Meraki360 - Lab Guide: On-Site Version

The document provides instructions for a lab guide on configuring a Cisco Meraki full stack deployment including an MX64 security gateway, MS120-8LP switch, and MR33 access point. The objectives are to replace an existing retail location's network with Meraki equipment, setting up VLANs, establishing a site-to-site VPN to headquarters, implementing traffic shaping and content filtering rules, and enabling intrusion detection and prevention. Optional exercises include generating security events and configuring SD-WAN policies.

Meraki360 - Lab Guide

On-Site Version

Page 1 of 4
Introduction

You have just joined the IT team of CloudMart, a quickly growing retail chain that
currently operates ten stores in locations around the world.

The Director of IT is looking for a unified full-stack solution that will also allow
CloudMart to easily and inexpensively add redundancy to their WAN. Additionally,
the solution should allow the IT staff to remotely troubleshoot issues from HQ.

Cisco Meraki’s solution was recommended to you by a colleague and you’ve
decided to run a pilot of the full stack.

During this lab you will work to configure a Cisco Meraki full stack deployment and
develop knowledge in configuring and troubleshooting Meraki networks.

Session Sign-In
In order to receive recognition for your participation in Meraki360, you must
complete and submit the lab sign-in form. If you have not done so already, follow
the link below to access the form.
Form: meraki.cisco.com/meraki360

Your Branch
1 x MX64 Security Gateway

1 x MS120–8LP 8 port Gigabit PoE Switch (with 2 SFP ports)

1 x MR33 Triple-radio, dual-stream 802.11ac access point with integrated
BLE radio

Your Dashboard login credentials:

Site: dashboard.meraki.com
Username: Instructor Provided
Password: Instructor Provided

Network Topology

MX | Security Appliances

You are fully on-boarded with CloudMart and it is time for your first big
implementation. You have decided to take down and completely replace the
current setup at one of CloudMart’s retail locations. Your current challenge is to
replace the existing security appliance at that location with a Cisco Meraki MX and
recreate all the subnets and security settings that were available on the old device.

Useful Resources:
MX Manual: http://docs.meraki.com/mx
Meraki Documentation page: https://documentation.meraki.com/
Meraki Dashboard page: https://dashboard.meraki.com/

Exercise 1 - Initial Network Setup

1. Sign in to the Meraki Dashboard using the credentials provided by your
instructor. Make sure that you have signed in with the correct lab station
number!
2. Navigate to Security Appliance > Appliance Status and verify that your MX
device is online. Change the name to Branch[n]MX.
3. In order to maintain different types of traffic segments, you must enable VLAN
segmentation on the security appliance. Navigate to the Addressing and
VLANs page, enable VLANs, and modify the default VLAN 1 subnet (refer to
the table below for subnet information). Confirm that VLAN 1 is configured to
be the native (default) VLAN.
4. Now configure VLANs 100 and 200 on the MX to be your “Data” and “Voice”
VLANs respectively. (Refer to the table below for subnet information.)
5. Disable your computer’s wireless adapter. Plug your computer into any of the
LAN ports on the MX and confirm that you are getting a DHCP lease from
VLAN 1. Access the local status page of the MX by navigating to
setup.meraki.com and verify cloud connectivity.

Store LAN Subnets

VLAN 1 (Native):
  Subnet:               10.0.[n].0/24
  Gateway (MX LAN IP):  10.0.[n].1

VLAN 100 (Data):
  Subnet:               10.0.[100+n].0/24
  Gateway (MX LAN IP):  10.0.[100+n].1

VLAN 200 (Voice):
  Subnet:               10.0.[200+n].0/24
  Gateway (MX LAN IP):  10.0.[200+n].1
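The addressing scheme above is easy to get wrong for a station number that pushes a third octet out of range or lands on a subnet already used elsewhere in the VPN. The script below is an added example, not part of the lab guide: it derives the three VLAN bodies for station n from the table and checks them before anything is pushed to the Dashboard. It assumes the HQ hub's LAN is 10.0.50.0/24 (the guide only states the hub inside interface 10.0.50.1) and that the key names match the Dashboard API's appliance VLAN body.

```python
import ipaddress

# ASSUMPTION: the guide gives only the HQ hub's inside interface (10.0.50.1);
# a /24 around it is assumed here so the plan can be checked against it.
HQ_LAN = ipaddress.ip_network("10.0.50.0/24")

# VLAN id -> (name, third-octet offset), exactly as in the guide's subnet table
VLAN_SCHEME = {1: ("Default", 0), 100: ("Data", 100), 200: ("Voice", 200)}


def vlan_plan(n):
    """Return one dict per VLAN for lab station n. The key names (id, name,
    subnet, applianceIp) are assumed to match the Dashboard API's appliance
    VLAN body; the addressing itself follows the guide's table."""
    if not 1 <= n <= 55:  # 200 + n must still be a valid third octet
        raise ValueError(f"station {n} does not fit the 10.0.[200+n].0/24 scheme")
    plan = []
    for vid, (name, offset) in VLAN_SCHEME.items():
        third = offset + n
        plan.append({"id": vid, "name": name,
                     "subnet": f"10.0.{third}.0/24",
                     "applianceIp": f"10.0.{third}.1"})  # MX LAN IP = .1
    return plan


def check_plan(plan):
    """Return a list of problems with a plan: gateway outside its subnet,
    two VLANs overlapping, or a VLAN overlapping the HQ LAN (which would
    clash once the subnets are advertised over the site-to-site VPN)."""
    problems = []
    seen = []
    for v in plan:
        net = ipaddress.ip_network(v["subnet"])
        gw = ipaddress.ip_address(v["applianceIp"])
        if gw not in net:
            problems.append(f"VLAN {v['id']}: gateway {gw} is not inside {net}")
        if net.overlaps(HQ_LAN):
            problems.append(f"VLAN {v['id']}: {net} overlaps the HQ LAN {HQ_LAN}")
        for other_id, other in seen:
            if net.overlaps(other):
                problems.append(f"VLAN {v['id']}: {net} overlaps VLAN {other_id} ({other})")
        seen.append((v["id"], net))
    return problems


if __name__ == "__main__":
    for n in (3, 50):  # station 50 collides with the assumed HQ LAN
        plan = vlan_plan(n)
        print(f"station {n}:", [v["subnet"] for v in plan])
        print("  problems:", check_plan(plan) or "none")
```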

Exercise 2 - Establishing a Site-to-Site VPN

CloudMart needs to connect its retail stores back to HQ. Currently, the sites are
connected by an MPLS line. Bandwidth needs have recently increased due to new
in-store displays, and Corporate is considering a move to IPSec VPN. You’ll need to
set up a site-to-site VPN between your store and the HQ Security Appliance.

1. On the Security Appliance > Site-to-Site VPN page, enable your site as a
Spoke in the VPN Topology.
2. Specify the HQ Appliance as the Hub and configure a split-tunnel VPN
(leave “Default Route” unchecked; checking it makes the VPN a full tunnel).
3. Make sure that all VLANs are participating in the VPN tunnel advertisements.
4. Test VPN connectivity by pinging the inside interface of the remote VPN
device (your hub HQ MX) at 10.0.50.1 via the Ping Tool on the Appliance
Status page.
5. Determine what other connections, routes and lab stations are online via the
Monitor > VPN Status page. (Note: If you have just configured the VPN, you
may need to refresh the webpage for the VPN status menu item to appear.
You may proceed with the old view of the VPN page since the new one could
take a few minutes to populate successfully.)

Exercise 3 - Traffic Shaping and Content Filtering

CloudMart has a company policy that all traffic that is not work-essential should be
restricted. In addition, the Marketing department wants to prevent comparison
shopping over the store network while customers are in the store. You are tasked
with configuring rules to limit these behaviors.

1. Create a bandwidth limit under Security Appliance > Traffic Shaping that
limits all Peer-to-Peer traffic and all Video and Music to 50 Kbps. You can do
this by creating one or two separate rules.

2. Create a content filtering rule under Security Appliance > Content Filtering
that blocks access to all shopping websites.
3. Test your configurations and confirm that you are not able to access
amazon.com and that YouTube traffic is limited to 50 Kbps. Note: Make sure
you are wired into the MX with your wireless adapter turned off. Please wait a
minute after saving your configuration before conducting tests. Either clear
your browser cache or use an incognito (private) browser window.

Exercise 4 - Intrusion Detection and Prevention

CloudMart processes numerous credit card transactions. In such an environment,
network security is key. As a result, CloudMart is looking to implement IDS and IPS
systems into their network. Your job is to enable the SourceFire intrusion detection
and prevention engine.

1. Navigate to Security Appliance > Threat Protection and set Intrusion
detection and prevention to “Detection” mode with a “Balanced” ruleset.
2. Enable AMP and whitelist “cloudmart.com”. Make sure you add a comment of
your choice.
3. Explain your configurations to the instructor.
4. Under Security Appliance > Security Center, schedule a monthly report to
be sent out to the CEO of the company at [email protected]. Format the
reports in an HTML format.

Note: There will not be any security events right now as we have just enabled
security protection on the MX. In the future, you would use the Security Center
page to monitor threats on the network. If you want to generate events in the
center, please go through the “Bonus Exercise” below.

Bonus Exercise - Security Center

Note: After enabling AMP, wait 5 minutes before proceeding with this exercise.

1. Disable the wireless connection from your laptop and connect it directly to
your branch MX.
2. Navigate to http://www.eicar.org/85-0-Download.html.

Note: The European Expert Group for IT Security (www.eicar.org) produces test
malware files. Please note that these files do NOT contain any malicious code and
are designed to be detected by most anti-virus/security vendors for testing
purposes. The file you are about to download is innocuous.

Note: Before proceeding we recommend that you shut down any security software
you have installed on your machine.

3. Download the file named “eicar_com.zip”. In your browser, you should see a
connection reset (example: ERR_CONNECTION_RESET).
4. If you disabled any security software, enable it again.
5. Navigate again to Security Appliance > Security Center. Make sure the filter
on the top includes “Malware Detection” events.

Bonus Exercise - SD-WAN

CloudMart wants secure, transport-independent connectivity between their branch
locations and the campus. You have decided to deploy Cisco Meraki’s SD-WAN
solution.

1. Under Security Appliance > Appliance Status, verify that the status of your
second internet port on your Branch MX is “Ready”.
2. Navigate to Security Appliance > Traffic Shaping and enable the SD-WAN
functionality on the MX by configuring the following settings:
• Under “Flow Preferences”, add a VPN traffic preference that applies to
any traffic originating from 10.0.[200+n].0/24 to send over preferred
uplink WAN 1. Ensure that the link will fail over if there is poor
performance for VoIP devices.

Note: Be sure not to leave any of the source, destination, or port fields blank. The
word "any" can be applied as a wildcard.

• Add a second VPN traffic flow preference to forward any traffic destined
for 10.0.50.1 over WAN 2, unless the uplink is down.
3. Disable the wireless adapter from your laptop and connect it to a LAN port on
the branch MX. Run a continuous ping to the address 10.0.50.1. Verify that
connectivity is available.
4. Verify that the traffic from the ping destined to 10.0.50.1 is going over the
configured WAN 2 interface. (Navigate to Security Appliance > VPN Status
and look at the bottom of the page under “Uplink Decisions”.)
5. To test the resiliency of the setup by simulating an uplink failure, manually
unplug the second uplink cable from WAN 2 of your station MX (or the LAN
port designated as WAN, if the device does not have a dual WAN
configuration). Did the ping test from your laptop fail over to WAN 1?

Note: Replug the cable of WAN 2 to bring the connection back up.

MS | Meraki Switches

Congratulations, you have completed your initial infrastructure setup. You now have
secure and reliable connectivity back to HQ thanks to the configurations you
implemented with Site-to-Site VPN and SD-WAN. Now it is time to get CloudMart’s
LAN set up and configured.

Useful Resources:
Meraki MS documentation page: docs.meraki.com/ms
Meraki Documentation page: https://documentation.meraki.com/

Exercise 1 - Initial Switch Setup

1. Plug in your switch at port 8 to port 1 (or 2 depending on MX model) of the
Branch MX.
2. Verify that the switch is online. Assign a static IP address to the switch with
the value of 10.0.[n].240 in the “Default” VLAN (see table in MX section for the
full details for this subnet). Rename the switch to “Branch[n]Switch”.
3. Plug in your laptop to any port of the switch and verify that your computer can
successfully connect to the network and internet on an address from VLAN 1.

Note: The switch default port configuration for all ports is Trunk, native VLAN 1,
allow all. Please verify that these are the configured settings.

4. Navigate to Switch > Switch Ports and configure the below port tags on the
switch ports.
• “Uplink” – for the port that is currently being used to uplink the switch to
the MX. In our case this should be port 8 (depending on the switch
model). (Note: The arrow on the port diagram indicates an uplink port.)
• “Wireless” – for port 1 on the switch. You will use this port to connect the
access point later in the lab.
5. Select ports 2–5 on your switch. Configure the ports as access on VLAN 100
and tag each of the ports with the “Data” tag.
6. Select ports 6 and 7 on your switch. Configure the ports as access on VLAN
200 and tag each of the ports with the “VoIP” tag.
7. Select the port that connects your Wireless AP (use the LLDP info) and
configure that port with the name “Wireless”. Confirm the port is “Trunk”.
8. Select all access ports on the switch and enable BPDU guard to protect the
switch from STP reconvergence from unauthorized switches. Make sure you
do not enable BPDU guard on your uplink port, as doing so will break the
connectivity between your switch and the MX appliance.
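Steps 4 to 8 define a small, fixed port plan, and step 8 names the one mistake that takes the switch offline. The script below is an added example, not part of the lab guide or Meraki's tooling: it builds that plan for the MS120-8LP numbering used in this lab (port 1 = AP, 2 to 5 = Data, 6 and 7 = VoIP, 8 = uplink) and validates it, flagging BPDU guard on the uplink among other inconsistencies. The `uplink_port` and `ap_port` parameters are assumptions for other switch models.

```python
# Port roles from steps 4-8 of the switch exercise (MS120-8LP numbering):
# 1 = AP ("Wireless"), 2-5 = Data access, 6-7 = VoIP access, 8 = uplink to MX.

def build_port_plan(uplink_port=8, ap_port=1):
    """Return {port: settings} for ports 1-8 as the guide describes them."""
    plan = {}
    for port in range(1, 9):
        if port == uplink_port:
            plan[port] = dict(name="Uplink", type="trunk", vlan=1,
                              tags=["Uplink"], bpdu_guard=False)
        elif port == ap_port:
            plan[port] = dict(name="Wireless", type="trunk", vlan=1,
                              tags=["Wireless"], bpdu_guard=False)
        elif 2 <= port <= 5:
            plan[port] = dict(name=f"Data {port}", type="access", vlan=100,
                              tags=["Data"], bpdu_guard=True)
        else:
            plan[port] = dict(name=f"VoIP {port}", type="access", vlan=200,
                              tags=["VoIP"], bpdu_guard=True)
    return plan


def validate(plan):
    """Return the rule violations in a plan (empty list = consistent)."""
    errors = []
    uplinks = [p for p, s in plan.items() if "Uplink" in s["tags"]]
    if len(uplinks) != 1:
        errors.append(f"expected exactly one Uplink port, found {uplinks}")
    for port, s in plan.items():
        if "Uplink" in s["tags"]:
            if s["type"] != "trunk" or s["vlan"] != 1:
                errors.append(f"port {port}: uplink must be a trunk with native VLAN 1")
            if s["bpdu_guard"]:  # the case step 8 warns about
                errors.append(f"port {port}: BPDU guard on the uplink breaks the link to the MX")
        elif "Wireless" in s["tags"]:
            if s["type"] != "trunk" or s["vlan"] != 1:
                errors.append(f"port {port}: AP port must be a trunk with native VLAN 1")
        elif s["type"] == "access":
            if not s["bpdu_guard"]:
                errors.append(f"port {port}: access port without BPDU guard")
            if s["vlan"] not in (100, 200):
                errors.append(f"port {port}: access VLAN {s['vlan']} is neither Data nor Voice")
    return errors


if __name__ == "__main__":
    good = build_port_plan()
    print("guide plan:", validate(good) or "OK")
    bad = build_port_plan()
    bad[8]["bpdu_guard"] = True  # the mistake the guide tells you to avoid
    print("BPDU guard on uplink:", validate(bad))
```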


Exercise 2 - Port Schedules

CloudMart wants to save power by turning off PoE devices after hours. Use the port
schedule feature to configure this functionality.

1. Before you begin this exercise, make sure you set the time zone of your
network to the timezone you are currently in. You can accomplish this by
navigating to Network-wide > General.
2. Navigate to Switch > Port Schedules and create a new schedule. Name it
Lab[n]Schedule. Set the schedule to turn the ports off from 11pm to 6am every
day.
3. Apply the port schedule to the “Wireless” and “VoIP” ports on your switch.

Exercise 3 - Access Policies and ACLs

CloudMart wants to further tighten the security of their network by disallowing
access to certain resources. You will need to create an ACL that prevents traffic
coming from the Data VLAN from reaching a server.

1. Navigate to Switch > IPv4 ACL. Create an ACL rule that filters traffic coming
from any host on the Data VLAN (100) and going to the destination
address of 10.0.50.1.
2. From your computer, connect to the network (you should get an address on
the Data VLAN), disable your wireless adapter, and test to verify that
connectivity to 10.0.50.1 is not available.
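To see what the ACL from step 1 actually blocks, and why leaving the source as “any” would be wrong, the following added example (not from the lab guide) evaluates a switch IPv4 ACL the way the Dashboard lists it: top-down, first match wins. It assumes an unmatched flow falls through to the default allow rule shown at the bottom of the ACL page, and uses a constructed station number of 3.

```python
import ipaddress

N = 3  # constructed sample lab station number
VLANS = {"Default": f"10.0.{N}.0/24", "Data": f"10.0.{100 + N}.0/24",
         "Voice": f"10.0.{200 + N}.0/24"}
HQ_INSIDE = "10.0.50.1/32"

# The rule Exercise 3 asks for: any host on the Data VLAN -> 10.0.50.1 is denied.
ACL = [{"policy": "deny", "protocol": "any", "src": VLANS["Data"],
        "dst": HQ_INSIDE, "comment": "Data VLAN may not reach 10.0.50.1"}]

# A broader version of the same rule (src left as "any") for comparison.
ACL_TOO_BROAD = [dict(ACL[0], src="any", comment="any -> 10.0.50.1 denied")]


def _in(addr, cidr):
    """True when addr is covered by cidr; 'any' is the wildcard, as in the UI."""
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def evaluate(acl, src, dst, proto="icmp"):
    """Walk the ACL top-down; first match wins. ASSUMPTION: an unmatched flow
    falls through to the Dashboard's default allow rule."""
    for rule in acl:
        if rule["protocol"] in ("any", proto) and _in(src, rule["src"]) and _in(dst, rule["dst"]):
            return rule["policy"], rule["comment"]
    return "allow", "default allow"


def blocked_vlans(acl, dst, vlans=VLANS):
    """Names of the station's VLANs whose hosts can no longer reach dst
    (one sample host, .25, is tested per VLAN)."""
    return [name for name, net in vlans.items()
            if evaluate(acl, str(ipaddress.ip_network(net)[25]), dst)[0] == "deny"]


if __name__ == "__main__":
    print("Data host -> HQ:", evaluate(ACL, f"10.0.{100 + N}.25", "10.0.50.1"))
    print("Voice host -> HQ:", evaluate(ACL, f"10.0.{200 + N}.25", "10.0.50.1"))
    print("intended rule blocks:", blocked_vlans(ACL, "10.0.50.1"))
    print("too-broad rule blocks:", blocked_vlans(ACL_TOO_BROAD, "10.0.50.1"))
```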

MR | Meraki Wireless

Nice work on getting this far! Now, let’s add WiFi connectivity to the network at
CloudMart so that visitors and employees of the stores can access network
resources and the internet.

Useful Resources:
Meraki MR documentation page: docs.meraki.com/mr
Meraki Documentation page: https://documentation.meraki.com/

Exercise 1 - AP Setup

1. Go to Wireless > Access Points and select your access point.
2. Specify the name “Branch [n] Wireless” as the name of the AP and change
the geographical address to your training address.
3. Confirm that your AP is connected to the switch using the port you labeled
“Wireless” in the previous lab section. (This should be port 1.)
4. Confirm that the AP port is set to “Trunk” with native VLAN 1.

Exercise 2 - Setting up SSIDs for Guest and Corp

Let’s configure the Guest SSID so CloudMart can provide free WiFi access to its
customers.

1. Under Wireless > SSIDs, enable one of the available SSID slots and rename
it “Lab[n]Guest”.
2. Go into the SSID settings and configure them as follows:
• Use a WPA2 passphrase of meraki123.
• Configure a click through splash page for this SSID.
• Configure the SSID so that local LAN access is not allowed (hint: look
under firewall rules).
3. Navigate back to Wireless > SSIDs. Enable and rename another of the
available SSID slots. Call it “Lab[n]Corp”.
• Use a WPA2 passphrase of ikarem123.
• Enable splash page with the “Meraki authentication” option.
• The network associated with the SSID needs access to your internal
resources, so put it in Bridge mode. Ensure that this SSID allows LAN
Access for wireless clients.

• Navigate to Network-Wide > Users and authorize your dashboard login
ID for access to the SSID RADIUS auth.
• Enable VLAN Tagging for Corp SSID.
• Use VLAN tagging and assign “All other APs” to VLAN 100 for this SSID.
4. Connect to the SSID and authenticate using your credentials.

Exercise 3 - PCI Reports and Air Marshal

Since this network will be processing financial transactions, the CloudMart
Compliance department is asking for a report to confirm that the stores’ networks
are PCI compliant.

1. Navigate to the Wireless > PCI Report page and select “Run Scan”.
2. Enter in the subnet of your Corp SSID and select your CORP SSID as “in
CDE”. Select “Confirm” for all the self-auditing questions and run the report.
3. Review the output of the report and save it.

Where did you fail and why? Give an example to your instructor. Where in
dashboard do you need to go to fix the issues reported by the PCI scan?

Wireless security can be a big concern in the retail space, especially if the store is
conducting transactions over wireless. Therefore, you want to make sure no one
can conduct a man-in-the-middle attack by spoofing your store’s SSID.

1. Navigate to Wireless > Air Marshal.
2. Explain to your instructor how you could configure rules to automatically
contain any AP trying to spoof your Corporate SSID.

Note: Make sure you don’t save this rule, as doing so would contain all your
neighboring CloudMart SSIDs!

Congratulations!
You had a tough day at work, but you’re almost done and ready for the weekend.
Just one last set of tasks for you to complete.

Last Steps
1. Arrange the lab station the way it was when you found it (cables bundled,
neat and tidy, APs powered off). Your station should look exactly the way it
was when you found it.
2. If you completed an SM module, confirm that you properly removed your
mobile device in the final step of the System Manager exercises.
3. Once you’ve confirmed completion of the lab, please provide your feedback
through the survey at https://goo.gl/forms/mvnnc8zI94XkyCwJ3. Thank you!
