Last update: 12 June 2017
Training Manual Certified Meraki Networking Associate Program (Remote Version)
Introduction

You have recently been hired to manage the IT systems for a local doctor's office group in San Francisco. Nightingale Medical Associates has managed to survive with a consumer ISP-provided gateway for many years, but recent Electronic Medical Records (EMR) mandates, HIPAA compliance, more patients, and the demand for guest Internet access has them excited about an enterprise solution. As their new IT admin, you suggest that Nightingale Medical Associates try Cisco Meraki as a solution that will not only meet their needs now, but can also scale with them as they grow their existing location or expand to multiple locations. In order to get started, you've decided to equip them with some Meraki gear.
CMNA Technical Training
Network Diagram
Network Configuration Information

Subnet Information
Note: This is just an overview. Please start the lab from the "How to Perform Lab Work" section.

VLAN 100  Name: Corporate  Subnet: 10.0.[100+n].0/24  Gateway (MX IP): 10.0.[100+n].1
VLAN 200  Name: Voice      Subnet: 10.0.[200+n].0/24  Gateway (MX IP): 10.0.[200+n].1
VLAN 300  Name: Guest      Subnet: 10.0.[n].0/24      Gateway (MX IP): 10.0.[n].1
Where n is your lab station number.
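The addressing rule above is easy to get wrong by hand: a station number that pushes 200 + n past 255 is not a valid address, and a station number in the 50s lands the Voice VLAN on 10.0.250.0/24 - 10.0.252.0/24, where the RADIUS server and the two data centers used in Labs B and C live. The following Python script is an added example, not part of the Meraki manual. It derives a station's three VLANs from n with the standard library ipaddress module and refuses any plan that overlaps those shared hosts. The shared addresses are taken from the later exercises; treating their whole /24s as reserved is an assumption of the example.

```python
"""Lab addressing plan calculator (added example, not part of the CMNA manual).

Derives the three lab VLAN subnets for a station number n from the rule on
this page (10.0.[100+n].0/24, 10.0.[200+n].0/24, 10.0.[n].0/24) and checks
that they stay clear of each other and of the shared lab infrastructure the
later exercises point at (RADIUS 10.0.250.100, data centers 10.0.251.1 and
10.0.252.2). Reserving the whole /24 of each shared host is an assumption;
the manual does not state a reserved range.
"""
import ipaddress

# Shared addresses referenced later in the manual (assumption: their /24s are
# off limits to every lab station).
SHARED_INFRASTRUCTURE = {
    "radius": ipaddress.ip_address("10.0.250.100"),
    "data_center_1": ipaddress.ip_address("10.0.251.1"),
    "data_center_2": ipaddress.ip_address("10.0.252.2"),
}

VLAN_PLAN = {  # vlan id -> (name, third-octet offset added to n)
    100: ("Corporate", 100),
    200: ("Voice", 200),
    300: ("Guest", 0),
}


def station_vlans(n: int) -> dict:
    """Return {vlan_id: {"name", "subnet", "gateway"}} for lab station n.

    Raises ValueError if a derived third octet leaves the 0-255 range or if a
    derived subnet would contain one of the shared infrastructure hosts.
    """
    if n < 1:
        raise ValueError("station number must be >= 1")
    plan = {}
    for vlan_id, (name, offset) in VLAN_PLAN.items():
        third = offset + n
        if third > 255:
            raise ValueError(f"station {n}: VLAN {vlan_id} third octet {third} exceeds 255")
        subnet = ipaddress.ip_network(f"10.0.{third}.0/24")
        gateway = subnet.network_address + 1          # the MX IP is always .1
        for label, host in SHARED_INFRASTRUCTURE.items():
            if host in subnet:
                raise ValueError(f"station {n}: VLAN {vlan_id} {subnet} overlaps {label} ({host})")
        plan[vlan_id] = {"name": name, "subnet": subnet, "gateway": gateway}
    return plan


def max_safe_station() -> int:
    """Largest n for which every station 1..n has a valid, non-overlapping plan."""
    n = 0
    while True:
        try:
            station_vlans(n + 1)
        except ValueError:
            return n
        n += 1


def overlapping_stations(a: int, b: int) -> list:
    """VLAN id pairs whose subnets overlap between two stations (expected: none)."""
    va, vb = station_vlans(a), station_vlans(b)
    return [
        (x, y)
        for x, ra in va.items()
        for y, rb in vb.items()
        if ra["subnet"].overlaps(rb["subnet"])
    ]


if __name__ == "__main__":
    for vlan_id, row in station_vlans(7).items():
        print(f"VLAN {vlan_id:<4} {row['name']:<10} {row['subnet']}  gateway {row['gateway']}")
    print("highest usable lab station number:", max_safe_station())
```

Run it with the station number you were given; if it raises, the plan for that station collides with shared lab infrastructure and needs a different n. The highest usable station number under this rule is 49, because station 50 would put its Voice VLAN on the RADIUS server's subnet.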
How to Perform Lab Work

1. Navigate to https://dashboard.meraki.com and log in with the username and password provided by the instructor.
2. You can use Cisco Meraki knowledge base articles and documentation to assist with lab exercises. They can be found on the Internet at: https://documentation.meraki.com
3. Access points and phones are offline by design; nothing is wrong with the lab. This is a true demonstration of zero-touch deployment. You do not actually have to have any equipment online in order to pre-configure it.
LAB A | Small / Medium Site

To get started, let's set up your stack of Meraki gear and a Point-of-Sale iPad. Meraki Support has already set up a Dashboard account and added the gear to a network. Also, some of the gear has already been powered up for you. Product manuals are available at: https://documentation.meraki.com
Exercise 1 – Initial MX Security Appliance Setup (10 min)

1. Under the Security Appliance > Monitor > Appliance status page, verify that your MX is operational (i.e. WAN uplinks are healthy, MX is green in Dashboard, etc.).
2. Edit the configuration to change the name of your MX security appliance to "Lab [n] Security Appliance" and update the physical address to your current city.
3. Since this network is pretty basic, you don't need to segment it into VLANs. However, you will need to update the default addressing space to match the table below:

Local LAN Subnet
Local LAN (Default)  Subnet: 192.168.128.0/24  Gateway (MX IP): 192.168.128.1

4. Verify that DHCP is running on your Local LAN.
Exercise 2 – Initial MS Switch Setup (10 min)

1. Navigate to the Switch > Switches page. Verify that your MS switch is operational (green status, passing traffic).
2. Rename the MS switch to "Lab [n] Switch" (where n is your lab station number) and update the physical address to your current city.
3. On the Switch ports page, rename port 1 "UPLINK" and ports 6-10 "VOICE".
4. Perform a cable test and a packet capture on port 1.
Exercise 3 – Initial MR Wireless Access Point Setup (5 min)

Note: Access points and phones are offline by design; nothing is wrong with the lab. This is a true demonstration of zero-touch deployment. You do not actually have to have any equipment online in order to pre-configure it.

1. Rename the access point "Lab [n] AP" and update the physical location to your current city.
2. The AP will eventually be plugged in to port 24 on the switch. Make sure the port is configured in trunk mode with native VLAN 1, all VLANs allowed.
Exercise 4 – Guest WiFi Setup (15 min)

One of the most common requests the owner hears from their customers is for Guest WiFi access when they're in the office.

1. On the Wireless > SSIDs tab, rename the only enabled SSID to "Lab [n] GUEST".
2. Secure the SSID with a WPA2-PSK password – "California".
3. Create a click-through splash page so that guests have to acknowledge your terms and conditions before they are allowed on the network.
4. The AP should handle DHCP for this SSID, so ensure NAT mode is enabled.
5. On the Wireless > Firewall and traffic shaping page, apply a bandwidth limit of 500 Kbps per device to prevent guests from hogging all of the bandwidth.
6. Guests shouldn't have any access to internal resources, so deny all traffic to the Local LAN with a layer 3 firewall rule.
7. The owners don't want guests to be able to access the SSID outside business hours, so you decide to take advantage of the SSID availability feature. On the SSID availability page, enable Scheduled availability for business hours only (8:00 - 19:00 (7 pm)) Monday through Friday.
Exercise 5 – Creating a Group Policy (10 min)

1. Navigate to the Network-wide > Group policies page and create a group policy.
2. Name the policy "Guest Policy".
3. Guest group policies will only be turned on during working hours, 08:00 – 17:00 Monday through Friday.
4. Guests will be restricted to 2 Mbps per client.
5. No traffic can communicate with North Korea.
6. All Online backup and Web file sharing applications should be completely blocked (Hint: Use the Layer 7 firewall rules).
7. Add another content filtering category for all websites deemed "Illegal".

Note: We won't apply the group policy to a client yet. That will come in a later section.
Exercise 6 – Basic MX Traffic Shaping (10 min)

Because bandwidth is limited at the small site you don't want to rely on downstream traffic rules to ensure that you will not exceed your monthly bandwidth allotment from your provider. You decide it would be best to enforce this in a global setting on the MX at the edge of the network.

1. Navigate to Security Appliance > Configure > Traffic Shaping and set the global bandwidth limit for your Internet uplinks to 20 Mbps.
2. Enable HTTP content caching to improve end-user experience by reducing page load times and file download times for frequently accessed web content.
Exercise 7 – MAC Whitelisting on Access Ports (5 min)

Only authorized devices should be connected to the switch at the office. Create a MAC whitelist rule so that the only device that can pass traffic on a particular port is the company workstation.

1. Create a MAC Whitelist entry on ports 21-23 on your switch using a MAC address of aa:bb:cc:aa:bb:cc. Hint: The ports should be configured in access mode.

Note: A MAC address is trivially cloned by anyone who can observe it, so a whitelist only stops accidental connections, not a deliberate attacker. Lab B replaces it with 802.1X port authentication.

Great Job! You've completed the setup for your small, single location and have a full Meraki network up and running. The workstation gets secure access via its wired connection, and guests have isolated, Internet-only access. Feel free to move on to the next section before the product overview section.
LAB B | Large Site / Campus

Since deploying their enterprise network, Nightingale Medical Associates has continued to grow. They've just acquired another medical group that has a legacy private network interconnecting all of their sites. In order to increase collaboration during the acquisition, Nightingale Medical Associates has rolled out the private network to all sites. Also, to protect their new Electronic Medical Records (EMR) system, Nightingale Medical Associates wishes to increase the security of their wired and wireless network.

Have a technical question or having issues? The Cisco Meraki Knowledge Base is available at: https://documentation.meraki.com
Exercise 1 – Logically Segment the Corporate Network (10 min)

In order to segment the network for better control and security, you decide to use VLANs to separate internal Corporate and Voice traffic from network control traffic on the native VLAN.
Note: Do not remove VLAN 1 (native/untagged VLAN), which is configured by default.

1. Navigate to Security appliance > Addressing & VLANs and enable VLANs on the Security Appliance. Create two new VLANs in addition to your Native VLAN, Corporate and Voice, based on the subnet information below:

Corporate & Voice VLAN Subnets
VLAN 100  Name: Corporate  Subnet: 10.0.[100+n].0/24  Gateway (MX IP): 10.0.[100+n].1
VLAN 200  Name: Voice      Subnet: 10.0.[200+n].0/24  Gateway (MX IP): 10.0.[200+n].1
Where n is your lab station number.

2. Verify that all ports in the per-port VLAN configuration on the MX are enabled and set as trunks on the native VLAN with all VLANs allowed.
3. On the DHCP page, verify that DHCP is running for each of the new VLANs you set up.
4. You'll want to make sure you save some IP addresses for your internal use. Reserve DHCP addresses .1-.20 on the native (Default) VLAN for that use.
Exercise 2 – Switch Port Configuration (5 min)

1. Using the virtual stacking feature, select ports 2-5 on your switch and configure these selected ports as access ports on VLAN 100. Name each port "DATA".
2. Now select ports 6-10 on your switch and configure them as access ports on VLAN 200. Note: We are not using the "Voice VLAN" field yet. We will use that in a later exercise.
3. Select only the access ports labeled DATA and VOICE (ports 2-10) and enable BPDU Guard to protect against non-authorized switches. Be sure that you do not enable this on your trunk ports or on your uplink ports, as it will break the connection between your switches. Hint: You can search for the ports by using a range (e.g. 2-10) or by searching the name of the ports.
Exercise 3 – Configure STP / RSTP for Your Switch (5 min)

1. Verify that RSTP is enabled for your switch. For more information on RSTP, refer to the Meraki RSTP documentation.
2. Update the switch bridge priority to ensure that it will always remain the root switch in the network.
3. Verify that your switch was indeed elected as the root switch for your campus.
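The bridge priority you lower in step 2 is the top four bits of a 16-bit field, which is why Dashboard only accepts multiples of 4096, and the switch with the numerically lowest Bridge ID (priority first, MAC address as tie-breaker) becomes root. The following Python script is an added example, not from the Meraki manual. It runs that election over a constructed campus and shows the two points these exercises depend on: lowering your switch's priority beats switches left at the default, and a rogue switch advertising priority 0 on an access port would still win unless BPDU guard from Exercise 2 errdisables that port the moment a BPDU arrives. Switch names and MAC addresses are made up for the example.

```python
"""RSTP root bridge election (added example, not part of the CMNA manual).

Shows why Exercise 3 lowers the bridge priority on the switch that must stay
root, and why Exercise 2 puts BPDU guard on the access ports: an unmanaged or
rogue switch plugged into an access port advertising a lower Bridge ID would
otherwise win the election and pull the spanning tree toward itself. Switch
names and MAC addresses are constructed for the example.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768   # 802.1D default; valid values are multiples of 4096


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                      # 48-bit bridge address, e.g. "00:18:0a:11:22:33"
    priority: int = DEFAULT_PRIORITY

    def __post_init__(self):
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError(f"{self.name}: priority {self.priority} must be a multiple of 4096 in 0..61440")

    @property
    def bridge_id(self) -> int:
        """64-bit Bridge ID: the 16-bit priority field followed by the 48-bit MAC.

        The low 12 bits of the priority field are the system ID extension
        (the VLAN id in per-VLAN implementations); 0 here for one RSTP instance.
        """
        return (self.priority << 48) | int(self.mac.replace(":", ""), 16)


def elect_root(bridges: list) -> Bridge:
    """Lowest Bridge ID wins: lowest priority, then lowest MAC as the tie-breaker."""
    if not bridges:
        raise ValueError("no bridges")
    return min(bridges, key=lambda b: b.bridge_id)


def elect_root_with_bpdu_guard(bridges: list, on_access_port: set) -> Bridge:
    """Election with BPDU guard on: a BPDU arriving on a guarded access port
    errdisables that port, so the bridge behind it never takes part."""
    return elect_root([b for b in bridges if b.name not in on_access_port])


# Constructed campus: the lab switch (priority lowered to 4096 per Exercise 3),
# a second switch left at the default priority, and a rogue switch plugged
# into an access port with the lowest possible priority.
LAB_SWITCH = Bridge("Lab 7 Switch", "00:18:0a:00:00:07", priority=4096)
CORE_2 = Bridge("Core-2", "00:18:0a:00:00:02")
ROGUE = Bridge("rogue-desk-switch", "00:18:0a:ff:ff:ff", priority=0)
CAMPUS = [LAB_SWITCH, CORE_2, ROGUE]


if __name__ == "__main__":
    print("without BPDU guard:", elect_root(CAMPUS).name)
    print("with BPDU guard   :", elect_root_with_bpdu_guard(CAMPUS, {"rogue-desk-switch"}).name)
```

Note that priority alone does not make a switch root for good: anything with a lower priority, or the same priority and a lower MAC, displaces it. Root guard on the uplinks facing other switches and BPDU guard on every access port are what keep the election under your control.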
Exercise 4 – Voice VLAN & Quality of Service (10 min)

Nightingale Medical Associates recently purchased a top notch Cisco VoIP solution. Normally, employees plug their laptops into the secondary Ethernet port of their phone. It is your job to get the switch ready for the VoIP solution.

1. Configure ports 15-20 on the switch as access ports on VLAN 100 with a Voice VLAN of VLAN 200 and name them "Workstation", as these ports will be used for desks with both a computer and a phone.
2. Navigate to the Switch > Configure > Switch settings page and locate the Quality of service subsection.
3. Select "Add a QoS rule for this network" and configure a QoS rule for all VoIP traffic across the network.

QoS Settings: VoIP Precedence
VLAN: 200  Protocol: Any  DSCP tag: 46 (EF, voice), mapped to class 3
Exercise 5 – Configure a Port Schedule for your VoIP Ports (5 min)

You want to save power and secure your environment after hours. Use the port schedule feature to configure this functionality.

1. Navigate to Configure > Port Schedules. Note: Be sure the correct local time zone is set on the network.
2. Create a new schedule named "VoIP Power Saving" to turn off ports during non-business hours (assume a work schedule of 8:00 - 19:00 (7 pm)).
3. Apply the port schedule to ports 15-20 on your switch (your VoIP ports). Do not apply it to your switch's uplink ports.
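Three schedules in this manual are all weekday windows judged in the network's local time zone: the Guest SSID availability (Lab A, Exercise 4, 8:00 - 19:00), the Guest group policy hours (Lab A, Exercise 5, 08:00 - 17:00) and this "VoIP Power Saving" port schedule. The note in step 1 matters because the switch evaluates the window in whatever zone the network is set to; leave it at UTC and a San Francisco office gets phones powered on at 01:00 and cut off mid-afternoon on Friday. The following Python script is an added example, not from the Meraki manual. It evaluates such a schedule against a UTC instant under two zones so the failure is visible. The timestamps are constructed, and PDT is modelled as a fixed UTC-7 offset rather than a tz database zone so the example runs without tzdata (an assumption; a real implementation would use zoneinfo).

```python
"""Time-window schedules (added example, not part of the CMNA manual).

Evaluates the weekday 08:00-19:00 / 08:00-17:00 schedules used in this manual
against a UTC instant, judged in a given local time zone, and shows what the
wrong zone does to them. Instants are constructed; PDT is a fixed UTC-7
offset rather than a tz database zone so the example runs without tzdata.
"""
from datetime import datetime, time, timedelta, timezone

UTC = timezone.utc
PDT = timezone(timedelta(hours=-7), "PDT")      # San Francisco in June (assumption: fixed offset)
WEEKDAYS = frozenset({0, 1, 2, 3, 4})           # Monday..Friday per datetime.weekday()


def make_schedule(start: time, end: time, days=WEEKDAYS) -> dict:
    """A schedule is a set of days plus a [start, end) window in local wall-clock time."""
    if start >= end:
        raise ValueError("schedule must not wrap midnight")
    return {"start": start, "end": end, "days": frozenset(days)}


def is_active(schedule: dict, instant_utc: datetime, local_tz) -> bool:
    """True if the schedule is on at instant_utc, judged in local_tz.

    instant_utc must be timezone-aware; naive timestamps are rejected because
    silently treating them as local or UTC is exactly the bug being shown.
    """
    if instant_utc.tzinfo is None:
        raise ValueError("instant must be timezone-aware")
    local = instant_utc.astimezone(local_tz)
    return local.weekday() in schedule["days"] and schedule["start"] <= local.time() < schedule["end"]


def port_enabled(schedule: dict, instant_utc: datetime, local_tz) -> bool:
    """A port schedule keeps the port powered only while its window is active."""
    return is_active(schedule, instant_utc, local_tz)


VOIP_POWER_SAVING = make_schedule(time(8, 0), time(19, 0))   # 08:00-19:00 Mon-Fri
GUEST_POLICY_HOURS = make_schedule(time(8, 0), time(17, 0))  # 08:00-17:00 Mon-Fri

# Constructed instants around the manual's date, Monday 12 June 2017.
MON_0700_PDT = datetime(2017, 6, 12, 14, 0, tzinfo=UTC)   # 07:00 PDT Monday, before opening
MON_0800_PDT = datetime(2017, 6, 12, 15, 0, tzinfo=UTC)   # 08:00 PDT Monday, opening
FRI_1830_PDT = datetime(2017, 6, 17, 1, 30, tzinfo=UTC)   # 18:30 PDT Friday 16 June (01:30 UTC Saturday)
SAT_1000_PDT = datetime(2017, 6, 17, 17, 0, tzinfo=UTC)   # 10:00 PDT Saturday, closed


if __name__ == "__main__":
    for label, t in [("Mon 07:00", MON_0700_PDT), ("Mon 08:00", MON_0800_PDT),
                     ("Fri 18:30", FRI_1830_PDT), ("Sat 10:00", SAT_1000_PDT)]:
        print(f"{label} PDT  VoIP ports on: local tz={port_enabled(VOIP_POWER_SAVING, t, PDT)!s:5}"
              f"  tz left at UTC={port_enabled(VOIP_POWER_SAVING, t, UTC)!s:5}")
```

The Friday 18:30 case is the one that bites: in local time the window is still open, but judged in UTC it is already Saturday, so every phone on ports 15-20 loses power while the office is still open.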
Exercise 6 – Corporate WiFi Setup (15 min)

Set up a new Corporate SSID on your wireless network. Name it "Lab [n] CORP" (where n is your station number), enable the SSID, then navigate to Wireless > Access Control and configure the following settings:

1. Secure the SSID with a WPA2-PSK password – "ikarem123".
2. Enable a splash page with the "Meraki Authentication" option.
3. This network needs access to your internal resources, so put it in Bridge mode under client IP assignment.
4. Use VLAN tagging and assign all APs to VLAN 100 for the Corp SSID.
5. Disable bit rates below 12 Mbps (legacy bitrates).
6. Ensure all LAN access is permitted in the wireless firewall settings.
7. Restrict the per-client bandwidth to 2 Mbps.
8. Use Cisco Meraki's traffic shaping rules to set a 500 Kbps limit on software updates to limit unnecessary background resource utilization, and throttle YouTube traffic to 20 Kbps up/down.
9. Take it one step further and show management Cisco Meraki's layer 7 firewall rules. Deny applications: iTunes and Peer-to-Peer. Finally, deny the HTTP hostname "espn.com".
10. Navigate to Network-wide > Users. The credentials you used to log into Dashboard will be automatically populated. Authorize your lab [n] account to grant it the ability.
Exercise 7 – Setup Air Marshal / Wireless IPS (5 min)

Set up Air Marshal so that it automatically contains any rogue access points seen on the LAN and alerts the network administrators.

1. Navigate to Wireless > Air Marshal and configure the access points to automatically contain any rogue APs seen on the LAN.
2. Additionally, configure the APs to automatically contain any SSIDs being broadcast with "Nightingale" in the name.
3. Make sure that administrators are alerted every time a rogue AP is detected (Hint: Network-wide > Alerts & administration).

Note: Containment works by sending deauthentication frames to clients of the targeted SSID. Keep it scoped as it is here, to APs seen on your own LAN and to SSIDs impersonating your names; containing a neighbor's legitimate network disrupts them and has drawn regulatory penalties.
Exercise 8 – Traffic Prioritization and Bandwidth Control (5 min)

Now that so many more devices are on the network, you want to make sure certain types of traffic, like the VoIP and video conferencing solutions you are leveraging within your environment, take priority over other types of traffic.

1. Navigate to the traffic shaping section for the MX security appliance.
2. Create a new traffic shaping rule to give VoIP and video traffic unlimited bandwidth and High priority on the network. Note: The goal of this is not to limit VoIP traffic but rather to prioritize it. For more information on how the priority is calculated, refer to the Traffic Priorities KB article.
Exercise 9 – Increasing Network Security with the MX (15 min)

1. Many basic security threats can be taken care of simply by blocking access to risky websites. Create content filtering rules to block the following categories: Bot Nets, Confirmed Spam, Malware Sites, Spyware & Adware.
2. Additionally, some of the content on the site "thehackerblog.com" might inspire malicious behavior. Create a Blocked URL pattern to block the site. Save the changes and move on for now.
3. Peer-to-peer traffic on the network presents a security threat and can also hog valuable bandwidth on the network. Create a Layer 7 firewall rule on your MX to block all Peer-to-peer and Web file sharing traffic.
4. In order to cover threats that may be arriving via malicious methods, enable Malware detection and Intrusion Detection and Prevention (IDS/IPS). For now, a Balanced approach to blocking threats should be sufficient.
Exercise 10 – New Guest VLAN & Applying Group Policy (15 min)

A decision has been made to centralize the DHCP services on the MX security appliance instead of hosting IP addressing for guest users on the APs.

1. Create the following subnet on the MX security appliance:

Subnet Information
VLAN 300  Name: Guest  Subnet: 10.0.[n].0/24  Gateway (MX IP): 10.0.[n].1
Where n is your lab station number.

2. Change the Guest SSID from NAT mode to Bridge mode and tag the SSID with VLAN 300 for all APs.
3. Apply the "Guest Policy" group policy to this new guest VLAN on the MX. Hint: Navigate to Security appliance > Addressing & VLANs.

Note: In Bridge mode guest clients sit directly on a LAN VLAN that the MX routes, so the layer 3 "deny Local LAN" rule from Lab A, Exercise 4 is now what keeps them off the Corporate and Voice VLANs. Leave it in place.
Exercise 11 – Configure Switch Access Policies (15 min)

Corporate policy now favors 802.1X port authentication in place of local MAC whitelisting. We now need to configure an 802.1X access policy and place it on the ports that originally had MAC whitelisting in place.

1. Navigate to Switch > Access policies and add an Access policy.
2. Name the access policy "Lab [n] RADIUS" where n is your lab station number.
3. Configure the access policy with the RADIUS server using the information below. The access policy should have the following attributes:

Host: 10.0.250.100
Port: 1812
Secret: meraki123
Access Policy Type: 802.1X
Guest VLAN: 300

Note: There's no need to test authentication to the RADIUS server at this time.

4. Add the settings so that phones are not required to authenticate and unauthorized users are placed on the Guest VLAN 300.
5. Apply the Access Policy to ports 15-20. Hint: The ports need to be configured in access mode.
Nice Work! In that short amount of time you configured RSTP for your switch fabric to prevent switching loops and the broadcast storms they cause, and QoS rules to ensure the best performance for voice applications. You also created a port schedule and configured port security for better power and port management. Furthermore, you created a Corporate SSID to support the ever-growing needs of wireless devices on the network. Feel free to move on to the next lab if you are finished prior to the Distributed Enterprise demo, or you can add additional security to the network in the following bonus exercise.
LAB C | Distributed Enterprise

Nightingale Medical Associates has been using their Meraki network for an entire year now. Their Cloud Managed Network has helped them roll out electronic medical records, ensure HIPAA compliance, and has accommodated the demand for guest Internet. To keep up with the growing number of doctor's offices joining the group and increase the level of performance and reliability required by a growing distributed network, they will need to add centralized Data Center services and interconnect the sites.

Looking for datasheets, whitepapers or solution guides? Check out the Meraki Library at: http://meraki.cisco.com/library/
Exercise 1 – Site-to-Site VPN Configuration (10 min)

To make the pilot easier you've taken some gear from the campus for this deployment, which already has minimal configuration on it for Internet connectivity. Your branch will connect via VPN back to the corporate campus and also leverage services such as RADIUS that have been set up over the VPN connection. Let's get this branch connected back to HQ via a site-to-site VPN tunnel.

1. Configure a hub-and-spoke, split-tunnel VPN with your branch MX as a spoke and "Data Center 1" as the primary hub and "Data Center 2" as the secondary hub.
2. Make sure your Corporate and Voice VLANs are the only subnets being advertised in the VPN. Leaving the Guest VLAN out of the VPN keeps guest traffic off the HQ network.
3. Determine if other branch pilot labs are online using the Security Appliance > Configure > Site-to-Site VPN page. Note: You will find other VPN peers online in the remote VPN participants table of this page.
4. Verify that you have connectivity to Data Center 1 and 2. Ping 10.0.251.1 and 10.0.252.2. Use the live tools.
5. Verify that you can ping the internal address of your neighbor's MX from your own MX. This address should be 10.0.[100 + n].1 where n is their lab station number. Use the live tools.
Exercise 2 – Securing the Switch Fabric (10 min)

Now that we are connected via VPN to the HQ network, new policies need to be put into place to deny certain types of traffic across the switch fabric. In particular, corporate IP traffic from the remote branch should not be able to access the human resources file server. Configure an IPv4 ACL to block this traffic.

1. Navigate to Switch > IPv4 ACL and add a rule.
2. Configure a rule to deny any traffic from the Corporate IP subnet to the human resources file server at 10.0.250.10. Be sure that the protocol drop-down is set to 'any' so that all traffic will be blocked to the file server.
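The switch ACL above and the guest SSID's layer 3 rule from Lab A, Exercise 4 are the same kind of object: an ordered list in which the first matching rule decides and an allow rule sits at the bottom. Both fail the same way, when a broad allow is placed above the deny. The following Python script is an added example, not from the Meraki manual. It evaluates such rule lists over constructed flows for station 7, with the "Local LAN" keyword modelled as the RFC 1918 ranges and the allow-any default at the end, and shows that the HR deny rule does nothing once an "allow corporate to anywhere" rule is above it. Flows, the station number and the exact Local LAN expansion are assumptions of the example.

```python
"""First-match IPv4 rule evaluation (added example, not part of the CMNA manual).

Serves two rule sets from this manual: the wireless layer 3 rule on the guest
SSID that denies traffic to the Local LAN (Lab A, Exercise 4) and the switch
IPv4 ACL that denies the Corporate subnet access to the HR file server at
10.0.250.10 (Lab C, Exercise 2). Both are ordered lists where the first
matching rule decides and an allow rule sits at the bottom. "Local LAN" is
modelled as the RFC 1918 ranges; flows and the station number (n = 7) are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


def networks(spec: str) -> list:
    """Expand a rule source/destination field: 'any', 'local lan' or a CIDR list."""
    spec = spec.strip().lower()
    if spec == "any":
        return ANY
    if spec == "local lan":
        return RFC1918
    return [ipaddress.ip_network(part.strip()) for part in spec.split(",")]


@dataclass(frozen=True)
class Rule:
    policy: str            # "allow" or "deny"
    protocol: str = "any"  # "any", "tcp", "udp", "icmp"
    src: str = "any"
    dst: str = "any"
    dst_port: str = "any"  # "any" or a comma-separated port list
    comment: str = ""

    def matches(self, flow: dict) -> bool:
        proto_ok = self.protocol == "any" or self.protocol == flow["proto"]
        src_ok = any(flow["src"] in n for n in networks(self.src))
        dst_ok = any(flow["dst"] in n for n in networks(self.dst))
        port_ok = self.dst_port == "any" or str(flow.get("dport", "")) in {p.strip() for p in self.dst_port.split(",")}
        return proto_ok and src_ok and dst_ok and port_ok


def evaluate(rules: list, flow: dict) -> tuple:
    """Return (policy, rule) for the first matching rule; when nothing matches
    the trailing default rule, allow any, applies as in the Dashboard editors."""
    for rule in rules:
        if rule.matches(flow):
            return rule.policy, rule
    return "allow", Rule("allow", comment="default rule")


def flow(src: str, dst: str, proto: str = "tcp", dport: int = 443) -> dict:
    """A constructed unidirectional flow as seen by the rule engine."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}


# Guest SSID (Lab A, Exercise 4, step 6): deny everything to the Local LAN.
GUEST_SSID_RULES = [Rule("deny", dst="local lan", comment="guests are Internet-only")]

# Switch ACL (Lab C, Exercise 2): the Corporate subnet of station 7 must not
# reach the HR file server, protocol any.
CORP_SUBNET = "10.0.107.0/24"
HR_FILE_SERVER = "10.0.250.10"
SWITCH_ACL = [Rule("deny", src=CORP_SUBNET, dst=HR_FILE_SERVER, comment="HR server off limits from branch")]

# The common mistake: the same deny placed below a broad allow never fires.
SWITCH_ACL_MISORDERED = [Rule("allow", src=CORP_SUBNET, comment="corp to anywhere")] + SWITCH_ACL


if __name__ == "__main__":
    print("guest -> LAN host      :", evaluate(GUEST_SSID_RULES, flow("10.0.7.25", "192.168.128.10"))[0])
    print("guest -> 8.8.8.8       :", evaluate(GUEST_SSID_RULES, flow("10.0.7.25", "8.8.8.8", "udp", 53))[0])
    corp_to_hr = flow("10.0.107.40", HR_FILE_SERVER, "tcp", 445)
    print("corp -> HR (ordered)   :", evaluate(SWITCH_ACL, corp_to_hr)[0])
    print("corp -> HR (misordered):", evaluate(SWITCH_ACL_MISORDERED, corp_to_hr)[0])
```

Two checks worth making against your own rule sets: the HR deny must not also cut the Corporate subnet off from the RADIUS server at 10.0.250.100 (it does not, because the destination is a single host), and it covers only the Corporate subnet, so the Voice VLAN still reaches the file server unless you add a rule for it.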
Exercise 3 – Securing Corporate Wireless (10 min)

Recent security concerns necessitate enabling WPA2-Enterprise for the corporate SSID to bring an added layer of security to the network. You will need to configure the Corporate SSID to authenticate against the Corporate RADIUS server over the VPN.

1. Navigate to the 'Access control' settings for the Corporate SSID.
2. The Corporate SSID is currently set to have users associate with a pre-shared key and sign into a splash page using Meraki authentication. Change this so that users associate with WPA2-Enterprise & a RADIUS server, and disable the sign-on splash page.
3. Configure the RADIUS server using the same information you used for port authentication on the switch:

Host: 10.0.250.100
Port: 1812
Secret: meraki123

Note: There's no need to test authentication to the RADIUS server at this time.
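Both the 802.1X switch access policy (Lab B, Exercise 11) and this WPA2-Enterprise SSID point at the same server, 10.0.250.100 on UDP 1812 with shared secret "meraki123", and neither exercise tests it. The following Python script is an added example, not from the Meraki manual, showing what that secret does on the wire per RFC 2865: it hides the User-Password attribute with an MD5 keystream seeded by the Request Authenticator, and it keys the Response Authenticator that the switch or AP uses to decide whether an Access-Accept is genuine. With 802.1X the credential travels in EAP-Message attributes rather than User-Password, but the packet framing and both authenticators are the same. The user name, password and request identifier are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept framing (added example, not part of the CMNA manual).

Builds the two packets per RFC 2865 to show what the shared secret protects:
the User-Password obfuscation (a PAP-style request; 802.1X carries EAP-Message
attributes instead) and the Response Authenticator the NAS verifies before
trusting an Access-Accept. User name, password and identifier are constructed.
"""
import hashlib
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1) | Length (1, includes the 2-byte header) | Value (<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password too long for User-Password (max 128 bytes)")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server, or anyone holding the secret, does this."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    """Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes."""
    return bytes([code, identifier]) + (20 + len(attributes)).to_bytes(2, "big") + authenticator + attributes


def access_request(username: bytes, password: bytes, secret: bytes, identifier: int,
                   request_authenticator: bytes = None) -> bytes:
    ra = request_authenticator or os.urandom(16)      # must be unpredictable per request
    attrs = attribute(ATTR_USER_NAME, username) + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return packet(ACCESS_REQUEST, identifier, ra, attrs)


def response_authenticator(code: int, identifier: int, request_authenticator: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    length = (20 + len(attributes)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, identifier]) + length + request_authenticator + attributes + secret).digest()


def access_accept(request: bytes, secret: bytes, attributes: bytes = b"") -> bytes:
    """Server side: answer the request, binding the reply to its Request Authenticator."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, attributes, secret)
    return packet(ACCESS_ACCEPT, identifier, auth, attributes)


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS side: trust the reply only if its authenticator matches our request and the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False                                   # malformed, or not a reply to our request
    expected = response_authenticator(response[0], response[1], request[4:20], response[20:], secret)
    return expected == response[4:20]


# Constructed exchange using the manual's lab secret.
SECRET = b"meraki123"
REQUEST = access_request(b"lab7user", b"lab7password", SECRET, identifier=42)
ACCEPT = access_accept(REQUEST, SECRET)

if __name__ == "__main__":
    print("request :", REQUEST.hex())
    print("accept  :", ACCEPT.hex())
    print("verified with correct secret:", verify_response(REQUEST, ACCEPT, SECRET))
    print("verified with wrong secret  :", verify_response(REQUEST, ACCEPT, b"meraki124"))
```

A dictionary word like meraki123 is fine for a lab, but both authenticators above are plain MD5 over the secret, so a single captured request/response pair lets anyone test candidate secrets offline until one verifies. In production use a long random secret per NAS, and keep the RADIUS path inside the VPN as this lab does rather than exposing UDP 1812 across untrusted networks.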
Exercise 4 – Summary Reports (10 min)

As part of managing many more locations, reporting is more important than ever. You will need to test network summary reporting from Dashboard. For this pilot you just want to see information about switch port utilization.

1. Navigate to Network-wide > Summary report.
2. Set a search parameter in the dropdown at the top of the page for Lab [n] Switch with All devices. You also want to see information for the last week.
Note: You may not see any information when the report is generated given the small amount of time your network has been online.
3. You also want these reports to be emailed on a scheduled basis, a week at a time, to the CEO of the company at [email protected].
Congratulations! Thanks to you, Nightingale Medical Associates has been able to adopt an enterprise solution that has scaled with the group's growth. You've expanded their small original location to a large enterprise and even helped the company support a multisite architecture. Before you leave, there's just one last task to complete...

Be sure your trainer has signed off on your lab before leaving for the day!