Training Manual
Certified Meraki Networking Associate Program
(Remote Version)
Introduction
You have recently been hired to manage the IT systems for a local
doctors' office group in San Francisco. Nightingale Medical Associates
has managed to survive with a consumer ISP-provided gateway for
many years, but recent Electronic Medical Records (EMR) mandates,
HIPAA compliance, more patients, and the demand for guest Internet
access has them excited about an enterprise solution.
As their new IT admin, you suggest that Nightingale Medical Associates
try Cisco Meraki as a solution that will not only meet their needs now,
but can also scale with them as they grow their existing location or
expand to multiple locations.
In order to get started, you've decided to equip them with some Meraki
gear.
2. You can use Cisco Meraki knowledge base articles and documentation to assist with
lab exercises. They can be found on the Internet at:
https://documentation.meraki.com
3. Access points and phones are offline by design; nothing is wrong with the lab. This
is a true demonstration of zero-touch deployment. You do not actually have to have
any equipment online in order to pre-configure it.
To get started, let's set up your stack of Meraki gear and a Point-of-Sale
iPad. Meraki Support has already set up a Dashboard account and added
the gear to a network.
Also, some of the gear has already been powered up for you.
2. Edit the configuration to change the name of your MX security appliance to Lab [n]
Security Appliance and update the physical address to your current city.
3. Since this network is pretty basic, you don't need to segment it into VLANs.
However, you will need to update the default addressing space to match the table
below:
2. Rename the MS switch to Lab [n] Switch (where n is your lab station number) and
update the physical address to your current city.
3. On the Switch ports page, rename port 1 UPLINK and ports 6-10 VOICE.
1. Rename the access point Lab [n] AP and update the physical location to your
current city.
2. The AP will eventually be plugged into port 24 on the switch. Make sure the port is
configured in trunk mode with native VLAN 1, all VLANs allowed.
1. On the Wireless > SSIDs tab, rename the only enabled SSID to Lab [n] GUEST.
3. Create a click-through splash page so that guests have to acknowledge your terms
and conditions before they are allowed on the network.
4. The AP should handle DHCP for this SSID, so ensure NAT mode is enabled.
5. On the Wireless > Firewall and traffic shaping page, apply a bandwidth limit of
500 Kbps per device to prevent guests from hogging all of the bandwidth.
6. Guests shouldn't have any access to internal resources, so Deny all traffic to the
Local LAN with a layer 3 firewall rule.
The owners don't want guests to be able to access the SSID outside business hours,
so you decide to take advantage of the SSID availability feature.
7. On the SSID availability page, enable Scheduled availability for business hours only
(8:00 - 19:00 (7 pm)) Monday through Friday.
3. Guest group policies will only be turned on during working hours, 08:00 - 17:00
Monday through Friday.
6. All Online backup and Web file sharing applications should be completely blocked
(Hint: Use the Layer 7 firewall rules).
7. Add another content filtering category for all websites deemed Illegal.
Note: We won't apply the group policy to a client yet. That will come in a later
section.
1. Navigate to Security Appliance > Configure > Traffic Shaping and set the global
bandwidth limit for your Internet uplinks to 20 Mbps.
1. Create a MAC Whitelist entry on ports 21-23 on your switch using a MAC address
of aa:bb:cc:aa:bb:cc.
Great Job!
You've completed the setup for your small, single location and have a full Meraki
network up and running. Workstations get secure access via their wired
connections, and guests have isolated, Internet-only access. Feel free to move on to
the next section prior to the product overview section.
1. Navigate to Security appliance > Addressing & VLANs and enable VLANs on the
Security Appliance. Create two new VLANs in addition to your Native VLAN,
Corporate and Voice, based on the subnet information below:
2. Verify that all ports in the per-port VLAN configuration on the MX are enabled and
set as trunks for the native VLAN and all VLANs are allowed.
3. On the DHCP page, verify that DHCP is running for each of the new VLANs you set
up.
4. You'll want to make sure you save some IP addresses for your internal use. Reserve
DHCP addresses .1-.20 on the native (Default) VLAN for that use.
2. Now, select ports 6-10 on your switch and configure them as access ports on VLAN
200.
Note: We are not using the Voice VLAN field yet. We will use that in a later
exercise.
3. Select only the access ports labeled DATA and VOICE (ports 2-10) and enable BPDU
Guard to protect against non-authorized switches. Be sure that you do not enable
this on your trunk ports or on your uplink ports as it will break the connection
between your switches.
Hint: You can search for the ports by using a range (e.g. 2-10) or by searching the name
of the ports.
2. Update the switch bridge priority to ensure that it will always remain the root switch
in the network.
3. Verify that your switch was indeed elected as the root switch for your campus.
2. Navigate to the Switch > Configure > Switch settings page and locate the Quality
of service subsection.
3. Select Add a QoS rule for this network and configure a QoS rule for all VoIP traffic
across the network.
QoS Settings:
VLAN: 200
Protocol: Any
VoIP Precedence
Subnet: 46 class 3 (EF voice)
Note: Be sure the correct local time zone is set on the network.
2. Create a new schedule named VoIP Power Saving to turn off ports during non-business
hours (assume a work schedule of 8:00 - 19:00 (7 pm)).
3. Apply the port schedule to ports 15-20 on your switch (your VoIP ports).
Do not apply it to your switch's uplink ports.
3. This network needs access to your internal resources, so put it in Bridge mode
under client IP assignment.
4. Use VLAN tagging and assign all APs to VLAN 100 for the Corp SSID.
8. Use Cisco Meraki's traffic shaping rules to set a 500 Kbps limit on software updates
to limit unnecessary background resource utilization and throttle YouTube traffic to
20 Kbps up/down.
9. Take it one step further and show management Cisco Meraki's layer 7 firewall rules.
Deny applications: iTunes and Peer-to-Peer. Finally, deny the HTTP hostname
espn.com.
10. Navigate to Network-wide > Users. The credentials you used to log into Dashboard
will be automatically populated. Authorize your lab [n] account to grant it the ability.
1. Navigate to Wireless > Air Marshal and configure the access points to
automatically contain any rogue APs seen on the LAN.
3. Make sure that administrators are alerted every time a rogue AP is detected (Hint:
Network-wide > Alerts & administration).
2. Create a new traffic shaping rule to give VoIP and video traffic unlimited bandwidth
and High priority on the network.
Note: The goal of this is not to limit VoIP traffic but rather to prioritize it. For more
information on how the priority is calculated, refer to the Traffic Priorities KB article.
3. Peer-to-peer traffic on the network presents a security threat and can also hog
valuable bandwidth on the network. Create a Layer 7 firewall rule on your MX to
block all Peer-to-peer and Web file sharing traffic.
4. In order to cover threats that may be arriving via malicious methods, enable
Malware detection and Intrusion Detection and Prevention (IDS/IPS). For now, a
Balanced approach to blocking threats should be sufficient.
Exercise 10 New Guest VLAN & Applying Group Policy (15 min)
A decision has been made to centralize the DHCP services on the MX security
appliance instead of hosting IP addressing for guest users on the APs.
2. Change the Guest SSID from NAT mode to Bridge mode and tag the SSID for all
APs.
3. Apply the Guest Policy group policy to this new guest VLAN on the MX.
2. Name the access policy Lab [n] RADIUS where n is your lab station number.
3. Configure an access policy with the RADIUS server using the information below. The
access policy should have the following attributes:
Host: 10.0.250.100
Port: 1812
Secret: meraki123
Access Policy Type: 802.1X
Guest VLAN: 300
4. Add the settings so that phones are not required to authenticate and unauthorized
users are placed on the Guest VLAN 300.
Nice Work!
In that short amount of time you configured RSTP for your switch fabric to reduce
unnecessary broadcast overhead on the network and a QoS rule to ensure the
best performance for voice applications. You also created a port schedule and
configured port security for better power and port management.
Furthermore, you created a Corporate SSID to support the ever-growing number of
wireless devices on the network.
Feel free to move onto the next lab if you are finished prior to the Distributed
Enterprise demo or you can add additional security to the network in the following
bonus exercise.
Your branch will connect via VPN back to the corporate campus and also leverage
services such as RADIUS that have been set up over the VPN connection. Let's get this
branch connected back to HQ via a site-to-site VPN tunnel.
2. Make sure your Corporate and Voice VLANs are the only subnets being advertised
in the VPN.
3. Determine if other branch pilot labs are online using the Security Appliance >
Configure > Site-to-Site VPN page.
Note: You will find other VPN peers online in the remote VPN participants table of
this page.
4. Verify that you have connectivity to Data Center 1 and 2. Ping 10.0.251.1 and
10.0.252.2. Use the live tools.
5. Verify that you can ping the internal address of your neighbor's MX from your own
MX. This address should be 10.0.[100 + n].1 where n is their lab station number. Use
the live tools.
2. Configure a rule to deny any traffic from the Corporate IP subnet to the human
resources file server at 10.0.250.10. Be sure that the protocol drop-down is set to
any so that all traffic will be blocked to the file server.
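The deny rule above, and the guest "Deny all traffic to the Local LAN" rule from the earlier exercise, only work as intended because the MX evaluates layer 3 rules top-down, first match wins, with an implicit allow at the end. The following evaluator is an added example, not Meraki code; it models that matching so you can see why the protocol must be "any". The Corporate subnet (10.0.100.0/24) and the Voice host (10.0.200.5) are constructed placeholders, since the lab's subnet table is not reproduced on this page.

```python
"""First-match L3 firewall evaluator for the HR file server deny rule.

Added example, not Meraki code. Models the Dashboard rule semantics as
assumed here: rules are checked top-down, the first match decides, and
anything unmatched hits the default allow at the bottom of the list.
"""
from ipaddress import ip_address, ip_network

CORP_SUBNET = "10.0.100.0/24"      # constructed placeholder for the Corporate VLAN
HR_FILE_SERVER = "10.0.250.10/32"  # HR file server address from the exercise


def make_rule(policy, protocol, src, dst, comment=""):
    """Build one L3 rule; 'any' as protocol matches every IP protocol."""
    return {"policy": policy, "protocol": protocol.lower(),
            "src": ip_network(src), "dst": ip_network(dst), "comment": comment}


# The rule the exercise asks for: protocol set to "any".
RULES = [
    make_rule("deny", "any", CORP_SUBNET, HR_FILE_SERVER,
              "Corporate users may not reach the HR file server"),
]

# A mis-configured variant with the drop-down left at TCP.
TCP_ONLY_RULES = [make_rule("deny", "tcp", CORP_SUBNET, HR_FILE_SERVER)]


def evaluate(rules, src_ip, dst_ip, protocol):
    """Return 'deny' or 'allow' for one flow; first matching rule wins."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        proto_ok = rule["protocol"] in ("any", protocol.lower())
        if proto_ok and src in rule["src"] and dst in rule["dst"]:
            return rule["policy"]
    return "allow"  # implicit default-allow at the end of the rule list


def check_exercise(rules):
    """Probe a rule set with the flows a verifier of this lab would try."""
    return {
        "corp_tcp_smb": evaluate(rules, "10.0.100.25", "10.0.250.10", "tcp"),
        "corp_udp":     evaluate(rules, "10.0.100.25", "10.0.250.10", "udp"),
        "corp_icmp":    evaluate(rules, "10.0.100.25", "10.0.250.10", "icmp"),
        "corp_other":   evaluate(rules, "10.0.100.25", "10.0.250.11", "tcp"),
        "voice_to_hr":  evaluate(rules, "10.0.200.5", "10.0.250.10", "tcp"),
    }
```

With `RULES`, every Corporate flow to 10.0.250.10 is denied while other destinations and the Voice host stay allowed; with `TCP_ONLY_RULES`, UDP and ICMP from Corporate still reach the file server.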
2. The Corporate SSID is currently set to have users associate with a pre-shared key
and sign into a splash page using Meraki authentication. Change this so that users
associate with WPA2-Enterprise & a RADIUS server and disable the sign on splash
page.
3. Configure the RADIUS server using the same information you used for port
authentication on the switch:
Host: 10.0.250.100
Port: 1812
Secret: meraki123
Note: There's no need to test authentication to the RADIUS server at this time.
2. Set a search parameter in the dropdown at the top of the page for Lab [n] Switch
with All devices. You also want to see information for the last week.
3. You also want these reports to be emailed on a scheduled basis, a week at a time to
the CEO of the company at ceo@nightingale.com.
Congratulations!
Thanks to you, Nightingale Medical Associates has been able to adopt an enterprise
solution that has scaled with the group's growth. You've expanded their small
original location to a large enterprise and even helped the company support a multi-site
architecture.
Be sure your trainer has signed off on your lab before leaving for the day!