Cisco Meraki
Last updated: 8 March 2019
Lab Solutions Manual #3
Engineering Cisco Meraki Solutions 1

Table of Contents
Overview
Lab 3 — Troubleshooting and Management
Exercise A — Limited Network Access
Exercise B — Offline Device
Exercise C — Wireless Reconfiguration
Exercise D — Unreachable Device

Overview

This particular [...] guide you through the ECMS1 lab and [...] learning oppo[...] should do your best to [...] exercis[...] correspondi[...]

Important: All examples and information (such as IP addresses and subnets) used in this guide are performed using lab station #1 as the source — your lab station will likely have slightly different values.

Lab 3 — Troubleshooting and Management

[...] found in Lab Manual:

Exercise A — Limited Network Access

Objective 1:

From the navigation bar, select Security & SD-WAN and then click on SD-WAN & traffic shaping.

Under Uplink configuration, verify that WAN 1 and WAN 2 bandwidths have not been modified and are still configured as 10 Mbps and 5 Mbps, followed by checking Global bandwidth limits and that the Per-client limit is still at 5 Mbps.

Objective 2:

From the navigation bar, select Wireless and then click on Firewall & traffic shaping.

Select Corporate from the SSID drop-down menu at the top.

Scroll down to Traffic shaping rules and you'll see that the Per-client bandwidth limit has been modified — reconfigure/reset this value back to unlimited by using the slider.

Exercise B — Offline Device

Objective 1:

From the navigation bar, select Wireless and then click on Access points.

You will see that your access point [...]

[Screenshot: OFFLINE ACCESS POINTS for the last day]

From the navigation bar, select Switch and then click on Switch ports.

Check the box for port 14 and click on the Edit button near the top of the page.

You should see that this switch port (for your access point) has been disabled and PoE also disabled — use the drop-down menus to enable these options and click Update 1 port.

Wait 2-3 minutes and allow these configuration changes to go into effect, and then check your AP to make sure it is in good health status and reachable via Tools using Ping AP.

Objective 2:

Scroll down on the page and look for the FIRMWARE and CONFIG sections — they should show Up to date.

Click on the Location tab and then the Topology subtab to see the topology view of your access point along with the other detected devices that are connected in your network.

Objective 3:

From the navigation bar, select Wireless and then click on Air Marshal.

On the Air Marshal page, click on the Rogue SSIDs tab to verify that there are no SSIDs detected.

Objective 4:

From the navigation bar, select Network-wide and then click on General.

Look for the Local time zone setting and use the drop-down menu to select your local region's time zone and then click Save Changes.

Exercise C — Wireless Reconfiguration

Objective 1:

From the navigation bar, select Wireless and then click on Radio settings.

[...] the BAND drop-down menu to switch t[...] clicking on the Target power (dBm) to obs[...]

From the navigation bar, select Wireless and then click Access control.

Select Corporate from the SSID drop-down menu at the top.

Scroll down to Wireless options and select 5 GHz band only as the Band selection option and then click Save Changes.

Objective 2:

To ensure that devices and clients that connect to the Corporate SSID receive DHCP leases from the LAN (or use static IPs), you must configure the Client IP assignment to use Bridge mode: Make clients part of the LAN.

Objective 3:

From the navigation bar, select Wireless and then click Access points.

[...] 10 into the VLAN field and click Save.

From the navigation bar, select Wireless and then click Access control.

Select Corporate from the SSID drop-down menu at the top.

Set the VLAN Tagging drop-down to Use VLAN tagging and enter 10 as the VLAN ID.

From the navigation bar, select Security & SD-WAN and then click Site-to-site VPN.

[...] Default route for both the NY Data Center and SF D[...]

Go to the Tools tab of your access point and click the Reboot AP button.

Wait 2-3 minutes to allow the access point enough time to reboot. Once it is back online, you should notice that the AP has now received an IP address from VLAN 10.

Exercise D — Unreachable Device

Objective 1:

From the navigation bar, select Cameras and then click Cameras.

In the table listing all of the cameras, you should see that your MV camera is offline.

As we proceed to perform a packet capture, we will first need to acquire the MAC address of the security camera. The MAC address can be obtained from [OPTION 1] the same table we observed above or [OPTION 2] under the Identifying information on the Network tab of the camera.

From the navigation bar, select Network-wide and then click Packet capture.

We will use the default values but specify 13 for the Ports field [...] Ignore: broadcast packets [...] multicast packets.

Enter in a Filter expression of ether host MAC address of your MV camera (found previously) and then press Start capture.

Objective 2:

From the navigation bar, select Switch and then click Switch ports.

Check the box for port 13 and click on the Edit button near the [...]

[...] modified (reconfigured) [...] changing it back to VLAN 50 ([...] which is not a valid VLAN on our ne[...] VLAN) and then click Update 1 port.

Objective 3:

From the navigation bar, select Security & SD-WAN and then click Firewall.

You will notice that there is a Layer 3 outbound rule that is denying Any traffic [...] outbound whose source is on the video VLAN (10.0.[...].0/24).

There are different ways to correct this rule:

[OPTION A] You can change the Policy by adjusting the drop-down menu to Allow.

[OPTION B] The [...] method is by clicking on the X under the Actions column to remove (delete) the rule completely.

The MV camera should now be back online and reachable if you use the Ping camera button on the Network tab.

The live video should also be visible back on the Video tab.

*** End of Lab 3 ***

(Please wait for your instructor to provide additional instructions and review Section 3)
