
Cisco Meraki SD-WAN

Walk-In Self-Paced Lab


Student Guide

Cisco Live Melbourne, 2018

MARCH 2018
Today, IT departments are under pressure to do more with less: manage more sites and more
clients with limited budgets and a relatively small team, all without any reduction in
reliability or security. The high cost of enterprise WAN connectivity, support, and
personnel, combined with the growth of bandwidth-hungry streaming applications and
cloud-based services, is forcing many network admins to search for alternative solutions.

With Cisco Meraki SD-WAN, remote sites are connected over low-cost Internet links secured
by VPN. MPLS-like reliability is provided through multiple uplinks with load balancing
capabilities, intelligent path control, and automatic failover.

Introduction
Welcome to the Cisco Live Melbourne 2018, Meraki SD-WAN Walk-In Self-Paced Lab. In this lab, you
will gain hands-on experience building an end-to-end Cisco Meraki SD-WAN solution. You will
configure and monitor a functional cloud-managed networking environment, alongside other rich
capabilities and customer use cases supported by the Cisco Meraki MX Security Appliance.

HOW TO PERFORM LAB WORK

1. Navigate to http://meraki.com/merakilab and fill out the form using the Session Code provided.

2. Navigate to http://dashboard.meraki.com/ and log in with the username and password provided
by the instructor. It is recommended to use Google Chrome.

IMPORTANT: Be sure you are selecting the correct Organization for your Lab session after
logging into the portal. Your instructor will provide the correct session number if needed. If
necessary, be sure to choose your correct lab station number (from your Topology Sheet) from
the network dropdown box in the upper left of Dashboard.

3. Feel free to use the Cisco Meraki knowledge base articles and documentation to assist with
the lab. They can be found at: http://documentation.meraki.com/
You can also use the Dashboard search box for assistance, which is very helpful.

4. Time for “exploring” Dashboard and for finding/using help has been worked into the
suggested times for each lab section.

REFERENCE MATERIALS
Meraki Main Page – meraki.cisco.com
Cloud Architecture Overview – meraki.com/trust
Datasheets/Whitepapers Library – meraki.cisco.com/library
Meraki Product Documentation – documentation.meraki.com
Meraki Webinars & Training – meraki.cisco.com/webinars
Meraki YouTube Channel – http://www.youtube.com/user/milesmeraki/videos
Meraki Community – community.meraki.com
Meraki Create Space – create.meraki.io

2 Cisco Systems, Inc. | 500 Terry A. Francois Bvld, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com
NETWORK TOPOLOGY OVERVIEW

“x” is your lab station number

Security Appliance
Configuration:
(Step 1.1.1)

VLAN 10 (Corp)
Subnet: 10.0.10+X.0/24
Interface: 10.0.10+X.1

VLAN 30 (Voice)
Subnet: 10.0.30+X.0/24
Interface: 10.0.30+X.1

VLAN 100 (Guest)
Subnet: 10.0.100+X.0/24
Interface: 10.0.100+X.1

Switch Configuration:
(Lab 2, Step 2.1.1)

VLAN 10 (Corp)
Subnet: 10.0.10+X.0/24
Interface: 10.0.10+X.201
Default gateway: 10.0.10+X.1

VLAN 150 (Legacy)
Subnet: 10.0.150+X.0/24
Interface: 10.0.150+X.1

VLAN 600 (OSPF)
Subnet: 192.168.0.0/24
Interface: 192.168.0.X

Let’s Get Started
LOG INTO DASHBOARD

1. Navigate to http://dashboard.meraki.com/ from your web browser. Log in with the credentials provided
below:
• Username: clmel2018[x]@meraki.com.test (where ‘x’ is your lab number)
• Password: meraki123
• At the top of the page, make sure your Cisco Live Lab[n] is selected. If it is not, use the network
dropdown menu to choose your specific Lab network.

Cisco Meraki MX Security Appliance Lab
The Cisco Meraki MX Security Appliance Lab exercises begin below.

Please remember to click ‘Save Changes’ throughout the entire lab. This will help save you some time.

Exercise 1: Basic MX Setup


1. Verify that your MX is operational:
a. WAN uplinks are healthy.
b. MX is “green” in dashboard.

2. Edit the name of your MX to be your name, and complete the following configuration:
a. Provide a physical address as per your topology sheet (bottom right-hand side, in red).
For example, Melbourne, AU. Or choose another location of your choice.
b. Apply the following tags (NOTE: you may have to switch to the old version of the
Appliance Status page):
i. CiscoLive
ii. The two-letter DNS country code of the address provided previously. For example,
AU for Australia.

USE CASE: TAGS CAN BE USED FOR DATA ANALYSIS AND FOR QUICKLY IDENTIFYING OR
FILTERING FOR DEVICES OF INTEREST

3. Enable VLANs and create the following SVIs as per your topology sheet:
a. Do not remove VLAN 1 (native/untagged VLAN) which is configured by default.
b. VLAN 10: Corp
i. Reserve IP addresses .150 through .250 under DHCP Settings.
ii. Set DNS servers to be OpenDNS.
c. VLAN 30: Voice
i. Enable DHCP option 150 to provide a list of TFTP servers for the VoIP
phones. NOTE: these servers are not active; we are simply configuring them.
a. 10.0.251.50
b. 10.0.252.50
ii. Set DNS servers to be OpenDNS.
d. VLAN 100: Guest
i. Set DNS servers to be OpenDNS.
e. Ensure that untagged traffic is part of VLAN 1 (the native VLAN, Corp).

USE CASE: ENFORCE THE USE OF OPENDNS FOR CLIENTS BEING SERVED ON NETWORK

Exercise 2: Setting Security Policies
1. Apply the following global default policies (Hint: this section does not use group policies;
think of these as global settings.)
a. Completely block BitTorrent (Layer 7 firewall rule).
b. Maximum bandwidth of 5 Mbps per client.
c. For Netflix and Pandora, shape traffic to 1 Mbps down, 500 Kbps up. Ensure they are low
priority.
d. For all voice and video conferencing, remove all bandwidth restrictions, ensure they
are high priority, and set DSCP to WMM Voice.
e. Apply content filtering for adult websites, and ensure full-list lookups are applied.

2. Enable threat protection as follows:
a. Enable Advanced Malware Protection (AMP).
b. Set the Intrusion detection and prevention mode to ‘Prevention’ with a ‘Balanced’
ruleset.
c. Whitelist any Cisco.com intranet site (i.e., *.cisco.com).

3. Create the following ACLs:
a. Prevent DNS services from being available over TCP and UDP except for OpenDNS
(208.67.222.222 & 208.67.220.220) with a Layer 3 rule.
b. When using the 4G backup, prevent the Guest network from getting out.

4. Create a group policy called “Guest” to ensure that guest users conform to the restrictions
below:
a. Guest group policies will only be turned on during working hours, 8am–5pm M-F.
b. Guests will be restricted to 2 Mbps per client.
c. No traffic can communicate to North Korea, China, Russia, and Hungary.
d. Append another content filtering category for all websites deemed “Illegal.”
e. Apply the “Guest” group policy to the “Guest” VLAN.
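Rule order decides whether step 3a actually works: the OpenDNS allow rules must sit above the deny, or the deny shadows them. The following Python model of an ordered, first-match Layer 3 firewall is an added example, not Meraki code; it assumes lab station x = 1 (Guest is 10.0.101.0/24) and a simplified "cellular" uplink flag to stand in for the 4G-backup condition of step 3b.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of an ordered, first-match Layer 3 outbound firewall, evaluated
# top to bottom the way the MX applies its rules. Not Meraki's code.
OPENDNS = ("208.67.222.222", "208.67.220.220")
GUEST_NET = "10.0.101.0/24"    # lab station x = 1 assumed (constructed)

@dataclass(frozen=True)
class Rule:
    policy: str            # "allow" or "deny"
    protocol: str          # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # comma-separated CIDRs/hosts, or "any"
    dst_port: str          # port number or "any"
    uplink: str = "any"    # "any", or "cellular" for a rule active only on the 4G backup
    comment: str = ""

def _in_net(pattern, addr):
    return pattern == "any" or ip_address(addr) in ip_network(pattern.strip(), strict=False)

def _matches(rule, proto, src, dst, port, active_uplink):
    return (rule.uplink in ("any", active_uplink)
            and rule.protocol in ("any", proto)
            and _in_net(rule.src, src)
            and any(_in_net(p, dst) for p in rule.dst.split(","))
            and rule.dst_port in ("any", str(port)))

def evaluate(rules, proto, src, dst, port, active_uplink="wan"):
    """Return (policy, comment) of the first matching rule; the implicit final rule allows."""
    for rule in rules:
        if _matches(rule, proto, src, dst, port, active_uplink):
            return rule.policy, rule.comment
    return "allow", "default allow"

# Step 3a: DNS only to OpenDNS. The allow rules MUST come before the deny rules.
DNS_RULES = [Rule("allow", p, "any", ",".join(OPENDNS), "53", comment="OpenDNS") for p in ("tcp", "udp")]
DNS_RULES += [Rule("deny", p, "any", "any", "53", comment="block other DNS") for p in ("tcp", "udp")]
# Step 3b: the Guest VLAN gets no Internet while the 4G backup carries traffic.
GUEST_4G = Rule("deny", "any", GUEST_NET, "any", "any", uplink="cellular", comment="guest off 4G")
RULES = [GUEST_4G] + DNS_RULES

if __name__ == "__main__":
    print(evaluate(RULES, "udp", "10.0.11.20", "208.67.222.222", 53))        # ('allow', 'OpenDNS')
    print(evaluate(RULES, "udp", "10.0.11.20", "8.8.8.8", 53))               # ('deny', 'block other DNS')
    print(evaluate(RULES, "tcp", "10.0.101.20", "203.0.113.10", 443, "cellular"))  # ('deny', 'guest off 4G')
    # Same rules in the wrong order: the deny shadows the allow and OpenDNS is blocked too.
    print(evaluate(list(reversed(DNS_RULES)), "udp", "10.0.11.20", "208.67.222.222", 53))
```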

Exercise 3: Interconnect All Sites with Full-Mesh AutoVPN
1. Configure a split-tunnel VPN between all sites.
a. Hint: Navigate to Site-to-site VPN and configure your site as a hub (do not configure an
exit hub).
b. Enable VPN for Corp and Voice networks.

2. Verify connectivity by pinging the data centre core switch (10.0.250.1) from the Live tools on
the Appliance status screen.
a. Obtain a packet capture that proves you have two-way traffic to the data centre switch.
b. What is your latency to the data centre?

3. Navigate to VPN Status to verify connectivity to other branches.
a. If you don’t see site-to-site peers listed, try clicking the “View old version” link on the
right-hand side; you can then verify connectivity to other branches.
b. Verify you have a route available to the Data Centres and to the other sites. Take note
of the route status.

Exercise 4: Securing VLANs

USE CASE: WHEN THE SVI LIVES ON THE MX, ACCESS CONTROL POLICIES CAN BE SET UP TO
CONTROL THE BEHAVIOUR OF ALL THE CLIENTS THAT CONNECT ON A SPECIFIC VLAN

1. Create an Access policy for the Corp VLAN.

a. Use RADIUS host 10.0.250.100, port 1812, secret “meraki123”.

b. Enable NAC control.

i. Send non-compliant clients to the following remediation URL: https://goo.gl/IlwEl8

c. Enable the walled garden and set the URL for the remediation site.

2. Create an Access policy for the Guest VLAN.

a. Set it to click-through.

3. Create a Splash page for your Guest VLAN.

a. Add the Cisco logo to the page.

b. Add a custom disclaimer message.

c. Redirect the client to your favourite Cisco Security product URL.

Exercise 5: Client VPN
USE CASE: SET UP A VPN CONNECTION USING THE DEFAULT CLIENT AVAILABLE ON ANY
MODERN OPERATING SYSTEM

1. Configure client VPN to the MX:
a. Set up your VPN client IPv4 address pool.
b. Select OpenDNS as your name server.
c. Choose a suitable secret.
d. Use RADIUS host 10.0.250.100, port 1812, secret “meraki123”.

Exercise 6: VPN Topology & Redundancy

1. Evolve the lab VPN design to a more scalable model using the Hub-and-Spoke topology.
a. Configure your site as a spoke and add both “Data Centre 1” and “Data Centre 2” as
hubs.
b. Prioritize “Data Centre 2”.
c. Configure a full-tunnel VPN by enabling the default route option on both hubs.
d. Enable VPN for only the Corp and Voice networks.

2. Verify that you can still ping each other’s lab MX LAN IPs just as you did earlier with the full
mesh configuration.

3. Verify connectivity to all 3 Data Centre subnets by pinging the “.1” addresses. Hint: use the MX
ping tool and also check the Route Table on your MX:
a. 10.0.250.0/24 (Shared)
b. 10.0.251.0/24 (DC1)
c. 10.0.252.0/24 (DC2)

4. Let the lab proctor know that you have reached this point and ask them to initiate a failure at
Data Centre 2 by disabling its uplink.
a. Verify that Data Centre 2 is unreachable by pinging the default gateway of its unique
subnet (10.0.252.2).
b. Verify that the DC shared subnet is still reachable by pinging its default gateway
(10.0.250.1).
c. Verify connectivity to your neighbours despite the data centre failure by pinging their
MX.
d. Please let the instructors know that you are now complete, so we can reinstate DC2.

Exercise 7: SD-WAN
1. Navigate to Security appliance > Configure > Traffic shaping.

2. Configure uplink bandwidths: WAN 1 = 10 Mbps, WAN 2 = 5 Mbps.

3. Enable load balancing.

4. Configure a flow preference for “Guest” internet traffic to prefer WAN2. Hint: any traffic with a
source IP of 10.0.100+x.0/24 should prefer WAN2, and failover if link is down.

5. Create a custom performance class named “Acceptable Delay” with a latency threshold
of 150 ms.

6. Under VPN traffic, configure the following rules:
a. Any traffic destined to 8.8.8.8/32 should prefer WAN 2 unless performance is worse
than “Acceptable Delay”.
b. Any traffic from the “Corp” subnet should load balance on uplinks that meet
“Acceptable Delay”.
c. Any traffic from the “Voice” subnet should use the best uplink for VoIP.
d. Any “Webex” traffic should use the best uplink for VoIP.
e. Any “iCloud” traffic should follow the Global preference.

7. Verify path selection by initiating a ping to 8.8.8.8 from the security appliance, waiting 30
seconds, and then navigating to the Uplink Decision section of the VPN status page.
a. Which uplink was used?
b. Click one of the links in the Uplink Decision column.
c. What are the average latency and MOS score between your branch and Data Centre 2
for both of your branch’s WAN links?
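To make the VPN traffic rules in step 6 concrete, the following Python model walks a flow through them in order and shows why step 7 can report either uplink. It is an added example, not Meraki's path-selection algorithm: it assumes lab station x = 1, WAN1 as the global preference, and estimates MOS with the common textbook E-model approximation rather than Meraki's own calculation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the Exercise 7 VPN traffic rules for lab station x = 1, so Corp is
# 10.0.11.0/24 and Voice is 10.0.31.0/24. This is not Meraki's path-selection algorithm.
CORP_NET, VOICE_NET = "10.0.11.0/24", "10.0.31.0/24"
ACCEPTABLE_DELAY_MS = 150.0     # the "Acceptable Delay" custom performance class
GLOBAL_PREFERENCE = "WAN1"      # assumed global default uplink (constructed)

@dataclass(frozen=True)
class Probe:
    """Measured quality of one uplink's VPN tunnel to the destination hub."""
    uplink: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float

def meets_class(p):
    return p.latency_ms <= ACCEPTABLE_DELAY_MS

def estimate_mos(p):
    """MOS via the common textbook E-model approximation (not Meraki's own MOS calculation)."""
    effective = p.latency_ms + 2 * p.jitter_ms + 10           # jitter buffer and codec delay
    r = 93.2 - effective / 40 if effective < 160 else 93.2 - (effective - 120) / 10
    r = max(0.0, min(100.0, r - 2.5 * p.loss_pct))
    return round(1 + 0.035 * r + 7e-6 * r * (r - 60) * (100 - r), 2)

def choose_uplink(src, dst, app, probes, flow_hash=0):
    """Walk the lab's rules 6a-6e in order and return the uplink chosen for one flow."""
    by_name = {p.uplink: p for p in probes}
    # 6a: 8.8.8.8/32 prefers WAN2 unless WAN2 breaches "Acceptable Delay" while WAN1 meets it.
    if ip_address(dst) in ip_network("8.8.8.8/32"):
        return "WAN2" if meets_class(by_name["WAN2"]) or not meets_class(by_name["WAN1"]) else "WAN1"
    # 6b: Corp load-balances across the uplinks that currently meet the class (all, if none do).
    if ip_address(src) in ip_network(CORP_NET):
        eligible = [p.uplink for p in probes if meets_class(p)] or [p.uplink for p in probes]
        return eligible[flow_hash % len(eligible)]
    # 6c/6d: Voice subnet and Webex take the best uplink for VoIP (highest MOS). Because rules
    # are ordered, Webex from a Corp client has already matched 6b above.
    if ip_address(src) in ip_network(VOICE_NET) or app == "Webex":
        return max(probes, key=estimate_mos).uplink
    return GLOBAL_PREFERENCE    # 6e: iCloud, and anything unmatched, follows the global preference

if __name__ == "__main__":
    probes = [Probe("WAN1", 40, 2, 0.0), Probe("WAN2", 180, 5, 1.0)]   # WAN2 breaches 150 ms
    print(choose_uplink("10.0.11.5", "8.8.8.8", "DNS", probes), [estimate_mos(p) for p in probes])
```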

Exercise 8: Sentry Policies
USE CASE: SENTRY POLICIES ALLOW YOU TO DYNAMICALLY MAP GROUP POLICIES BASED ON
TAGS FROM SYSTEMS MANAGER. THIS ALLOWS THE CONTEXT OF THE DEVICE TO BE USED
FOR SECURITY PURPOSES. NOW DID SOMEONE SAY EAP-TLS?

1. Find your Lab’s Systems Manager network from the Network drop down.
2. Automatically tag all new devices with “CORP” by adding the default tag “CORP” to the SM
Network under Configure > General > Enrolment Settings > Default tags.
3. Security Policies are used to determine if a particular profile and/or app should be applied.
Create a Security Policy under Configure > Policies with the following settings:
a. Policy Name of CISCOSECURE
b. Check passcode lock
c. Device is not compromised
d. Require that devices check in at least every week.
4. Return to your lab network. Create a group policy called RESTRICT.
a. Change Firewall and traffic shaping to Custom network firewall & shaping rules.
b. Add a firewall rule that blocks all traffic.
5. Create a group policy called FASTWEBEX.
a. Change Firewall and traffic shaping to Custom network firewall & shaping rules.
b. Add a traffic shaping rule for Webex.
i. Set PCP to 7.
ii. Set DSCP to 5.
6. Navigate to Network-wide > Sentry policies to create a policy tied to Systems Manager.
7. Add a new group policy MDM scope.
a. Select your Lab SM Network Lab[X]-systems manager, apply scope to
“CISCOSECURE-violating” tag, and use the RESTRICT group policy.
b. Select your Lab SM Network Lab[X]-systems manager, apply scope to the CORP tag,
and use the FASTWEBEX group policy.
8. Extend the Sentry use case to enable EAP-TLS for devices with the “CORP” tag. This will
leverage the MR Wireless Access Point included in your network.
a. Enable an SSID called CiscoLive-corp on your MR Access Point under Wireless >
Configure > SSID.
b. Configure the SSID association requirements for WPA2-Enterprise using Meraki
authentication.
c. Configure the splash page setting for Systems Manager Sentry enrollment.
d. Enable the Systems Manager Sentry Wi-Fi security feature.
e. Configure the Systems Manager Sentry Wi-Fi security feature to require certificate
authentication (EAP-TLS) for the devices with the “CORP” tag on your lab’s Systems
Manager network.
f. Configure Systems Manager Sentry enrollment for your lab’s Systems Manager
network as Strict and enforce enrollment on iOS and Android.
g. Save your changes and EAP-TLS is now configured. On-boarding and corporate SSID
can be separated if necessary.

Exercise 9: Securing Dashboard
1. Change the local time zone of the network to AEDT.
2. Change the default password of the local device status page to “meraki321”.
a. Add a default block message.
3. Explore the Organization settings for some of the ways you may lock down access to
Dashboard. NOTE: Do not make any changes, as this may lock down the lab.

Exercise 10: Alerting, Monitoring & User Management
1. Create automated alerts for the following:
a. A rogue DHCP server is detected.
b. For malware events.

2. Traffic analysis:
a. Allow for detailed monitoring of the traffic analytics.
b. Create a custom traffic type called CiscoLive that uses port 9321.

3. Create a limited user access role for a user that has read-only access to the network and
nothing else.
a. Use a personal email for this test.
b. Check your personal email for receipt of a message from Dashboard.

4. (Optional) If you have a publicly reachable syslog, SNMP, and/or NetFlow server, set up the MX
to send events to them.
a. For syslog, only send IDS alerts and Flows.

5. Enable URL Logging. Visibility is improved and enhanced when one can build quick context
around what a particular user is doing on the network.
a. Enable Network-wide URL logging.
b. Review URL Logs.
c. Identify and record the top-site accessed for the day.
d. Identify the most active client for the last day.
e. Filter the URL Log view to show only the top client for the day.
f. Identify the 5th most active remote host and note what country it exists in.
g. Complete a WHOIS lookup for the remote host.
h. Explain how you can quickly block this country for future connections.
i. Filter the URL Log view to show only the 5th most active remote host for the day.
j. Identify the contents of the first HTTP GET request to this remote host.
k. Record the User-Agent in use as part of the HTTP GET request.
l. Filter the URL Log view to show only those entries for the site: google.com.
m. Identify and record the other data types you can filter by.
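The questions in step 5 are the same ranking and filtering you would run offline over an exported log. This Python example is added here and is not part of the lab; it works over a constructed sample log whose columns (time, client, remote host, method, URL, user agent) mirror the fields the exercise asks about, and it answers 5c through 5l programmatically.

```python
import csv
from collections import Counter
from io import StringIO
from urllib.parse import urlsplit

# Constructed sample URL log (time, client, remote host, method, URL, user agent) using
# documentation address ranges; it only mirrors the fields the Dashboard URL log shows.
URL_LOG = """\
2018-03-07T09:00:01Z,10.0.11.20,192.0.2.1,GET,http://google.com/search?q=meraki,Mozilla/5.0 (Windows NT 10.0) Chrome/64.0
2018-03-07T09:00:05Z,10.0.11.20,192.0.2.1,GET,http://google.com/images,Mozilla/5.0 (Windows NT 10.0) Chrome/64.0
2018-03-07T09:00:09Z,10.0.11.22,192.0.2.1,GET,http://google.com/maps,WinHTTP/1.0
2018-03-07T09:01:10Z,10.0.11.21,203.0.113.10,GET,http://example.org/,curl/7.58.0
2018-03-07T09:02:00Z,10.0.101.7,198.51.100.23,GET,http://cdn.example.net/lib.js,Mozilla/5.0 (iPhone; CPU iPhone OS 11_2) Safari/604.1
2018-03-07T09:02:30Z,10.0.11.20,198.51.100.23,GET,http://cdn.example.net/app.js,Mozilla/5.0 (Windows NT 10.0) Chrome/64.0
2018-03-07T09:03:00Z,10.0.101.7,192.0.2.77,POST,http://tracker.example.com/beacon,Mozilla/5.0 (iPhone; CPU iPhone OS 11_2) Safari/604.1
2018-03-07T09:03:05Z,10.0.101.7,192.0.2.77,GET,http://tracker.example.com/pixel.gif,Mozilla/5.0 (iPhone; CPU iPhone OS 11_2) Safari/604.1
2018-03-07T09:04:00Z,10.0.11.21,203.0.113.10,GET,http://example.org/about,curl/7.58.0
2018-03-07T09:05:00Z,10.0.11.20,203.0.113.55,GET,http://updates.example.com/check,WinHTTP/1.0
"""
FIELDS = ["time", "client", "remote_host", "method", "url", "user_agent"]

def parse(text):
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]

def site(entry):
    return urlsplit(entry["url"]).hostname

def ranked(entries, key):
    """Distinct values of key(entry), most frequent first (ties keep first-seen order)."""
    return [value for value, _ in Counter(key(e) for e in entries).most_common()]

def top_site(entries):                 # 5c
    return ranked(entries, site)[0]

def most_active_client(entries):       # 5d
    return ranked(entries, lambda e: e["client"])[0]

def nth_remote_host(entries, n):       # 5f (n = 5 in the lab)
    return ranked(entries, lambda e: e["remote_host"])[n - 1]

def filter_by(entries, field, value):  # 5e, 5i, 5l ("site" filters on the URL's host)
    return [e for e in entries if (site(e) if field == "site" else e[field]) == value]

def first_get_user_agent(entries, remote_host):   # 5j, 5k: skip non-GET requests
    for e in filter_by(entries, "remote_host", remote_host):
        if e["method"] == "GET":
            return e["user_agent"]
    return None
```

Running `parse(URL_LOG)` through these functions answers the same questions the Dashboard view does: the top site, the busiest client, the fifth remote host by hits, and the User-Agent of the first GET to it.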

Congratulations!! You have successfully completed the Cisco Meraki MX SD-WAN Lab.

Please contact your lab proctor for instructions and thank you for your attendance.
