGMT_IP_IN in
 access-class MERAKI_MGMT_IP_OUT out
 no motd-banner
 ipv6 access-class MERAKI_MGMT_IPV6_IN in
 ipv6 access-class MERAKI_MGMT_IPV6_OUT out
 authorization exec MERAKI
 login authentication MERAKI
 rotary 55
 transport input ssh

 

Netconf

netconf-yang

 

SSH

ip ssh version 2
ip ssh server algorithm authentication publickey password keyboard
ip ssh port 2222 rotary 55

ip ssh pubkey-chain
 username meraki-user
  key-hash {KEY_HASH}

 

LLDP

lldp run

 

Device Classification

Global

device classifier

device-tracking policy MERAKI_POLICY
 security-level glean
 tracking enable

Interface

interface TenGigabitEthernet1/0/1
 device-tracking attach-policy MERAKI_POLICY

NetFlow

Cisco Meraki Dashboard will apply the following ip flow monitor configuration on interfaces, based on their role in the network.

flow monitor MERAKI_TA1_NO_AVC_V4_IN
 <flow monitor configuration>
!
flow monitor MERAKI_TA1_NO_AVC_V4_OUT
 <flow monitor configuration>
!
flow monitor MERAKI_TA1_V4_IN
 <flow monitor configuration>
!
flow monitor MERAKI_TA1_V4_OUT
 <flow monitor configuration>
!
flow monitor MERAKI_TA2_IPV4
 <flow monitor configuration>

Device Tracking

Cisco Meraki Dashboard will apply the following device tracking policies on interfaces, based on their role in the network.
Further detail on device tracking can be found in Client-Tracking in IOS-XE.

device-tracking policy MERAKI_ACCESS_TRACK
 limit address-count 1000
 security-level glean
 tracking enable

device-tracking policy MERAKI_NO_TRACK
 trusted-port
 security-level glean
 no protocol ndp
 no protocol dhcp6
 no protocol arp
 no protocol dhcp4

device-tracking policy MERAKI_TRUNK_TRACK
 limit address-count 32000
 security-level glean
 

Offboarding/Removal from Dashboard

When removing a switch from Dashboard, EEM scripts will be executed on the switch to remove the applied configuration.

EEM scripts are dynamically generated based on the specific configuration on your device. The scripts below are examples of what will be executed.

In order to maintain device connectivity while the scripts are processing, VTY line configurations are not removed automatically. After offboarding, the VTY configuration can be removed with no line vty [x] [y]. The exact line numbers will vary, but the range always covers four lines in total. Those lines will contain configuration similar to:

line vty <start> <end>
 login authentication MERAKI
 authorization exec MERAKI
 rotary 55
 no motd-banner
 transport input ssh
 access-class MERAKI_MGMT_IP_IN in
 access-class MERAKI_MGMT_IP_OUT out
 ipv6 access-class MERAKI_MGMT_IPV6_IN in
 ipv6 access-class MERAKI_MGMT_IPV6_OUT out

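As an added check (example code, not Cisco's or Meraki's own tooling), the following script parses the line vty blocks of a saved running-config, reports which of the lines listed in the VTY section are missing from the Meraki range, and generates the no line vty cleanup commands for any Meraki block that remains after offboarding. The embedded sample configuration is constructed for the example.

```python
"""Added example (not Meraki's tooling): audit IOS XE 'line vty' blocks for the Meraki
access-control lines this page lists, and emit cleanup for blocks left after offboarding."""
import re
EXPECTED_VTY = {  # lines this page shows under the Meraki VTY range
    "login authentication MERAKI", "authorization exec MERAKI",
    "rotary 55", "transport input ssh",
    "access-class MERAKI_MGMT_IP_IN in", "access-class MERAKI_MGMT_IP_OUT out",
    "ipv6 access-class MERAKI_MGMT_IPV6_IN in", "ipv6 access-class MERAKI_MGMT_IPV6_OUT out"}

def parse_vty_blocks(config):
    """Map (start, end) -> child lines; IOS XE indents children by one space."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+) (\d+)\s*$", raw)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:  # an unindented line such as '!' ends the block
            current = None
    return blocks

def meraki_vty_blocks(config):
    """Only the blocks that reference MERAKI: the management range, or leftovers."""
    return {rng: lines for rng, lines in parse_vty_blocks(config).items()
            if any("MERAKI" in line for line in lines)}

def missing_hardening(config):
    """Expected lines absent from each Meraki VTY block; {} means fully applied."""
    return {rng: sorted(EXPECTED_VTY - set(lines))
            for rng, lines in meraki_vty_blocks(config).items()
            if not EXPECTED_VTY <= set(lines)}

def offboard_cleanup(config):
    """'no line vty <start> <end>' for each Meraki block the EEM scripts leave behind."""
    return [f"no line vty {s} {e}" for (s, e) in sorted(meraki_vty_blocks(config))]
# Constructed sample: the Meraki range lacks both outbound access-classes.
SAMPLE_CONFIG = """\
line vty 0 4
 transport input ssh
line vty 32 35
 login authentication MERAKI
 authorization exec MERAKI
 rotary 55
 transport input ssh
 access-class MERAKI_MGMT_IP_IN in
 ipv6 access-class MERAKI_MGMT_IPV6_IN in
!
"""
```

Run missing_hardening against a config captured before offboarding to confirm both directions of the management ACLs are attached, and offboard_cleanup against one captured afterwards to get the exact no line vty command for that switch.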
Example MERAKI-DASHBOARD-CLEANUP EEM script
event manager applet MERAKI-DASHBOARD-CLEANUP authorization bypass
 event timer watchdog time 10 maxrun 600
 action 000A cli command "enable"
 action 000B cli command "show event manager policy active | s MERAKI-DASHBOARD-CLEANUP"
 action 000C string match "*MERAKI-DASHBOARD-CLEANUP*MERAKI-DASHBOARD-CLEANUP*" "$_cli_result"
 action 000D if $_string_result eq "1"
 action 000E  exit 0
 action 000F end
 action 002A cli command "show event manager statistics policy | i MERAKI-DASHBOARD-CLEANUP"
 action 002B regexp ".*applet\s+([0-9]+)\s+.*" "$_cli_result" _match _run_times
 action 002C if $_regexp_result eq "1"
 action 002D  if $_run_times gt "60" goto 1000
 action 002E end
 action 0040 string replace "$_string_result" 0 0 "!Start running%config terminal lock !retry_regex*is locked by*!%!Removing brownfield device config%no snmp-server enable traps smart-license%no snmp-server enable traps config-copy%no snmp-server  "
 action 0041 string replace "$_string_result" 196 196 "enable traps config-ctid%no snmp-server enable traps config%no telemetry ietf subscription 1030%no telemetry ietf subscription 1031%no telemetry ietf subscription 1001%no telemetry ietf subscripti "
 action 0042 string replace "$_string_result" 392 392 "on 1002%no telemetry ietf subscription 1003%no telemetry ietf subscription 1004%no telemetry ietf subscription 1007%no telemetry ietf subscription 2002%no telemetry ietf subscription 1011%no telem "
 action 0043 string replace "$_string_result" 588 588 "etry ietf subscription 1012%no telemetry ietf subscription 1013%no telemetry ietf subscription 1014%no telemetry ietf subscription 1015%no telemetry ietf subscription 1016%no telemetry ietf subscr "
 action 0044 string replace "$_string_result" 784 784 "iption 1018%no telemetry ietf subscription 1020%no telemetry ietf subscription 1021%no telemetry transform MERAKI_INTF_STATS_DELTA%no telemetry transform MERAKI_PORTCHANNEL_STATS_DELTA%no device-t "
 action 0045 string replace "$_string_result" 980 980 "racking policy MERAKI_POLICY%interface range GigabitEthernet1/0/1-36,TenGigabitEthernet1/0/37-47,TenGigabitEthernet1/1/1-4 !exit!% no ip flow monitor MERAKI_AVC_IPV4 output% no ipv6 flow monitor M "
 action 0046 string replace "$_string_result" 1176 1176 "ERAKI_AVC_IPV6 input% no ipv6 flow monitor MERAKI_AVC_IPV6 output% no ip flow monitor MERAKI_AVC_IPV4 input%exit%no flow monitor MERAKI_AVC_IPV4%no flow monitor MERAKI_AVC_IPV6%no flow record MERA "
 action 0047 string replace "$_string_result" 1372 1372 "KI_AVC_HTTP_SSL_IPV4%no flow record MERAKI_AVC_HTTP_SSL_IPV6%no flow exporter MERAKI_AVC%no flow file-export default%no snmp-server host 18.232.244.158 traps version 2c public%no logging host 18.2 "
 action 0048 string replace "$_string_result" 1568 1568 "32.244.158%no ip route 18.232.244.158 255.255.255.255 Null0%!Removing tls config%no crypto tls-tunnel MERAKI-PRIMARY%no crypto pki trustpoint MERAKI_TLSGW_CA%!Removing user config%no username mera "
 action 004B string replace "$_string_result" 2156 2156 "o authorization exec MERAKI%no login authentication MERAKI%exit%no event manager applet MERAKI-DASHBOARD-CLEANUP%end%write memory%!Finish running "
 action 0060 set _exit_able "0"
 action 0061 set _has_error "0"
 action 0064 foreach _cmd_data "$_string_result" "%"
 action 0065  regexp "^\s*(!.*)" "$_cmd_data" _match _msg
 action 0066  if $_regexp_result eq "1"
 action 0067   syslog msg "$_msg"
 action 0068  else
 action 0069   regexp ".*!exit!*." "$_cmd_data" _match
 action 006A   set _exit_flag "$_regexp_result"
 action 006B   regexp ".*!retry_regex([^!]+).*" "$_cmd_data" _match _retry_regex
 action 006C   set _retry_able "$_regexp_result"
 action 006D   regexp "([^!]+).*" "$_cmd_data" _match _cmd
 action 006E   if $_cmd eq "exit"
 action 006F    if $_exit_able ne "1"
 action 0070     syslog msg "skip run 'exit'"
 action 0071     continue
 action 0072    else
 action 0073     set _exit_able "0"
 action 0074    end
 action 0075   end
 action 0076   syslog msg "$_cmd"
 action 0077   cli command "$_cmd" pattern "confirm|yes|#"
 action 0078   regexp ".*(yes|confirm).*" "$_cli_result" _match
 action 0079   if $_regexp_result eq "1"
 action 007A    syslog msg "y"
 action 007B    cli command "y" pattern "confirm|yes|#"
 action 007C   elseif $_retry_able eq 1
 action 007D    string match "$_retry_regex" "$_cli_result"
 action 007E    if $_string_result eq "1"
 action 007F     syslog msg "Exit with error, will start to retry after 10~20 seconds\n$_cli_result"
 action 0080     wait 10
 action 0081     exit 1
 action 0082    end
 action 0083   end
 action 0084   string match nocase "*%*" "$_cli_result"
 action 0085   if $_string_result eq "1"
 action 0086    syslog msg "$_cli_result"
 action 0087    string match nocase "*^*" "$_cli_result"
 action 0088    if $_string_result eq "1"
 action 0089     set _has_error "1"
 action 008A    end
 action 008B   elseif $_exit_flag eq 1
 action 008C    set _exit_able "1"
 action 008D   end
 action 008E  end
 action 0200 end
 action 0201 cli command "del /f /r flash:MERAKI-DASHBOARD-CLEANUP.log"
 action 0202 if $_has_error ne "0" goto 1105
 action 0203 exit 0
 action 1000 syslog msg "force exit, as script looping over max times"
 action 1101 cli command "end"
 action 1102 cli command "config terminal lock"
 action 1103 cli command "no event manager applet MERAKI-DASHBOARD-CLEANUP"
 action 1104 cli command "do-exec del /f /r flash:MERAKI-DASHBOARD-CLEANUP.log"
 action 1105 cli command "do-exec show logging last 200 | redirect flash:MERAKI-DASHBOARD-CLEANUP.log"
 action 1200 exit 0

Example MERAKI_OFFBOARD_CLEANUP EEM script
event manager applet MERAKI_OFFBOARD_CLEANUP authorization bypass
  event timer watchdog time 5 maxrun 600
  action 0001 cli command "enable"
  action 0002 cli command "config terminal"
  action 0003 syslog msg "start MERAKI_OFFBOARD_CLEANUP"
  action 0060 cli command "no ip http authentication local"
  action 0061 cli command "no ip http secure-server"
  action 0062 cli command "no ip http access-class ipv6 MERAKI_MGMT_IPV6_IN"
  action 0063 cli command "no ipv6 unicast-routing"
  action 0064 cli command "no ipv6 access-list MERAKI_MGMT_IPV6_OUT"
  action 0065 cli command "no ipv6 access-list MERAKI_MGMT_IPV6_IN"
  action 0066 cli command "no ip access-list extended MERAKI_MGMT_IP_OUT"
  action 0067 cli command "no ip access-list standard MERAKI_MGMT_IP_IN"
  action 012E cli command "no yang-interfaces aaa authorization method-list MERAKI"
  action 012F cli command "no netconf-yang"
  action 0130 cli command "ip ssh pubkey-chain"
  action 0131 cli command "no username meraki-user"
  action 0132 cli command "exit"
  action 0143 cli command "no ip ssh version 2"
  action 0144 cli command "no ip ssh port 2222 rotary 55"
  action 04C6 cli command "no aaa authentication login MERAKI local"
  action 04C7 cli command "no aaa authorization exec MERAKI local"
  action 04C8 cli command "no aaa authorization commands 1 MERAKI local"
  action 04C9 cli command "no aaa authorization commands 15 MERAKI local"
  action 04FB cli command "no username meraki-user" pattern ".*[confirm].*"
  action 04FC cli command "y"
  action 04FD cli command "no username meraki-tdluser" pattern ".*[confirm].*"
  action 04FE cli command "y"
  action 04E8 cli command "no event manager applet MERAKI_OFFBOARD_CLEANUP"
  action 04E9 cli command "do-exec write memory"
  action 04EA syslog msg "stop MERAKI_OFFBOARD_CLEANUP"
end