Cloud Monitoring Required Configuration

In order to enable Catalyst devices to be monitored by Dashboard, limited configuration changes are
required, such as those performed by the Cloud Monitoring Onboarding application to initiate Cisco cloud
services connectivity. Additional configuration changes are necessary post-onboarding to enable devices to
send status and telemetry information. Finally, some configuration commands are required for certain
Dashboard live tools, such as Port Cycling.

These configuration changes are performed by our cloud services using NETCONF or IOS-XE CLI
commands to the devices through the TLS tunnel established during the onboarding process.

To help you better understand the purpose and scope of these configuration changes, we have outlined the types of commands we could issue and their
purpose. We have also implemented safeguards within our configuration push services to limit the device commands that could be configured by our service. No
configurations to the devices can be run on devices unless they are in the Allowed Commands List.

Learn more with these free online training courses on the Meraki Learning Hub:

• The Journey to Cloud Management for Catalyst

• Cloud Monitoring for Catalyst

Sign in with your Cisco SSO or create a free account to start training.

When Will Dashboard Modify Device Configurations?

During Onboarding
When running the local onboarding application, configurations are pushed to the device over SSH from the onboarding application to establish communication
with Dashboard.

These configurations include:

• NETCONF for device configuration from Dashboard

• LLDP for Dashboard Network Topology
• SSH v2 with publickey authentication for cloud authentication
• Null static IP route for cloud IP address to prevent traffic that should be in the tunnel from falling back to default
route when the tunnel is down
• Local authentication group for Dashboard device access for SSH CLI and NETCONF through the TLS tunnel
• ACL for cloud ingress VTY access via SSH and allow only port 2222 for SSH
• ACL for cloud telemetry egress. Allow only port 2022 for SFTP to the cloud
• SSH rotary for the Dashboard VTY lines to listen port 2222 for Dashboard initiated SSH sessions
• VTY lines dedicated to device access from Dashboard and enable SSH to those VTY lines
• Local Meraki user with SSH Keys for SSH and NETCONF access from Dashboard

1
 • Crypto TLS Tunnel for secure device access from Dashboard

After Dashboard communication is established, Dashboard will access the device via the secure TLS tunnel using the meraki-user account over SSH and apply
the following configurations via NETCONF:

• Device Tracking Policy for collecting client data such as IP Address and MAC Address
• Syslog server (logging host) to allow Dashboard to receive device logs
• SNMP Server host to receive traps from devices
• SNMP Traps to aide Dashboard monitoring
• NetFlow records, monitors and exporters
• Model Driven Telemetry subscriptions that provide Dashboard with device operational data
• Interface Configurations:
◦ Assign the Device Tracking Policy
◦ Assign the Flow monitors (IPv4 and IPv6)

NetFlow configurations are only included for devices with DNA Advantage license. If a device license level is changed from DNA Essentials to
Advantage, the NetFlow configurations will be pushed to the device when cloud connectivity is resumed after device restart.

See Cloud Monitoring Detailed Device Configurations for the full commands of device configurations applied during onboarding.

Maintaining Cloud Monitoring Services

During normal operations, Dashboard will monitor devices at regular intervals for any changes to the configurations that are required for Cloud Monitoring
operations. When required configurations are missing or if the device configuration was changes, the Cloud Monitoring service will re-assess and apply the
appropriate configurations to ensure the device can properly be monitored in Dashboard.

Interface Updates
Dashboard will periodically monitor devices for new interfaces (including port-channels) configurations on the device and if detected will update these interface
configurations with the necessary device tracking policy and flow monitors (if applicable).

Off-boarding Devices From Cloud Monitoring

If a monitored Catalyst device is removed from Dashboard, all onboarding and telemetry configurations will be removed from the device by configuring and
running an EEM Script. The allowed commands list includes the "no" versions of the configurations that were performed on the device for onboarding and
telemetry in order to remove all cloud monitoring configurations from the device.

Allowed Commands

For the allowed NETCONF paths both "merge" and "remove" command operations are permitted. For CLI commands the "no" form of the CLI
commands are permitted. The "remove" and "no" functions allow Dashboard to remove Dashboard device configuration when the device is removed

2
 from Dashboard

This is a list of allowed NETCONF paths and CLI commands that can be configured on monitored Catalyst devices.

Model Driven Telemetry

Used to provide Dashboard with telemetry data, including bytes, packets and frame counters for all interfaces, CDP Neighbor Details, and Interface Client MAC
address. See Full Telemetry Configuration for a detailed telemetry configuration.

NETCONF paths: /edit-config/config/mdt-config-data.*

CLI commands:

telemetry ietf subscription <id>

encoding ...
filter ...
update-policy ...
receiver ip address <cloud ip address>
telemetry transform <transform name>
input table ...
field ...
join-key
logical -op and
type ...
uri ...
operation ...
filter ...
condition ...
field ...
logical-op and
logical-op next and
event ...
output-field
field ...
telemetry receiver protocol ...

Logging
A syslog server is configured through the tunnel to receive events from the device.

NETCONF paths:

/edit-config/config/native/logging/host
/edit-config/config/native/logging/host/ipv4-host-list

CLI command:

logging host <cloud ip address>

SNMP
SNMP configurations are used to inform the cloud when configuration changes occur to ensure that this is kept current in Dashboard and that monitoring

3
required missing changes can be detected.

NETCONF paths:

edit-config/config/native/snmp-server/enable/enable-choice/traps/{ config-copy|config-ctid|config|smart-licenseing/smart-license }
edit-config/config/native/snmp-server/host-config/ip-community/{ community-or-user|ip-address|version }

CLI commands:

snmp-server enable traps smart-license

snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server host <cloud ip address> version 2c public

Device Tracking
Device tracking is used to collect client information for devices connected to the switch.

NETCONF paths:

/edit-config/config/native/device-tracking/policy/{ tracking/enable|security-level/glean }
/edit-config/config/native/device-tracking/policy/protocol/udp
/edit-config/config/native/device-tracking/policy/word

CLI commands:

device-tracking policy MERAKI_POLICY

security-level glean
no protocol udp
tracking enable

NetFlow
For 9200 and 9300 series switches with Advantage licenses, NetFlow is used to provide AVC/client-level application data in Dashboard.

NETCONF paths:

/edit-config/config/native/flow
/edit-config/config/native/flow/exporter
/edit-config/config/native/flow/monitor
/edit-config/config/native/flow/file-export
/edit-config/config/native/flow/record

CLI commands:

flow record <monitor name>

match ...
collect ...
flow monitor <record name>
exporter ...
cache ...
record ...
flow exporter <exporter name>
destination ...
export-protocol ...
option ...
flow file-export default

4
 destination <cloud ip address>
file ...

Interfaces
Interfaces include device tracking policy to collect client information, as well as NetFlow monitors when applicable.

NETCONF paths:

/edit-config/config/native/interface/{ interface }/device-tracking/attach-policy

/edit-config/config/native/interface/{ interface }/ip(v6) /flow/monitor-new/{ name|direction }
/edit-config/config/native/interface/{ interface }/name
/edit-config/config/native/interface/{ interface }/shutdown

CLI commands:

interface {*GigabitEthernet | *GigE | Port-channel } [range]

device-tracking attach-policy <policy name>
ip flow monitor <monitor name> input
ip flow monitor <monitor name> output
ipv6 flow monitor <monitor name> input
ipv6 flow monitor <monitor name> output
shutdown
exit

Interface shutdown command is allowed as it is sent to the device when using the Dashboard Cycle Port tool to disable and re-enable a port.

The "no" command s NOT permitted for interface {*GigabitEthernet | *GigE | Port-channel } [range]

IP Route
This route ensures that any traffic to Dashboard is not sent unless the TLS tunnel is established.

NETCONF paths:

/rpc/edit-config/config/native/ip/route/ip-route-interface-forwarding-list/{ prefix|mask }
/edit-config/config/native/ip/route/ip-route-interface-forwarding-list

CLI commands:

ip route <cloud ip address> 255.255.255.255 Null0

Shell CLI Commands

These commands are used to enter configuration mode when required to apply the relevant configurations.

enable
exit
end
conf t (lock)
config terminal (lock)
config t (lock)
write memory

5
 y|yes
do-exec clear line

TLS Tunnel
These commands are performed by the onboarding application during device setup to remove extraneous configuration from previous connections to Cloud
Monitoring. They are also included in the allowed commands list for offboarding devices from Cloud Monitoring.

CLI commands:

no crypto tls-tunnel <cloud tunnel>

no crypto pki trustpoint <cloud CA trustpoint>

Users and AAA

CLI commands:

no username meraki-user
no authorization exec MERAKI
no login authentication MERAKI

SSH
CLI commands:

no ip ssh port <port_rotary> 50

ip ssh pubkey-chain

Access List
CLI commands:

no ip access-list extended <dashboard access-list>

Loopback
CLI commands:

no interface Loopback <number>

VTY
CLI commands:

line vty <dashboard vty lines>

no rotary 50
no access-class <acl name> (in|out)

EEM Scripts
Allowed EEM Script Commands

event manager environment _match default

event manager applet MERAKI-DASHBOARD-CLEANUP authorization bypass

6
 event none
event timer { watchdog|countdown } time [seconds] maxrun [seconds]
action [ name ] { if | else | end | exit | continue | elseif | wait | puts }
action [ name ] string match
action [ name ] string replace
action [ name ] foreach
action [ name ] regexp
action [ name ] syslog msg
action [ name ] set
action [ name ] cli command "show"
action [ name ] cli command "enable"
action [ name ] cli command "monitor capture meraki_capture export flash:meraki_capture_{}_event_pub_sec.pcap"
action [ name ] cli command "config terminal"
action [ name ] cli command "end"
action [ name ] cli command "config terminal lock"
action [ name ] cli command "configure replace flash:[file name] force"
action [ name ] cli command "ping"
action [ name ] cli command "pnpa serv internal [service-control]"
action [ name ] cli command "pnpa service reload as-is asap\"
action [ name ] cli command "dir .*"
action [ name ] cli command "confirm \\yes"
action [ name ] cli command "(do-exec) delete /force /recursive flash:MERAKI-DASHBOARD-CLEANUP.log"
action [ name ] cli command "do-exec show logging last 200 | redirect flash:MERAKI-DASHBOARD-CLEANUP.log\"
action [ name ] cli command "no event manager appletMERAKI-DASHBOARD-CLEANUP "

Dashboard Configuration Clean Up EEM Script

When you remove your Catalyst device from Dashboard, an EEM script will configured and executed on the device to remove all previous configurations that
were applied to the device for Dashboard operations.

Example Clean Up EEM Script

event manager applet MERAKI-DASHBOARD-CLEANUP authorization bypass

event timer watchdog time 10 maxrun 600
action 000A cli command "enable"
action 000B cli command "show event manager policy active | s MERAKI-DASHBOARD-CLEANUP"
action 000C string match "*MERAKI-DASHBOARD-CLEANUP*MERAKI-DASHBOARD-CLEANUP*" "$_cli_result"
action 000D if $_string_result eq "1"
action 000E exit 0
action 000F end
action 002A cli command "show event manager statistics policy | i MERAKI-DASHBOARD-CLEANUP"
action 002B regexp ".*applet\s+([0-9]+)\s+.*" "$_cli_result" _match _run_times
action 002C if $_regexp_result eq "1"
action 002D if $_run_times gt "60" goto 1000
action 002E end
action 0040 string replace "$_string_result" 0 0 "!Start running%config terminal lock !retry_regex*is locked
by*!%!Removing brownfield device config%no snmp-server enable traps smart-license%no snmp-server enable traps
config-copy%no snmp-server "
action 0041 string replace "$_string_result" 196 196 "enable traps config-ctid%no snmp-server enable traps
config%no telemetry ietf subscription 1030%no telemetry ietf subscription 1031%no telemetry ietf subscription
1001%no telemetry ietf subscripti "
action 0042 string replace "$_string_result" 392 392 "on 1002%no telemetry ietf subscription 1003%no telemetry
ietf subscription 1004%no telemetry ietf subscription 1007%no telemetry ietf subscription 2002%no telemetry
ietf subscription 1011%no telem "
action 0043 string replace "$_string_result" 588 588 "etry ietf subscription 1012%no telemetry ietf

7
subscription 1013%no telemetry ietf subscription 1014%no telemetry ietf subscription 1015%no telemetry ietf
subscription 1016%no telemetry ietf subscr "
action 0044 string replace "$_string_result" 784 784 "iption 1018%no telemetry ietf subscription 1020%no
telemetry ietf subscription 1021%no telemetry transform MERAKI_INTF_STATS_DELTA%no telemetry transform
MERAKI_PORTCHANNEL_STATS_DELTA%no device-t "
action 0045 string replace "$_string_result" 980 980 "racking policy MERAKI_POLICY%interface range
GigabitEthernet1/0/1-36,TenGigabitEthernet1/0/37-47,TenGigabitEthernet1/1/1-4 !exit!% no ip flow monitor
MERAKI_AVC_IPV4 output% no ipv6 flow monitor M "
action 0046 string replace "$_string_result" 1176 1176 "ERAKI_AVC_IPV6 input% no ipv6 flow monitor
MERAKI_AVC_IPV6 output% no ip flow monitor MERAKI_AVC_IPV4 input%exit%no flow monitor MERAKI_AVC_IPV4%no flow
monitor MERAKI_AVC_IPV6%no flow record MERA "
action 0047 string replace "$_string_result" 1372 1372 "KI_AVC_HTTP_SSL_IPV4%no flow record
MERAKI_AVC_HTTP_SSL_IPV6%no flow exporter MERAKI_AVC%no flow file-export default%no snmp-server host
18.232.244.158 traps version 2c public%no logging host 18.2 "
action 0048 string replace "$_string_result" 1568 1568 "32.244.158%no ip route 18.232.244.158 255.255.255.255
Null0%!Removing tls config%no crypto tls-tunnel MERAKI-PRIMARY%no crypto pki trustpoint
MERAKI_TLSGW_CA%!Removing user config%no username mera "
action 0049 string replace "$_string_result" 1764 1764 "ki-user%ip ssh pubkey-chain !exit!%no username meraki-
user%exit%no ip ssh port 2222 rotary 50%no ip access-list extended MERAKI_VTY_IN%no ip access-list extended
MERAKI_VTY_OUT%no interface Loopba "
action 004A string replace "$_string_result" 1960 1960 "ck1000%!Clearing VTY lines%do-exec clear line 32%do-
exec clear line 33%!Removing VTY config%line vty 32 33 !exit!%no rotary 50%no access-class MERAKI_VTY_IN in%no
access-class MERAKI_VTY_OUT out%n "
action 004B string replace "$_string_result" 2156 2156 "o authorization exec MERAKI%no login authentication
MERAKI%exit%no event manager applet MERAKI-DASHBOARD-CLEANUP%end%write memory%!Finish running "
action 0060 set _exit_able "0"
action 0061 set _has_error "0"
action 0064 foreach _cmd_data "$_string_result" "%"
action 0065 regexp "^\s*(!.*)" "$_cmd_data" _match _msg
action 0066 if $_regexp_result eq "1"
action 0067 syslog msg "$_msg"
action 0068 else
action 0069 regexp ".*!exit!*." "$_cmd_data" _match
action 006A set _exit_flag "$_regexp_result"
action 006B regexp ".*!retry_regex([^!]+).*" "$_cmd_data" _match _retry_regex
action 006C set _retry_able "$_regexp_result"
action 006D regexp "([^!]+).*" "$_cmd_data" _match _cmd
action 006E if $_cmd eq "exit"
action 006F if $_exit_able ne "1"
action 0070 syslog msg "skip run 'exit'"
action 0071 continue
action 0072 else
action 0073 set _exit_able "0"
action 0074 end
action 0075 end
action 0076 syslog msg "$_cmd"
action 0077 cli command "$_cmd" pattern "confirm|yes|#"
action 0078 regexp ".*(yes|confirm).*" "$_cli_result" _match
action 0079 if $_regexp_result eq "1"
action 007A syslog msg "y"
action 007B cli command "y" pattern "confirm|yes|#"
action 007C elseif $_retry_able eq 1
action 007D string match "$_retry_regex" "$_cli_result"
action 007E if $_string_result eq "1"

8
action 007F syslog msg "Exit with error, will start to retry after 10~20 seconds\n$_cli_result"
action 0080 wait 10
action 0081 exit 1
action 0082 end
action 0083 end
action 0084 string match nocase "*%*" "$_cli_result"
action 0085 if $_string_result eq "1"
action 0086 syslog msg "$_cli_result"
action 0087 string match nocase "*^*" "$_cli_result"
action 0088 if $_string_result eq "1"
action 0089 set _has_error "1"
action 008A end
action 008B elseif $_exit_flag eq 1
action 008C set _exit_able "1"
action 008D end
action 008E end
action 0200 end
action 0201 cli command "del /f /r flash:MERAKI-DASHBOARD-CLEANUP.log"
action 0202 if $_has_error ne "0" goto 1105
action 0203 exit 0
action 1000 syslog msg "force exit, as script looping over max times"
action 1101 cli command "end"
action 1102 cli command "config terminal lock"
action 1103 cli command "no event manager applet MERAKI-DASHBOARD-CLEANUP"
action 1104 cli command "do-exec del /f /r flash:MERAKI-DASHBOARD-CLEANUP.log"
action 1105 cli command "do-exec show logging last 200 | redirect flash:MERAKI-DASHBOARD-CLEANUP.log"
action 1200 exit 0