
Last update: 12 June 2017

Training Manual
Certified Meraki Networking Associate Program

(Remote Version)
Introduction

You have recently been hired to manage the IT systems for a local
doctors' office group in San Francisco. Nightingale Medical Associates
has managed to survive with a consumer ISP-provided gateway for
many years, but recent Electronic Medical Records (EMR) mandates,
HIPAA compliance, more patients, and the demand for guest Internet
access have them excited about an enterprise solution.

As their new IT admin, you suggest that Nightingale Medical Associates
try Cisco Meraki as a solution that will not only meet their needs now,
but can also scale with them as they grow their existing location or
expand to multiple locations.

In order to get started, you've decided to equip them with some Meraki
gear.

! 2 CMNA Technical Training !


Network Diagram

Network Configuration Information

Note: This is just an overview. Please start the lab from page 4.

Subnet Information

VLAN 100
Name: Corporate
Subnet: 10.0.[100 + n].0/24
Gateway (MX IP): 10.0.[100 + n].1

VLAN 200
Name: Voice
Subnet: 10.0.[200 + n].0/24
Gateway (MX IP): 10.0.[200 + n].1

VLAN 300
Name: Guest
Subnet: 10.0.[n].0/24
Gateway (MX IP): 10.0.[n].1

Where n is your lab station number.

How to Perform Lab Work

1. Navigate to https://dashboard.meraki.com and log in with the username and
password provided by the instructor.

2. You can use Cisco Meraki knowledge base articles and documentation to assist with
lab exercises. They can be found on the Internet at:
https://documentation.meraki.com

3. Access points and phones are offline by design; nothing is wrong with the lab. This
is a true demonstration of zero-touch deployment. You do not actually have to have
any equipment online in order to pre-configure it.

LAB A | Small / Medium Site

To get started, let's set up your stack of Meraki gear and a Point-of-Sale
iPad. Meraki Support has already set up a Dashboard account and added
the gear to a network.
Also, some of the gear has already been powered up for you.

Product manuals are available at: https://documentation.meraki.com

Exercise 1 Initial MX Security Appliance Setup (10 min)

1. Under the Security Appliance > Monitor > Appliance status page, verify that your
MX is operational (i.e. WAN uplinks are healthy, MX is green in Dashboard, etc.).

2. Edit the configuration to change the name of your MX security appliance to Lab [n]
Security Appliance and update the physical address to your current city.

3. Since this network is pretty basic, you don't need to segment it into VLANs.
However, you will need to update the default addressing space to match the table
below:

Local LAN (Default)
Subnet: 192.168.128.0/24
Gateway (MX IP): 192.168.128.1

4. Verify that DHCP is running on your Local LAN.

Exercise 2 Initial MS Switch Setup (10 min)

1. Navigate to the Switch > Switches page. Verify that your MS switch is operational
(green status, passing traffic).

2. Rename the MS switch to Lab [n] Switch (where n is your lab station number) and
update the physical address to your current city.

3. On the Switch ports page, rename port 1 to UPLINK and ports 6-10 to VOICE.

4. Perform a cable test and a packet capture on port 1.

Exercise 3 Initial MR Wireless Access Point Setup (5 min)

Note: Access points and phones are offline by design; nothing is wrong with the
lab. This is a true demonstration of zero-touch deployment. You do not actually
have to have any equipment online in order to pre-configure it.

1. Rename the access point Lab [n] AP and update the physical location to your
current city.

2. The AP will eventually be plugged in to port 24 on the switch. Make sure the port is
configured in trunk mode with native VLAN 1 and all VLANs allowed.

Exercise 4 Guest WiFi Setup (15 min)

One of the most common requests the owner hears from their customers is for Guest
WiFi access when they're in the office.

1. On the Wireless > SSIDs tab, rename the only enabled SSID to Lab [n] GUEST.

2. Secure the SSID with the WPA2-PSK password California.

3. Create a click-through splash page so that guests have to acknowledge your terms
and conditions before they are allowed on the network.

4. The AP should handle DHCP for this SSID, so ensure NAT mode is enabled.

5. On the Wireless > Firewall and traffic shaping page, apply a bandwidth limit of
500 Kbps per device to prevent guests from hogging all of the bandwidth.

6. Guests shouldn't have any access to internal resources, so Deny all traffic to the
Local LAN with a layer 3 firewall rule.

The owners don't want guests to be able to access the SSID outside business hours,
so you decide to take advantage of the SSID availability feature.

7. On the SSID availability page, enable Scheduled availability for business hours only
(8:00 - 19:00 (7 pm)) Monday through Friday.

Exercise 5 Creating a Group Policy (10 min)

1. Navigate to the Network-wide > Group policies page and create a group policy.

2. Name the policy Guest Policy.

3. Guest group policies will only be turned on during working hours, 08:00 - 17:00
Monday through Friday.

4. Guests will be restricted to 2 Mbps per client.

5. No traffic can communicate with North Korea.

6. All Online backup and Web file sharing applications should be completely blocked
(Hint: Use the Layer 7 firewall rules).

7. Add another content filtering category for all websites deemed Illegal.

Note: We won't apply the group policy to a client yet. That will come in a later
section.

Exercise 6 Basic MX Traffic Shaping (10 min)

Because bandwidth is limited at the small site, you don't want to rely on downstream
traffic rules to ensure that you will not exceed your monthly bandwidth allotment from
your provider. You decide it would be best to enforce this in a global setting on the MX
at the edge of the network.

1. Navigate to Security Appliance > Configure > Traffic Shaping and set the global
bandwidth limit for your Internet uplinks to 20 Mbps.

2. Enable HTTP content caching to improve the end-user experience by reducing page
load times and file download times for frequently accessed web content.

Exercise 7 MAC Whitelisting on Access Ports (5 min)

Only authorized devices should be connected to the switch at the office. Create a
MAC whitelist rule so that the only device that can pass traffic on a particular port is
their company workstation.

1. Create a MAC Whitelist entry on ports 21-23 on your switch using a MAC address
of aa:bb:cc:aa:bb:cc.

Hint: The ports should be configured in access mode.

Great Job!

You've completed the setup for your small, single location and have a full Meraki
network up and running. The workstation can get secure access via its wired
connection, and guests have isolated, Internet-only access. Feel free to move on to
the next section prior to the product overview section.

LAB B | Large Site / Campus

Since deploying their enterprise network, Nightingale Medical Associates
has continued to grow. They've just acquired another medical group that
has a legacy private network interconnecting all of their sites. In order to
increase collaboration during the acquisition, Nightingale Medical
Associates has rolled out the private network to all sites. Also, to protect
their new Electronic Medical Records (EMR) system, Nightingale Medical
Associates wishes to increase the security of their wired and wireless
network.

Have a technical question or having issues? The Cisco Meraki
Knowledge Base is available at: https://documentation.meraki.com

Exercise 1 Logically Segment the Corporate Network (10 min)

In order to segment the network for better control and security, you decide to use
VLANs to separate internal Corporate and Voice traffic from network control traffic on
the native VLAN.

Note: Do not remove VLAN 1 (native/untagged VLAN), which is configured by default.

1. Navigate to Security appliance > Addressing & VLANs and enable VLANs on the
Security Appliance. Create two new VLANs in addition to your Native
VLAN, Corporate and Voice, based on the subnet information below:

VLAN Subnets: Corporate & Voice

VLAN 100
Name: Corporate
Subnet: 10.0.[100 + n].0/24
Gateway (MX IP): 10.0.[100 + n].1

VLAN 200
Name: Voice
Subnet: 10.0.[200 + n].0/24
Gateway (MX IP): 10.0.[200 + n].1

Where n is your lab station number.

2. Verify that all ports in the per-port VLAN configuration on the MX are enabled and
set as trunks for the native VLAN with all VLANs allowed.

3. On the DHCP page, verify that DHCP is running for each of the new VLANs you set
up.

4. You'll want to make sure you save some IP addresses for your internal use. Reserve
DHCP addresses .1-.20 on the native (Default) VLAN for that use.

Exercise 2 Switch Port Configuration (5 min)

1. Using the virtual stacking feature, select ports 2-5 on your switch and configure
these selected ports as access ports on VLAN 100. Name each port DATA.

2. Now, select ports 6-10 on your switch and configure them as access ports on VLAN
200.

Note: We are not using the Voice VLAN field yet. We will use that in a later
exercise.

3. Select only the access ports labeled DATA and VOICE (ports 2-10) and enable BPDU
Guard to protect against non-authorized switches. Be sure that you do not enable
this on your trunk ports or on your uplink ports, as it will break the connection
between your switches.

Hint: You can search for the ports by using a range (e.g. 2-10) or by searching the name
of the ports.

Exercise 3 Configure STP / RSTP for Your Switch (5 min)


1. Verify that RSTP is enabled for your switch. For more information on RSTP, refer to
the Meraki RSTP Documentation.

2. Update the switch bridge priority to ensure that it will always remain the root switch
in the network.

3. Verify that your switch was indeed elected as the root switch for your campus.

Exercise 4 Voice VLAN & Quality of Service (10 min)

Nightingale Medical Associates recently purchased a top-notch Cisco VoIP solution.
Normally, employees plug their laptops into the secondary Ethernet port of their phone.
It is your job to get the switch ready for the VoIP solution.

1. Configure ports 15-20 on the switch as access ports on VLAN 100 with a Voice VLAN
configured as VLAN 200, and name them Workstation, as these ports will be used
for desks using both a computer and a phone.

2. Navigate to the Switch > Configure > Switch settings page and locate the Quality
of service subsection.

3. Select Add a QoS rule for this network and configure a QoS rule for all VoIP traffic
across the network:

QoS Settings
VLAN: 200
Protocol: Any
VoIP Precedence: 46 class 3 (EF voice)

Exercise 5 Configure a Port Schedule for your VoIP Ports (5 min)

You want to save power and secure your environment after hours. Use the port
schedule feature to configure this functionality.

1. Navigate to Configure > Port Schedules.

Note: Be sure the correct local time zone is set on the network.

2. Create a new schedule named VoIP Power Saving to turn off ports during non-
business hours (assume a work schedule of 8:00 - 19:00 (7 pm)).

3. Apply the port schedule to ports 15-20 on your switch (your VoIP ports).
Do not apply it to your switch's uplink ports.

Exercise 6 Corporate WiFi Setup (15 min)


Set up a new Corporate SSID on your wireless network. Name it Lab [n] CORP (where
n is your station number), enable the SSID, then navigate to Wireless > Access Control
and configure the following settings:

1. Secure the SSID with the WPA2-PSK password ikarem123.

2. Enable a splash page with the Meraki Authentication option.

3. This network needs access to your internal resources, so put it in Bridge mode
under client IP assignment.

4. Use VLAN tagging and assign all APs to VLAN 100 for the Corp SSID.

5. Disable bit rates below 12 Mbps (legacy bitrates).

6. Ensure all LAN access is permitted in the wireless firewall settings.

7. Restrict the per-client bandwidth to 2 Mbps.

8. Use Cisco Meraki's traffic shaping rules to set a 500 Kbps limit on software updates
to limit unnecessary background resource utilization, and throttle YouTube traffic to
20 Kbps up/down.

9. Take it one step further and show management Cisco Meraki's layer 7 firewall rules.
Deny the applications iTunes and Peer-to-Peer. Finally, deny the HTTP hostname
espn.com.

10. Navigate to Network-wide > Users. The credentials you used to log into Dashboard
will be automatically populated. Authorize your lab [n] account to grant it the ability.

Exercise 7 Setup Air Marshal / Wireless IPS (5 min)

Set up Air Marshal so that it automatically contains any rogue access points seen
on the LAN and alerts the network administrators.

1. Navigate to Wireless > Air Marshal and configure the access points to
automatically contain any rogue APs seen on the LAN.

2. Additionally, configure the APs to automatically contain any SSIDs being
broadcast with Nightingale in the name.

3. Make sure that administrators are alerted every time a rogue AP is detected (Hint:
Network-wide > Alerts & administration).

Exercise 8 Traffic Prioritization and Bandwidth Control (5 min)

Now that so many more devices are on the network, you want to make sure certain
types of traffic, like the VoIP and video conferencing solutions you are leveraging within
your environment, take priority over other types of traffic.

1. Navigate to the traffic shaping section for the MX security appliance.

2. Create a new traffic shaping rule to give VoIP and video traffic unlimited bandwidth
and High priority on the network.

Note: The goal of this is not to limit VoIP traffic but rather to prioritize it. For more
information on how the priority is calculated, refer to the Traffic Priorities KB article.

Exercise 9 Increasing Network Security with the MX (15 min)

1. Many basic security threats can be taken care of simply by blocking access to risky
websites. Create content filtering rules to block the following categories: Bot Nets,
Confirmed Spam, Malware Sites, Spyware & Adware.

2. Additionally, some of the content on the site thehackerblog.com might inspire
malicious behavior. Create a Blocked URL pattern to block the site. Save the
changes and move on for now.

3. Peer-to-peer traffic on the network presents a security threat and can also hog
valuable bandwidth on the network. Create a Layer 7 firewall rule on your MX to
block all Peer-to-peer and Web file sharing traffic.

4. In order to cover threats that may be arriving via malicious methods, enable
Malware detection and Intrusion Detection and Prevention (IDS/IPS). For now, a
Balanced approach to blocking threats should be sufficient.

Exercise 10 New Guest VLAN & Applying Group Policy (15 min)
A decision has been made to centralize the DHCP services on the MX security
appliance instead of hosting IP addressing for guest users on the APs.

1. Create the following subnet on the MX security appliance:

VLAN 300
Name: Guest
Subnet: 10.0.[n].0/24
Gateway (MX IP): 10.0.[n].1

Where n is your lab station number.

2. Change the Guest SSID from NAT mode to Bridge mode and tag the SSID for all
APs.

3. Apply the Guest Policy group policy to this new guest VLAN on the MX.

Hint: Navigate to Security appliance > Addressing & VLANs.

Exercise 11 Configure Switch Access Policies (15 min)

Corporate policy now favors 802.1X port authentication in place of local MAC
whitelisting. We now need to configure an 802.1X access policy and place that on the
ports that originally had MAC whitelisting in place.

1. Navigate to Switch > Access policies and add an Access policy.

2. Name the access policy Lab [n] RADIUS, where n is your lab station number.

3. Configure an access policy with the RADIUS server using the information below. The
access policy should have the following attributes:

Host: 10.0.250.100
Port: 1812
Secret: meraki123
Access Policy Type: 802.1X
Guest VLAN: 300

Note: There's no need to test authentication to the RADIUS server at this time.

4. Add the settings so that phones are not required to authenticate and unauthorized
users are placed on the Guest VLAN 300.

5. Apply the Access Policy to ports 15-20.

Hint: The ports need to be configured in access mode.

Nice Work!

In that short amount of time you configured RSTP for your switch fabric to reduce
unnecessary broadcast overhead on the network and QoS policy rules to ensure the
best performance for voice applications. You also created a port schedule and
configured port security for better power and port management.

Furthermore, you created a Corporate SSID to support the ever-growing needs of
wireless devices on the network.

Feel free to move on to the next lab if you are finished prior to the Distributed
Enterprise demo, or you can add additional security to the network in the following
bonus exercise.

LAB C | Distributed Enterprise

Nightingale Medical Associates has been using their Meraki network for
an entire year now. Their Cloud Managed Network has helped them
roll out electronic medical records, ensure HIPAA compliance, and has
accommodated the demand for guest Internet.

To keep up with the growing number of doctors' offices joining the group
and increase the level of performance and reliability required by a
growing distributed network, they will need to add centralized Data
Center services and interconnect the sites.

Looking for datasheets, whitepapers or solution guides? Check out the
Meraki Library at: http://meraki.cisco.com/library/

Exercise 1 Site-to-Site VPN Configuration (10 min)

To make the pilot easier, you've taken some gear from the campus for this deployment
which already has minimal configuration on it for Internet connectivity.

Your branch will connect via VPN back to the corporate campus and also leverage
services such as RADIUS that have been set up over the VPN connection. Let's get this
branch connected back to HQ via a site-to-site VPN tunnel.

1. Configure a hub-and-spoke, split-tunnel VPN with your branch MX as a spoke and
Data Center 1 as the primary hub and Data Center 2 as the secondary hub.

2. Make sure your Corporate and Voice VLANs are the only subnets being advertised
in the VPN.

3. Determine if other branch pilot labs are online using the Security Appliance >
Configure > Site-to-Site VPN page.

Note: You will find other VPN peers online in the remote VPN participants table of
this page.

4. Verify that you have connectivity to Data Center 1 and 2. Ping 10.0.251.1 and
10.0.252.2. Use the live tools.

5. Verify that you can ping the internal address of your neighbor's MX from your own
MX. This address should be 10.0.[100 + n].1, where n is their lab station number. Use
the live tools.

Exercise 2 Securing the Switch Fabric (10 min)

Now that we are connected via VPN to the HQ network, new policies need to be put
into place to deny certain types of traffic across the switch fabric. In particular, corporate
IP traffic from the remote branch should not be able to access the human resources file
server. Configure an IPv4 ACL to block this traffic.

1. Navigate to Switch > IPv4 ACL and add a rule.

2. Configure a rule to deny any traffic from the Corporate IP subnet to the human
resources file server at 10.0.250.10. Be sure that the protocol drop-down is set to
any so that all traffic will be blocked to the file server.
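As an added illustration (not part of the original manual), the following Python models how a first-match IPv4 rule list decides a flow, using two rules from this lab: the guest SSID's layer 3 firewall rule from Lab A, Exercise 4 (deny all traffic to the Local LAN) and the switch ACL above (deny the Corporate subnet to the HR file server, protocol any). The top-down, first-match, implicit-allow semantics and the RFC 1918 meaning of "Local LAN" are assumptions made here, and the lab station number n is a constructed parameter taken from the manual's addressing table.

```python
import ipaddress
from dataclasses import dataclass

# Assumed meaning of the Dashboard's "Local LAN" destination: the RFC 1918 ranges.
LOCAL_LAN = [ipaddress.ip_network(c)
             for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR, "any" or "local_lan"
    protocol: str = "any"  # "any", "tcp", "udp", "icmp"
    dst_port: str = "any"  # port number as a string, or "any"


def lab_subnets(n):
    """Subnets from the manual's addressing table for lab station n (constructed input)."""
    return {"corporate": f"10.0.{100 + n}.0/24",
            "voice": f"10.0.{200 + n}.0/24",
            "guest": f"10.0.{n}.0/24"}


def _dst_matches(rule_dst, ip):
    if rule_dst == "any":
        return True
    if rule_dst == "local_lan":
        return any(ip in net for net in LOCAL_LAN)
    return ip in ipaddress.ip_network(rule_dst)


def evaluate(rules, src_ip, dst_ip, protocol, dst_port=None):
    """Top-down, first match wins; no match falls through to an implicit allow
    (assumed semantics). Returns (action, index_of_matching_rule_or_None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if r.src != "any" and src not in ipaddress.ip_network(r.src):
            continue
        if not _dst_matches(r.dst, dst):
            continue
        if r.protocol != "any" and r.protocol != protocol:
            continue
        if r.dst_port != "any" and str(dst_port) != r.dst_port:
            continue
        return r.action, i
    return "allow", None


def guest_ssid_rules():
    """Lab A, Exercise 4 step 6: deny all traffic to the Local LAN; Internet stays open."""
    return [Rule("deny", "any", "local_lan")]


def hr_server_acl(n, protocol="any"):
    """Lab C, Exercise 2: deny Corporate subnet -> HR file server 10.0.250.10.
    The protocol argument lets you see why the manual insists on 'any':
    a TCP-only rule silently lets UDP through to the same server."""
    return [Rule("deny", lab_subnets(n)["corporate"], "10.0.250.10/32", protocol)]
```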

Exercise 3 Securing Corporate Wireless (10 min)

Recent security concerns necessitate enabling WPA2-Enterprise for the corporate SSID
to bring an added layer of security to the network. You will need to configure the
Corporate SSID to authenticate against the Corporate RADIUS server over the VPN.

1. Navigate to the Access control settings for the Corporate SSID.

2. The Corporate SSID is currently set to have users associate with a pre-shared key
and sign into a splash page using Meraki authentication. Change this so that users
associate with WPA2-Enterprise & a RADIUS server, and disable the sign-on splash
page.

3. Configure the RADIUS server using the same information you used for port
authentication on the switch:

Host: 10.0.250.100
Port: 1812
Secret: meraki123

Note: There's no need to test authentication to the RADIUS server at this time.

Exercise 4 Summary Reports (10 min)


As part of managing many more locations, reporting is more important than ever. You
will need to test network summary reporting from Dashboard. For this pilot you just want
to see information about switch port utilization.

1. Navigate to Network-wide > Summary report.

2. Set a search parameter in the dropdown at the top of the page for Lab[n] - Switch
with All devices. You also want to see information for the last week.

Note: You may not see any information when the report is generated given the
small amount of time your network has been online.

3. You also want these reports to be emailed on a scheduled basis, a week at a time to
the CEO of the company at ceo@nightingale.com.

Congratulations!

Thanks to you, Nightingale Medical Associates has been able to adopt an enterprise
solution that has scaled with the group's growth. You've expanded their small
original location to a large enterprise and even helped the company support a
multi-site architecture.

Before you leave, there's just one last task to complete:

Be sure your trainer has signed off on your lab before leaving for the day!
