Training Manual
Introduction
You have recently been hired to manage the IT systems for a local,
family-owned coffee and sandwich shop in San Francisco. Mission
Sandwiches has managed to survive with a consumer ISP-provided
gateway for many years, but the recent rise in online orders, increased
sales, and the demand for guest Internet access has them excited
about an enterprise solution.
As their new IT admin, you suggest that Mission Sandwiches try Cisco
Meraki as a solution that will not only fit their needs now, but can
also scale with them as they grow their existing location or expand to
multiple locations.
In order to get started, you've decided to equip them with some
Meraki gear.
Your Site
1 x MX80 - Security Gateway
1 x MS220-24P - 24 port Gigabit PoE Switch (with 4 SFP ports)
1 x MR32 (or MR26) - triple-radio 802.11ac (or 802.11n) wireless access point
4 x CAT5e Cable - 3' Ethernet patch cable
1 x iPad - Apple iPad tablet
Dashboard Access
Your Dashboard login credentials (where n is your lab station number):
Site: dashboard.meraki.com
Username: labn@meraki.com.test
Password: meraki123
Apple ID Information
The iPad may ask you to login with Apple ID credentials when installing apps:
Username: partner.training@meraki.com
Password: Meraki2016
Important note: Be sure you are selecting the correct Organization for your CMNA session.
Your instructor will provide the correct session number.
Please take note of how your lab station is arranged, and keep all the components at your
lab station, as you will be asked to reset it to exactly the way you found it.
Network Diagram
VLAN 1
Name: Native
Subnet: 10.0.[n].0/24
Gateway (MX IP): 10.0.[n].1
VLAN 100
Name: Corporate
Subnet: 10.0.[100+n].0/24
Gateway (MX IP): 10.0.[100+n].1
VLAN 200
Name: Voice
Subnet: 10.0.[200+n].0/24
Gateway (MX IP): 10.0.[200+n].1
Where n is your lab station number.
Make sure you are connected to the CMNA wireless network (DO NOT connect
your computer to MX via Ethernet yet). Disable any client VPN software running
on your laptop.
3. Under the Security Appliance > Monitor > Appliance status tab, edit the
configuration to change the name of your MX security appliance to Lab [n]
Security Appliance and update the physical address to your current city.
4. Blink the LEDs of the MX to make sure you're configuring the correct stack.
5. Since this network is pretty basic, you don't need to segment it into VLANs.
However, you will need to update the default addressing space to match the
table below:
Note: Make sure you disable your wireless card before testing the step below.
7. Plug your computer into LAN port 4 on the MX and confirm that you get a DHCP
lease in the IP space you configured previously. You can do this by navigating to
wired.meraki.com, the local status page hosted on the MX.
Note: The Access switch you are setting up is the bottom switch in your stack.
1. Navigate to the Switch > Switches page. Select your switch and rename it
ACCESS and update the physical address to your current city.
2. On the Switch ports page, rename port 1 WIRELESS and port 24 UPLINK.
3. Using one of your patch cables, connect port 24 on your switch to port 2 on the
MX Security Appliance.
2. Rename the access point Lab [n] AP and update the physical location to your
current city.
3. On the AP details page, you should be able to see how the AP is connected back
into the network. Confirm the AP is plugged into port 1, and click the port. This
should bring you to the details page for port 1 on your switch.
4. Ensure that your AP is connected at 1 Gbps to a trunk port with native VLAN 1,
all VLANs allowed.
On the Wireless > SSIDs tab, rename the only enabled SSID to Lab [n] GUEST.
4. The AP itself should handle DHCP for this SSID, so ensure NAT mode is enabled.
5. On the Wireless > Firewall and traffic shaping page, apply a bandwidth limit of
500 Kbps per device to prevent guests from hogging all of the bandwidth.
6. Guests shouldn't have any access to internal resources, so Deny all traffic to the
Local LAN.
The owners don't want guests to be able to access the SSID outside business hours, so
you decide to take advantage of the SSID availability feature.
Note: Make sure to set & verify your local network time zone.
7. On the SSID availability page, enable Scheduled availability for business hours
only (8:00 - 19:00 (7 pm)).
8. Disconnect the Ethernet cable from your laptop. Connect to your new guest
SSID.
9. Confirm the bandwidth limit you set in Step 5 is functioning using a site like
speedtest.net and check your IP information.
Note: After testing, make sure you connect back to the CMNA SSID so your laptop
isn't subject to the 500 Kbps limit for the rest of the lab.
In order to better track sales and make transactions more efficient, the owners have
expressed interest in utilizing an iPad as a Point-of-Sale system. You will enroll the
iPad and set up a group policy to test the viability of this solution.
Cisco Meraki's Systems Manager mobile device management (MDM) platform is
an enterprise-grade solution that will allow you to manage the iPad from the same
Dashboard you use to manage the rest of your Meraki networking gear.
On your iPad, make sure you are connected to the CMNA SSID. Open the
Safari browser. Navigate to m.meraki.com, and enter your network ID from
Dashboard.
Hint: Your Network ID can be found by clicking the blue Add devices button in the
clients section.
3. Verify that you can see your iPad client in Dashboard under Monitor > Clients.
Click on your device and check the available battery and storage space.
4. When prompted to install the Meraki SM app on your iPad, click Install.
2. Set up a Custom firewall and shaping rule to block all Social web and Gaming
websites.
3. We won't apply the group policy to a client yet. That will come in a later section.
Great Job!
You've completed the setup for your small, single location and have a full Meraki
network up and running. The cash register and credit card machine can get secure
access via their wired connections, and guests have isolated, Internet-only access.
Feel free to move onto the next section prior to the product overview section or
feel free to complete the following bonus exercise:
Create a MAC Whitelist entry on ports 2-10 on the access switch using a MAC
address of aa:bb:cc:aa:bb:cc. Test it by plugging your laptop into one of those
switch ports. Your laptop shouldn't get an IP address or be able to pass any
traffic.
CMNA technical training
Note: To connect back to Dashboard connect your laptop back to port 4 on the MX.
1. Enable VLANs on the Security Appliance. Create two new VLANs: Corporate and
Voice, based on the subnet information below:
VLAN 100
Name: Corporate
Subnet: 10.0.[100+n].0/24
Gateway (MX IP): 10.0.[100+n].1
VLAN 200
Name: Voice
Subnet: 10.0.[200+n].0/24
Gateway (MX IP): 10.0.[200+n].1
Where n is your lab station number.
2. Verify that all ports in the per-port VLAN configuration on the MX are enabled
and set as trunks for the native VLAN and all VLANs are allowed.
3. On the DHCP page, verify that DHCP is running for each of the new VLANs you
set up.
4. You'll want to make sure you save some IP addresses for your internal use.
Reserve DHCP addresses .1-.20 on the native VLAN for that use.
Navigate to settings in your Systems Manager network found on the left side of
Dashboard in the network listing.
2. On the Settings tab, click the large + icon to create a New Meraki managed
profile.
3. Name the profile Cashier iPads and define the Scope to apply the profile to
devices with any of the following tags.
4. In the Device tags section, create a cashier tag and Save Changes at the bottom
of the page.
Hint: To create the tag, you will need to select the add option link after typing in the
desired tag string.
5. Navigate to Systems Manager > Settings and add a passcode requirement on the
device: simple value, alphanumeric, a minimum length of 6 characters, and at least 1
complex character.
6. Since the iPad will only be used for transactions, make sure that the camera is
disabled and that screenshots are not allowed.
7. Apply the cashier tag to the iPad you enrolled previously to push the profile to
the device.
8. Navigate to the home screen. When prompted, set the passcode to "abc123!"
without the quotes. Make sure you cannot take a screenshot on the iPad.
Note: The Core switch you are setting up is the top switch in your gear stack.
1. On the Switch > Switches page, click the Add Switches button on the top right,
above the list of available switches.
2. Now on the Inventory page, claim your Core switch into the Organization using
the serial number on the front or back of the device. This option can be found at
the right of the page.
3. Select your switch and add it to your Lab station switching network.
4. Rename your new switch CORE and update the physical address to your
current city.
On the Monitor > Switch ports page, rename port 24 on your Core switch to
MX80. This is the port you'll use to uplink your new core switch directly to the
MX Security Appliance.
Hint: Use the search bar to easily find the ports for your newly-named Core switch.
2. You also want increased throughput from your Access switch to the Core.
Aggregate ports 20 and 21 on your Core switch and rename the aggregate port
to Access.
Hint: You can use the help link next to the search box on the Switch ports page to
learn the syntax necessary to search only for ports 20 and 21.
3. Using the same search string, aggregate ports 20 and 21 on the Access switch.
Rename the aggregate port to Core.
4. Physically connect ports 20/21 on both switches, and disconnect the uplink from
the MX to your Access switch. Going forward, traffic from the access layer should
flow through the Core before getting to the Security Appliance, so connect port
24 on your Core switch to port 3 on the MX.
5. On the port status page in Dashboard, verify that you're getting 2 Gb/s between
your switches rather than the standard 1 Gb/s.
In the same manner that you searched for ports using virtual stacking in Exercise
4, select ports 2-5 on your Access switch and configure these selected ports as
access ports on VLAN 100. Name each port DATA.
2. Now, select ports 6-10 on your Access switch and configure them as access ports
on VLAN 200, with each port named as VoIP.
Note: We are not using the Voice VLAN field yet. We will use that in a later exercise.
3. Select only the access ports labeled DATA and VoIP (ports 2-10) and enable
BPDU Guard to protect against non-authorized switches. Be sure that you do
not enable this on your trunk ports or on your uplink ports as it will break the
connection between your switches.
Hint: You can search for is:access to find all of your access ports.
Verify that RSTP is enabled for your switch. For more information on RSTP, refer
to the Meraki RSTP Documentation.
2. Update the Core switch bridge priority to ensure that it will always remain the
root switch in the network.
3. Verify that Core was indeed elected as the root switch for your campus.
Configure ports 11-15 on the Access switch as access ports to VLAN 100 with
a Voice VLAN configured as VLAN 200 and name them Workstation as these
ports will be used for desks using both a computer and a phone.
2. Once configured, plug your laptop into port 11 on the Access switch to bring the
port up.
4. Use the live packet capture tool to stream a high verbosity packet capture on
port 11 to Dashboard with a filter expression of:
This capture should contain evidence that your voice VLAN is working properly.
Hint: The filter expression will filter for LLDP advertisements that show the switch is
advertising the Voice VLAN for the applicable ports. Once the capture is complete,
search the page for the Application Type field under the Network Policy subtype. If
nothing appears, try the capture again. If you still don't see anything, verify your port
configuration with your instructor.
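The hint above relies on the LLDP-MED Network Policy TLV. As an added example that is not part of this lab manual, the following Python decoder walks the TLVs of a captured LLDP frame and pulls out the voice VLAN the switch advertises; the sample frame is constructed here (the MAC addresses and port name are made up) to stand in for what the capture on port 11 should contain.

```python
import struct

# LLDP frame layout constants (IEEE 802.1AB; LLDP-MED from ANSI/TIA-1057)
LLDP_ETHERTYPE = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG_SPECIFIC = 0, 1, 2, 3, 127
LLDP_MED_OUI = b"\x00\x12\xbb"      # TIA OUI carried by every LLDP-MED TLV
MED_NETWORK_POLICY = 2              # LLDP-MED subtype: Network Policy TLV
APP_TYPES = {1: "Voice", 2: "Voice Signaling", 3: "Guest Voice",
             4: "Guest Voice Signaling", 5: "Softphone Voice",
             6: "Video Conferencing", 7: "Streaming Video", 8: "Video Signaling"}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a big-endian 16-bit header."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(lldpdu):
    """Yield (type, value) pairs from an LLDPDU, stopping at the End-of-LLDPDU TLV."""
    offset = 0
    while offset + 2 <= len(lldpdu):
        header, = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = lldpdu[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")   # malformed frame: refuse rather than guess
        if tlv_type == TLV_END:
            return
        yield tlv_type, value
        offset += 2 + length


def network_policies(frame):
    """Decode every LLDP-MED Network Policy TLV in an untagged Ethernet frame."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        return []
    policies = []
    for tlv_type, value in iter_tlvs(frame[14:]):
        if tlv_type != TLV_ORG_SPECIFIC or len(value) < 8:
            continue
        if value[:3] != LLDP_MED_OUI or value[3] != MED_NETWORK_POLICY:
            continue
        bits, = struct.unpack("!I", value[4:8])   # app(8) U(1) T(1) X(1) VLAN(12) prio(3) DSCP(6)
        policies.append({"application": APP_TYPES.get(bits >> 24, "Reserved"),
                         "unknown_policy": bool((bits >> 23) & 1),
                         "tagged": bool((bits >> 22) & 1),
                         "vlan": (bits >> 9) & 0xFFF,
                         "l2_priority": (bits >> 6) & 0x7,
                         "dscp": bits & 0x3F})
    return policies


def voice_vlan(frame):
    """Return the tagged VLAN advertised for Voice, or None if no usable Voice policy is present."""
    for p in network_policies(frame):
        if p["application"] == "Voice" and p["tagged"] and not p["unknown_policy"]:
            return p["vlan"]
    return None


# Constructed sample: a switch port advertising voice VLAN 200, L2 priority 5, DSCP 46 (EF).
SWITCH_MAC = bytes.fromhex("0018e7000001")   # made-up source MAC
SAMPLE_FRAME = (bytes.fromhex("0180c200000e") + SWITCH_MAC + struct.pack("!H", LLDP_ETHERTYPE)
                + tlv(TLV_CHASSIS_ID, b"\x04" + SWITCH_MAC)       # chassis subtype 4 = MAC address
                + tlv(TLV_PORT_ID, b"\x05" + b"11")               # port subtype 5 = interface name
                + tlv(TLV_TTL, struct.pack("!H", 120))
                + tlv(TLV_ORG_SPECIFIC, LLDP_MED_OUI + bytes([MED_NETWORK_POLICY])
                      + struct.pack("!I", (1 << 24) | (1 << 22) | (200 << 9) | (5 << 6) | 46))
                + tlv(TLV_END, b""))

if __name__ == "__main__":
    print("advertised voice VLAN:", voice_vlan(SAMPLE_FRAME))
```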
2. Create a new schedule named Power Saving to turn off ports during non-business
hours (assume a work schedule of 8:00 - 19:00 (7 pm)).
3. Apply the port schedule to ports 6-10 on your Access switch (your VoIP ports).
Do not apply it to your switch's uplink ports.
Note: Be sure the correct local time zone is set on the network.
3. This network needs access to your internal resources, so put it in Bridge mode
under client IP assignment.
4. Use VLAN tagging and assign all APs to VLAN 100 for the Corp SSID.
8. Use Cisco Meraki's traffic shaping rules to set a 500 Kbps limit on software
updates to limit unnecessary background resource utilization and throttle
YouTube traffic to 20 Kbps up/down.
9. Take it one step further and show management Cisco Meraki's layer 7 firewall
rules. Deny applications: iTunes and Peer-to-Peer. Finally, deny HTTP hostname
of espn.com.
10. Navigate to Network-wide > Users. The credentials you used to log into
Dashboard will be automatically populated. Authorize your lab [n] account to
grant it the ability to be used to login on the configured splash page.
11. Connect to your new Corporate SSID and confirm that the YouTube site is very
slow to load.
2. Create a new traffic shaping rule to give VoIP and video traffic unlimited
bandwidth and High priority on the network.
Note: The goal of this is not to limit VoIP traffic but rather to prioritize it. For more
information on how the priority is calculated, refer to the Traffic Priorities KB article.
In Systems Manager, push the Square Register app to any device with the
cashier tag.
Many basic security threats can be taken care of simply by blocking access to
risky websites. Create content filtering rules to block the following categories:
Bot Nets, Confirmed Spam, Malware Sites, Spyware & Adware.
3. Peer-to-peer traffic on the network presents a security threat and can also hog
valuable bandwidth on the network. Create a Layer 7 firewall rule on your MX to
block all Peer-to-peer and Web file sharing traffic.
4. In order to cover threats that may be arriving via malicious methods, enable
Malware detection and Intrusion Detection and Prevention (IDS/IPS). For now, a
Balanced approach to blocking threats should be sufficient.
Nice Work!
In that short amount of time you connected a core switch, set up link aggregation for
higher switch capacity and density in the corporate environment, and configured
RSTP for your switch fabric to reduce unnecessary broadcast overhead on the
network. You also created a port schedule and configured port security for better
power and port management.
Furthermore, you created a Corporate SSID to support the ever-growing needs of
wireless devices on the network.
Feel free to move onto the next lab if you are finished prior to the Distributed
Enterprise presentation or you can add additional security to the network in the
following bonus exercises:
10.0.[n].2/24
Access: 10.0.[n].3/24
1. Set the static IP addresses on the Access switch first and then the Core switch
and verify both still have connectivity to the cloud.
Corporate policy now favors 802.1X port authentication in place of local MAC
whitelisting. We now need to configure an 802.1X access policy and place
that on the ports that originally had MAC whitelisting in place.
3. Name the access policy Lab [n] RADIUS where n is your lab station number.
4. Configure an access policy with two RADIUS servers using the information
below. The access policy should have the following attributes:
Host (1): 10.0.60.10
Host (2): 10.0.70.10
Port (1 & 2): 1812
Secret (1 & 2): meraki123
Access Policy Type: 802.1X
Guest VLAN: Disabled
5. Upon successful configuration, apply this access policy to the ports configured for
MAC whitelisting if you did the last bonus; if not, configure this on your DATA
ports.
Note: You can find all ports with a MAC whitelist applied by using the omnibox to
search for the term: mac_whitelist:*
Connect your laptop to an MX port and verify you get a DHCP address and still
have an internet connection.
3. Make sure your Default (Native) and Corporate VLANs are the only subnets
being advertised in the VPN.
4. Determine if other branch pilot labs are online using the Security Appliance >
Monitor > VPN Status page.
Note: The VPN status page will not populate until you have configured your site-to-site
VPN. If you do not see this option, try refreshing your browser page.
5. Verify that you can ping the internal address of your neighbor's MX. This address
should be 10.0.[n].1 where n is their lab station number.
2. Add a new group policy MDM scope and select your Systems Manager network
from the Dashboard network listing on the left side of the page.
3. Elect to have the Cashier iPads group policy you created in Part A applied to
any device with the cashier Systems Manager tag. This setting will associate
the Cashier iPads group policy to your device because it is tagged with the
cashier tag.
5. Verify that the Cashier iPads group policy applied to the iPad correctly.
Move your laptop connection from the MX to an access port on the access
switch and verify you get an IP address in the Corporate VLAN & internet access.
3. Configure a rule to deny any traffic from the Corporate IP subnet to the human
resources file server at 10.0.50.100. Be sure that the protocol drop down is
set to any so that all traffic will be blocked to the file server.
4. Attempt to ping the HR file server from your computer; this should fail.
2. The Corporate SSID is currently set to have users associate with a pre-shared key
and sign into a splash page using Meraki authentication. Change this so that
users associate with WPA2-Enterprise & a RADIUS server and disable the sign on
splash page.
3. Configure the RADIUS server using the same information you used for port
authentication on the switch:
Host (1): 10.0.60.10
Host (2): 10.0.70.10
Port (1 & 2): 1812
Secret (1 & 2): meraki123
4. Test authentication to the RADIUS server again with the following credentials:
User: lab[n]@meraki.com.test
Password: meraki123
5. If the test was successful, connect to the Corporate SSID again and this time
you should be prompted to login. Use the above credentials to associate.
Navigate to Systems Manager > Geofencing and select Add new, located at
the right side of the page.
3. This Geofence should apply to devices with the cashier tag and should
encompass the area around your current location.
4. After you save the configuration, navigate to Systems Manager > Alerts and
configure Dashboard to alert you if a device violates a Geofence policy.
3. Set a search parameter in the dropdown at the top of the page for Lab[n] Switch
with All devices. You also want to see information for the last week.
Note: You may not see any information when the report is generated given the
small amount of time your network has been online.
You also want these reports to be emailed on a scheduled basis, a week at a time
to the CEO of the company at ceo@missionsandwiches.com.
Navigate to your Systems Manager network and locate the Clients page.
3. Completely erase the iPad so that it is set back to factory default settings.
Congratulations!
Thanks to you, Mission Sandwiches has been able to adopt an enterprise solution
that has scaled with the company's growth. You've expanded their small original
location to a large enterprise and even helped the company support a multi-site
architecture.
Before you leave, there's just one last task to complete...
Be sure your trainer has signed off on your lab before leaving for the day!
Reset the lab station to the way it was when you found it (bundled cables, neat
and tidy, power off your APs). Your station should look exactly the way it was
when you found it.
2. Confirm that you properly wiped your iPad in the final step of the Systems
Manager exercises, plug the iPad into a charger, and have your lab checked
by your trainer before leaving.