Cisco Meraki
Engineering Cisco Meraki Solutions 1
Lab Solutions Manual #1
Last updated: 8 March 2019

Table of Contents

Overview
Lab 1 — Setup and Configuration
Exercise A — MX Security Appliance Setup
Exercise B — MS Switch Setup
Exercise C — MR Wireless Setup
Exercise D — MV Camera Setup
Exercise E — SM Device Profile Setup

Overview

This particular document will help guide you through the ECMS1 lab and provide detailed explanations to the various lab exercises. To maximize learning opportunities, you should do your best to attempt all lab exercises on your own before reading the corresponding solutions found in this guide.

Important: All examples and information (such as IP addresses and subnets) used in this guide are performed using lab station #1 as the source — your lab station will likely have slightly different values.

Lab 1 — Setup and Configuration

The following are detailed instructions and solutions on how to correctly complete the exercises found in Lab Manual 1.

Exercise A — MX Security Appliance Setup

1. From the navigation bar, select Security & SD-WAN and then click on Appliance status.

2. Click on the pencil icon, rename as "MX [n]", then click Save.

3. From the navigation bar, select Security & SD-WAN and then click on Addressing & VLANs.

   Check the box that says Use VLANs and then click on Add VLAN.

   Create and configure the 4 VLANs with the information provided in the lab guide and then click Update.

   Select all of the ports in the Per-port VLAN Settings table and click Edit.

   Set the type to trunk, the native VLAN to VLAN 1, and the Allowed VLANs to All VLANs. Click Update.

4. From the navigation bar, select Security & SD-WAN and then click on [...].

   Scroll down to VLAN 10 (Corp) to click on Add a reserved IP address range and then configure the First IP, Last IP, and Comment.

Exercise B — MS Switch Setup

1. From the navigation bar, select Switch and then click on Switches; in the table, click on the MAC address to see more details of your switch.

2. Click on the pencil icon, rename as "MS [n]", then click Save.

3. From the navigation bar, select Switch and then click on Switch ports.

   Check the boxes for ports 15 to 18 and then click on the Edit button near the top.

   Change the Tags, PoE, Type, VLAN, and Voice VLAN fields and click Update.

4. Click on the + icon on the top row of the table and check the box for CDP/LLDP.

5. Check the box for port 13 and click on the Edit button near the top.

   Change the Tags, PoE, Type, and VLAN fields and click Update.

6. [OPTION A] In the picture showing the switch ports, click on port 13. Scroll down and click on the arrow button for Cycle port.

   [OPTION B] Click on the Tools tab, scroll down and enter 13 in the Cycle ports field, and then click Cycle ports.

   Be sure to wait 2-3 minutes for the MV camera to finish rebooting, then go to the navigation bar and select Cameras and then click on Cameras.

   Look for a local IP address for your MV camera that falls within VLAN 50 (you may have to click on the wrench icon on the top row of the table and check the box for Local IP).

Exercise C — MR Wireless Setup

1. From the navigation bar, select Wireless and then click on Access points; in the table, click on the MAC address to see more details of your access point.

2. Click on the pencil icon, rename as "MR [n]", then click Save.

3. From the navigation bar, select Wireless and then click on SSIDs.

   Rename [...] as Corporate (the default is named "Un[...]") and rename [...] SSID as Guest.

   Start by selecting the Corporate SSID from the drop-down [...].

   Proceed to configure the Corporate SSID using Pre-shared key with WPA2 (set Meraki123 as the password), Splash page access is None, and Client IP assignment as NAT mode.

   Similarly, configure the Guest SSID using Open (no encryption) association, Click-through splash page access, Client IP assignment in Bridge mode, and use VLAN tagging (All other APs should be using VLAN ID: 100).

Exercise D — MV Camera Setup

1. From the navigation bar, select Cameras and then click on Cameras; in the table, click on the MAC address to see more details of your camera.

2. Click on the pencil icon, rename as "MV [n]", then click Save.

3. Click on the Network tab and scroll down to verify the camera has an IP address from VLAN 50, the firmware & configuration are up to date, and then click the Ping camera button to verify that the camera is reachable by the Dashboard.

Exercise E — SM Device Profile Setup

1. From the navigation bar, select Systems Manager and then click [...].

2. Look for the + Add profile button near the top right of the Profile [...]. Select the Device profile (default) button and click Continue.

3. Name the profile Corporate Devices, select Require password to remove this profile (set Meraki123 as the password) from the Removal Policy, set with ANY of the following tags as the Scope, and create a new tag called Corp (click Create option after typing in the tag).

4. Click on + Add settings near the left side of the page to open up the profile options.

   The first setting to be added and configured is under Restrictions — once you click on it, proceed to uncheck the box for Allow use of camera.

   To add more settings, click on + Add settings to be returned to the main selection menu.

   The second setting to be added and configured is under Passcode Policy — once you click on it, proceed to check the boxes for Allow simple value and Require alphanumeric value and select a Minimum length (6) from the drop-down menu.

   To add more settings, click on + Add settings to be returned to the main selection menu.

   The third setting to be added and configured is under WiFi Settings — once you click on it, proceed to select Sentry as the Configuration option, using your Lab — wireless as the network, and to select the Corporate SSID which you should enforce devices to Auto Join (check the box).

** End of Lab 1 **

(We will be reviewing Section 1 before moving on to Section 2. You may now take a break but do not move on until Lab Manual #2 has been distributed and your instructor informs you that it is time for the next lab period.)
