Cisco Meraki Documentation

Client-Tracking in IOS-XE

Meraki devices can identify clients in three different ways: Unique Client Identifier, Track by MAC and Track by IP. The tracking method determines how key information such as the clients list and network usage data is populated in the dashboard. The MX Security Appliance can use any of the three; details are in Client-Tracking Options. Onboarding a Catalyst 9000 series switch automatically enforces Unique Client Identifier as the tracking method for the network.

 

Note: The following ports do not support client-tracking features on the MS390 and C9300/L/X-M:

1. Ports whose maximum supported speed is 25G, 40G or 100G
2. Link aggregation ports

Unique Client Identifier 

Unique Client Identifier is a Meraki technology that leverages network topology and device information to uniquely identify and track clients. It uses an algorithm that correlates the client MAC and IP addresses seen across the Meraki stack, allowing the security appliance to generate a unique identifier for each client in a network combined with other Meraki devices. This is particularly useful when Meraki MS switches route at layer 3 between the end clients and the security appliance: the routing boundary keeps the broadcast traffic that carries the client's MAC address from reaching the appliance, so the appliance on its own cannot tie an IP address back to a client MAC.

Tracking by unique client identifier also disables uplink sampling for clients, which can be helpful in certain scenarios where non-Meraki NAC solutions are deployed in mixed vendor environments.

Note: Some tools, such as client connectivity alerts and client ping, are based on ARP and will not be available when using Unique client identifier.
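
As an added illustration (not Meraki's algorithm, which this page does not describe in detail), the constructed Python sketch below shows the join the security appliance has to perform when an MS switch routes between the clients and the MX: every frame the MX sees on its LAN port carries the switch's SVI MAC, so Track by MAC collapses all clients behind the switch into one entry, while correlating the MX's flow IPs with the MAC/IP bindings the switch gleaned on its access ports separates them again. All addresses, names and byte counts are constructed sample data, and the `client_id` function is a hypothetical stand-in for whatever stable identifier is generated.

```python
"""Added example: why Track by MAC collapses behind a layer-3 MS switch and how a
MAC/IP correlation recovers per-client usage. Illustrative only: this is NOT
Meraki's Unique Client Identifier algorithm, and all data below is constructed."""
from collections import defaultdict
import hashlib

# Constructed: flows seen on the MX LAN port. The MS switch routes at L3 between the
# clients and the MX, so every frame carries the switch SVI MAC, not the client MAC.
SWITCH_SVI_MAC = "00:18:0a:aa:aa:01"
MX_FLOWS = [
    {"src_ip": "10.10.20.15", "src_mac": SWITCH_SVI_MAC, "bytes": 48_000},
    {"src_ip": "10.10.30.7",  "src_mac": SWITCH_SVI_MAC, "bytes": 12_000},
    {"src_ip": "10.10.20.15", "src_mac": SWITCH_SVI_MAC, "bytes": 2_000},
]

# Constructed: MAC/IP bindings the switch gleaned on its access ports, i.e. the
# kind of data a device-tracking policy exists to collect.
SWITCH_BINDINGS = [
    {"ip": "10.10.20.15", "mac": "3c:5a:b4:11:22:33", "switch": "SW01", "port": "Gi1/0/5"},
    {"ip": "10.10.30.7",  "mac": "d4:be:d9:44:55:66", "switch": "SW01", "port": "Gi1/0/9"},
]


def track_by_mac(flows):
    """Track by MAC: usage keyed on the source MAC the MX itself sees."""
    usage = defaultdict(int)
    for f in flows:
        usage[f["src_mac"]] += f["bytes"]
    return dict(usage)


def client_id(mac):
    """Hypothetical stable identifier derived from the client's real MAC; hashed only
    so the identifier is not itself the MAC. Any stable function would do."""
    return "c-" + hashlib.sha256(mac.lower().encode()).hexdigest()[:12]


def track_by_correlation(flows, bindings):
    """Join each flow's source IP to the binding the switch gleaned for that IP and
    key usage on the client identifier. Flows whose IP no switch gleaned are kept
    under an 'unresolved' key so their bytes are not attributed to the wrong client."""
    by_ip = {b["ip"]: b for b in bindings}
    clients = {}
    for f in flows:
        b = by_ip.get(f["src_ip"])
        if b is None:
            entry = clients.setdefault("unresolved:" + f["src_ip"],
                                       {"mac": None, "ip": f["src_ip"], "bytes": 0})
        else:
            entry = clients.setdefault(client_id(b["mac"]),
                                       {"mac": b["mac"], "ip": b["ip"],
                                        "switch": b["switch"], "port": b["port"], "bytes": 0})
        entry["bytes"] += f["bytes"]
    return clients


if __name__ == "__main__":
    print("Track by MAC:", track_by_mac(MX_FLOWS))        # a single entry: the switch's MAC
    for cid, c in track_by_correlation(MX_FLOWS, SWITCH_BINDINGS).items():
        print(cid, c)                                    # one entry per real client
```

Run as-is, the Track by MAC view shows one "client" (the switch SVI) with all 62,000 bytes, while the correlated view shows the two real clients with 50,000 and 12,000 bytes and the switch port each sits on. A flow whose IP no switch has gleaned is reported separately rather than merged into the nearest match, which is the failure mode to watch for when the switch and the MX are not in the same physical network.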

Requirements and Conditions

Please review the requirements and conditions below before enabling this feature on your network.

To see the Unique Client Identifier option in Addressing & VLANs, the following conditions must be met: 

  • There must be a security appliance with at least one Meraki MS or Meraki Managed/Monitored Catalyst L3 switch in the same network in the dashboard. To avoid incorrect tracking data, the devices in this dashboard network should also be in the same physical network.
  • This option is only shown if the MX firmware version is 9+ and the MS firmware version is 10+.
  • Do not use Unique Client Identifier in a dashboard network where the MX's WAN ports are connected to a Meraki switch in the same Dashboard network. If you need to use a Meraki switch in between your ISP and the MX WAN please isolate this switch into a separate Dashboard network.

Note: Changing the client tracking method resets any client that has a manually configured group policy. Manual group policies are shown on the Network-Wide > Monitor > Clients page under the Policy column. If a policy is needed for a particular device, re-add it after the change, once the device appears in the client list again.

Screenshot (Organization > Overview): a Combine networks operation that failed because the network was using the "Track by IP" client tracking mode.

Cloud Monitoring

Information further detailing Cloud Monitoring can be found in Cloud Monitoring for Catalyst Onboarding and Cloud Monitoring Required Configuration.

During onboarding of a Cloud Monitored Catalyst 9000 switch, once dashboard communication is established, dashboard accesses the device over SSH through the secure TLS tunnel using the meraki-user account and applies a policy configuration via NETCONF to collect client data such as IP and MAC addresses.

Device Tracking Policy "MERAKI_POLICY"

Policy application

The device-tracking policy named MERAKI_POLICY is added to every Layer 2 interface at onboarding, except the following:

  • The detected uplink interface
  • Interfaces known to connect directly to other devices in your dashboard network (both Catalyst and Meraki hardware)
  • Interfaces on which device tracking has been explicitly disabled
  • Interfaces that already have a device-tracking policy applied; dashboard will not attach MERAKI_POLICY over it
  • Port-channel member interfaces: the port-channel itself receives MERAKI_POLICY and its member interfaces do not
  • SVL (StackWise Virtual link) interfaces

MERAKI_POLICY is applied to all eligible interfaces:

device-tracking policy MERAKI_POLICY
    security-level glean
    no protocol udp
    tracking enable

Policy re-application

If dashboard-applied configuration on an interface is modified, dashboard changes it back to the configuration it requires so that clients continue to be gleaned:

  • Configuration that dashboard applied, such as the device-tracking policy and the TA flow monitor, is re-applied over any local change to restore the cloud-expected configuration.
  • Configuration that dashboard did not apply is never modified, edited or re-applied; changes made locally on the device are left as they are.
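
The two rule lists above (which interfaces receive MERAKI_POLICY, and which configuration dashboard re-applies when it drifts) can be checked against a switch's running configuration. The Python below is an added example, not Meraki's onboarding code: it encodes the exclusion rules as a function, parses `interface` stanzas out of a constructed running-config excerpt, and reports only the dashboard-owned line that is missing, leaving locally added configuration alone. The interface attributes (uplink, dashboard neighbour, SVL, member of a port-channel) are supplied as constructed input because discovering them needs LLDP/CDP and stack data this example does not have; the parser accepts both the IOS-XE `device-tracking attach-policy` interface command and the `device-tracking policy` form shown on this page.

```python
"""Added example (not Meraki's onboarding logic): decide which interfaces get
MERAKI_POLICY and find dashboard-owned configuration that has drifted.
All sample data below is constructed."""
from dataclasses import dataclass
from typing import Optional
import re

MERAKI_POLICY = "MERAKI_POLICY"


@dataclass
class Interface:
    name: str
    layer2: bool = True                 # switchport; routed ports are never eligible
    uplink: bool = False                # the detected uplink interface
    dashboard_neighbor: bool = False    # connects to another device in this dashboard network
    tracking_disabled: bool = False     # operator explicitly disabled device tracking
    local_policy: Optional[str] = None  # a device-tracking policy already attached locally
    port_channel_member: bool = False   # physical member of a Port-channel
    svl: bool = False                   # StackWise Virtual link


def policy_for(intf: Interface) -> Optional[str]:
    """Policy dashboard attaches at onboarding, or None for an excluded interface."""
    if not intf.layer2 or intf.uplink or intf.dashboard_neighbor:
        return None
    if intf.tracking_disabled or intf.port_channel_member or intf.svl:
        return None
    if intf.local_policy is not None:   # a pre-existing policy is never overwritten
        return None
    return MERAKI_POLICY


_ATTACH = re.compile(r"^\s*device-tracking (?:attach-)?policy (\S+)\s*$")


def parse_interfaces(running_config: str) -> dict[str, list[str]]:
    """Map interface name -> its config lines (stripped) from a running-config excerpt."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith("!") or not line.strip():
            current = None
        elif current is not None:
            stanzas[current].append(line.strip())
    return stanzas


def attached_policy(lines: list[str]) -> Optional[str]:
    """Name of the device-tracking policy attached in an interface stanza, if any."""
    for line in lines:
        m = _ATTACH.match(line)
        if m:
            return m.group(1)
    return None


def reconcile(running_config: str, interfaces: list[Interface]) -> dict[str, list[str]]:
    """Return {interface: lines dashboard would re-apply}. Only the dashboard-owned
    device-tracking attachment is checked; anything else in the stanza is ignored,
    and interfaces where dashboard applied nothing are never touched."""
    stanzas = parse_interfaces(running_config)
    fixes = {}
    for intf in interfaces:
        wanted = policy_for(intf)
        if wanted is None:
            continue
        if attached_policy(stanzas.get(intf.name, [])) != wanted:
            fixes[intf.name] = [f"device-tracking attach-policy {wanted}"]
    return fixes


# Constructed running-config excerpt: Gi1/0/1 drifted (an operator swapped the policy),
# Gi1/0/2 is intact apart from a harmless local description, Gi1/0/24 is the uplink.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 device-tracking attach-policy LOCAL_TEST
!
interface GigabitEthernet1/0/2
 description printer, added by local admin
 device-tracking attach-policy MERAKI_POLICY
!
interface GigabitEthernet1/0/24
 description uplink to core
!
"""
INTERFACES = [
    Interface("GigabitEthernet1/0/1"),
    Interface("GigabitEthernet1/0/2"),
    Interface("GigabitEthernet1/0/24", uplink=True),
]

if __name__ == "__main__":
    print(reconcile(RUNNING_CONFIG, INTERFACES))
```

Only GigabitEthernet1/0/1 is reported: the local description on Gi1/0/2 is not dashboard-owned, and the uplink never received MERAKI_POLICY in the first place. The same skeleton, fed with real `show running-config` text, is a quick way to predict what dashboard will overwrite before making a local change.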

Disable Device Tracking

Pre-Onboarding

  • To disable device tracking on specific interfaces before onboarding, create and apply the following policy on those interfaces before connecting the switch to the Meraki Dashboard through the onboarding application:

device-tracking policy NO_TRACK
    security-level glean
    no protocol ndp
    no protocol dhcp6
    no protocol arp
    no protocol dhcp4
    no protocol udp
exit
interface <Interface to modify>
    device-tracking policy NO_TRACK
end

Post-Onboarding
  • Disabling device tracking on interfaces after onboarding can only be done device-wide. To do so, edit the existing MERAKI_POLICY, replacing its tracking settings with the protocol settings used in the NO_TRACK policy above:

device-tracking policy MERAKI_POLICY
    no protocol ndp
    no protocol dhcp6
    no protocol arp
    no protocol dhcp4
    no protocol udp
end

 

Cloud Management: Device Configuration

Information further detailing Cloud Management can be found in Cloud Management with IOS XE Overview.

During onboarding of a Catalyst 9000 switch in Cloud Management: Device Configuration mode, CLI configuration is applied to the device to collect client data such as IP and MAC addresses. Three types of device-tracking policy can be applied: Access, Trunk and Uplink.

Device Tracking Policy

Access Ports

device-tracking policy MERAKI_ACCESS_TRACK
    limit address-count 1000
    security-level glean
    tracking enable

Uplink

device-tracking policy MERAKI_NO_TRACK
    trusted-port
    security-level glean
    no protocol ndp
    no protocol dhcp6
    no protocol arp
    no protocol dhcp4

Trunk

device-tracking policy MERAKI_TRUNK_TRACK
    limit address-count 32000
    security-level glean


Disable Device Tracking

Device tracking can be disabled either before On-boarding at an interface level or after On-boarding at a switch level. To disable device tracking on an interface level for switches that are already On-boarded, the device must be Off-boarded, follow the Pre-Onboarding steps and On-board the switch again.  
 

Pre-Onboarding

  • To disable device tracking on specific interfaces before onboarding, create and apply the following policy on those interfaces before connecting the switch to the Meraki Dashboard through the onboarding application:

device-tracking policy NO_TRACK 
    no protocol ndp 
    no protocol dhcp6 
    no protocol arp 
    no protocol dhcp4 
    no protocol udp 
exit 
interface <Interface to modify> 
    device-tracking policy NO_TRACK 
end 

Post-Onboarding

  • Disabling device tracking on interfaces after onboarding can only be done device-wide. To do so, edit the existing policy (substitute the name of the policy in use, for example MERAKI_ACCESS_TRACK), disabling every gleaning protocol:

device-tracking policy <POLICY_NAME> 
    no protocol ndp 
    no protocol dhcp6 
    no protocol arp 
    no protocol dhcp4 
    no protocol udp 
exit
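
Both the Cloud Monitoring and the Cloud Management post-onboarding procedures above disable tracking by editing a policy rather than removing it, so the policy stays attached and lines such as `tracking enable` may remain. The Python below is an added example (not a Meraki or Cisco tool) that parses `device-tracking policy` stanzas in the running-config form used on this page and reports which gleaning protocols each policy still has on. It assumes the IOS-XE default that a protocol is gleaned unless a `no protocol <name>` line is present; the running-config excerpt is constructed from the policies shown on this page, with MERAKI_POLICY in its post-onboarding edited state.

```python
"""Added example (not a Meraki or Cisco tool): parse device-tracking policy
stanzas and report what each still gleans. Assumes IOS-XE's default that every
protocol is gleaned unless 'no protocol <name>' appears. Sample text constructed."""
from dataclasses import dataclass, field
from typing import Optional

GLEAN_PROTOCOLS = ("ndp", "dhcp6", "arp", "dhcp4", "udp")


@dataclass
class DtPolicy:
    name: str
    protocols: set = field(default_factory=lambda: set(GLEAN_PROTOCOLS))  # still gleaned
    tracking_enable: bool = False
    trusted_port: bool = False
    security_level: Optional[str] = None
    address_limit: Optional[int] = None

    def gleans_nothing(self) -> bool:
        """True when the policy can no longer learn any client binding."""
        return not self.protocols


def parse_policies(text: str) -> dict[str, DtPolicy]:
    """Parse 'device-tracking policy <name>' stanzas. A column-0 line starts a policy
    or ends the current one ('!', 'exit', 'end', 'interface ...'), so an indented
    'device-tracking policy X' inside an interface stanza is not mistaken for a policy."""
    policies: dict[str, DtPolicy] = {}
    cur: Optional[DtPolicy] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            if raw.startswith("device-tracking policy "):
                cur = DtPolicy(name=raw.split()[2])
                policies[cur.name] = cur
            else:
                cur = None
            continue
        if cur is None:
            continue
        words = raw.split()
        if words[:2] == ["no", "protocol"] and len(words) > 2 and words[2] in GLEAN_PROTOCOLS:
            cur.protocols.discard(words[2])
        elif words[0] == "protocol" and len(words) > 1 and words[1] in GLEAN_PROTOCOLS:
            cur.protocols.add(words[1])
        elif words == ["tracking", "enable"]:
            cur.tracking_enable = True
        elif words == ["trusted-port"]:
            cur.trusted_port = True
        elif words[0] == "security-level" and len(words) > 1:
            cur.security_level = words[1]
        elif words[:2] == ["limit", "address-count"] and len(words) > 2:
            cur.address_limit = int(words[2])
    return policies


def still_gleaning(text: str) -> dict[str, list[str]]:
    """Policies that can still glean, with the protocols left enabled (sorted)."""
    return {n: sorted(p.protocols) for n, p in parse_policies(text).items() if p.protocols}


# Constructed running-config excerpt built from the policies shown on this page.
SAMPLE = """\
device-tracking policy MERAKI_POLICY
 security-level glean
 no protocol ndp
 no protocol dhcp6
 no protocol arp
 no protocol dhcp4
 no protocol udp
 tracking enable
!
device-tracking policy MERAKI_ACCESS_TRACK
 limit address-count 1000
 security-level glean
 tracking enable
!
device-tracking policy MERAKI_NO_TRACK
 trusted-port
 security-level glean
 no protocol ndp
 no protocol dhcp6
 no protocol arp
 no protocol dhcp4
!
interface GigabitEthernet1/0/1
 device-tracking policy MERAKI_POLICY
!
"""

if __name__ == "__main__":
    for name, protos in still_gleaning(SAMPLE).items():
        print(f"{name}: still gleaning {', '.join(protos)}")
```

On the sample, the edited MERAKI_POLICY is reported as gleaning nothing even though `tracking enable` is still present, which is the intended post-onboarding state; MERAKI_ACCESS_TRACK gleans all five protocols; and the Uplink policy, whose stanza on this page has no `no protocol udp` line, is reported as still gleaning udp under the stated default. Confirm the effective state on the switch itself with `show device-tracking policy <name>` rather than relying on the parsed text alone.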