Training Manual
Certified Meraki Networking Associate Program
Introduction
You are the senior network administrator for a rapidly expanding San
Francisco-based coffee and sandwich chain. Mission Sandwiches has
decided to support their new growth initiatives with a Cisco Meraki
network at its many retail locations and the corporate office in San
Francisco. The executive team still needs to buy into the idea of
using a cloud-based architecture, and you have decided to run a pilot
to demonstrate how a Cisco Meraki deployment can help the business
grow and scale while still providing many different avenues for a return
on the investment.
Dashboard Access
Your Dashboard login credentials (where n is your lab station number):
Site: dashboard.meraki.com
Username: labn@meraki.com.test
Password: meraki123
Apple ID Information
The iPad may ask you to log in with Apple ID credentials when installing apps:
Username: partner.training@meraki.com
Password: Meraki2017
Important note: Be sure you are selecting the correct Organization for your CMNA
session. Your instructor will provide the correct session ID.
[Figure: lab station topology diagram with Campus Stack and Branch Stack panels. Labeled devices: MX84, MS225 (Switch 2), MX65, MR42, MV21, MC74, iPad; uplinks WAN 1 and WAN 2.]
Note that this is the overall topology of your assigned lab station.
The ISP stack is the Meraki hardware setup in front of the room to
aggregate and provide Internet connectivity to all branch lab stations.
From the Network list, you will find three separate networks:
You have just arrived on-site at the branch Mission Sandwiches flagship
location. The branch equipment listed above has already been delivered
to the site and is ready for configuration.
To get started, let’s set up your stack of Meraki gear and a Point-of-Sale
iPad. Meraki Support has already set up a Dashboard account and added
the gear to a network.
Also, some of the gear has already been powered up for you.
1. Make sure you are connected to the CMNA wireless network (DO NOT connect
your computer to the MX via Ethernet yet). Disable any client VPN software running
on your computer.
3. Under Security Appliance > Monitor > Appliance status, edit the configuration to
change the name of your MX security appliance to “Lab [n] Branch Security
Appliance” and update the street address to your current city.
4. Enable VLANs under the Security Appliance > Configure > Addressing & VLANs
page and update the default addressing space to match the table below:
Note: Make sure VLAN is enabled before proceeding to the next step.
5. Ensure that all LAN ports on the MX65 are set to trunk ports with native VLAN 1
allowing all VLANs.
6. Verify that DHCP is running on your Local LAN and reserve DHCP addresses .1 - .20
for internal use on VLAN 1.
Note: Be sure you disable your wireless card before testing the step below.
7. Plug your laptop into LAN port #3 on the MX65 and confirm that you get a DHCP
lease in the IP space of VLAN 1 configured previously. You can do this by navigating
to wired.meraki.com, the local status page hosted on the MX.
Note: Disconnect your laptop from the LAN port of the MX65 and connect back to
the CMNA wireless network.
1. Name the policy “Cashier iPads” and set up a Custom firewall and shaping rule to
block all Social web and Gaming websites with L7 firewall rules.
2. Additionally, you don’t want the cashier to be shopping on the payment terminal so
in the ‘security appliance only’ section append ‘shopping’ to the blocked website
categories.
Note: Blocking this traffic through the use of a group policy allows us to dynamically
assign this policy to multiple devices based on posture, rather than statically on the
MX or MR. We will not apply this group policy until later in the lab.
Note: You will need to navigate to your Campus network from the network drop-
down on the left side of the page.
2. The Dashboard should present your SM “network ID” and instruct you to open an
internet browser (Safari) on your iPad to complete the setup process.
! 9 CMNA Technical Training !
Hint: Make sure to accept all pop-ups on your iPad during enrollment to trust and
accept the MDM policy.
3. Verify that you can see your iPad client on Systems Manager’s client list page
(Systems manager > Monitor > Clients). Click on your device and check the
available battery and storage space.
4. Verify that the Meraki SM app has also been properly installed on your iPad.
Hint: You may be prompted by the iPad for the iTunes password during the Meraki
SM app installation - if so, use:
Username: partner.training@meraki.com
Password: Meraki2017
Now that you have successfully brought the branch store online, it’s
time to configure the campus infrastructure pilot. As previously stated,
you will do this deployment remotely from the branch store using gear
that another network administrator has connected in the San
Francisco office at your request.
3. Enable VLANs and modify your existing default VLAN with a name of “Infrastructure”
and set the subnet information to the configuration below:
4. Add separate VLANs for corporate user data, cameras, voice and a static route for
active directory traffic:
6. Under Security Appliance > Configure > DHCP, verify DHCP is running for all of the
configured VLANs and not the static route.
1. Many basic security threats can be taken care of simply by blocking access to risky
websites. Navigate to Security appliance > Configure > Content filtering and
create content filtering rules to block the following categories: Bot Nets, Confirmed
SPAM Sources, Spyware & Adware, and Malware sites.
1. Navigate to Switch > Monitor > Switch stacks and you may notice that Dashboard
has already identified your two switches as a potential stack. Rather than provision
the stack manually let's have Dashboard do it for us. Select ‘Provision this stack’
under the Detected potential stacks section. If you do not see this option simply
select the ‘add one’ link on the page above and select both available switches.
2. Name the new stack “Lab [n] Campus Stack” and select Create.
3. Once the stack has been created, select it and verify both switches are configured
as Members in the stack under the ‘Overview’ tab.
4. From your switch stack, select the uplink port (this is denoted as an arrow in the
port). This should be port 24. This will bring you to the switch status page. Name
the switch “Lab [n] Campus Switch 1” and update the street address to the Campus
location:
1. Navigate to Switch > Configure > Routing and DHCP page to create the layer-3
interfaces or SVIs on the switch stack with the following configuration (leave DHCP
and multicast support disabled):
2. Navigate back to Switch > Monitor > Switches and select your Switch 1. Click on
the ‘L3 Routing’ tab and scroll to the bottom of the page to verify that the interfaces
you added appear in the routing table.
4. Clear the search bar to view all ports from both switches.
5. Configure the following port parameters on both switches using the search
functionality on the Virtual Stacking page.
Switch Port Configuration
Ports: 6-10
Name: Camera
Type: Access
VLAN: 150
Ports: 11-20
Name: Workstation
Type: Access
VLAN: 100
Voice VLAN: 200
Port: 21 (ONLY switch 2)
Name: Active Directory
Type: Access
VLAN: 50
6. Using the large + icon in the top-right corner of the Virtual Stacking (Switch ports)
page add the ‘CDP/LLDP’ Details option to the table and then drag the column to
the left so it is next to the Switch/Port column. Using the search bar find port 1 on
Switch 1 and select the Cisco Meraki MR42 AP from the CDP/LLDP field. This will
take you to the access point status page and now you’re ready to move onto the
next exercise.
4. This network needs access to your internal resources, so put it in Bridge mode
under client IP assignment.
5. Use VLAN tagging and assign all APs to VLAN 100 for the Corp SSID.
6. Ensure all LAN access is permitted in the wireless firewall & traffic shaping settings.
8. Set up Wireless firewall & traffic shaping rules to set a 500 Kbps limit on software
updates to limit unnecessary background resource utilization and throttle YouTube
traffic to 20 Kbps up/down.
9. Take it one step further by creating layer 7 firewall rules. Deny applications: iTunes
and Peer-to-peer. Finally, deny the HTTP hostname of “espn.com”.
2. You can view the live feed under the ‘Video’ tab. You may notice a grey cloud in the
lower left corner indicating the camera is cloud streaming to your PC, eliminating the
need for a VPN to view remote video footage.
3. Rename the security camera to “Campus Security Camera [n]” by clicking on the
pencil icon next to the default name of the camera, which is the MAC address.
4. Corporate policy dictates that camera footage need not be archived in a continuous
format and only footage with motion should be stored. Enable the camera to always
record at the highest quality but delete footage with no motion.
2. For remote troubleshooting, the Meraki switches are equipped with a cable testing
feature. Click on port 11 and run a cable test. You can also reboot any PoE devices
connected to the switch by cycling the port. In this case, cycle port 11.
3. Scroll down to the CDP/LLDP section and select the MC74 link which will take you to
the device details page for your phone.
Note: If you do not see any CDP/LLDP information you can alternatively copy the
MAC address of the active client on the port, navigate to your ‘Phones’ network in
the network drop-down on the left side of the page and go to Phones > Monitor >
Phones and use the search bar with your MAC address to identify your phone.
Note: You may notice you are in a phones-only network in the network pane on the
left side of Dashboard. Meraki phones work best in their own network within the
Organization when making extension to extension calls or using services like IVRs
and Call Groups.
4. On the Phones > Configure > Directory page, create a new contact named “Lab [n]
Campus Phone” (title is optional) and save it.
1. Navigate to Phones > Configure > Conference rooms and add a persistent
conference room with a name of “Lab [n] Conference” and designate an internal
extension of 5000 + [n]. Similar to the phone extension format, lab station 5 would
use an extension of “5005” whereas lab station 15 would be extension “5015”. We
also want to secure the conference room, so specify a security pin of 1234.
2. Navigate to Phones > Configure > IVR menus and create a new IVR menu with a
name of “Lab [n] Welcome Menu” with an extension of 6000 +[n] and it should be
active always.
4. Download the following file and set it as menu option 1 to play this recording:
http://cs.co/missionhours
Note: Be sure to use a recommended web browser such as Chrome or Firefox if
you’re unable to set the audio file as an option on the IVR menu.
7. Verify that you have set up your phone network correctly by placing a call from the
MC74 VoIP phone at the front of the training room to the three numbers (Your
individual phone extension, IVR, and conference room) you configured.
Note: When joining the conference room you will not get an audio indication that
you have joined.
1. Navigate back to your campus network and go to Switch > Configure > Port
Schedules.
Note: Be sure the correct local time zone is set on the network.
2. Create a new schedule named “VoIP Power Saving” to turn on ports only during
business hours (assume a work schedule of 8:00-19:00 Monday through Friday).
3. Apply the port schedule to ports 11-20 on both switches (your VoIP ports). You
should use the virtual stacking interface to bulk configure these ports across
switches. Do not apply to your switch’s uplink ports.
1. Navigate to Network-wide > Monitor > Packet capture and stream a high verbosity
packet capture on port 11 of Switch 2 to Dashboard with a filter expression of:
2. Validate that you successfully configured your VoIP ports with a voice VLAN of 200.
Hint: The filter expression will filter for LLDP advertisements that show the switch is
advertising the Voice VLAN for the applicable ports. Once the capture is complete,
search the page for the Application Type field under the Network Policy Subtype. If
nothing appears, try the capture again. If you still don’t see anything, verify your
port configuration with your instructor.
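The check the hint describes, as an added example that is not part of the training manual: this Python code decodes the LLDP-MED Network Policy TLV (organizationally specific TLV 127, TIA OUI 00-12-BB, subtype 2) from a raw Ethernet frame and returns the VLAN advertised for the Voice application type. The sample frame is constructed for illustration, and its MAC addresses, priority and DSCP values are assumptions rather than values from a lab capture.

```python
import struct

MED_POLICY = b"\x00\x12\xbb\x02"   # LLDP-MED (TIA) OUI + subtype 2, Network Policy
APP_TYPES = {1: "Voice", 2: "Voice Signaling"}

def iter_tlvs(lldpdu):
    """Yield (type, value) pairs; each TLV header is 7-bit type + 9-bit length."""
    offset = 0
    while offset + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if tlv_type == 0:                      # End of LLDPDU
            return
        if offset + length > len(lldpdu):
            raise ValueError("truncated TLV")
        yield tlv_type, lldpdu[offset:offset + length]
        offset += length

def network_policies(frame):
    """Yield each LLDP-MED Network Policy TLV in an Ethernet frame, decoded."""
    start = 16 if frame[12:14] == b"\x81\x00" else 12   # skip an 802.1Q tag
    if frame[start:start + 2] != b"\x88\xcc":            # EtherType is not LLDP
        return
    for tlv_type, value in iter_tlvs(frame[start + 2:]):
        if tlv_type != 127 or len(value) != 8 or value[:4] != MED_POLICY:
            continue
        # 24 bits: U(1) T(1) X(1) VLAN ID(12) L2 priority(3) DSCP(6)
        bits = int.from_bytes(value[5:8], "big")
        yield {
            "application": APP_TYPES.get(value[4], f"type {value[4]}"),
            "unknown": bool(bits >> 23 & 1),   # U flag: policy not known
            "tagged": bool(bits >> 22 & 1),    # T flag: VLAN is tagged
            "vlan": bits >> 9 & 0xFFF,
        }

def voice_vlan(frame):
    """Return the VLAN ID advertised for the Voice application type, else None."""
    return next((p["vlan"] for p in network_policies(frame)
                 if p["application"] == "Voice" and not p["unknown"]), None)

def build_tlv(tlv_type, value):
    return struct.pack("!H", tlv_type << 9 | len(value)) + value

# Constructed sample frame (not a lab capture): MACs, priority and DSCP are made up.
SAMPLE_FRAME = (
    bytes.fromhex("0180c200000e" "020000000011" "88cc")
    + build_tlv(1, b"\x04" + bytes.fromhex("020000000011"))   # Chassis ID (MAC)
    + build_tlv(2, b"\x07" + b"11")                           # Port ID (local)
    + build_tlv(3, (120).to_bytes(2, "big"))                  # TTL
    + build_tlv(127, MED_POLICY + b"\x01"                     # Voice, tagged, VLAN 200
                + (1 << 22 | 200 << 9 | 5 << 6 | 46).to_bytes(3, "big"))
    + build_tlv(0, b"")                                       # End of LLDPDU
)
```

For a port configured as in the Switch Port Configuration step, `voice_vlan()` on a captured advertisement should return 200; `None` means no Voice policy was advertised in that frame.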
2. Configure a site-to-site VPN with your campus MX as a hub and advertise all local
subnets over the VPN except the infrastructure subnet. Also advertise the Active
Directory static route over the VPN.
3. Move back to your branch network via the network drop-down on the left side of
Dashboard.
4. Configure your branch network as a split-tunnel site-to-site VPN with your branch
MX as a spoke pointing to your campus MX as the hub. Be sure to advertise the
one local subnet of the branch under VPN settings (flip from “no” to “yes”).
Note: You may be able to see other Campus Hub MX's. These are other concurrent
deployments and you should set only the Hub MX that you configured previously.
5. Once you have saved your configuration and refreshed your page, navigate to
Security Appliance > Monitor > VPN status to verify your VPN connection is
running properly. You should be able to verify if you connected to your hub MX.
Hint: If you do not see any information try selecting the ‘view old version’ link in the
top right corner of the page.
1. From the branch MX65, verify under Security Appliance > Monitor > Appliance
status that the uplink for the second Internet port is up and that you are getting an
IP address.
a. Under “Flow preferences”, add a VPN traffic preference that matches any
traffic destined for 10.[n].200.0/24 and send matched traffic over its preferred
uplink WAN 2 while ensuring that the link will fail over if there is poor
performance for VoIP devices.
Note: Be sure not to leave any of the source, destination, or port fields blank -
the word "Any" can be applied as a wildcard.
b. Add a second VPN traffic flow preference to forward any traffic destined for
192.168.50.10 over WAN2 as long as it is up.
3. Disable the wireless adapter from your laptop and connect it to LAN port #3 on the
branch MX65 and run a continuous ping to the Corp server 192.168.50.10. Verify that
connectivity is successful.
4. Verify that traffic destined for 192.168.50.10 is forwarded over the WAN2 uplink.
Navigate to Security appliance > Monitor > VPN status and take a look at the
‘Uplink decisions’ section of the page.
5. To test out the resiliency of the solution by simulating an uplink failure, manually
unplug the second uplink cable from WAN2 of the MX65. Monitor the ping test from
your laptop.
Note: Plug the WAN cable back to WAN2 when you’re done testing.
Note: If you are a Windows user and you’re not getting the login prompt, it is likely
that 802.1X is disabled on your Ethernet adapter. You can enable 802.1X per this KB
article. If you have a corporate policy on your laptop that prevents connections to
wired 802.1X connections, please connect to port 10 instead and bypass the login.
1. Under Network-wide tab of the branch network, navigate to the Sentry policies
page.
2. Add a new group policy MDM scope for your “Campus Lab [n] Systems Manager”
network.
3. Elect to have the “Cashier iPads” group policy you created in Lab A applied to any
device with the “cashier” Systems Manager tag. This setting will associate the
“Cashier iPads” group policy to your device because it is tagged with the “cashier”
tag.
4. Navigate back to the network client listing in Network-wide > Monitor > Clients.
5. Verify that the ‘cashier iPads’ group policy applied to the iPad correctly.
Hint: You may need to select 'all clients with a policy' to be able to see the iPad.
The iPad would appear in the general clients list only when it is actually connected
to the Branch network.
Note: You will need to navigate back to your Campus network for the following
step.
1. Navigate to Systems manager > Configure > Geofencing and select ‘Add new,’
located at the right side of the page.
3. The Geofence should apply to devices with the ‘cashier’ tag and add a new area to
this Geofence that encompasses your current location.
4. After you save the configuration, navigate to Systems manager > Configure >
Alerts and configure Dashboard to alert you if a device violates a Geofence policy.
1. Navigate to the Video tab of the MV’s details page and you should now notice a
green check mark in the lower left corner indicating a local connection to the
camera. Click the Motion Search button.
2. A light grid-system should overlay the video stream. Using your cursor, proceed to
highlight an area within the video stream that you would like to perform a motion
search.
Hint: To increase the number of results, you may want to select a larger search
window by using the zooming options (Zoom in, Zoom out icons to the right of the
playback time slider).
3. All detected events will be displayed in a table directly below the video feed and
the search timeline. You can click on each row (event) to bring up the recorded
search. Verify that the camera did in fact detect a change in your region of interest
for the returned motion search event(s).
Note: The MV camera for your lab station is set up inside a rack. The motion search
feature might not find any motion events due to the lack of motion recorded by the
camera inside the rack.
2. Set a search parameter in the drop-down at the top of the page for Campus LAB [n]
- Switch with All devices. You also want to see information for the last week.
Note: You may not see any information when the report is generated given the
small amount of time your network has been online.
3. You also want these reports to be emailed on a scheduled basis, a week at a time to
the CEO of the company at ceo@missionsandwiches.com.
Today, however, one of the cashier iPads was stolen by a disgruntled employee. You’ve
received an alert that it has violated the geofence, but the employee is long gone. You
decide to wipe the iPad to remove any sensitive information and access.
1. Navigate to your Systems Manager network and locate the Clients page.
3. Completely erase the iPad so that it is set back to factory default settings by using
the live tools on the iPad details page.
Note: Be sure to have your trainers check your lab station before resetting the iPad.
1. Reset the lab station to the way it was when you arrived (bundled cables, neat and
tidy, disconnect your AP).
2. Confirm that you properly wiped your iPad in the final step of the Systems Manager
exercises and plug the iPad into the charger and have your lab checked by your
trainer before leaving.