Cisco Meraki Documentation

Cloud Management with Device Configuration Required Modifications

The following lines are examples of what Dashboard adds to or updates in the IOS XE running configuration of a switch enabled for cloud management with device configuration. The exact configuration on your switch may differ from these examples, depending on pre-existing IOS XE configuration and on any additional features that have been enabled for cloud management.

All changes to configuration made by Dashboard will be logged in Organization > Monitor > Change Log and associated with the default administrator for the Dashboard organization.

 

AAA

aaa authentication login MERAKI local

aaa authorization exec MERAKI local

yang-interfaces aaa authorization method-list MERAKI

(Only applied if local is not already the first method in the existing aaa authorization exec configuration.)

username meraki-user privilege 15 secret 9 <unique random password>
username meraki-tdluser privilege 1 secret 9 <unique random password>

 

Access Control Lists

ip access-list standard MERAKI_MGMT_IP_IN
 20 deny any

ip access-list extended MERAKI_MGMT_IP_OUT
 20 deny tcp any any

ipv6 access-list MERAKI_MGMT_IPV6_IN
 sequence 10 permit tcp FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64 eq 2222
 sequence 20 deny tcp any any

ipv6 access-list MERAKI_MGMT_IPV6_OUT
 sequence 20 deny tcp any any

 

SNMP and Logging

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

logging history informational

logging snmp-trap errors

logging snmp-trap warnings

snmp-server enable traps syslog
snmp-server host FD0A:9B09:1F7:1:5B96:4C42:893E:6DFC version 2c MERAKI_TRAP_COMMUNITY udp-port 10062

logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical

 

IPv6 Route

ipv6 route FD0A:9B09:1F7:1::/64 Null0 2

 

HTTP Secure Server

ip http secure-server
ip http authentication local

 

Line VTY

line vty 32 35
 access-class MERAKI_MGMT_IP_IN in
 access-class MERAKI_MGMT_IP_OUT out
 no motd-banner
 ipv6 access-class MERAKI_MGMT_IPV6_IN in
 ipv6 access-class MERAKI_MGMT_IPV6_OUT out
 authorization exec MERAKI
 login authentication MERAKI
 rotary 55
 transport input ssh

 

Netconf

netconf-yang

 

SSH

ip ssh version 2
ip ssh server algorithm authentication publickey password keyboard
ip ssh port 2222 rotary 55

ip ssh pubkey-chain
 username meraki-user
  key-hash {KEY_HASH}

 

LLDP

lldp run

 

Interface

interface TenGigabitEthernet1/0/1
    device-tracking attach-policy <Meraki Policy Name>

NetFlow

Cisco Meraki Dashboard will apply IOS-XE NetFlow configuration to supported Catalyst switches enabled for Cloud Management with Configuration Source: Device. The exact NetFlow configuration depends on the active license level, Dashboard Traffic Analysis settings, platform support, and interface role.

NetFlow configuration used for Cloud Management is applied for Dashboard client visibility and traffic analytics. If customer NetFlow export is enabled, Dashboard may also configure flow export toward the customer-defined collector.

License and Feature Summary:

License and Dashboard setting: Network Essentials + DNA Essentials
  Expected behavior: Basic client visibility with non-AVC flow records
  Typical flow monitor family: MERAKI_ESSENTIALS_V4_*

License and Dashboard setting: Network Advantage + DNA Advantage
  Expected behavior: AVC-capable client and traffic analytics
  Typical flow monitor family: MERAKI_TA1_V4_*

License and Dashboard setting: Network Advantage + DNA Advantage with Dashboard Traffic Analysis set to Detailed
  Expected behavior: Detailed application / destination traffic analytics and optional customer NetFlow export
  Typical flow monitor family: MERAKI_TA2_IPV4, in addition to TA1

 

Dashboard Traffic Analysis set to Detailed is not a separate license level. It is a Dashboard setting that controls the level of traffic analytics collected or exported. The underlying AVC / NetFlow v10 capability requires the appropriate platform and Advantage license support.

AVC stands for Application Visibility and Control. AVC-capable NetFlow records use IOS XE application recognition, based on NBAR/AVC, to include application identity in flow telemetry. Non-AVC records do not include application classification and are used for client visibility/basic flow tracking.

Dashboard does not attach its flow monitors to an interface that already has a flow monitor configured; such an interface keeps its existing flow configuration.

Essentials License:

Switches using Network Essentials + DNA Essentials use non-AVC flow records for basic client visibility.

Expected global configuration:

flow record MERAKI_ESSENTIALS_V4_IN
 description meraki_essentials_ingress
 match datalink mac source address input
 match interface input
 match ipv4 source address
 collect counter bytes long
 collect counter packets long

flow record MERAKI_ESSENTIALS_V4_OUT
 description meraki_essentials_egress
 match datalink mac destination address output
 match interface output
 match ipv4 destination address
 collect counter bytes long
 collect counter packets long

flow exporter MERAKI_ESSENTIALS_V4_EXPORTER
 destination local file-export default
 export-protocol ipfix
 option interface-table timeout 300

flow monitor MERAKI_ESSENTIALS_V4_MONITOR_IN
 exporter MERAKI_ESSENTIALS_V4_EXPORTER
 cache timeout inactive 300
 cache timeout active 300
 record MERAKI_ESSENTIALS_V4_IN

flow monitor MERAKI_ESSENTIALS_V4_MONITOR_OUT
 exporter MERAKI_ESSENTIALS_V4_EXPORTER
 cache timeout inactive 300
 cache timeout active 300
 record MERAKI_ESSENTIALS_V4_OUT
 

Expected interface configuration on eligible client-facing ports:

interface GigabitEthernet1/0/X
 ip flow monitor MERAKI_ESSENTIALS_V4_MONITOR_IN input
 ip flow monitor MERAKI_ESSENTIALS_V4_MONITOR_OUT output
 

Advantage License: 

Switches using Network Advantage + DNA Advantage support AVC-capable traffic analytics.

Expected global configuration:

flow record MERAKI_TA1_V4_IN
 description meraki_ta1_ingress
 match application name
 match interface input
 match ipv4 source address
 collect counter bytes long
 collect counter packets long
 collect datalink mac source address input
 collect flow direction
 collect datalink dot1q vlan input

flow record MERAKI_TA1_V4_OUT
 description meraki_ta1_egress
 match application name
 match interface output
 match ipv4 destination address
 collect counter bytes long
 collect counter packets long
 collect datalink mac destination address output
 collect flow direction
 collect datalink dot1q vlan output

flow exporter MERAKI_TA1
 destination local file-export default
 export-protocol ipfix
 option interface-table timeout 300

flow monitor MERAKI_TA1_V4_IN
 exporter MERAKI_TA1
 cache timeout inactive 300
 cache timeout active 300
 record MERAKI_TA1_V4_IN

flow monitor MERAKI_TA1_V4_OUT
 exporter MERAKI_TA1
 cache timeout inactive 300
 cache timeout active 300
 record MERAKI_TA1_V4_OUT
 

Expected interface configuration on eligible client-facing ports:

interface GigabitEthernet1/0/X
 ip flow monitor MERAKI_TA1_V4_IN input
 ip flow monitor MERAKI_TA1_V4_OUT output
 

Advantage License with Dashboard Traffic Analysis Set to Detailed:

When the switch is licensed for Network Advantage + DNA Advantage and Dashboard Traffic Analysis is set to Detailed, Dashboard may apply TA2 flow monitors in addition to TA1. TA2 provides more detailed application and connection-level traffic analytics. It may also be used when customer NetFlow export is enabled.

Expected global configuration:

flow record MERAKI_TA2_HTTP_SSL_IPV4
 match application name
 match connection client ipv4 address
 match connection server ipv4 address
 match connection server transport port
 match flow observation point
 match ipv4 protocol
 match ipv4 version
 collect connection client counter bytes network long
 collect connection client counter packets long
 collect connection initiator
 collect connection new-connections
 collect connection server counter bytes network long
 collect connection server counter packets long
 collect flow direction
 collect interface input
 collect interface output
 collect timestamp absolute first
 collect timestamp absolute last

flow exporter MERAKI_TA2
 destination local file-export default
 export-protocol ipfix
 option interface-table timeout 300

flow monitor MERAKI_TA2_IPV4
 exporter MERAKI_TA2
 cache timeout inactive 300
 cache timeout active 300
 cache entries 65536
 record MERAKI_TA2_HTTP_SSL_IPV4

Expected interface configuration on eligible ports:

interface GigabitEthernet1/0/X
 ip flow monitor MERAKI_TA2_IPV4 input
 ip flow monitor MERAKI_TA2_IPV4 output
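
An added example (not Meraki tooling) that sorts the interfaces of a saved running-config into the states the rule above produces: Dashboard monitors attached for the license tier, attached in only one direction, skipped because a customer flow monitor was already present, or no monitor at all. The interface stanzas are constructed, and the tier keys ('essentials', 'advantage', 'advantage-detailed') are this script's own labels for the three license rows in the summary above.

```python
"""Which ports carry Dashboard's flow monitors, and which did Dashboard skip?

Dashboard does not attach its monitors to an interface that already has a
flow monitor, so after onboarding a port ends up in one of four states.
Added example, not Meraki tooling; the interface config below is constructed
and the tier keys are this script's own labels for the page's license rows.
"""
import re

# (monitor, direction) pairs per tier, taken from the interface examples above.
# Detailed traffic analysis adds the TA2 monitor on top of TA1.
TIER_MONITORS = {
    "essentials": {("MERAKI_ESSENTIALS_V4_MONITOR_IN", "input"),
                   ("MERAKI_ESSENTIALS_V4_MONITOR_OUT", "output")},
    "advantage": {("MERAKI_TA1_V4_IN", "input"), ("MERAKI_TA1_V4_OUT", "output")},
}
TIER_MONITORS["advantage-detailed"] = TIER_MONITORS["advantage"] | {
    ("MERAKI_TA2_IPV4", "input"), ("MERAKI_TA2_IPV4", "output")}

# Constructed sample: four ports in the four possible states.
SAMPLE_INTERFACES = """\
interface GigabitEthernet1/0/1
 description client port, TA1 attached by Dashboard
 ip flow monitor MERAKI_TA1_V4_IN input
 ip flow monitor MERAKI_TA1_V4_OUT output
interface GigabitEthernet1/0/2
 description customer monitor already here, so Dashboard skipped it
 ip flow monitor CUST_FLOW input
interface GigabitEthernet1/0/3
 description egress monitor missing
 ip flow monitor MERAKI_TA1_V4_IN input
interface TenGigabitEthernet1/1/1
 description uplink, no client visibility monitors
"""

INTERFACE_RE = re.compile(r"^interface (\S+)\n((?:[ \t].*\n?)*)", re.M)
MONITOR_RE = re.compile(r"(?:ip|ipv6) flow monitor (\S+) (input|output)")


def attached_monitors(body):
    """Set of (monitor name, direction) found in one interface stanza."""
    return {(m.group(1), m.group(2)) for m in MONITOR_RE.finditer(body)}


def classify(config, tier):
    """Map interface name -> 'dashboard', 'none', 'skipped: ...' or 'partial: ...'."""
    expected = TIER_MONITORS[tier]
    report = {}
    for m in INTERFACE_RE.finditer(config):
        name, attached = m.group(1), attached_monitors(m.group(2))
        # Anything not named MERAKI_* was there before onboarding, so Dashboard
        # left the port alone.
        foreign = sorted({mon for mon, _ in attached if not mon.startswith("MERAKI_")})
        if foreign:
            report[name] = "skipped: existing monitor " + ", ".join(foreign)
        elif attached == expected:
            report[name] = "dashboard"
        elif attached:
            missing = ", ".join(f"{mon} {d}" for mon, d in sorted(expected - attached))
            report[name] = "partial: missing " + missing
        else:
            report[name] = "none"
    return report
```

Ports reported as skipped are the ones to review if a client is missing from Dashboard visibility; a partial result on a port Dashboard should own is worth comparing against the change log.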
 

Device Tracking

Cisco Meraki Dashboard applies the following device-tracking policies to interfaces according to their role in the network.
More detail on device tracking is available in the Client-Tracking in IOS-XE article.

device-tracking policy MERAKI_ACCESS_TRACK
 limit address-count 1000
 security-level glean
 tracking enable

device-tracking policy MERAKI_NO_TRACK
 trusted-port
 security-level glean
 no protocol ndp
 no protocol dhcp6
 no protocol arp
 no protocol dhcp4

device-tracking policy MERAKI_TRUNK_TRACK
 limit address-count 32000
 security-level glean
 

Offboarding/Removal from Dashboard

When a switch is removed from Dashboard, EEM applets are executed on the switch to remove the configuration that was applied for cloud management.

The applets are generated dynamically from the configuration actually present on your device; the scripts below are examples of what is executed. Both applets are registered with authorization bypass, so their CLI actions run without AAA command authorization, and EEM executes actions in the sort order of their labels rather than in the order the lines are listed. If a command in MERAKI-DASHBOARD-CLEANUP fails, the last 200 lines of the logging buffer are written to flash:MERAKI-DASHBOARD-CLEANUP.log, which is the first place to look when offboarding leaves configuration behind. The generated script also removes global settings such as ip http secure-server and ipv6 unicast-routing (see the MERAKI_OFFBOARD_CLEANUP example), so review the running configuration after offboarding.

To keep the device reachable while the scripts are running, the line VTY configuration is not removed automatically. After offboarding it can be removed with no line vty <start> <end>. The exact line numbers vary, but the range always covers four lines inclusive (for example 32 35 above) and carries configuration similar to:

line vty <start> <end>
 login authentication MERAKI
 authorization exec MERAKI
 rotary 55
 no motd-banner
 transport input ssh
 access-class MERAKI_MGMT_IP_IN in
 access-class MERAKI_MGMT_IP_OUT out
 ipv6 access-class MERAKI_MGMT_IPV6_IN in
 ipv6 access-class MERAKI_MGMT_IPV6_OUT out

Example MERAKI-DASHBOARD-CLEANUP EEM script
event manager applet MERAKI-DASHBOARD-CLEANUP authorization bypass
 event timer watchdog time 10 maxrun 600
 action 000A cli command "enable"
 action 000B cli command "show event manager policy active | s MERAKI-DASHBOARD-CLEANUP"
 action 000C string match "*MERAKI-DASHBOARD-CLEANUP*MERAKI-DASHBOARD-CLEANUP*" "$_cli_result"
 action 000D if $_string_result eq "1"
 action 000E  exit 0
 action 000F end
 action 002A cli command "show event manager statistics policy | i MERAKI-DASHBOARD-CLEANUP"
 action 002B regexp ".*applet\s+([0-9]+)\s+.*" "$_cli_result" _match _run_times
 action 002C if $_regexp_result eq "1"
 action 002D  if $_run_times gt "60" goto 1000
 action 002E end
 action 0040 string replace "$_string_result" 0 0 "!Start running%config terminal lock !retry_regex*is locked by*!%!Removing brownfield device config%no snmp-server enable traps smart-license%no snmp-server enable traps config-copy%no snmp-server  "
 action 0041 string replace "$_string_result" 196 196 "enable traps config-ctid%no snmp-server enable traps config%no telemetry ietf subscription 1030%no telemetry ietf subscription 1031%no telemetry ietf subscription 1001%no telemetry ietf subscripti "
 action 0042 string replace "$_string_result" 392 392 "on 1002%no telemetry ietf subscription 1003%no telemetry ietf subscription 1004%no telemetry ietf subscription 1007%no telemetry ietf subscription 2002%no telemetry ietf subscription 1011%no telem "
 action 0043 string replace "$_string_result" 588 588 "etry ietf subscription 1012%no telemetry ietf subscription 1013%no telemetry ietf subscription 1014%no telemetry ietf subscription 1015%no telemetry ietf subscription 1016%no telemetry ietf subscr "
 action 0044 string replace "$_string_result" 784 784 "iption 1018%no telemetry ietf subscription 1020%no telemetry ietf subscription 1021%no telemetry transform MERAKI_INTF_STATS_DELTA%no telemetry transform MERAKI_PORTCHANNEL_STATS_DELTA%no device-t "
 action 0045 string replace "$_string_result" 980 980 "racking policy MERAKI_POLICY%interface range GigabitEthernet1/0/1-36,TenGigabitEthernet1/0/37-47,TenGigabitEthernet1/1/1-4 !exit!% no ip flow monitor MERAKI_AVC_IPV4 output% no ipv6 flow monitor M "
 action 0046 string replace "$_string_result" 1176 1176 "ERAKI_AVC_IPV6 input% no ipv6 flow monitor MERAKI_AVC_IPV6 output% no ip flow monitor MERAKI_AVC_IPV4 input%exit%no flow monitor MERAKI_AVC_IPV4%no flow monitor MERAKI_AVC_IPV6%no flow record MERA "
 action 0047 string replace "$_string_result" 1372 1372 "KI_AVC_HTTP_SSL_IPV4%no flow record MERAKI_AVC_HTTP_SSL_IPV6%no flow exporter MERAKI_AVC%no flow file-export default%no snmp-server host 18.232.244.158 traps version 2c public%no logging host 18.2 "
 action 0048 string replace "$_string_result" 1568 1568 "32.244.158%no ip route 18.232.244.158 255.255.255.255 Null0%!Removing tls config%no crypto tls-tunnel MERAKI-PRIMARY%no crypto pki trustpoint MERAKI_TLSGW_CA%!Removing user config%no username mera "
 action 004B string replace "$_string_result" 2156 2156 "o authorization exec MERAKI%no login authentication MERAKI%exit%no event manager applet MERAKI-DASHBOARD-CLEANUP%end%write memory%!Finish running "
 action 0060 set _exit_able "0"
 action 0061 set _has_error "0"
 action 0064 foreach _cmd_data "$_string_result" "%"
 action 0065  regexp "^\s*(!.*)" "$_cmd_data" _match _msg
 action 0066  if $_regexp_result eq "1"
 action 0067   syslog msg "$_msg"
 action 0068  else
 action 0069   regexp ".*!exit!*." "$_cmd_data" _match
 action 006A   set _exit_flag "$_regexp_result"
 action 006B   regexp ".*!retry_regex([^!]+).*" "$_cmd_data" _match _retry_regex
 action 006C   set _retry_able "$_regexp_result"
 action 006D   regexp "([^!]+).*" "$_cmd_data" _match _cmd
 action 006E   if $_cmd eq "exit"
 action 006F    if $_exit_able ne "1"
 action 0070     syslog msg "skip run 'exit'"
 action 0071     continue
 action 0072    else
 action 0073     set _exit_able "0"
 action 0074    end
 action 0075   end
 action 0076   syslog msg "$_cmd"
 action 0077   cli command "$_cmd" pattern "confirm|yes|#"
 action 0078   regexp ".*(yes|confirm).*" "$_cli_result" _match
 action 0079   if $_regexp_result eq "1"
 action 007A    syslog msg "y"
 action 007B    cli command "y" pattern "confirm|yes|#"
 action 007C   elseif $_retry_able eq 1
 action 007D    string match "$_retry_regex" "$_cli_result"
 action 007E    if $_string_result eq "1"
 action 007F     syslog msg "Exit with error, will start to retry after 10~20 seconds\n$_cli_result"
 action 0080     wait 10
 action 0081     exit 1
 action 0082    end
 action 0083   end
 action 0084   string match nocase "*%*" "$_cli_result"
 action 0085   if $_string_result eq "1"
 action 0086    syslog msg "$_cli_result"
 action 0087    string match nocase "*^*" "$_cli_result"
 action 0088    if $_string_result eq "1"
 action 0089     set _has_error "1"
 action 008A    end
 action 008B   elseif $_exit_flag eq 1
 action 008C    set _exit_able "1"
 action 008D   end
 action 008E  end
 action 0200 end
 action 0201 cli command "del /f /r flash:MERAKI-DASHBOARD-CLEANUP.log"
 action 0202 if $_has_error ne "0" goto 1105
 action 0203 exit 0
 action 1000 syslog msg "force exit, as script looping over max times"
 action 1101 cli command "end"
 action 1102 cli command "config terminal lock"
 action 1103 cli command "no event manager applet MERAKI-DASHBOARD-CLEANUP"
 action 1104 cli command "do-exec del /f /r flash:MERAKI-DASHBOARD-CLEANUP.log"
 action 1105 cli command "do-exec show logging last 200 | redirect flash:MERAKI-DASHBOARD-CLEANUP.log"
 action 1200 exit 0

Example MERAKI_OFFBOARD_CLEANUP EEM script
event manager applet MERAKI_OFFBOARD_CLEANUP authorization bypass
  event timer watchdog time 5 maxrun 600
  action 0001 cli command "enable"
  action 0002 cli command "config terminal"
  action 0003 syslog msg "start MERAKI_OFFBOARD_CLEANUP"
  action 0060 cli command "no ip http authentication local"
  action 0061 cli command "no ip http secure-server"
  action 0062 cli command "no ip http access-class ipv6 MERAKI_MGMT_IPV6_IN"
  action 0063 cli command "no ipv6 unicast-routing"
  action 0064 cli command "no ipv6 access-list MERAKI_MGMT_IPV6_OUT"
  action 0065 cli command "no ipv6 access-list MERAKI_MGMT_IPV6_IN"
  action 0066 cli command "no ip access-list extended MERAKI_MGMT_IP_OUT"
  action 0067 cli command "no ip access-list standard MERAKI_MGMT_IP_IN"
  action 012E cli command "no yang-interfaces aaa authorization method-list MERAKI"
  action 012F cli command "no netconf-yang"
  action 0130 cli command "ip ssh pubkey-chain"
  action 0131 cli command "no username meraki-user"
  action 0132 cli command "exit"
  action 0143 cli command "no ip ssh version 2"
  action 0144 cli command "no ip ssh port 2222 rotary 55"
  action 04C6 cli command "no aaa authentication login MERAKI local"
  action 04C7 cli command "no aaa authorization exec MERAKI local"
  action 04C8 cli command "no aaa authorization commands 1 MERAKI local"
  action 04C9 cli command "no aaa authorization commands 15 MERAKI local"
  action 04FB cli command "no username meraki-user" pattern ".*[confirm].*"
  action 04FC cli command "y"
  action 04FD cli command "no username meraki-tdluser" pattern ".*[confirm].*"
  action 04FE cli command "y"
  action 04E8 cli command "no event manager applet MERAKI_OFFBOARD_CLEANUP"
  action 04E9 cli command "do-exec write memory"
  action 04EA syslog msg "stop MERAKI_OFFBOARD_CLEANUP"
end
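
The chunked string replace actions make the MERAKI-DASHBOARD-CLEANUP command list hard to review before it runs. The following added example (not Meraki tooling and not part of this article) reassembles that list from the applet text the way the applet itself does, then interprets the '%'-separated items with the same rules as actions 0064 to 008E: an item starting with '!' is a syslog message, '!exit!' after a command allows the next 'exit', and '!retry_regex...!' carries a pattern that triggers a retry. The chunks embedded in it are copied from the MERAKI-DASHBOARD-CLEANUP example above; that example omits the actions at offsets 1764 and 1960, and the script reports the gap and flags the commands on either side of it as truncated rather than gluing the halves together.

```python
"""Recover the command list a MERAKI-DASHBOARD-CLEANUP applet will run from
its 'string replace' chunks, for review before a switch is offboarded.

Added example, not Meraki tooling. It models the applet's own loop (actions
0064-008E): the assembled string is split on '%', an item starting with '!'
is a syslog message, '!exit!' after a command lets the following 'exit'
run, and '!retry_regex...!' carries a pattern that triggers a retry. The
chunks below are copied from the example applet on this page, which omits
the two chunks at offsets 1764 and 1960; the script reports that as a gap
instead of silently joining the halves.
"""
import re

APPLET = r'''
 action 0040 string replace "$_string_result" 0 0 "!Start running%config terminal lock !retry_regex*is locked by*!%!Removing brownfield device config%no snmp-server enable traps smart-license%no snmp-server enable traps config-copy%no snmp-server  "
 action 0041 string replace "$_string_result" 196 196 "enable traps config-ctid%no snmp-server enable traps config%no telemetry ietf subscription 1030%no telemetry ietf subscription 1031%no telemetry ietf subscription 1001%no telemetry ietf subscripti "
 action 0042 string replace "$_string_result" 392 392 "on 1002%no telemetry ietf subscription 1003%no telemetry ietf subscription 1004%no telemetry ietf subscription 1007%no telemetry ietf subscription 2002%no telemetry ietf subscription 1011%no telem "
 action 0043 string replace "$_string_result" 588 588 "etry ietf subscription 1012%no telemetry ietf subscription 1013%no telemetry ietf subscription 1014%no telemetry ietf subscription 1015%no telemetry ietf subscription 1016%no telemetry ietf subscr "
 action 0044 string replace "$_string_result" 784 784 "iption 1018%no telemetry ietf subscription 1020%no telemetry ietf subscription 1021%no telemetry transform MERAKI_INTF_STATS_DELTA%no telemetry transform MERAKI_PORTCHANNEL_STATS_DELTA%no device-t "
 action 0045 string replace "$_string_result" 980 980 "racking policy MERAKI_POLICY%interface range GigabitEthernet1/0/1-36,TenGigabitEthernet1/0/37-47,TenGigabitEthernet1/1/1-4 !exit!% no ip flow monitor MERAKI_AVC_IPV4 output% no ipv6 flow monitor M "
 action 0046 string replace "$_string_result" 1176 1176 "ERAKI_AVC_IPV6 input% no ipv6 flow monitor MERAKI_AVC_IPV6 output% no ip flow monitor MERAKI_AVC_IPV4 input%exit%no flow monitor MERAKI_AVC_IPV4%no flow monitor MERAKI_AVC_IPV6%no flow record MERA "
 action 0047 string replace "$_string_result" 1372 1372 "KI_AVC_HTTP_SSL_IPV4%no flow record MERAKI_AVC_HTTP_SSL_IPV6%no flow exporter MERAKI_AVC%no flow file-export default%no snmp-server host 18.232.244.158 traps version 2c public%no logging host 18.2 "
 action 0048 string replace "$_string_result" 1568 1568 "32.244.158%no ip route 18.232.244.158 255.255.255.255 Null0%!Removing tls config%no crypto tls-tunnel MERAKI-PRIMARY%no crypto pki trustpoint MERAKI_TLSGW_CA%!Removing user config%no username mera "
 action 004B string replace "$_string_result" 2156 2156 "o authorization exec MERAKI%no login authentication MERAKI%exit%no event manager applet MERAKI-DASHBOARD-CLEANUP%end%write memory%!Finish running "
'''

CHUNK_RE = re.compile(r'string replace "\$_string_result" (\d+) \d+ "([^"]*)"')


def reassemble(applet_text):
    """Join the chunks in offset order; return (joined_string, gaps).

    Each 'string replace "$_string_result" N N "chunk"' overwrites the single
    character at index N, so every chunk ends with one filler character that
    the next chunk replaces. gaps lists (offset, missing_chars) wherever the
    next chunk does not start where the previous one ended.
    """
    chunks = sorted((int(m.group(1)), m.group(2)) for m in CHUNK_RE.finditer(applet_text))
    pieces, gaps, expected = [], [], 0
    for offset, chunk in chunks:
        if offset != expected:
            gaps.append((expected, offset - expected))
            pieces.append(f"%!GAP {offset - expected} characters not shown%")
        pieces.append(chunk[:-1])          # drop the filler character
        expected = offset + len(chunk) - 1
    return "".join(pieces), gaps


def plan(applet_text):
    """Return (commands, messages, skipped_exits, gaps) as the applet's loop
    would see them, assuming every command succeeds."""
    joined, gaps = reassemble(applet_text)
    items = joined.split("%")
    commands, messages, skipped = [], [], []
    exit_able = False                      # action 0060
    for i, item in enumerate(items):
        if item.lstrip().startswith("!"):  # action 0065: message, not a command
            messages.append(item.strip())
            continue
        exit_flag = "!exit!" in item       # action 0069
        retry = re.search(r"!retry_regex([^!]+)", item)   # action 006B
        cmd = re.match(r"[^!]*", item).group(0).strip()  # action 006D
        if cmd == "exit":                  # actions 006E-0075
            if not exit_able:
                skipped.append(i)
                continue
            exit_able = False
        near_gap = ((i > 0 and items[i - 1].startswith("!GAP"))
                    or (i + 1 < len(items) and items[i + 1].startswith("!GAP")))
        commands.append({"cmd": cmd, "retry": retry.group(1) if retry else None,
                         "truncated": near_gap})
        if exit_flag:                      # actions 008B-008C
            exit_able = True
    return commands, messages, skipped, gaps


if __name__ == "__main__":
    commands, messages, skipped, gaps = plan(APPLET)
    for offset, missing in gaps:
        print(f"!! {missing} characters missing at offset {offset}")
    for c in commands:
        print(c["cmd"] + (" (truncated)" if c["truncated"] else ""))
```

Because the exit that closes the missing line vty block follows a '!exit!' marker that is also missing, the model reports that exit as skipped; on a complete applet taken from the switch with show running-config | section event manager, no gap and no skipped exit should be reported.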