Skip to main content

Cisco Meraki Discovery

The Infracast Cisco Meraki plugin connects to the Meraki Dashboard API to enumerate organizations, networks, devices (switches, access points, security appliances), and active network clients. Authentication uses a Meraki API key — no on-premises collector agent is required.

How It Works

  1. Infracast authenticates to api.meraki.com using your Meraki API key
  2. The plugin discovers all organizations the API key has access to (or the configured subset)
  3. For each organization, it enumerates networks and the devices assigned to them
  4. Active clients seen on each network (within the last 24 hours) are also collected
  5. Topology links between devices are discovered via the Meraki network topology endpoint

Prerequisites

  • A Meraki Dashboard account with Read Only or higher organization access
  • Meraki API access enabled on the organization (Organization → Settings → Dashboard API access → Enable access)
  • Infracast collector must have outbound HTTPS access to api.meraki.com (TCP/443)

Generating a Meraki API Key

  1. Log into the Meraki Dashboard
  2. Navigate to your profile: [user icon] → My profile
  3. Scroll to API access and click Generate new API key
  4. Copy and store the key securely — it is only shown once
tip

Create a dedicated Meraki Dashboard user (e.g. infracast-readonly@example.com) with Read Only organization access and generate the API key under that account. This limits blast radius if the key is ever compromised.

Registering the Credential in Infracast

infracast creds add \
  --plugin meraki \
  --name "meraki-prod" \
  --type api-key \
  --api-key-file /run/secrets/meraki-api-key

Configuring the Discovery Job

infracast.yaml
discovery:
  jobs:
    - name: meraki-org-discovery
      plugin: meraki
      credential: meraki-prod
      schedule: "0 */4 * * *"    # every 4 hours
      config:
        # Optional: limit to specific org IDs. Leave empty to discover all orgs.
        org_ids:
          - "123456"
          - "789012"

        # Optional: Meraki API base URL (default: https://api.meraki.com/api/v1)
        base_url: "https://api.meraki.com/api/v1"

        # Discover active clients seen in the last N seconds (default: 86400 = 24h)
        client_timespan_seconds: 86400

        # Discover network topology links
        discover_topology: true

What Gets Discovered

Resource TypeDescription
meraki.organizationMeraki organization (name, ID, URL)
meraki.networkNetwork within an org (name, product types, timezone, tags)
meraki.switchMS-series switch (model, serial, firmware, IP, ports)
meraki.apMR-series access point (model, serial, firmware, IP, radio config)
meraki.applianceMX-series security appliance (model, serial, firmware, IP)
meraki.cameraMV-series camera (model, serial, firmware)
meraki.deviceAny other Meraki device not matching above categories
meraki.clientNetwork client seen in last 24h (MAC, IP, VLAN, SSID, description)

Edges are created to represent containment relationships: clients → networks → organizations, devices → networks.

Troubleshooting

401 Unauthorized from API

Symptom: Error: API request failed: 401 Unauthorized

Checks:

  1. Verify the API key is correct and has not been revoked
  2. Confirm the API key user has access to the target organization
  3. Verify API access is enabled: Organization → Settings → Dashboard API access
# Test the API key manually
curl -s -H "X-Cisco-Meraki-API-Key: YOUR_API_KEY" \
  https://api.meraki.com/api/v1/organizations | jq '.[].name'

429 Too Many Requests (rate limiting)

Symptom: Logs show 429 responses; discovery is slow or incomplete

Cause: Meraki API is rate-limited to ~10 requests/second per org. Large deployments with many networks hit this easily.

Fix: Reduce job frequency and enable incremental mode:

config:
  api_rate_limit_rps: 5       # default: 10
  incremental: true

Clients not appearing

Symptom: Devices are discovered but no clients show up

Checks:

  1. Clients are only returned for networks with active devices
  2. Ensure client_timespan_seconds covers the expected activity window
  3. Verify the API key user has access to the specific networks

Some organizations missing

Symptom: Only a subset of organizations appears

Checks:

  1. Verify the API key user has the expected org access in the Meraki Dashboard
  2. If org_ids is configured, confirm the correct IDs are listed
# List all orgs accessible by your key
curl -s -H "X-Cisco-Meraki-API-Key: YOUR_KEY" \
  https://api.meraki.com/api/v1/organizations | jq '.[] | {id, name}'