Mini-Lab Student Guide

1
Introduction
You have recently been hired to manage the IT systems for a local doctor’s office group in San Francisco.
Nightingale Medical Associates has managed to survive with a consumer ISP-provided gateway for many years,
but recent Electronic Medical Records (EMR) mandates, HIPAA compliance, more patients, new offices
opening up, and the demand for guest Internet access has them excited about an enterprise-class solution.
As their new IT admin, you suggest that Nightingale Medical Associates deploy Cisco Meraki as their solution.
This will not only meet their needs now, but can scale with them as they grow their main location and open
new offices, as well as provide them with a simple, intuitive management interface and rich application
visibility, reporting and analytics.
In order to get started, you’ve decided to equip them with a stack of Meraki gear, and today you’ll be
configuring that gear for one of the offices.

How to perform lab work

1. Navigate to http://meraki.com/merakilab and fill out the form using the Session Code provided.

2. Navigate to http://dashboard.meraki.com and login with the username and password provided by the
instructor. It is recommended to use Google Chrome. IMPORTANT: Be sure you are selecting the
correct Organization for your Minilab session after logging into the portal. Your instructor will provide
the correct session number if needed. If necessary, be sure to choose your correct lab station number
(from your Topology Sheet) from the network dropdown box in the upper left of Dashboard.

3. Feel free to use the Cisco Meraki knowledge base articles and documentation to assist with the lab.
They can be found at: http://documentation.meraki.com
You can also use the Dashboard search box for assistance, which is very helpful.

4. Time for “exploring” Dashboard and for finding/using help has been worked into the suggested times
for each lab section.

Reference materials:
Meraki Main Page – meraki.cisco.com
Cloud Architecture Overview – meraki.com/trust
Datasheets/Whitepapers Library – meraki.cisco.com/library
Meraki Product Documentation – documentation.meraki.com
Meraki Webinars & Training – meraki.cisco.com/webinars
Meraki YouTube Channel – www.youtube.com/user/milesmeraki/videos

2
 Network Topology Overview
“x” is your lab station number

Security Appliance
Configuration:
(Step 1.1.1)

VLAN 10 (Corp)
Subnet: 10.0.10+X.0/24
Interface: 10.0.10+X.1

VLAN 30 (Voice)
Subnet: 10.0.30+X.0/24
Interface: 10.0.30+X.1

VLAN 100 (Guest)

Subnet: 10.0.100+X.0/24
Interface: 10.0.100+X.1

Switch Configuration:
(Lab 2, Step 2.1.1)

VLAN 10 (Corp)
Subnet: 10.0.10+X.0/24
Interface: 10.0.10+X.201
Default gateway: 10.0.10+X.1

VLAN 150 (Legacy)

Subnet: 10.0.150+X.0/24
Interface: 10.0.150+X.1

VLAN 600 (OSPF)

Subnet: 192.168.0.0./24
Interface: 192.168.0.X

3
Exercise 1 | Small / Medium Site (90-120 minutes)
To get started, let’s set up your first three pieces of Meraki gear. Meraki Support has already set up a
Dashboard account and added the MX, MS and MR equipment to a network. In this exercise, you will create
an initial configuration for a doctor’s office, create a baseline security policy, configure a guest wireless
network, and interconnect all of the remote branches over a secure VPN.
**Make sure you are in the CORRECT POD and the CORRECT NETWORK that corresponds to your Lab
Number**

1.1.1 Initial MX Setup (20-30 minutes)

(If you need help to find where commands are located use the search function in the upper right corner)

1. Verify that your MX is operational noting that it’s green in Dashboard and the WAN uplinks are healthy.

2. Edit the name of your MX such as “Lab <n> MX” and assign a city/address (refer to your topology
sheet), and use the live tools to ping the appliance, maybe run a traceroute to google.com.
Check the status of your WAN1 and WAN2 uplinks using the “Uplinks” tab.

3. VLAN configuration
a. On the “Addressing and VLANs” page, first Enable VLANs and then create VLANs 10 (Corp), 30
(Voice) and 100 (Guest) as per your topology diagram.
See additional notes b/c/d below.
b. Do not remove/modify VLAN 1 (default/untagged VLAN) which is there by default.
c. Use the “Add a Local VLAN” link to configure VLANs 10, 30 and 100.
d. All non-tagged traffic will be part of VLAN1 (default vlan).

4. On VLAN 10 (Corp) reserve IP addresses .150 through .250 under DHCP Settings.

NOTE: This addressing section is required before moving onto lab 2-4.

1.1.2 Setting a Security Policy (20-30 minutes)

1. Apply the following global default policies [Hint: This first part does not use group policies.]
a. Completely block peer-to-peer BitTorrent traffic.
b. Set a maximum bandwidth of 5Mbps per client.
c. For Netflix and Pandora, shape traffic to 1M down, 500K up and ensure they are low priority.
d. For all voice and video conferencing, remove all bandwidth restrictions and ensure they are
high priority.
e. Apply content filtering to block adult and gambling websites, but allow 777.com.

4
 2. Enable Advanced Malware Protection (AMP) and Intrusion detection with Balanced Ruleset.

3. Enable network alerts if the MX goes offline for more than 10 minutes or a DCHP pool is exhausted.

4. Create a group-policy called “Guest” to ensure that guest users will conform to below restrictions.
a. Guests will be restricted to 2M per client.
b. Guest group policies will only be turned on during working hours 8am–5pm Mon-Fri.
c. No traffic can communicate to/from North Korea or Syria.
d. Add another L7 firewall rule to block all gaming applications.
e. Append the default content filter to add all sports web sites.
f. Now that all sports sites are blocked, allow [Hint: Append to Whitelist] sports.yahoo.com.
g. Apply the “Guest” group policy to the “Guest” VLAN. (Hint: Addressing & VLANs page)

1.1.3 Interconnect All Sites via Full-Mesh Auto VPN (20 minutes)
1. Configure a full-mesh VPN between all sites, and enable VPN for the Corp and Voice VLANs, but not the
default or guest VLANs.
[Hint: Navigate to Site-to-site VPN and configure your site as a hub (and do not configure an exit hub)]

2. Verify connectivity by pinging the data center core switch (10.0.250.1) from the Live tools on the
Appliance status screen. What is your latency to the data center?

3. Navigate to VPN Status to verify connectivity to other branches. Note: If you don’t see site-to-site
peers listed, try clicking the “View old version” link on the right-hand side and you can then verify
connectivity to other branches.

4. Examine the MX’s routing table.

Do you see your local VLANs and VPN peer networks?
Can you ping any of the VPN peers? (Check with your neighbors if they have also reached this step.)

1.2.1 Initial Switch Configuration (20-30 minutes)

1. Verify that your MS switch is operational (green status, passing traffic)

2. Edit the name of your switch and apply the tag(s) and city/location from your topology handout.

3. Customize your flex table view under Switch > Switches to include local IP, Tags and S/N.

4. Configure ports 4 – 7 for VoIP phone access

a. Tag these 4 ports with the “voip” tag.
b. Make them access ports on VLAN 1 with voice VLAN 30.
c. Create a QoS rule for the network to mark all traffic in voice VLAN 30 as DSCP 46 (EF) for voice.

5
 5. Create an energy-saving port schedule to turn off ports (power down phones) during off hours.
a. First confirm (or set) the appropriate time zone for your network. (Network-Wide à General)
b. Apply the port schedule to ports 4 – 7 simultaneously (try searching for “voip”).

6. Cable test and packet capture

a. Go to the Switch monitoring page and click on port 1.
b. In the Troubleshooting section, run a cable test on port 1 by clicking on the arrow next to it.
c. Run a packet capture on port 1 of your switch for 30 seconds. View the output in Dashboard, or
download to a .pcap file if you have Wireshark installed on your device.

7. Extra Credit: Server ports

a. Configure ports 23 and 24 to be access ports on VLAN 1.
b. Give them a name of “File Server” and a “Server” tag.
c. Set up an email alert if any switch port with a tag of “Server” goes down for > 5 minutes.

1.3.1 Configuring Guest and Corporate Wireless (30-60 minutes)

1. Go to the AP status page, observe that it’s offline.

2. Edit the name of your access point and apply the tag(s) and address from your handout. Please note
that the access point(s) will be shown as offline, they are not powered on in the lab environment, but
we can still completely configure our wireless network of course!

3. Create two new SSIDs —one for corporate, and one for isolated secure guest access.
a. Rename the first/default SSID to Corp.
b. Create the 2nd SSID and name it Guest.
c. Make sure both SSIDs are enabled.

4. On your corporate SSID:

a. Use a PSK and use the password “meraki123”.
b. Place all traffic for this SSID on your Corp VLAN.
[Hint: Read up about the different types of client IP assignment methods and VLAN tagging.]

5. On the guest SSID:

a. Ensure users sign on via a click-through splash page that refreshes every half hour.
b. Place all traffic for your guest SSID on guest VLAN 100 and use the MX as the DHCP server.
c. Block all Android devices.
d. Make sure that guests are firewalled off from the local LAN.
Hint: Under Firewall & Traffic Shaping, select the “Guest” SSID and create an L3 firewall rule to
block access to the local LAN.
e. Create L7 firewall rules to block P2P File Sharing and Gaming.

6
 f. Limit all guests to 2Mbps bandwidth, but allow them to temporarily exceed that for app
downloads for example.
g. Customize your splash page with a custom logo and/or message and preview it.

6. Make the Guest SSID unavailable on weekends.

7. Let’s implement some best & common practices for the RF settings.
a. For the Corporate SSID, make it dual-band operation, but use band steering to get more users
onto the cleaner 5GHz radio.
b. For all SSIDs, disallow very old legacy 802.11b devices.
c. Enable automatic power reduction so the AP isn’t always running at 100% Tx power.
d. Enable DFS channels if they are not enabled already.
e. Use a default 5GHz channel width of 40MHz.
f. Force the 2.4 and 5GHz radios for your AP to operate on channels 11 and 48

8. Extra Credit – Systems Manager: Create a 3rd SSID called BYOD to be used for mobile device
onboarding, force iOS and Android clients to have Meraki Systems Manager installed to join the SSID
and get network access, Windows or Mac laptops will just see a splash page – Mobile clients will
download System Manager upon joining the BYOD SSID, the firewall blocks everything else.
[Hint: This is under the access control]

7
Exercise 2 | Large Site / Campus
Since deploying their enterprise network, Nightingale Medical Associates has continued to grow. They’ve just
acquired another medical group that has a legacy private network interconnecting all of their sites. In order to
increase collaboration during the acquisition, Nightingale Medical Associates has rolled out the private
network to all sites. Also, to protect their new Electronic Medical Records (EMR) system, Nightingale Medical
Associates wishes to increase the security of their wired and wireless network.

2.1.1 Layer 3 Routing on the Switch (30-60 minutes)

1. Navigate to the Switch -> Routing and DHCP screen and create the interfaces below
a. Name: Corp, Subnet: 10.0.10+x.0/24, Interface: 10.0.10+x.201, VLAN: 10, Default gateway:
10.0.10+x.1, Disable DHCP
b. Name: Legacy, Subnet: 10.0.150+x.0/24, Interface: 10.0.150+x.1, VLAN: 150, DHCP Enabled
c. Name: OSPF, Subnet: 192.168.0.0/24, Interface IP: 192.168.0.x, VLAN: 600, Disable DHCP

2. Go to the MX Appliance and create a static route to the “Legacy” subnet using the IP address on your
L3 switch SVI in the “Corp” VLAN as next hop. Reference the topology sheet for supplemental
information. [Hint: The Legacy network now lives on the MS only so we need to tell the MX where this network is now.
The answers can be found in 1.a and 1.b above]
a. “In VPN” option should be “Yes”

3. On the switch, configure OSPF with following settings:

a. First configure switch port 13 to be access VLAN 600
b. Enable OSPF with default Area 0
c. Edit Legacy and OSPF interfaces to use the default Area 0 and Cost 1
d. Edit the default static route to be preferred over OSPF routes
NOTE: Let the instructor know you reached this point and ask them to enable the private network for lab 2.
4. Navigate to the switch monitoring page
a. Verify that port #13 is now operational
b. Verify that your switch is using 192.168.0.x as the Router ID. If not, change it.
c. Verify the OSPF neighbors and routes using the live tools
i. Do you see the other lab stations as OSPF neighbors?
ii. Do you see the data center switch as an OSPF neighbor (192.168.0.254)?

5. Start a ping to the data center switch (192.168.0.254) from the Legacy Source interface (10.0.150+x.1).
a. Ping 10.0.250.1 again with port 13 disabled. Wait about 30 seconds after disabling the port.
b. What path is the switch now taking to get to 10.0.250.1?
c. Does the switch still have OSPF neighbors?
d. See the diagram at the end of this document to better understand the logical data flow /
topology.

8
 6. Re-enable port 13.

2.1.2 Wired 802.1X and DHCP protection (20 minutes)

1. Create an Access policy (Switch > Configure > Access Policies)
a. Give it a name of “Test Policy 1” or something similar.
b. Use Radius host IP 10.0.250.100. Port 1812. Secret = “meraki123”
c. Place clients into VLAN 100 if they are unable to participate in 802.1x via a guest VLAN.
[Hint: MS switches support hybrid auth, so they’ll try 802.1X 1st and fall back to MAB 2nd.]
d. Allow phones (Voice VLAN Clients) to bypass authentication.

2. Navigate to Switch > Switch Ports

a. Apply the access policy to ports 4 – 7 simultaneously.
Note you can type “voip” or “4-7” in the search box, then select all 4 ports at once.
b. On the switch ports page, update the flex table to include the “Access Policy” column.

3. Navigate to Switch -> DHCP Servers

a. In order to improve the security of the LAN, change the default DHCP server policy to block
DHCP servers.
b. Allow any existing DHCP servers detected within the last day (If there are some you simply click
the “allow” link in the policy column)

2.2.1 Wireless IPS and 802.1X Authentication (20-30 minutes)

1. On your “Corp” SSID, use WPA2-Enterprise for authentication and add a RADIUS server with IP address
10.0.250.100, port 1812 and shared key “meraki123”.
2. Configure the AP to act as a dynamic authorization server by responding to Change-of-Authorization
messages coming from the RADIUS server. [Hint: This is below the RADIUS server configuration section in the same
general location]

3. Navigate to the Air Marshal screen and configure the Access Points to automatically contain any rogue
APs seen on the LAN.
4. Configure the access point to automatically contain any SSIDs [Hint: Keyword Containment] being broadcast
with “Nightingale” in the name of the SSID. This should automatically contain any other local SSIDs
with “Nightingale” in the SSID name.

9
Exercise 3 | Distributed Enterprise (60-120 minutes)
Nightingale Medical Associates has been using their Meraki network for an entire year now. Their Cloud
Managed Network has helped them rollout electronic medical records, ensure HIPAA compliance, and has
accommodated the demand for guest Internet. To keep up with the growing number of doctor’s offices joining
the group and increase the level of performance and reliability required by a growing distributed network,
they will need to add centralized Data Center services, increase redundancy, and ensure that their business-
critical applications are always preferring the best performing WAN path.

3.1.1 VPN Topology & Redundancy (30-60 minutes)

1. Evolve the lab VPN design to a more scalable model using the Hub-and-Spoke topology.
a. Configure your site as a spoke and add both “Data Center 1” and “Data Center 2” as hubs.
b. Prioritize “Data Center 2”.
c. Configure a full tunnel VPN by configuring both hubs with a default route.
d. Enable VPN for only Corp and Voice networks.

2. Verify that you can still ping each other’s lab MX LAN IP’s just as you did earlier with the full mesh
configuration.

3. Verify connectivity to all 3 Data Center subnets.

Hint: Use MX ping tool as well as check Route Table on your MX.
a. 10.0.250.0/24 (Shared)
b. 10.0.251.0/24 (DC1)
c. 10.0.252.0/24 (DC2)

NOTE: Let the instructor know that you have reached this point and ask them to initiate a failure at Data
Center 2 by disabling its uplink for your lab pod.

4. Perform the following verification tasks.

a. Verify that Data Center 2 in unreachable by pinging the default gateway of its unique subnet
(10.0.252.2).
b. Verify that the DC shared subnet is still reachable by pinging its default gateway (10.0.250.1).
c. Verify connectivity to your neighbors despite the data center failure by pinging their MX.

10
3.1.2 Software Defined WAN (SD-WAN) (30-60 minutes)
1. Navigate to Security appliance > Configure > Traffic shaping.

2. Configure uplink bandwidths: WAN 1 = 10Mbps, WAN 2 = 5Mbps.

3. Enable load balancing.

4. Configure a flow preference for “Guest” internet traffic to prefer WAN2. Hint: any traffic with a source
IP of 10.0.100+x.0/24 should prefer WAN2.

5. Create a customer performance class named “Acceptable Delay” with a setting of 200ms of latency.

6. Under VPN traffic, configure the following rules:

a. Any traffic destined to 8.8.8.8/32 should prefer WAN 2 unless performance is worse than
“Acceptable Delay”.
b. Any traffic from the “Corp” subnet should load balance on uplinks that meet “Acceptable
Delay”.
c. Any traffic from the “Voice” subnet should use the best uplink for VoIP.

7. Verify path selection by navigating to the Uplink Decision section of the VPN status page.
a. Which uplink is used for traffic destined for 8.8.8.8?
i. WAN2 is cycling between 50ms and 400ms of latency every 20 seconds resulting is the
uplink cycling between WAN1 and WAN2.
b. Click one of the links in the uplink decision column.
i. What is the average latency and MOS score between your branch and Data Center 2 for
both of your branch’s WAN links?

8. (Optional) Feel free to adjust the “Acceptable Delay” latency setting and see how the uplink cycling
between WAN1 and WAN2 changes.

11
Logical Data Flow / Topology

12
Exercise 4 | Meraki Communications (30-60 minutes)
Nightingale Medical Associates has been using legacy Centrex lines. They would like to reduce their telephony
costs while improving the end-user experience and are therefore interested in migrating to VoIP. They’ve had
such a great experience with the Meraki dashboard and are curious what else they can manage in the cloud.
Luckily Meraki also offers the MC74 cloud managed VoIP phone which is both easy to manage and easy to use.

4.1.1 Provisioning and initial phone configuration (10-20 minutes)

1. Navigate to Network-Wide -> Add Devices.
2. Choose an MC74 and add it to your network.
3. Refresh your browser screen and navigate to Phones -> Directory.
4. Create a new contact, name it John Doe, add the title Receptionist, and click save.
5. Navigate to Phones -> Phones, click into your phone, assign John Doe to the phone, assign a public
number based on the table below, and assign the last four digits of the public number as the extension
(ask your instructor which pod you are using if you don’t already know).
6. That’s it!!! This phone is now ready to plug in and use.

4.1.2 Configuring an IVR (Interactive Voice Response) (10-20 minutes)

1. Navigate to Phones -> IVR menus.
2. Create a new IVR and give it a name.
3. Click into the IVR and assign it a public phone number based on the table below (ask your instructor
which pod you are using if you don’t already know).
4. Assign the last four digits of the public number as the extension.
5. Download “Greeting.m4a” and “Hours.m4a” and “invalid.m4a” from the Google drive location.
6. Set “Greeting.m4a” as the Main greeting for your IVR.
7. Set “invalid.m4a” as the invalid option response for your IVR.
8. Create 2 menu items: play “Hours.m4a” for option 1 and transfer to John Doe’s phone for option 2.
9. Save the menu options.
10. Test your newly created IVR by calling into the number with your cell phone and try option 1 (hours)
and some invalid option like 4 or 5. (Due to the fact that John Doe’s phone is not yet operational,
option 2 (transfer) will not work yet).
11. Extra Credit: Record your own Greeting and Hours recordings and upload them to the IVR if you wish.
12. Remove the public phone number and delete your IVR.

13
4.1.3 Configuring and testing a voice conference room (10-20 minutes)
1. Navigate to Phones -> Conference Rooms.
2. Create a new conference room and give it a name.
3. Assign a public phone number based on the table below (ask your instructor which pod you are using if
you don’t already know).
4. Set a pin.
5. Test your newly created conference room by dialing into the number with your cell phone.
6. Use a 2nd phone or have the lab attendee next to you call in as well to test the conference room.
If your lab instructor brought a phone with them, make sure to check it out.
You can use it to call into your conference room and make sure it is working.

Public Phone Number Table

Phone Public Number IVR / Conference Room

Pod 1 707.731.8400+lab number 707.731.8420+lab number

Pod 2 707.731.8270+lab number 707.731.8460+lab number

Pod 3 707.731.8340+lab number 707.731.8360+lab number

Pod 4 707.731.8290+lab number 707.731.8440+lab number

Pod 5 707.731.8380+lab number 707.731.8486+lab number

Congratulations!
Thanks to you, Nightingale Medical Associates has been able to adopt an enterprise solution that has
scaled with the group’s growth. You’ve expanded their small original location to a larger enterprise
deployment, supporting a multi-site architecture that meets all of their security and reliability
requirements. You have saved them a lot of time and money given the single-pane-of-glass
management across their full stack of infrastructure, zero-touch deployment model, simple
troubleshooting and reporting, and great visibility and analytics to improve business practices.

14