
Meraki CMNP Lab Procedure

Table of contents
  1. Introduction 
    1. Branch Office Hardware
    2. Lab Tips and Best Practices
  2. Lab A: Small/Medium Site
    1. Exercise 1 - Initial MX Security Appliance Setup (10 mins)
    2. Exercise 2 - Verify the MX is checked into the Cloud in Dashboard (5 mins)
    3. Exercise 3 - Configure MX LAN Settings (20 mins)
    4. Exercise 4 - Initial MS Switch Setup (15 mins)
    5. Exercise 5 - Initial MR Wireless Access Point Setup (5 mins)
    6. Exercise 6 - Configuring the Guest WiFi with Scheduled Availability (20 mins)
    7. Exercise 7 - Initial MC Phone Setup (10 mins)
    8. Exercise 8 - Initial MV Security Camera Setup (10 mins)
    9. Exercise 9 - Verifying the Configuration (20 mins)
  3. Lab B: Large Site / Campus
    1. Exercise 1 - Configuring the Security Appliances for High Availability (15 mins)
    2. Exercise 2 - Physically Stacking the Core Switches (15 mins)
    3. Exercise 3 - Segmenting the Corporate Network (20 mins)
    4. Exercise 4 - Configuring Dynamic OSPF routing on the L3 Switch Stack (10 mins)
    5. Exercise 5 - Building device group policies with Active Directory integration (15 mins)
    6. Exercise 6 - Configuring Phone Features and IVR (10 mins)
    7. Exercise 7 - Securing the Network with MS Hybrid Port Authentication (10 mins)
    8. Exercise 8 - Configuring the Corporate SSID with Enterprise 802.1X (10 mins)
    9. Exercise 9 - SM Enrollment SSID Configuration (5 mins)
    10. Exercise 10 - Enrollment and Pushing Applications with Systems Manager (10 mins)
    11. Exercise 11 - Building a Video Wall (5 mins)
    12. Exercise 12 - Verifying the Configurations (20 mins)
  4. Lab C: Distributed Enterprise
    1. Exercise 1 - Meraki AutoVPN (5 mins)
    2. Exercise 2 - Meraki SD-WAN (15 mins)
    3. Exercise 3 - AMP/Security Center (5 mins)
    4. Exercise 4 - Configuring the Network for Voice over IP Precedence (10 mins)
    5. Exercise 5 - Verifying the Configuration (5 mins)
    6. Exercise 6 - Resetting the Lab Station (5 mins)

Introduction

Welcome to Cisco Meraki!

This lab is designed to guide you through most of the advanced features and integrations available on the Cisco Meraki platform. This is achieved through a top-down installation and configuration of the Cisco Meraki full stack. At the end of the training, you will have a fully configured full stack and will have gone through the process of configuring three different architectures: the small/mid-size business, the campus, and the distributed enterprise.

At Cisco Meraki, we continuously strive to make management and configuration as easy as possible. That being said, please be sure to ask plenty of questions and work with your peers to accomplish your objectives. If you are stuck, please make sure you check our documentation page for help and, of course, we are here to help you as well.

Good luck and enjoy the lab.

Branch Office Hardware

Each branch has the following equipment:

  • 2 x MX84 security appliances (MX84 overview and specs)
  • 2 x MS350-48 switches (MS350-48 overview and specs)
  • 1 x MS350-24P switch (MS350-24P overview and specs)
  • 1 x MR53 access point (MR53 overview and specs)
  • 1 x MC74 phone (MC74 overview and specs)
  • 1 x MV21 security camera (MV21 overview and specs)
  • 6 x Ethernet patch cables
  • 2 x Stacking cables
  • 1 x iPad

Lab Tips and Best Practices

  • Please take note of how your lab station is arranged and keep all the components to your lab station as you will be asked to reset it to exactly the way you found it.
  • Credentials, passwords and network information are contained in this guide.
  • You can use Cisco Meraki knowledge base articles and documentation to assist with lab exercises. The documentation portal is located at: documentation.meraki.com
  • Take careful note of instructions in the lab guide where you will have to replace a number with your lab station. For example, if you see branch[n]@meraki.com.test, this means you need to replace the [n] with your lab station number. Your lab station number can be identified by the labels applied on your equipment or you may ask any of the instructors in the room for clarification.
  • If you get stuck, work with your neighbors and feel free to collaborate with the rest of your classmates in the room.
  • If the Dashboard UI does not match something in the lab guide, check both versions (old and new) of the Dashboard to see if you can locate it.

Lab A: Small/Medium Site


The initial deployment starts out as a relatively small site with fewer than 100 clients and basic internet connectivity requirements. The network is configured to operate from a single subnet with guest wireless capabilities. Optional features (future-proofing) have been planned for this deployment through the use of an L3-capable core switch and multigigabit-capable switches and access points.

Exercise 1 - Initial MX Security Appliance Setup (10 mins)

Steps:

  1. Power on both of your MX Security appliances and connect your laptop to the port labeled Management on the top MX (MX 1) in your stack.

  2. At this point, you will have an IP address that was assigned from the management port. Go ahead and temporarily disable your WiFi connection.

  3. Go to wired.meraki.com in your web browser.

  4. Click the "Configure" tab and sign in using the serial number of the MX as the username and a blank password. (The username is case sensitive and requires the dashes.) You can copy the serial number from the back of the device or from your Appliance status page in Dashboard.

  5. Configure the Internet ports with static IP addresses as outlined below and remember to replace [n] with your lab number.

WAN 1
  IP Address    192.168.15.[n]
  Netmask       255.255.255.0
  Gateway IP    192.168.15.254
  DNS Servers   8.8.8.8 and 8.8.4.4

WAN 2
  IP Address    192.168.16.[n]
  Netmask       255.255.255.0
  Gateway IP    192.168.16.254
  DNS Servers   8.8.8.8 and 8.8.4.4

We will use the WAN 2 connection in a later lab section.

  6. After saving your IP settings, verify that the green check box appears on the "Connection" tab with an indication of "Healthy". If you see a yellow warning/error message on this page, power cycle the MX appliance to help the IP address change take effect sooner.

  7. The management port does not have access to the Internet, so re-enable your WiFi connection and unplug from the management port.

Exercise 2 - Verify the MX is checked into the Cloud in Dashboard (5 mins)

Steps:

  1. Make sure your laptop is connected to the “Meraki Masters” SSID and has been disconnected from the MX in the previous exercise. Ensure all client VPN software is disabled during the labs.

  2. Sign in to dashboard.meraki.com using the credentials provided below:

Username: branch[n]@meraki.com.test

Password: meraki123

Organization: Meraki CMNP Lab

  3. From the network drop-down at the top of the page, choose your “LAB [n]” network.

  4. Under the Security Appliance > Monitor > Appliance status tab, edit the configuration to change the name of your MX security appliance to “Branch [n] Security Appliance” and update the physical address to your current city.

  5. Verify the MX shows a green icon. Use the Live Tools ping utility to ping the MX from the Cloud.

  6. Under the Network-wide > Configure > General tab, configure your local time zone.

Exercise 3 - Configure MX LAN Settings (20 mins)

Steps:

  1. Navigate to Security Appliance > Configure > Addressing & VLANs. Verify the Mode is set to Network Address Translation (NAT) and Client tracking to Track clients by MAC address.
  2. Enable VLANs and configure the VLAN below by modifying the existing VLAN (click on the row) to be your first VLAN.

VLAN 1
  Name      Management
  Subnet    172.16.[n].0/24
  IP        172.16.[n].1
  VLAN ID   1

  3. Configure all LAN ports as Type: trunk, with Native VLAN: 1
  4. Ensure your branch MX is providing DHCP for VLAN 1. The DHCP settings for this VLAN should be as follows:

  Lease time                        1 day
  DNS nameservers                   Use Google Public DNS
  Reserve addresses between hosts   .1 and .10

Be sure to save the configurations before proceeding and navigating away from this page.

  5. Navigate to the Security Appliance > Monitor > Appliance status page and verify that the configuration status shows as "Up to date".
  6. Navigate to the Network-wide > Configure > Alerts & administration page and set an alert to notify all of the network admins if a DHCP pool runs out of addresses.

Exercise 4 - Initial MS Switch Setup (15 mins)

Steps:

  1. Connect MX 1 LAN port 10 to switch L3 1 port 48. Verify the status light on the switch changes from orange to white after a few moments.

  2. Under the Switch > Monitor > Switches page, find the switch you just connected using the serial number, or wait for one of the icons to change to green.

  3. Select this switch and change its name to “Layer 3 - 1” and address to your current location. Make sure to save your changes.

  4. Change the management IP address of “Layer 3 - 1” per below. Look for and click on the pencil icon next to LAN IP and then switch it from DHCP to Static to gain access to these fields:

  IP            172.16.[n].2
  VLAN          1
  Subnet mask   255.255.255.0
  Gateway       172.16.[n].1
  DNS           8.8.8.8, 8.8.4.4

  5. Verify that your switch successfully assigns the static IP address (it should say "statically assigned"). The power LED may change from white to orange, then back to white, indicating a successful connection to the Meraki Dashboard.

  6. Navigate to the Live tools tab of your appliance and ping the switches from the cloud to confirm connectivity.

  7. Connect the Layer 3 - 1 switch port 26 and Access switch (MS350-24) port 1 together.

  8. Using the same steps as for switch Layer 3 - 1, rename this newly-connected switch "Access" in Dashboard and configure its IP address to be 172.16.[n].4.

  IP            172.16.[n].4
  VLAN          1
  Subnet mask   255.255.255.0
  Gateway       172.16.[n].1
  DNS           8.8.8.8, 8.8.4.4

  9. Under the Switch > Configure > Switch settings tab, set the Layer 3 - 1 switch to a bridge priority of 0.

Exercise 5 - Initial MR Wireless Access Point Setup (5 mins)

Steps:

  1. Under the Wireless > Monitor > Access points page, select your access point, rename the device “Branch [n] AP” and change the address to your current location (ensure the “move marker” box is checked).

  2. Change the management IP address of “Branch [n] AP” per below. You can set this from the detailed status page by clicking on the pencil button next to the LAN IP and switching it from DHCP to Static IP.

  IP            172.16.[n].9
  VLAN          leave blank (explicit tag for untagged traffic)
  Subnet mask   255.255.255.0
  Gateway       172.16.[n].1
  DNS           8.8.8.8, 8.8.4.4

  3. Before moving on, navigate to the Wireless > Configure > Radio Settings page and adjust the power for each radio to 1 dBm and the default channel width to 20 MHz (this is to avoid congestion in the lab environment). Click on the row in the table to open up the configurable options on the right-hand side.
  4. Connect your MR53 wireless access point from its Multigigabit Ethernet port (labeled with PoE) to Access switch port 23.

  5. Wait a few minutes, then check the AP's details page to observe the negotiated connection speed of your access point as well as the switch port providing upstream connectivity (you should be able to find this directly under the Ethernet 1 connection information). Click the switch port to be taken to the switch port details and verify it is configured as a trunk port with native VLAN 1.
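The following Python script is an added example and is not part of the Meraki lab guide. It rebuilds the VLAN 1 addresses that Exercises 3 to 5 assign for a station number (MX .1, Layer 3 - 1 .2, Access .4, Branch AP .9) and checks them against the DHCP reservation of .1 to .10 configured on the MX in Exercise 3: every statically addressed device must sit inside the reserved range so the MX never leases that address to a client, no two devices may share an address, and the gateway address must belong to a device. It also reports the pool the MX is left to lease from. The station range 1 to 99 and the device labels used as dictionary keys are assumptions; only the standard-library ipaddress module is used.

```python
"""Audit the Lab A VLAN 1 addressing plan for one lab station.

Added example, not part of the Meraki lab guide. Station range 1-99 and the
device labels are assumptions; the addresses and the .1-.10 reservation come
from Exercises 3 to 5.
"""
import ipaddress

RESERVED_LOW, RESERVED_HIGH = 1, 10  # "Reserve addresses between hosts: .1 and .10"


def management_network(n: int) -> ipaddress.IPv4Network:
    """VLAN 1 subnet for station n (172.16.[n].0/24)."""
    if not 1 <= n <= 99:
        raise ValueError("lab station number must be between 1 and 99")
    return ipaddress.ip_network(f"172.16.{n}.0/24")


def reserved_addresses(network: ipaddress.IPv4Network) -> set:
    """Addresses the MX DHCP server must never lease (.1 through .10)."""
    base = network.network_address
    return {base + i for i in range(RESERVED_LOW, RESERVED_HIGH + 1)}


def management_plan(n: int) -> dict:
    """Static assignments from Exercises 3-5, keyed by device name (labels assumed)."""
    base = management_network(n).network_address
    return {
        "MX (VLAN 1 interface)": base + 1,
        "Layer 3 - 1": base + 2,
        "Access": base + 4,
        "Branch AP": base + 9,
    }


def audit_plan(plan: dict, network: ipaddress.IPv4Network) -> list:
    """Return a list of problems; an empty list means the plan is safe to deploy."""
    problems = []
    owner = {}  # address -> device that already claimed it
    reserved = reserved_addresses(network)
    gateway = network.network_address + 1  # the MX VLAN interface, per Exercise 3
    for device, addr in plan.items():
        if addr not in network:
            problems.append(f"{device}: {addr} is outside {network}")
        elif addr not in reserved:
            # The MX would eventually hand this address to a DHCP client.
            problems.append(f"{device}: {addr} is outside the reserved range "
                            f".{RESERVED_LOW}-.{RESERVED_HIGH}")
        if addr in owner:
            problems.append(f"{device} and {owner[addr]} both use {addr}")
        owner[addr] = device
    if gateway not in plan.values():
        problems.append(f"no device owns the gateway address {gateway}")
    return problems


def dhcp_pool(network: ipaddress.IPv4Network) -> tuple:
    """First and last address the MX can still lease after the reservation."""
    reserved = reserved_addresses(network)
    leasable = [h for h in network.hosts() if h not in reserved]
    return leasable[0], leasable[-1]


if __name__ == "__main__":
    n = 7  # constructed station number
    net = management_network(n)
    print("leasable pool:", dhcp_pool(net))
    print("guide plan problems:", audit_plan(management_plan(n), net))
    # Constructed mistake: an AP addressed outside the reserved range.
    bad = {**management_plan(n), "Branch AP": net.network_address + 50}
    print("bad plan problems:", audit_plan(bad, net))
```

Run it with a different station number to see that the plan holds for any station; the audit is the check to repeat whenever another device is given a static address on VLAN 1 (the Layer 3 - 2 switch at .3 and the stack interface at .10 in Lab B both fall inside the reservation, which is why the guide can reuse this subnet there).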

Exercise 6 - Configuring the Guest WiFi with Scheduled Availability (20 mins)

Management wants to allow for guest wireless access, but wants some security and bandwidth restrictions in place. After a brief discussion, you have come up with the following:

Guest Network Details:

  • Want guests to have to check in at the front desk before they are given access, but don’t want the front-desk secretary to have to create accounts on a per-user basis. The secretary does not have access to the Meraki Dashboard.

  • SSID should be unavailable during non-office hours

  • Want all traffic on this SSID to be rate-limited to 5 Mbps and further restrict each user to only 500 kbps

  • Guests are not allowed to stream YouTube or Netflix video

  • Will need to support both 2.4 and 5 GHz clients

Steps:

  1. Under the Wireless > Configure > SSIDs page, rename the first SSID to “Branch[n]-Guest”, where [n] is your lab station number. Enable this SSID and save changes.

  2. Under the Wireless > Configure > Access control page, select the newly created "Branch[n]-Guest" from the SSID drop-down menu at the top and proceed to configure it as follows:

    • Association Requirements: Open

    • Splash page: Sign-on splash with Meraki authentication

    • Captive portal strength:  block all access until sign-on is complete (this is to prevent unauthorized guest network access)

    • Self-registration: Allow users to create accounts

    • Client IP assignment: NAT mode: Use Meraki DHCP

    • Wireless Options: Dual Band Operation with Band Steering

Be sure to save the configurations before proceeding and navigating away from this page.

  3. Navigate to Network-wide > Configure > Users, search for your branch[n]@meraki.com.test user and authorize it.

  4. Navigate to Wireless > Configure > Firewall & traffic shaping and make the following configurations:

    • Deny LAN access using the Layer 3 Firewall rule

    • Add a Layer 7 Firewall rule to block YouTube and Netflix

    • Set the Per Client bandwidth limit to 500 kbps and an SSID limit of 5 Mbps to prevent bandwidth-hogging guests

    • Enable speed burst to allow webpages to load faster during periods of low utilization and improve overall performance

  5. Navigate to Wireless > Configure > SSID availability and set the “Scheduled Availability” option to enabled. Configure the SSID to only be available from 8AM to 5PM, Monday through Friday.

Exercise 7 - Initial MC Phone Setup (10 mins)

Steps:

  1. Connect your MC74 to port 11 of your access switch.

  2. Rename the phone “Branch [n] Phone” where [n] represents your lab station number.

  3. On the Phones > Configure > Directory page, create a new contact for “Branch [n]” and save it. Then create a contact with your own name, and add your cell phone number as an other number.

  4. Go to the phone details page under Phone > Monitor > Phones. Assign your newly created “Branch [n]” contact to this phone, as well as a phone number that has already been provided by the carrier. Choose any of the provided numbers in the drop down list. Set the extension as the last four digits of your public phone number.

  5. Tag this phone with a “Branch_Phone” tag. You may have to press the 'Enter' key to create the tag before you are allowed to save the new tag.

  6. Place a call from your "Branch [n] Phone" to the head-end phone for at least 10 seconds. The phone number for the head-end phone is 313-209-5927.

Exercise 8 - Initial MV Security Camera Setup (10 mins)

Steps:

  1. Connect your security camera to port 13 on your access switch and your computer into port 15 on your switch. It is advised that you disable wireless on your computer to ensure that it is using the wired connection.
  2. Identify your camera by its serial number or MAC address, rename it “Branch [n] MV”, and then also update the physical location to your current address on the Network tab (you can verify this geo-location information as presented via Google Maps on the Location tab).

You should notice a small green check mark in the lower-left corner of the video which indicates the feed being displayed is a local stream. If you see a cloud icon, it means it is a cloud proxy stream and you should double-check your laptop’s wired connection.

  3. You may notice that the current orientation of the camera results in an upside-down image. Fix this by changing the rotation (Settings > Zoom and Focus tab of the camera details page) from 0 to 180 degrees and fine-tuning the zoom/focus/aperture as needed for a clear image.
  4. The back office is fairly small, so there is no need for a high frame rate, and we want to retain recorded footage for a longer period of time. Change the quality and retention to the standard quality (20 days) setting of 530 Kbps and 8 fps.

Exercise 9 - Verifying the Configuration (20 mins)

So far, you have set up VLANs on the primary MX, configured a core L3-capable switch and an access layer switch, and provisioned an access point with a scheduled Guest SSID. Take a moment to step through the network and observe that it is functioning as you would expect.

Verification checks:

  1. Connect your laptop to a LAN port on the MX and verify that your IP address is in VLAN 1.

    • IP?
    • Subnet?
    • DNS?
  2. Turn off your WiFi connection, then ping 8.8.8.8 from your laptop to verify connectivity.

    • For Mac: Open Terminal. Type "ping 8.8.8.8"
    • For PC: Open a cmd prompt. Type "ping 8.8.8.8 -t"
  3. Turn your WiFi on and connect your laptop to your Branch Guest SSID.

    • What IP address are you provided?
    • What subnet is this a part of?
    • Why?
  4. Navigate to the Clients page again. Select “Security Appliance” and search for your laptop. In a separate tab/window, run a speed test (speedof.me, speedtest.net, etc.) from your browser.

    1. What is your client’s current bandwidth limit and why?

    2. Under Device policy, change your client’s policy to “Whitelisted”, wait a moment, and test again. What is your speed now?

    3. Change the "Whitelist" policy for your client back to "Normal".

  5. If anything happens to your communication system, you want to be sure you can address issues remotely.

    1. In Dashboard, go to the Branch [n] Phone, and take a screenshot of the screen.

    2. Pull up the detailed jitter and loss statistics for your initial call by clicking into the call statistics.

    3. Reboot the phone through the Dashboard.

Lab B: Large Site / Campus


The organization’s original headquarters location has now expanded to multiple floors in the building. The IT team has designed the network and provisioned additional IP addresses from the ISP for an HA (high-availability) configuration of MX appliances. Redundancy has also been enabled at the core/distribution layers through the addition of L3 switches that are capable of physical stacking. Network topology best practices have been implemented by segmenting the network into VLANs and offloading inter-VLAN routing to the core. Finally, NPS/AD services are leveraged and accessed through a dedicated MPLS link.

Exercise 1 - Configuring the Security Appliances for High Availability (15 mins)

Now that we’ve grown, we’ll need to make our network more resilient against unexpected outages. Management has permitted the purchase of an additional MX84 for a redundant pair.

Steps:

  1. Begin by taking note of your branch MX 2’s serial number.

  2. Under the Security Appliance > Configure > Addressing & VLANs page, navigate to the Warm Spare section, enable warm spare, enter the secondary MX Serial Number, and select “Use MX uplink IPs”.

  3. Ensure both of your MX Security appliances are powered on and connect your laptop to the port labeled Management on the bottom MX (MX 2) in your stack.

  4. At this point, you will have an IP address that was assigned from the management port. Go ahead and temporarily disable your WiFi connection.

  5. Go to wired.meraki.com in your web browser.

  6. Click the "Configure" tab and sign in using the serial number of the MX as the username and the password blank. (The username is case sensitive and requires the dashes.) You can copy the serial number from the back of the device or from your Appliance status page in Dashboard.

  7. Configure the Internet ports with static IP addresses as outlined below and remember to replace [n] with your lab number.

WAN 1
  IP Address    192.168.15.[100+n]
  Netmask       255.255.255.0
  Gateway IP    192.168.15.254
  DNS Servers   8.8.8.8 and 8.8.4.4

WAN 2
  IP Address    192.168.16.[100+n]
  Netmask       255.255.255.0
  Gateway IP    192.168.16.254
  DNS Servers   8.8.8.8 and 8.8.4.4

  8. After saving your IP settings, verify that the green check box appears on the "Connection" page with an indication of "Healthy".

  9. The management port does not have access to the Internet, so re-enable your WiFi connection, connect to the "Masters" SSID, and unplug from the management port of the MX.

  10. Connect a patch cable from port 9 on "MX 1" to port 9 on "MX 2" to facilitate a quick heartbeat response in the event of a failover. Please note that the secondary MX's "HA" LED may flash amber. This is normal and will resolve once heartbeat communication is established over the local link between the MXs.

Exercise 2 - Physically Stacking the Core Switches (15 mins)

Steps:

  1. Connect stacking cables between the switches that have been labeled as "L3 1" and "L3 2" on the back faceplate. Use the following knowledge base article as a reference for the physical ring topology connection: Bringing Your Stack Online

  2. Navigate to the Switch > Monitor > Switches page and look for the remaining switch, which is identified by a MAC address. Change its name to “Layer 3 - 2”. Also update the physical address to your current location.

  3. Set a static management IP address for the "Layer 3 - 2" switch. Use the following static IP addressing information:

  IP            172.16.[n].3
  VLAN          1
  Subnet mask   255.255.255.0
  Gateway       172.16.[n].1
  DNS           8.8.8.8, 8.8.4.4

  4. Navigate to the Switch > Monitor > Switch Stacks page and choose the option to add a stack.

  5. Name the stack “Branch [n] Stack”, add "Layer 3 - 1" and "Layer 3 - 2" as members and click “Create”.

  6. Perform a manual reboot of the newly created switch stack. Once the switches have come back up and registered with Dashboard, verify the stack is healthy from the switch stack management interface.

  7. Connect a cable from "MX 2" port 10 to "Layer 3 - 2" switch port 48.

Exercise 3 - Segmenting the Corporate Network (20 mins)

Steps:

  1. Under Switch > Switch Stacks select the “Branch [n] Stack” and select “Layer 3 routing”. Enable Layer 3 routing and configure the following layer 3 interfaces with the subnet information and characteristics below:

  Name                Management
  Subnet              172.16.[n].0/24
  Interface IP        172.16.[n].10
  VLAN                1
  Multicast Support   Disabled
  Default gateway     172.16.[n].1
  Client addressing   Do not respond to DHCP requests

  Name                Data
  Subnet              10.0.[100+n].0/24
  Interface IP        10.0.[100+n].1
  VLAN                100
  Multicast Support   Disabled
  Client addressing   Run a DHCP Server (use the default settings)

  Name                Voice
  Subnet              10.0.[200+n].0/24
  Interface IP        10.0.[200+n].1
  VLAN                200
  Multicast Support   Disabled
  Client addressing   Run a DHCP Server (use the default settings)

  2. Save the configuration and verify that all of these layer 3 interfaces have been successfully created.

Navigate to Switch > Monitor > Switch stacks and select the newly created stack, then click on Layer 3 routing to see the interfaces and static routes.

  3. Now navigate to Security Appliance > Configure > Addressing & VLANs and add the following static routes that will point incoming traffic to the newly created VLANs on the Layer 3 switch stack:

Static route 1
  Enabled       Yes
  Name          Data
  Subnet        10.0.[100+n].0/24
  Next hop IP   172.16.[n].10
  Active        Always

Static route 2
  Enabled       Yes
  Name          Voice
  Subnet        10.0.[200+n].0/24
  Next hop IP   172.16.[n].10
  Active        Always

Static route 3
  Enabled           Yes
  Name              Active Directory
  Subnet            10.0.50.0/24
  Next hop IP       172.16.[n].10
  Active            While host responds to ping
  Host IP to ping   10.0.50.100

  4. Navigate to the Switch > Monitor > Switch ports page. Configure ports 2-22 on the "Access" switch as access ports in VLAN 100.

You can configure these ports in bulk by entering “Access port:2-22” in the search bar. Click the top checkbox to select all ports and click the Edit button.

  5. Connect your laptop to port 15 on the "Access" switch and disable your WiFi. Verify you get a DHCP address in the VLAN 100 subnet.
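An added example in Python, not part of the Meraki lab guide, that rebuilds the MX VLAN, the three stack layer 3 interfaces and the three MX static routes from the tables above for a station number and audits them for the mistakes that make this exercise fail in practice: a next hop that is not on an MX VLAN (the MX cannot ARP for it), a next hop that is not an interface the stack owns, a static route that overlaps a directly connected VLAN, a ping-tracked route whose probe host lies outside the routed subnet, and a stack subnet with no return route on the MX. The station limit of 55 is derived from the 10.0.[200+n] scheme (the third octet must stay below 256); the dataclass and function names are assumptions.

```python
"""Consistency audit for the Lab B Exercise 3 routing plan.

Added example, not part of the Meraki lab guide. From a station number n it
rebuilds the MX VLAN, the Layer 3 switch stack interfaces and the MX static
routes from the exercise tables, then checks them for the mistakes that
break this exercise in practice. Class and function names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Interface:
    name: str
    subnet: IPv4Net
    ip: IPv4Addr
    vlan: int


@dataclass(frozen=True)
class StaticRoute:
    name: str
    subnet: IPv4Net
    next_hop: IPv4Addr
    ping_host: Optional[IPv4Addr] = None  # set for Active: "While host responds to ping"


def lab_b_plan(n: int):
    """Rebuild (MX VLANs, stack L3 interfaces, MX static routes) for station n."""
    if not 1 <= n <= 55:
        # 10.0.[200+n].0/24 needs 200+n <= 255, so the scheme only works up to n = 55
        raise ValueError("station number must be between 1 and 55")
    mx_vlans = [Interface("Management", IPv4Net(f"172.16.{n}.0/24"), IPv4Addr(f"172.16.{n}.1"), 1)]
    stack = [
        Interface("Management", IPv4Net(f"172.16.{n}.0/24"), IPv4Addr(f"172.16.{n}.10"), 1),
        Interface("Data", IPv4Net(f"10.0.{100 + n}.0/24"), IPv4Addr(f"10.0.{100 + n}.1"), 100),
        Interface("Voice", IPv4Net(f"10.0.{200 + n}.0/24"), IPv4Addr(f"10.0.{200 + n}.1"), 200),
    ]
    hop = IPv4Addr(f"172.16.{n}.10")  # the stack's Management interface
    routes = [
        StaticRoute("Data", IPv4Net(f"10.0.{100 + n}.0/24"), hop),
        StaticRoute("Voice", IPv4Net(f"10.0.{200 + n}.0/24"), hop),
        StaticRoute("Active Directory", IPv4Net("10.0.50.0/24"), hop, IPv4Addr("10.0.50.100")),
    ]
    return mx_vlans, stack, routes


def audit_routes(mx_vlans: List[Interface], stack: List[Interface],
                 routes: List[StaticRoute]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    stack_ips = {i.ip for i in stack}
    for r in routes:
        # The MX can only ARP for a next hop that sits on one of its own VLANs.
        if not any(r.next_hop in v.subnet for v in mx_vlans):
            problems.append(f"{r.name}: next hop {r.next_hop} is not on any MX VLAN")
        # The next hop must be an interface the stack actually owns, or traffic black-holes.
        if r.next_hop not in stack_ips:
            problems.append(f"{r.name}: next hop {r.next_hop} is not a stack L3 interface")
        # A static route overlapping a directly connected VLAN would shadow that VLAN.
        for v in mx_vlans:
            if r.subnet.overlaps(v.subnet):
                problems.append(f"{r.name}: {r.subnet} overlaps MX VLAN {v.vlan} ({v.subnet})")
        # A ping-tracked route must probe a host inside the subnet it installs.
        if r.ping_host is not None and r.ping_host not in r.subnet:
            problems.append(f"{r.name}: ping host {r.ping_host} is outside {r.subnet}")
    # Every subnet the stack routes locally needs an MX route back to it, or
    # replies from the Internet never reach the clients on that VLAN.
    routed = {r.subnet for r in routes}
    mx_subnets = {v.subnet for v in mx_vlans}
    for i in stack:
        if i.subnet not in routed and i.subnet not in mx_subnets:
            problems.append(f"stack subnet {i.subnet} ({i.name}) has no MX static route")
    return problems


if __name__ == "__main__":
    mx, stack, routes = lab_b_plan(7)  # constructed station number
    print("guide plan:", audit_routes(mx, stack, routes) or "OK")
    # Constructed mistake: pointing the Data route at the stack's Data interface,
    # which the MX cannot reach directly, and forgetting the Voice route.
    wrong = [StaticRoute("Data", IPv4Net("10.0.107.0/24"), IPv4Addr("10.0.107.1"))]
    for p in audit_routes(mx, stack, wrong):
        print("problem:", p)
```

The Active Directory route is worth a second look in the output: it passes only because 10.0.50.100 lies inside 10.0.50.0/24, which is what makes "While host responds to ping" a meaningful liveness test for that route rather than a probe of some unrelated host.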

Exercise 4 - Configuring Dynamic OSPF routing on the L3 Switch Stack (10 mins)

Steps:

  1. Configure port 25 on your “Layer 3 - 1” switch as an access port on VLAN 600. This will be the interface used for MPLS connectivity to the data center. Turn off RSTP on this port.

  2. Take the newly-provisioned MPLS hand-off cable and connect it to the port on "Layer 3 - 1" specified above.

This black CAT5 cable should be connected directly to the floor panel beneath your table.

  3. Navigate to the Switch > Monitor > Switch stacks page and then the Layer 3 routing tab and proceed to add a layer 3 interface:

  Switch or stack     Branch [n] Stack
  Name                MPLS
  Subnet              172.21.0.0/24
  Interface IP        172.21.0.[n]
  VLAN                600
  Multicast Support   Disabled
  Client addressing   Do not respond to DHCP requests

  4. Navigate to the Switch > Configure > OSPF routing page. Enable OSPF on the switches to meet the following criteria:

    • Enable the Data, Management, and MPLS interfaces in Area 0 with a cost of 1, not passively participating in OSPF

    • The default route must not be advertised to OSPF neighbors

    • OSPF routes must be preferred over the default route

  5. After enabling OSPF and saving the configuration, navigate to either the “Layer 3 - 1” or “Layer 3 - 2” switch. Look under the L3 routing tab and scroll down to the OSPF neighbors table to look for new OSPF routes. This will take a few moments.

Both “Layer 3 - 1” and “Layer 3 - 2” will have all routes, but only one will display the OSPF neighbors.

  6. Verify connectivity to the core services from the Access switch by initiating a ping (Live Tools tab) to 10.0.50.100.

Exercise 5 - Building device group policies with Active Directory integration (15 mins)

Steps:

  1. Navigate to the Network-wide > Configure > Group policies page. Create a group policy called “Branch[n] Corp” for the Corp network blocking traffic to/from Ireland as well as blocking any other layer 7 rules you choose.

  2. Under “Blocked website categories” choose to “Append” an additional category. Choose any category you wish and have a website in mind that you can use to verify that the content is blocked. Save your changes.

Changes here will not affect existing flows until they time out. If you need inspiration for a category to choose, navigate to Brightcloud and use the URL lookup to determine what category the website you wish to block is in.

  3. Navigate to the Security appliance > Configure > Active Directory page and configure the following:

    • Set the Active Directory drop-down to Authenticate users via Active Directory.

    • Require splash login for Unauthenticated users on the Management subnet.

    • Add an Active Directory domain server using the server and admin credentials below:

  Short domain   Meraki_Lab
  Server IP      10.0.50.100
  Domain admin   Administrator
  Password       ikarem1

  4. Refresh LDAP Groups and add a group policy mapping that maps the Windows group “LabUsers” to the Group Policy “Branch[n] Corp”.
  5. Connect your laptop to one of the LAN ports on "MX 1" and open a new web browser session. Attempt to navigate to any website. When prompted to sign into the splash page, use the following credentials:

    • Username: lab[n]

    • Password: meraki123

  6. Since the lab[n] user is a member of the Active Directory "LabUsers" group, verify that the "Branch[n] Corp" policy was applied to your client device by running the following tests:

    • Try to reach www.discoverireland.ie (ireland.ie is actually hosted out of Great Britain, while discoverireland.ie is in fact hosted out of Ireland)

    • Try to reach a URL in the blocked category that was added

    • Try to reach a service that is part of a Layer 7 rule you chose

  7. Connect your laptop back to a port on the Access switch and remove the requirement for unauthenticated users to hit a splash page on the management VLAN, but do not disable Active Directory authentication on the MX.

Exercise 6 - Configuring Phone Features and IVR (10 mins)

Steps:

  1. On the MC74 touchscreen, navigate to Settings and then Portal Sign Up. Sign up with a personal email address that you have access to and click on the activation link within the system generated email that will be sent to you.

If you ever get logged out, you can retrieve your domain and login information from the MC74 phone by going to Settings > Portal Login Information.

  2. Log into the Phone Portal and proceed with setting up Voicemail to Email by clicking on Settings in the upper-right corner of the portal.
  3. Continue by enabling and configuring Call Forwarding to forward all incoming calls to your mobile phone.
  4. Return to Dashboard and navigate to Phones > Configure > IVR menus. Create a new IVR and name it "Welcome Menu", as this will be the default greeting for customers calling into your business.
  5. Provision an internal extension for this IVR (we will skip assigning a public number to this IVR in this lab). You may choose any 4-6 digit combination as long as it has not already been taken/used by another lab station.
  6. Download and use the following audio file as the main greeting for your IVR menu: http://cs.co/missiongreeting

If you run into issues while downloading the file to your local machine or when uploading it to the IVR, try using Chrome as the web browser to perform these actions.

  7. Configure/add a menu option to play this recording: http://cs.co/missionhours
  8. Configure/add a second menu option to transfer the caller to your MC74 phone
  9. Configure/add a third menu option to transfer the caller to your mobile phone (external number)

Remember to save your IVR menu options before leaving the page.

Exercise 7 - Securing the Network with MS Hybrid Port Authentication (10 mins)

Steps:

  1. Navigate to Switch > Configure > Routing and DHCP and create a VLAN 150 interface on the L3 switch stack with the following information:

  Name                Remediation VLAN
  Subnet              192.168.150.0/24
  Interface IP        192.168.150.1
  VLAN                150
  Multicast Support   Disabled
  Client addressing   Run a DHCP server (use the default settings)

  2. Navigate to Security appliance > Configure > Addressing & VLANs and create a static route on the MX for this remediation VLAN with the following information:

  Enabled       Yes
  Name          Remediation VLAN
  Subnet        192.168.150.0/24
  Next Hop IP   172.16.[n].10
  Active        Always

  3. Navigate to Switch > Configure > Access policies and click on "Add an access policy" to configure a hybrid 802.1X security policy with a remediation VLAN with the following information:

  Name                  Hybrid Auth
  RADIUS servers        Host: 10.0.50.100
                        Port: 1812
                        Secret: Meraki123
  Access policy type    Hybrid authentication
  Guest VLAN            150
  Voice VLAN Clients    Bypass Authentication

  4. Navigate to Switch > Monitor > Switch ports and identify two “access” type ports on the Access switch. Proceed to assign (configure them using Edit near the top) "Hybrid Auth" as the access policy.

Exercise 8 - Configuring the Corporate SSID with Enterprise 802.1X (10 mins)

Corporate Network Details:

  • A requirement is in place for employees to use Meraki cloud authentication in order to access the Corporate LAN wirelessly

  • SSID should be available at all hours

  • iPads and Android devices should be blocked

  • Want to restrict each user's non-work-related traffic on this SSID to 500 kbps

  • Want to contain all rogue APs seen bridging clients onto the LAN

  • Will need to support both 2.4 and 5 GHz clients

Steps:

  1. Navigate to Wireless > Configure > SSIDs and create a new SSID (rename one of the Unconfigured SSIDs) and name it “Branch[n]-Corp”. Enable this SSID and remember to save the changes.
  2. Navigate to the Wireless > Configure > Access control page and select the newly created "Branch[n]-Corp" SSID from the drop-down. Configure this SSID with the following settings:
    • Association requirements: WPA2-Enterprise with Meraki authentication
    • WPA Encryption Mode: WPA2 Only
    • Assign group policies by device type: Enabled
    • Client IP assignment: Bridge mode
    • VLAN tagging: Use VLAN tagging
    • VLAN ID: 100
    • Add 2 group policies: block Android and iPad devices
    • Band selection: Dual band operation
    • Minimum bitrate (Mbps): 12 Mbps
  3. After saving your previous configurations, enable Systems Manager Sentry Wi-Fi Security and allow all devices that are in your SM network.
  4. Navigate to the Wireless > Configure > Firewall & traffic shaping page and enable traffic shaping (Shape traffic on this SSID) and proceed to add a new rule with definitions for “All Social web & photo sharing”, “All Sports”, “All Gaming”, and “All Video & music”. Enforce a per-client bandwidth limit of 500 kbps for this rule.
  5. Navigate to the Wireless > Monitor > Air Marshal page and enable LAN containment (Contain rogue APs seen on the LAN).
  6. Navigate to the Network-wide > Configure > Users page and authorize a personal user email for Corp access.

Exercise 9 - SM Enrollment SSID Configuration (5 mins)

There are a variety of ways to enroll devices into Systems Manager. In this example, we will automate the process using the Cisco Meraki full-stack integration between the wireless network and Systems Manager. This section will guide you through configuring an SM Sentry enrollment SSID and enrolling your device.

 

Steps:

  1. Navigate to the Wireless > Configure > SSIDs page and proceed to configure a 3rd SSID. Name it as "SM[n]-Enroll" where [n] is your lab station number. Enable the SSID and save changes.
  2. Navigate to the Wireless > Configure > Access control page and select "SM[n]-Enroll" from the SSID drop-down menu.
  3. Configure this SSID to be an open, NAT mode SSID with a Systems Manager Sentry enrollment splash page.
  4. Choose your Branch Systems Manager network as the enrollment network and set the enforcement strength to Strict.

Exercise 10 - Enrollment and Pushing Applications with Systems Manager (10 mins)

Steps:

  1. Navigate to the Systems Manager > Configure > General page and under Enrollment Settings, add the default tag “Corp” to the SM Network.

  2. Under “User authentication settings”, set up pre-enrollment user authentication. The following configuration will force clients trying to enroll in your SM network to authenticate via AD:

    • Authentication Settings: Active Directory: Use your own AD server

    • Email domain name: Username@Ikarem.local

    • AD gateway type: Meraki: Use an existing MX network

    • Gateway Network: Choose your Branch MX

    • Check the "Allow multi-user authentication" box

  3. Create a Security Policy under Systems Manager > Configure > Policies with the following settings:
    • Name: "Secure"
    • Passcode lock
    • Device is not compromised
    • Require that devices check in at least every week.
  4. Navigate to Systems Manager > MDM > Apps. Verify the Systems Manager iOS App is present. Adjust the scope to apply to devices that have the “Corp” tag.

  5. Add the Cisco Jabber iOS app. Set the scope of the app to be for devices with the "Corp" tag that are also compliant with the security policy created above.

 

Enrollment:

If your iPad has not been fully provisioned yet (i.e. it is in the factory default state with a "Hello" message) please proceed first by completing the initial setup process:

1.) Select an open SSID (such as Meraki Masters or Meraki Champions)

2.) If prompted, enable Location Services

3.) Skip the process of creating a passcode

4.) On the Apps & Data page, set up the device as a new iPad with the following account: partner.training@meraki.com and password: Meraki2017

 

  1. Go to the Settings page of your iPad and connect to the SM SSID - you should be prompted with the enrollment steps

    Be sure you are using Safari during the enrollment process, and trigger the enrollment by navigating to a non-HTTPS site such as google.com or cnn.com (type http:// explicitly); the enrollment splash page cannot intercept an HTTPS request without a certificate error.

  2. When prompted for a username and password, use the credentials below.

    • Domain User: lab[n]user

    • Password: meraki123

  3. Once enrollment is complete, navigate to Systems Manager > Monitor > Clients to verify that the iPad is now listed. Note the Active Directory auto-tag that was applied to the client and the assigned owner.

Exercise 11 - Building a Video Wall (5 mins)

A dynamic video wall interface can be useful to observe multiple camera feeds in a tiled and consolidated view. These video wall layouts can be rearranged in logical layouts and be saved for quick browsing.

 

Steps:

  1. Navigate to Cameras > Monitor > Video wall and proceed to create a new layout named “Branch [n] Video Wall”.

  2. Click on your lab’s MV to add the stream to your wall. Drag (using the lower right corner of the camera video feed) to resize and expand this video source to the desired size. You may also choose to drag & drop the video source anywhere within the grid lines.

Typical physical security deployments will have multiple cameras that better demonstrate the functional benefits of a video wall. For the purposes of the lab you will create a one-camera video wall to explore the interface.

  3. Save the layout when you have completed adding the desired video source, resizing, and repositioning. Your video wall should appear as a new tab on the page.

Exercise 12 - Verifying the Configurations (20 mins)

Perform the following verification steps:

 

Verification checks:

  1. Verify that your iPad has been properly enrolled into your lab instance of Systems Manager by navigating to Systems Manager > Clients. Your device should appear in the device list.

  2. Verify that the apps that you've pushed (SM and Cisco Jabber) were successful. They should show up on the iPad as well as be listed on the Systems Manager > Apps page.

  3. Navigate to the Network-wide > Monitor > Event log page and observe your AP's event log.

  4. Attempt to connect using your station's iPad or personal Android device to the corporate SSID and observe the behavior.

  5. Leave a voicemail and check your email for it.

  6. Call into the IVR menu and go through the prompts to make sure they all follow the order and functions as configured.

Lab C: Distributed Enterprise


The organization has grown to multiple, geographically dispersed sites of varying sizes. The network administrators have decided to install an additional ISP circuit dedicated to SD-WAN for improved path intelligence. There has also been a push to build persistent site-to-site VPN tunnels to all sites, including to the key NPS/AD services hosted at various datacenters. The newly formed voice team has installed MC phones at all locations, using the existing network infrastructure for remote collaboration. The company has also recently broadened its BYOD policy with backing from the security team, enforced jointly through Systems Manager Sentry (group policies pushed from the MX appliances via tags).

Exercise 1 - Meraki AutoVPN (5 mins)

 

Steps:

  1. Navigate to the Security Appliance > Configure > Site-to-site VPN page and enable site-to-site VPN by configuring your MX security appliance as a spoke.

  2. For redundancy, the MX security appliance is required to build VPN tunnels to two available hubs:

    • “DC 1 - San Francisco Concentrator” as the primary hub

    • “DC 2 - New York Concentrator” as the secondary hub

  3. In the Local networks section further down the page, set only the local Management and Data subnets to “Use VPN”, and save your settings before leaving the page.

Exercise 2 - Meraki SD-WAN (15 mins)

 

Steps:

  1. Navigate to the Security Appliance > Configure > Traffic shaping page and enable the following SD-WAN features:
    • Disable load balancing - this forces all traffic out the primary MX uplink
    • Under “Flow preferences”, add a VPN traffic preference that matches any traffic destined for the 10.0.50.0/24 subnet, sends matched traffic over WAN 2 as the preferred uplink, and fails over to the other uplink when the link's performance is poor for voice (select the VoIP performance class).
  2. Add 10.0.50.100 to the Uplink statistics section - this causes metrics for 10.0.50.100 to appear on the Appliance status page.
  3. Begin a continuous ping to 10.0.50.100 from your client.
  4. Navigate to the Security Appliance > Monitor > Appliance status page and select 10.0.50.100 from the "Connectivity to" drop-down in the Network usage section. The MX will now track connectivity statistics for this IP address.

Exercise 3 - AMP/Security Center (5 mins)

 

Steps:

  1. Navigate to the Security Appliance > Configure > Threat protection page and enable Advanced Malware Protection.

  2. Set Intrusion detection and prevention to “Prevention” with a “Balanced” ruleset. Remember to save the configuration changes that have been made before leaving this page.

Exercise 4 - Configuring the Network for Voice over IP Precedence (10 mins)

 

Steps:

  1. Navigate to Switch > Monitor > Switch ports and configure switch ports 15-18 of the "Access" switch for future VoIP phone connections by giving those ports the following characteristics:
    • Tags: VoIP
    • Access policy: Hybrid Auth (created previously)
    • VLAN (data): 100
    • Voice VLAN: 200
  2. Navigate to the Switch > Configure > Switch settings page and locate the Quality of service subsection. Add a QoS rule and configure it for all VoIP traffic across the network by meeting the following criteria:
    • VLAN: 200
    • Protocol: Any
    • Set DSCP to: 46 → class 3 (EF voice)
  3. Connect the Meraki MC phone to one of the ports configured for VoIP phone connections. Observe the IP address the device is assigned by navigating to that switch port in Dashboard.

Exercise 5 - Verifying the Configuration (5 mins)

At this point, you have provisioned inter-network connectivity to the data centers and all other remote sites through Meraki AutoVPN. The branch site has been secured with Advanced Malware Protection and intrusion prevention. SD-WAN and QoS policies were also set up to provide reliable performance for mission-critical services such as voice. Now take some time to verify that the configurations put in place are working as intended.

 

Verification checks:

  1. Navigate to the Security Appliance > Monitor > VPN status page and verify the tunnels report “connected” for both “DC 1 - San Francisco Concentrator” and “DC 2 - New York Concentrator”.

  2. Navigate to the Security Appliance > Monitor > Route table page to ensure that all routes to the Data Centers are in the up (green) state. 

  3. Connect your laptop to a Data VLAN port on your Access switch and verify that you can ping the file server that resides on the “DC 1 - San Francisco Concentrator” LAN (10.0.50.100) from your computer.

    • What were the RTT (round trip time) of your pings in ms?

  4. Unplug the MPLS cable from the "Layer 3 - 1" switch. Note that once the OSPF neighbor relationship goes down, the switch will remove the OSPF routes and fail over to the Site to Site VPN to stay connected to the file server.

    • Why did we have to wait for this failover to occur?

    • What is the RTT of your pings now?

  5. As part of the security auditing team, your job is also to verify that the network is protected against threats and malware. Complete the following steps:

    1. Connect your laptop to a Data VLAN port on your Access switch. Open Safari or Internet Explorer, navigate to eicar.org, and download the anti-malware test file to generate a security event. Alternatively, wicar.org/test-malware.html is another option.

    2. Navigate to the Security Appliance > Monitor > Security center page (make sure you completed Exercise 3 of Lab C first).

    • Observe the security event you have generated.

    • Click the respective event bar to see more detail for that 2-hour span.

    • Select the entry under "Most prevalent threats" and click "Rule details" under Actions. Observe the Snort rule definition (SID) for this entry.

  6. Take a packet capture on the switch port where the Meraki MC phone is connected and observe that the DSCP marking has taken effect for all Voice VLAN 200 traffic per the QoS rule configured in the previous exercise.
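To make step 6 concrete, the following added example (written for this page; it is not Meraki tooling) parses a classic libpcap file such as the .pcap that Dashboard's packet capture lets you download, reads the 802.1Q VLAN ID and the IPv4 DSCP field of every frame, and counts how many Voice VLAN 200 packets carry DSCP 46 (EF) versus anything else. The sample capture at the bottom is constructed in code so the script runs offline; its MAC and IP addresses are made up. Run it with the path to your downloaded .pcap as the first argument.

```python
"""DSCP audit of a switch-port packet capture (classic libpcap format).
Added example for this page, not Meraki tooling. Reports how many IPv4
packets on the voice VLAN carry DSCP 46 (EF) and how many do not."""
import struct
import sys
from collections import Counter

VOICE_VLAN, EXPECTED_DSCP = 200, 46   # lab values from the QoS rule


def iter_pcap(data):
    """Yield raw frames from classic pcap bytes; handles both byte orders."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:     # DLT_EN10MB
        raise ValueError("capture is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen


def vlan_and_dscp(frame):
    """(vlan_id or None, dscp) for an IPv4 frame, else None. Reads one 802.1Q
    tag, which is how voice VLAN frames appear on a combined access/voice port."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, off = None, 14
    if ethertype == 0x8100:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    return vid, frame[off + 1] >> 2     # IPv4 byte 1 = DSCP (6 bits) + ECN (2 bits)


def audit(pcap_bytes, voice_vlan=VOICE_VLAN, expected=EXPECTED_DSCP):
    """Count voice-VLAN IPv4 packets by DSCP; anything other than `expected` is a QoS miss."""
    counts = Counter()
    for frame in iter_pcap(pcap_bytes):
        parsed = vlan_and_dscp(frame)
        if parsed and parsed[0] == voice_vlan:
            counts[parsed[1]] += 1
    total = sum(counts.values())
    return {"total": total, "marked_ef": counts[expected],
            "unmarked": total - counts[expected], "by_dscp": dict(counts)}


# --- constructed sample capture so the script runs offline --------------------
def make_frame(vid, dscp, payload=b"\x00" * 8):
    """Ethernet + optional 802.1Q tag + minimal IPv4 header and dummy payload; addresses are made up."""
    eth = bytes.fromhex("00180a010203" "00180a040506")          # dst, src
    tag = struct.pack("!HHH", 0x8100, vid, 0x0800) if vid else struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0, 64, 17, 0,
                     bytes([192, 168, 200, 10]), bytes([10, 0, 50, 100]))
    return eth + tag + ip + payload


def make_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


SAMPLE = make_pcap([
    make_frame(200, 46),     # voice VLAN, EF: what the QoS rule should produce
    make_frame(200, 46),
    make_frame(200, 0),      # voice VLAN, best effort: rule did not apply
    make_frame(None, 0),     # untagged data VLAN traffic: out of scope
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(audit(data))   # sample -> {'total': 3, 'marked_ef': 2, 'unmarked': 1, 'by_dscp': {46: 2, 0: 1}}
```

An "unmarked" count above zero means some voice-VLAN packets are still best effort. Before blaming the rule, check which direction those frames travel: a capture on the phone's port shows both directions, and frames the phone itself transmits carry the phone's own marking, so the rule's effect is visible on frames the switch has already processed.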

Exercise 6 - Resetting the Lab Station (5 mins)

Check with your Instructor before resetting your lab station!

 

Steps:

  1. Unplug the two internet cables for each MX. 

  2. Unplug the AP and all of the cables used during the lab.

  3. Wrap the cables and place them on top of the lab station.

  4. Reset your iPad back to factory defaults (either use Systems Manager MDM commands to Erase Device or directly on the iPad going to Settings > General > Reset > Erase All Content and Settings)

 

Article ID: 2675
