
Mini-Lab Student Guide

Introduction
You have recently been hired to manage the IT systems for a local doctor’s office
group in San Francisco.
Nightingale Medical Associates has managed to survive with a consumer ISP-provided
gateway for many years, but recent Electronic Medical Records (EMR) mandates,
HIPAA compliance, more patients, new offices opening up, and the demand for guest
Internet access have them excited about an enterprise-class solution.
As their new IT admin, you suggest that Nightingale Medical Associates deploy Cisco
Meraki as their solution. This will not only meet their needs now, but can scale with
them as they grow their main location and open new offices, as well as provide them
with a simple, intuitive management interface and rich application visibility, reporting
and analytics.
In order to get started, you’ve decided to equip them with a stack of Meraki gear, and
today you’ll be configuring that gear for one of the offices.

How to perform lab work


1. Navigate to http://meraki.com/merakilab and fill out the form using the Session Code provided.

2. Navigate to http://dashboard.meraki.com and log in with the username and password provided
by the instructor. It is recommended to use Google Chrome. IMPORTANT: Be sure you are
selecting the correct Organization for your Minilab session after logging into the portal. Your
instructor will provide the correct session number if needed. If necessary, be sure to choose
your correct lab station number (from your Topology Sheet) from the network dropdown box in
the upper left of Dashboard.

3. Feel free to use the Cisco Meraki knowledge base articles and documentation to assist with the
lab.
They can be found at: http://documentation.meraki.com
You can also use the Dashboard search box for assistance, which is very helpful.
4. Time for “exploring” Dashboard and for finding/using help has been worked into the suggested
times for each lab section.

Reference materials:
Meraki Main Page – meraki.cisco.com
Cloud Architecture Overview – meraki.com/trust
Datasheets/Whitepapers Library – meraki.cisco.com/library
Meraki Product Documentation – documentation.meraki.com
Meraki Webinars & Training – meraki.cisco.com/webinars
Meraki YouTube Channel – www.youtube.com/user/milesmeraki/videos

Your Station’s Network Topology Overview
“n” is your lab station number

Security Appliance Configuration (Step 1.1.1):

VLAN 10 (Corp)
Subnet: 10.0.10+n.0/24
Interface: 10.0.10+n.1

VLAN 30 (Voice)
Subnet: 10.0.30+n.0/24
Interface: 10.0.30+n.1

VLAN 100 (Guest)
Subnet: 10.0.100+n.0/24
Interface: 10.0.100+n.1

Switch Configuration (Lab 2, Step 2.1.1):

VLAN 10 (Corp)
Subnet: 10.0.10+n.0/24
Interface: 10.0.10+n.201
Default gateway: 10.0.10+n.1

VLAN 150 (Legacy)
Subnet: 10.0.150+n.0/24
Interface: 10.0.150+n.1

VLAN 600 (OSPF)
Subnet: 192.168.0.0/24
Interface: 192.168.0.n

Exercise 1 | Small / Medium Site (90-120 minutes)
To get started, let’s set up your first three pieces of Meraki gear. Meraki Support has
already set up a Dashboard account and added the MX, MS and MR equipment to a
network. In this exercise, you will create an initial configuration for a doctor’s office,
create a baseline security policy, configure a guest wireless network, and interconnect
all of the remote branches over a secure VPN.

Important: Make sure you are in the CORRECT POD and the CORRECT NETWORK that corresponds
to your Lab Number

1.1.1 Initial MX Setup (20-30 minutes)


Hint: If you need help to find where commands are located use the search function in the upper left
corner, right of the POD number, or Cisco Meraki logo. It says “Search Dashboard”

1. Verify that your MX is operational noting that it’s green in Dashboard and the WAN uplinks
are healthy.

2. Rename your MX (for example “Lab <n> MX”) and assign it a city/address (refer to your
topology sheet). Use the Live tools to ping the appliance and, optionally, run a traceroute to
google.com.
Check the status of your WAN1 and WAN2 uplinks using the “Uplinks” tab.
3. VLAN configuration
a. On the “Addressing and VLANs” page, first Enable VLANs and then create VLANs 10
(Corp), 30 (Voice) and 100 (Guest) as per your topology diagram.
See additional notes b/c/d below.
b. Do not remove/modify VLAN 1 (default/untagged VLAN) which is there by default.
c. Use the “Add a Local VLAN” link to configure VLANs 10, 30 and 100.
d. All non-tagged traffic will be part of VLAN1 (default vlan).
4. On VLAN 10 (Corp) reserve IP addresses .150 through .250 under DHCP Settings.

Note: This addressing section is required before moving onto any further labs.

1.1.2 Setting a Security Policy (20-30 minutes)


1. Apply the following global default policies [Hint: This first part does not use group policies.]
a. Completely block peer-to-peer BitTorrent traffic.
b. Set a maximum bandwidth of 5Mbps per client.

c. For Netflix and Pandora, shape traffic to 1M down, 500K up and ensure they are low
priority.
d. For all voice and video conferencing, remove all bandwidth restrictions and ensure
they are high priority.
e. Apply content filtering to block adult and gambling websites, but allow 777.com.

2. Enable Advanced Malware Protection (AMP) and Intrusion Detection with the Balanced ruleset.
3. Enable network alerts if the MX goes offline for more than 10 minutes or a DHCP pool is
exhausted.
4. Create a group policy called “Guest” that enforces the following restrictions on guest users:

a. Guests are limited to 2M per client.
b. Schedule the Guest group policy so it is active only during working hours, 8am–5pm Mon–Fri.
c. No traffic may pass to or from North Korea or Syria.
d. Add another Layer 7 firewall rule to block all gaming applications.
e. Append to the default content filter so that all sports web sites are blocked as well.
f. Now that all sports sites are blocked, allow sports.yahoo.com. [Hint: Append it to the
whitelist.]

5. Apply the “Guest” group policy to the “Guest” VLAN. (Hint: Addressing & VLANs page)

1.1.3 - Interconnect All Sites via Full-Mesh Auto VPN (20 minutes)
1. Configure a full-mesh VPN between all sites, and enable VPN for the Corp and Voice VLANs,
but not the default or guest VLANs.

Hint: Navigate to Site-to-site VPN and configure your site as a hub (and do not configure an exit hub)

Verify connectivity by pinging the data center core switch (10.0.250.1) from the Live tools on
the Appliance status screen. What is your latency to the data center?

2. Navigate to VPN Status to verify connectivity to other branches. Note: If you don’t see site-to-
site peers listed, try clicking the “View old version” link on the right-hand side and you can then
verify connectivity to other branches.
3. Examine the MX’s routing table.
Do you see your local VLANs and VPN peer networks?
Can you ping any of the VPN peers? (Check with your neighbors if they have also reached
this step.)

1.2.1 Initial Switch Configuration (20-30 minutes)


1. Verify that your MS switch is operational (green status, passing traffic)

2. Edit the name of your switch and apply the tag(s) and city/location from your topology
handout.
3. Customize your flex table view under Switch > Switches to include local IP, Tags and S/N.

4. Configure ports 4 – 7 for VoIP phone access


a. Tag these 4 ports with the “voip” tag.
b. Make them access ports on VLAN 1 with voice VLAN 30.
c. Create a QoS rule for the network to mark all traffic in voice VLAN 30 as DSCP 46 (EF)
for voice.
5. Create an energy-saving port schedule to turn off ports (power down phones) during off
hours.
a. First confirm (or set) the appropriate time zone for your network. (Network-Wide
General)
b. Apply the port schedule to ports 4 – 7 simultaneously (try searching for “voip”).

6. Cable test and packet capture


a. Go to the Switch monitoring page and click on port 2.
b. In the Troubleshooting section, run a cable test on port 2 by clicking on the arrow next
to it.
c. Run a packet capture on port 1 of your switch for 30 seconds. View the output in
Dashboard, or download to a .pcap file if you have Wireshark installed on your device.
7. Extra Credit: Server ports
a. Configure ports 23 and 24 to be access ports on VLAN 1.
b. Give them a name of “File Server” and a “Server” tag.
c. Set up an email alert if any switch port with a tag of “Server” goes down for > 5 minutes
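A check worth running on the capture from step 6c once the phone ports from step 4 are in use: do the frames from the phones actually carry the VLAN 30 tag and the DSCP 46 (EF) marking the QoS rule in step 4c is meant to apply? The script below is an added example for this guide, not Cisco Meraki code. It decodes the 802.1Q tag and the IPv4 DSCP field of each frame in a classic libpcap (.pcap) file and counts voice-VLAN frames that are marked EF, voice-VLAN frames that are not, and everything else. The sample frames and the pcap container it builds for itself are constructed data so the script runs offline; pass it the path of the downloaded .pcap to audit a real capture (pcapng files are not handled).

```python
"""Audit voice-VLAN tagging and DSCP marking in a switch packet capture.

Added example for this lab, not Cisco Meraki code. Decodes the 802.1Q tag and
IPv4 DSCP of each frame in a classic libpcap file. Sample frames are constructed.
"""
import struct
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
DSCP_EF = 46          # Expedited Forwarding, what step 4c marks on VLAN 30
VOICE_VLAN = 30


@dataclass
class FrameInfo:
    vlan_id: Optional[int]   # None for untagged frames
    pcp: Optional[int]       # 802.1p priority bits, None for untagged frames
    ethertype: int           # payload EtherType after any VLAN tag
    dscp: Optional[int]      # None when the payload is not IPv4


def parse_frame(frame: bytes) -> FrameInfo:
    """Decode Ethernet II + optional 802.1Q tag + the IPv4 TOS byte."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id, pcp = 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        dscp = frame[offset + 1] >> 2   # TOS byte: DSCP is the upper 6 bits
    return FrameInfo(vlan_id, pcp, ethertype, dscp)


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield raw frames from an in-memory classic pcap file (pcapng not handled)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    pos = 24                                # skip the 24-byte global header
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def audit_voice_vlan(pcap: bytes, voice_vlan: int = VOICE_VLAN) -> dict:
    """Count voice-VLAN frames marked EF, voice-VLAN frames that are not, and the rest."""
    counts = {"voice_ef": 0, "voice_unmarked": 0, "other": 0}
    for frame in iter_pcap_frames(pcap):
        info = parse_frame(frame)
        if info.vlan_id != voice_vlan:
            counts["other"] += 1
        elif info.dscp == DSCP_EF:
            counts["voice_ef"] += 1
        else:
            counts["voice_unmarked"] += 1   # phone traffic the QoS rule missed
    return counts


def build_frame(vlan_id: int, pcp: int, dscp: int, tagged: bool = True) -> bytes:
    """Construct a minimal IPv4 frame (sample data, not from a real capture)."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if tagged:
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, (pcp << 13) | vlan_id, ETHERTYPE_IPV4)
    else:
        hdr += struct.pack("!H", ETHERTYPE_IPV4)
    # 20-byte IPv4 header: ver/IHL, TOS, len, id, flags, TTL, proto (UDP), csum, src, dst
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                       bytes([10, 0, 30, 10]), bytes([10, 0, 30, 1]))
    return hdr + ipv4


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian classic pcap container (sample data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(audit_voice_vlan(fh.read()))
```

A non-zero voice_unmarked count means frames reached the capture point on VLAN 30 without the EF marking; check that the QoS rule in step 4c matches on the voice VLAN and that the phones are in fact tagging their traffic with VLAN 30 rather than sending it untagged on VLAN 1.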

1.3.1 – Configuring Guest and Corporate Wireless (30-60 minutes)


1. Begin by verifying that your MR access point is online and operational (healthy status,
firmware and configuration up to date, etc.) – you should see only one AP listed on the
Monitor > Access points page.

2. By default the MR’s name is its MAC address. Click the pencil icon to edit the name and rename
the AP “MR [n]”, where n is your station number. You can also set the address here to place the
AP on the map. (More detailed placement is available at Wireless > Map & Floor Plans.)

3. Navigate to the “Tools” tab and ping the access point from Dashboard to confirm it is online.
You should also be able to ping your station’s MX at 10.0.10+n.1, or even other stations’ MRs
across the VPN.

4. Navigate to Configure > SSIDs and enable and rename two SSIDs: name the first “Corp n” and the
other “Guest n” (where n is your station number). Be sure to save your changes before leaving
the page.

Hint: You should rename/repurpose the default SSID (usually named “LabX – Wireless WiFi”) as one
of the two SSIDs you are creating.

5. To configure settings for these SSIDs, go to Configure > Access control and first make sure
that the “Corp” SSID is selected from the SSID drop-down menu at the top. This SSID needs the
following settings:
• Association Requirements: Pre-shared key with WPA2, password: ‘meraki123’ (a lab value; a
production Corp SSID carrying patient data should use a strong, unique PSK or WPA2-Enterprise
with 802.1X)
• Client IP Assignment: Bridge mode
• VLAN tagging: enabled, VLAN ID: 10

6. Switch to the “Guest” SSID by using the drop-down menu at the top, and give this SSID the
following settings:
• Splash page: Click-through
• Client IP Assignment: Bridge mode
• VLAN tagging: enabled, VLAN ID: 100

7. Because we are using a click-through splash page for our guest wireless network, we will
want to have them re-authenticate every 30 minutes. Navigate to Configure > Splash page
and change the frequency to every half hour.

8. We want to ensure that wireless guest users have no way of reaching internal network
resources, while also limiting their usage. Go to Configure > Firewall & traffic shaping and
make the following changes on the “Guest” SSID:
• Edit the default Layer 3 firewall rule so that wireless clients on this SSID are denied access
to the Local LAN.
• Add three Layer 7 firewall rules to block P2P, File sharing, and Gaming services.
• Limit the per-client bandwidth to 1 Mbps.
• Make the Guest SSID unavailable on weekends.
9. Let’s implement some best & common practices for the RF settings.
a. For the Corporate SSID, make it dual-band operation, but use band steering to get more
users onto the cleaner 5GHz radio.
b. For all SSIDs, disallow very old legacy 802.11b devices.
c. Ensure automatic power reduction so the AP isn’t always running at 100% Tx power.
d. Ensure a default 5GHz channel width of 80MHz.
e. Ensure the AP is choosing its channel assignment automatically.

Hint: These items are on different pages, as some controls are per-SSID, and some are for the AP as
whole. Be sure to check out both Access Control and Radio Settings pages. On Radio Settings, you
can also hover over the current settings on each AP to see available options.

10. Let’s check on the RF utilization of the 2.4 GHz band since we powered on the AP. It’s in a
very busy location, so we want to see how heavily overutilized that band has been. Back on the
AP’s status page, use the RF tab on the far right.
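Back to the guest firewall from step 8. MR Layer 3 rules are evaluated top to bottom, the first matching rule wins, and the table ends with a fixed “Allow Any”, so an allow rule placed above the Local LAN deny quietly defeats it. The Python below is an added example for this guide, not Cisco Meraki code: it replays those semantics against the topology for station n and reports whether a guest client can reach the Corp, Voice and Legacy subnets, the MX interface and the data center core (10.0.250.1) while still reaching the Internet. Rule objects borrow the field names of the Dashboard API’s L3 rule entries (comment, policy, protocol, destPort, destCidr); writing the fixed Local LAN rule as a destCidr of "Local LAN" and modeling Local LAN as the RFC1918 private ranges are this example’s assumptions, as is the documentation-range address 203.0.113.10 standing in for an Internet host.

```python
"""Replay a guest SSID's Layer 3 firewall rules against the lab topology.

Added example for this guide, not Cisco Meraki code. Rules are evaluated top to
bottom, first match wins, and a fixed final rule allows everything else, matching
the Dashboard's L3 table. "Local LAN" is modeled as the RFC1918 ranges.
"""
import ipaddress
import sys
from typing import Dict, List

LOCAL_LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DATA_CENTER_CORE = "10.0.250.1"    # pinged in step 1.1.3
INTERNET_HOST = "203.0.113.10"     # documentation-range stand-in for an Internet host


def station_subnets(n: int) -> Dict[str, ipaddress.IPv4Network]:
    """Subnets from the topology sheet for lab station n."""
    return {
        "corp": ipaddress.ip_network(f"10.0.{10 + n}.0/24"),
        "voice": ipaddress.ip_network(f"10.0.{30 + n}.0/24"),
        "guest": ipaddress.ip_network(f"10.0.{100 + n}.0/24"),
        "legacy": ipaddress.ip_network(f"10.0.{150 + n}.0/24"),
    }


def _port_matches(spec: str, port: int) -> bool:
    """Port spec: 'Any', a single port, a range like '80-443', or a comma list of those."""
    if spec == "Any":
        return True
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _dest_matches(spec: str, dst: ipaddress.IPv4Address) -> bool:
    if spec == "Any":
        return True
    if spec == "Local LAN":
        return any(dst in net for net in LOCAL_LAN)
    return dst in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: List[dict], dst: str, protocol: str = "tcp", port: int = 445) -> str:
    """Verdict ('allow'/'deny') for client traffic to dst; the first matching rule wins."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule["protocol"] not in ("any", protocol):
            continue
        if _port_matches(rule["destPort"], port) and _dest_matches(rule["destCidr"], ip):
            return rule["policy"]
    return "allow"   # the table's fixed last rule: Allow Any


def guest_isolation_report(n: int, rules: List[dict]) -> Dict[str, str]:
    """What a guest client on station n can reach under these rules."""
    nets = station_subnets(n)
    targets = {f"{name}_host": str(net[50]) for name, net in nets.items() if name != "guest"}
    targets["mx_corp_interface"] = str(nets["corp"][1])     # 10.0.10+n.1
    targets["datacenter_core"] = DATA_CENTER_CORE
    targets["internet"] = INTERNET_HOST
    return {name: evaluate(rules, ip) for name, ip in targets.items()}


def isolation_ok(report: Dict[str, str]) -> bool:
    """Guests must reach the Internet and nothing internal."""
    return all(v == ("allow" if k == "internet" else "deny") for k, v in report.items())


# A new SSID's table before step 8: nothing above the fixed Allow Any.
DEFAULT_RULES: List[dict] = []

# After step 8: the "Wireless clients accessing LAN" rule set to Deny.
HARDENED_RULES = [
    {"comment": "Wireless clients accessing LAN", "policy": "deny",
     "protocol": "any", "destPort": "Any", "destCidr": "Local LAN"},
]

# A common mistake: an over-broad allow placed above the deny makes it unreachable.
MISORDERED_RULES = [
    {"comment": "printers", "policy": "allow",
     "protocol": "any", "destPort": "Any", "destCidr": "10.0.0.0/8"},
] + HARDENED_RULES

if __name__ == "__main__":
    station = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    for label, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES),
                         ("misordered", MISORDERED_RULES)):
        report = guest_isolation_report(station, rules)
        print(label, "OK" if isolation_ok(report) else "LEAKS", report)
```

Two caveats the model makes visible. First, anything guests legitimately need inside the LAN (an internal DNS server, for instance) must be allowed by a narrow rule placed above the Local LAN deny; a broad allow such as the 10.0.0.0/8 entry in MISORDERED_RULES reopens every internal subnet. Second, these MR rules govern only wireless clients of the Guest SSID; wired devices on VLAN 100 are covered by the “Guest” group policy applied to the VLAN on the MX in step 1.1.2, so both need to be checked.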
