Catalyst Switches - Hybrid Operating Mode - Questions and Concerns

FCU_JE
Here to help

I just learned about this change yesterday and have reviewed the available documentation. I have several questions around this seeing as Cisco looks to be wanting to move very quickly on this (terminating existing cloud monitoring end of Jan/2026).

1. 17.15.3 is noted as the minimum required version, but this version is still marked as Early Deployment. What is Cisco's timeline for this version (or a future interoperable version) to be GD/MD?
2. The configuration documentation notes that the HTTP server is going to be enabled.
   1. Is this absolutely required for Meraki to manage the switch? From a purely "don't enable services you don't require" perspective, I really don't like this configuration without strong justification. That web UI is bound to be exposed long-term to security vulnerabilities.
   2. If the HTTP server is required, can Meraki at least consider adding an access-class similar to the vty lines?
3. One of the prerequisite configurations for cloud monitoring for Catalyst switch onboarding to Meraki is `ip routing`, but this is not listed as a prereq in the configuration documentation. Can customers migrating to hybrid operating mode remove `ip routing` as a configuration, or is it recommended to maintain that configuration?

Thanks.

PhilipDAth
Kind of a big deal

From Meraki's perspective, with the feature set that Meraki uses, 17.5.3 is the next stable release candidate. It is listed as being released on April 8, 2025.

My personal guess - I would expect it to remain a candidate for between 3 and 6 months.


It won't transition to a stable candidate until 10% to 20% of the global fleet are running it and it is working with a low issue count. This is not a hard-and-fast rule, but rather a general guideline. You can read about the release process here.

https://documentation.meraki.com/General_Administration/Firmware_Upgrades/Meraki_Firmware_Release_Pr...

2. I am not entirely sure about this for IOS-XE, but usually, if you disable the local status page, it also disables the HTTP server.

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Me...

You could also put the switch management interface on a VLAN that no one can get to.

For onboarding, I would follow the instructions outlined in the document exactly. The config is going to change when onboarded anyway. 🙂

FCU_JE
Here to help

Separating my reply by rough topic. I'll add the disclaimer here that I'm still extremely new to Catalyst management/monitoring via Meraki, so I operate from ignorance here.

Firmware:

That makes some sense. I guess I'm not clear on the connection of what Meraki considers stable vs what the IOS-XE Cisco devs consider stable/GD. I think I'm going to test/try it out and see how it goes.

Local Status Page/HTTP(S) server:

Don't think that article applies here, quote:

Catalyst switches onboarded for Cloud Monitoring will continue to run IOS firmware, which does not support access to the local status page. However, Catalyst switches operating in Meraki-managed mode will run CS firmware, which does support access to the local status page.

In this case we're not talking about CS firmware so I doubt that applies here. Yes, SVI will help but not truly minimize exposure. Again, some indication from Meraki why this is required/justified would be nice.

Onboarding/Migrating:

Without any other info to go on, I'll just leave `ip routing` untouched, but all the same, it would be nice to have clarity, as currently neither of the following articles references it.

https://documentation.meraki.com/MS/Cloud-Native_IOS_XE/Upgrading_Cloud-Monitored_Switches_to_Hybrid...

https://documentation.meraki.com/MS/Cloud-Native_IOS_XE/Hybrid_Operating_Mode_Switches_Configuration

Paccers
Building a reputation

I connected a lab L2 9200L on 17.15.3, which just uses an `ip default-gateway` command instead of `ip routing`, so I think that prerequisite has been removed.

I echo the comment about not using an ACL, at least if the HTTP server MUST be enabled.

I also found that after removing the switch from Dashboard the configs were not rolled back at all, so I'd have to either manually remove the specific configs or reconfigure from scratch.
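
As an added illustration of the two configuration points raised in this thread (an access-class on the HTTP server, as asked in the original post, and `ip default-gateway` in place of `ip routing` on a Layer 2 switch, as Paccers observed), here is an IOS-XE configuration fragment. It is example configuration written for this thread, not from Meraki's documentation and not part of the hybrid operating mode onboarding template; the ACL name `MGMT-ONLY`, the VLAN 10 management SVI, and the 10.10.10.0/24 addresses are constructed placeholders, and the `ip http access-class ipv4` form is assumed to be available on the 17.15.3 release discussed here.

```cisco
! Added example (constructed for this thread, not Meraki's onboarding config).
! A single standard ACL restricts the management plane: the same source
! subnet is allowed to reach the HTTP(S) server and the vty lines.
! MGMT-ONLY and 10.10.10.0/24 are placeholders.
ip access-list standard MGMT-ONLY
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! Web server: if onboarding requires it enabled, at least bind it to the ACL
ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
! vty lines: the access-class the original post compares against, SSH only
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
!
! Layer 2 management reachability on a constructed SVI: default gateway
! instead of enabling ip routing, as seen on the lab 9200L
interface Vlan10
 description Management SVI (placeholder)
 ip address 10.10.10.5 255.255.255.0
 no shutdown
!
ip default-gateway 10.10.10.1
```

Since PhilipDAth notes that the configuration changes during onboarding, and Paccers found that offboarding does not roll configuration back, a practical check is to compare `show running-config | section http|vty|default-gateway|ip routing` before onboarding, after onboarding, and after any offboarding test, and confirm that the ACL lines survived each step and that the Dashboard connection still works with them in place.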

FCU_JE
Here to help

Thanks for doing some testing. That doesn't inspire me with a lot of confidence that it's a clean offboard experience. From your report it seems hybrid operating mode needs some more time in the oven. I hope to complete some of my own testing today, but no guarantees that I'll be able to do that testing, let alone report back.

FCU_JE
Here to help

I've made a new post over at https://community.meraki.com/t5/Switching/Catalyst-Cloud-Monitoring-Offboarding-Feedback/m-p/271271#... with one result from my initial testing of offboarding from cloud monitoring specifically.

I have a lot more testing to do, but generally, over the last few work days I can only say that Meraki is really not impressing me with their Catalyst monitoring: very sluggish to respond to changes that I make to the switch stacks. Fingers crossed Cloud-Native/hybrid operating mode is a lot better.
