Lab 1: Configure the Cisco Meraki

Dashboard
Introduction

For most new Cisco Meraki deployments, a user begins by establishing a dashboard account
and creating an organization for their operational entity. Upon receiving the sales or purchase
order information, which typically consists of data such as the tracking number for shipped
equipment, serial numbers, and purchased licenses keys, those devices and licenses will be
claimed in the dashboard. Administrators can then create and define networks to which they
will allocate the claimed devices. Your lab will begin from this setup and configuration stage of
the deployment. Devices and licenses have been claimed and added to networks.

You will begin by setting up the Cisco Meraki stack with basic network configurations. These
settings represent typical deployments and your focus is on getting the devices operating with
common configurations. As you progress through the labs, the exercises will help you build and
expand the network in ways that take advantage of and use different features to address the
various needs of an organization.

Topology

Set Up the Cisco Meraki MX Security Appliance

Activity

1. On Admin-PC, wait until the Ready icon appears on desktop.

Open Firefox web browser window and log in to the Cisco Meraki Cloud Dashboard at
the URL that you can find in bookmarks bar. Use the pre-saved username and
password.
In case a verification code is required back to Admin-PC desktop and open
Thunderbird email client and look for a new email with the verification code.

On Admin-PC start Thunderbird email client.

 On Thunderbird verify the Inbox email folder, there should be a new email, copy the
verification code and paste on Firefox.

2. Choose your LABn dashboard network from the Network drop-down list in the top-left
corner of the page.

3. From the navigation bar, choose Security & SD-WAN > Monitor > Appliance status.
This page provides important information, details of the status of your Cisco Meraki
MX appliance, and access to other data or tools
 4. Identify the MAC address field, and the model number. Identify the configured WAN1
and WAN 2 IP Addresses. Note the Hostname and Serial Number. Finally, note the
Network usage display and the Ports display.

5. Under Ports, hover the mouse over Port 3. What is its speed and which duplex is it
using? Is it connected?

Note

Your ports may appear differently. Hover only above Port 3 that is the focus of this exercise.

6. By default, the name of the Cisco Meraki MX appliance name will appear as its MAC
address. Look for and click the Pencil icon, which will allow you to change the name.
Rename the Cisco Meraki MX name as MX [n], where n is your allocated lab number.
Click Save.

The displayed Cisco Meraki MX name has changed. Note that you can still see the model
number and the MAC address.
Set Up VLANs

You will now set up the Cisco Meraki MX appliance with various VLANs used by different traffic
types.

7. Choose Security & SD-WAN > Configure > Addressing & VLANs.
 8. Scroll down to Routing, click VLANs, and click Add VLAN.

9. Fill in the fields for all four VLANs (Corp, Voice, Video, and Guest) using the information
in the following table. Begin each configuration by clicking Add VLAN (in this example,
LAB1 was used).

Note

IMPORTANT: Do not remove or change VLAN 1, which is configured by default. In the example,
you will add your lab number to the base number. For example, LAB1 Corp would use
10.0.11.0/24, whereas LAB13 Corp would use 10.0.23.0/24.

VLAN Name: Corp VLAN Name: Voice

VLAN ID: 10 VLAN ID: 30

Group policy: None Group policy: None

MX IP: 10.0.[10 + n].1 MX IP: 10.0.[30 + n].1

 Subnet: 10.0.[10 + n] .0/24 Subnet: 10.0.[30 + n].0/24

VLAN Name: Video VLAN Name: Guest

VLAN ID: 50 VLAN ID: 100

Group policy: None Group policy: None

MX IP: 10.0.[50 + n].1 MX IP: 10.0.[100 + n].1

Subnet: 10.0.[50 + n].0/24 Subnet: 10.0.[100 + n].0/24

10. After you have added all four VLANs, it should look like the following figure:
Note

The IP addressing for your pod may differ from the screenshot.

Scroll down to the bottom of the page and click Save.

11. Scroll down to Per-port VLAN Settings. Confirm that the Type for all LAN ports (ports 3
to 12) on the Cisco Meraki MX appliance are configured as Trunk. Also, confirm that
the VLAN is configured as Native VLAN 1 and that Allowed VLANs is set to all.
12. Choose Security & SD-WAN > Configure > DHCP.

13. Scroll down to VLAN 10 (Corp) and click Add a reserved IP address range to configure
a pool of IP addresses for VLAN 10 (Corp). For the First IP, set your address to
 10.0.10[+n].150, and for the Last IP, set your address to .250. In the Comment field,
enter reserved range. n represents your pod number.

Note

This IP pool for your pod may vary from the screenshot.

14. If a box appears in the lower-right part of the screen alerting you that You have
unsaved changes, click Save. If not, scroll down to the bottom of the web page and
click Save Changes.

You will see a green box confirming Changes saved.

Set Up the Cisco Meraki MS Switch

Activity

1. Navigate to your Cisco Meraki MS switch by choosing Switch > Monitor > Switches.
2. You will see only one switch available. Note its MAC address.

3. Choose the MAC address in the Name column.

 4. Information about your switch should appear. This page provides important
information and many details of the status of your switch and access to other data or
tools. Identify the MAC address field and the model number. Identify the configured
addresses. Note the hostname and MAC address. Finally, note the Clients section, the
Client usage chart, and the Ports display.

Note

It is expected, at this point, to see an alert at the top of the switch status page indicating a
VLAN mismatch on port 24. This situation is normal and expected.

5. Hover your mouse over Port 2. What is its trunk or VLAN configuration? Is it
connected? Note the lightning symbol. What do you think this symbol indicates?
The port is configured as a trunk, it is connected, and the lightning symbol indicates that the
port is providing PoE. Your AP is connected to this port.

6. By default, the Cisco Meraki MS switch name will appear as its MAC address. Look for
the Pencil icon, which will allow you to change the name.

Note

You may see an alert at the top of the switch status page indicating a VLAN mismatch on port
24. This situation is normal and expected.

7. Click the Pencil icon and rename the Cisco Meraki MS switch as MS [n] where n is your
allocated lab number. Click Save to save the changes.
 8. The displayed name of the Cisco Meraki MS switch has changed. Note that you can still
see the model number and the MAC address.

In your lab deployment, switch ports 10 to 14 will be designated for Cisco Meraki MV cameras,
which you will install later. You will now navigate to the Switchports page and implement
settings using the Virtual Stacking method of bulk port configuration. Virtual Stacking is a Cisco
Meraki feature that allows you to edit multiple switch ports at the same time.

9. Choose Switch > Monitor > Switch ports to bring up the Switchports page.
 10. The Switchports page appears.

Note

You may want to include 30 results per page to make choosing the ports easier.

11. Select ports 10 to 14 and click Edit.

12. Configure the switch ports with the following information, as shown in the figure.
Then, click Update.

o Tags: Video (To add a tag, type the tag word in the field, and press the Tab
key.)

o PoE: Enabled

o Type: Access

o VLAN: 50
As you selected a separate voice VLAN, VoIP traffic will be in its own broadcast domain and
then tagged for optimal transfer and prioritization. The Cisco Meraki MS access switch utilizes
Link Layer Discovery Protocol (LLDP) to recognize the VoIP phone connected and retrieve
various properties of the phone.

13. The switch ports should look like the following figure:

Note
If you switched to 30 results per page earlier, you should now change back to 10 results per
page. Then, in the lower right, choose the number 2 (for page 2), for easier viewing.

14. Click the Wrench icon in the top right and check the POE and Tags check boxes. Then,
click the Wrench icon again to close the option window.

15. You should now see POE and Tags fields.

 16. Scroll down the page to configure switch ports 15 to 18 for VoIP traffic using the bulk
configuration method. Select ports 15 to 18 and click Edit.

17. Configure the switch ports with the following information, as shown in the figure.
Then, click Update.

Note

You may need to scroll the page down to see some options.

o Tags: VoIP (To add a tag, type the tag word in the field and press the Tab key.)

o PoE: Enabled

o Type: Access

o VLAN: 1

o Voice VLAN: 30
 18. The switch ports should look like the following figure.

Note

You should change back to 10 results per page, and in the lower right, choose the number 2
(for page 2) for easier viewing.

19. To order the displayed ports based on the discovered Cisco Discovery Protocol (CDP)
and LLDP neighbors, click the Wrench icon in the top right and check the CDP/LLDP
check box to display the discovered neighbors. Click the Wrench icon again to close
the option window.
 20. Look at how many ports have neighbors. On which port is the AP located? (Hint: Look
for a Cisco Meraki MR AP.)

Note

To sort the ports with neighbors to the top, click the CDP/LLDP column.

There are several ports with connected neighbors.

The AP is on Port 2.

21. Configure the AP port with the tag Wireless. Leave all other settings alone.

Note

To add a tab, type the tag word in the field and press the Tab key.

Click Update when complete.

Note

You may need to scroll the page down, to see some options.
 22. The Tag should be displayed when you view the Switchports page.

Set Up the Cisco Meraki MR Wireless AP

You will configure the Cisco Meraki MR access point, including naming and the base
configuration of SSIDs.

Activity

1. Navigate to your Cisco Meraki MR AP by choosing Wireless > Monitor > Access points.
2. You will see only one AP available. Note its MAC address.

3. Click the MAC address in the Name column.

4. AP information appears. This page provides important information, details of the
status of your AP, and access to other data or tools. Identify the MAC address field,
and the model number. Identify the configured Addresses, SSIDs, and Radio Settings.
Note the Uplink traffic and Current clients sections.

5. By default, the name of the Cisco Meraki MR wireless AP will appear as its MAC
address. Look for the Pencil icon, which allows you to change the name.
6. Click the Pencil icon and rename the Cisco Meraki MR as "MR [n]," where n is your
allocated lab number. Click Save to save the changes.

7. The displayed name of the Cisco Meraki MR AP has changed. Note that you can still
see the model number and the MAC address.
8. Choose Wireless > Configure > SSIDs.
9. The Configuration overview page appears. You can configure SSIDs on this page.

10. Choose Rename under LABn – wireless WiFi (where n is your lab number; in this case,
LAB1 was used). Change the name to Corporate and click Save Changes. A Changes
saved message will appear to confirm the save.

11. To add a second SSID, that you will configure for guest access later in the exercise,
under Unconfigured SSID 2, change disabled to enabled in the drop-down list. Then,
click rename and change the name to Guest. Finally, click Save Changes.
 12. Choose Wireless > Configure > Access control.

Note

If at the top of the page, you see a notification to switch to a new version, make sure to click
the new version option.
SSID Wireless Settings

You will now configure the wireless settings for these SSIDs.

SSID: Guest

SSID: Corporate Association requirements:

Association requirements:  Open (no encryption)

 Pre-shared key with WPA2 Splash page:

 Password: Meraki123  Click-through

Splash page: Client IP assignment:

 None (direct access)  Bridge mode

Client IP assignment: VLAN tagging:

 NAT mode: Use Meraki DHCP  Use VLAN tagging

 VLAN ID (All other APs): 100

An SSID with a Pre-shared Key (PSK) requires that a client enter a pre-defined PSK to be able to
associate to the SSID. Without entering the correct PSK, the client will not be able to associate.

13. First, configure the Corporate SSID. Ensure that Corporate is chosen in the drop-down
list at the top. Click the Pre-shared key (PSK) option under Security and enter
Meraki123 as the key.

Note

You can click the eye icon to confirm that the key was typed correctly.

Scroll down the page and confirm that the None (direct access) radio button is clicked under
the Splash page.

Finally, scroll down the page and confirm that Meraki AP assigned (NAT mode) is chosen
under Client IP and VLAN..
 14. If a box appears in the lower right of the screen alerting you that You have unsaved
changes, click Save. If not, scroll down to the bottom of the web page and click Save
Changes.

15. Next, configure the Guest SSID. Ensure that Guest is clicked in the drop-down list at
the top.

Under Security, confirm that the Open (no encryption) option is set.

Scroll down to the Splash page and select the option Click-through.

Scroll down to Client IP and VLAN and select the option External DHCP server > Bridged.

Finally, next to VLAN Tagging, select Enabled. Then, under AP tags, set Default to VLAN ID
100. (This action will assign all guest traffic to VLAN 100).
16. Save changes.

17. Finally, because you are using a click-through splash page for the Guest SSID, you want
guests to reauthenticate every 30 minutes. Choose Wireless > Configure > Splash
page.
 18. Scroll down to Splash Behavior > Splash frequency and choose Every half hour in the
drop-down list.

19. Save changes.

Set Up the Cisco Meraki Systems Manager Device Profile

You will create and configure a Cisco Meraki Systems Manager device profile, including Wi-Fi
settings payload, a passcode policy payload, and a restrictions payload.

Activity

1. To create a device profile within Cisco Meraki Systems Manager, navigate back to your
Network view, then choose Systems Manager > Manage > Settings, and click the +
Add profile button near the upper-right corner.
2. Click the Device profile (default) radio button. This option will give you access to the
maximum number of configurable Cisco Meraki Systems Manager settings, and it is
supported on all device types. Click Continue.

3. Name this profile Corporate Devices and then continue by defining the Profile
Removal Policy with the following settings:

o Removal Policy: Require password to remove this profile

 Password: Meraki123

o Scope: With any of the following tags

o Device tags: Create a tag named corp.

Now that you have used tags to define the scope of the profile, you must define the various
settings and restrictions.

4. Click + Add settings near the left side of the page to open the full list of Cisco Meraki
Systems Manager configurable options.

The first setting to be added and configured is under Restrictions. Once you click Restrictions,
uncheck the Allow use of camera check box.
5. Click + Add settings to configure the second setting. Under Passcode Policy, check the
following check boxes:

o Allow simple value

o Require alphanumeric value

o Minimum length: Choose 6 from the drop-down list.

 6. Finally, click + Add settings again and choose WiFi Settings. For WiFi Settings, use
Sentry as the Configuration type, use your LABn - wireless network, and select the
check box next to Auto Join to have devices automatically join your Corporate SSID.

Note

Ignore the enrollment authentication warning.

7. Scroll down the page and click Save.

8. Navigate to your Systems Manager settings by choosing Systems Manager > Manage >
Settings. You should see the configured profile.
Lab 2: Enable Advanced Features and
Optimize Networking
Introduction

The lab environment has the basic network settings for your Cisco Meraki stack through the
Cisco Meraki dashboard configured. Now you will turn on features to customize the treatment
of traffic and clients. You will also see some instructions to guide you through verification of
these more advanced configurations.

Topology

Set Up Security Policies on the Cisco Meraki MX Security Appliance

This task focuses on enabling features that will filter and prioritize or shape traffic on the Cisco
Meraki MX security appliance. The security features that are enabled in this exercise include
Layer 7 firewall rules, content filtering, Cisco Advanced Malware Protection (AMP), and the
intrusion prevention system (IPS).

Activity

1. On your computer, open another web browser window and log in to the Cisco Meraki
Cloud Dashboard at the URL that you can find in Job Aids. Use the Username and
Password that are provided in Job Aids.
 2. Choose your LABn dashboard network from the Network drop-down list in the top-left
corner of the page.

3. Layer 7 firewall rules can be configured on the Cisco Meraki MR wireless APs and the
Cisco Meraki MX security appliances. These firewall rules allow you to deny certain
types of traffic based on traffic type. Most firewall rules only inspect headers at Layers
3, 4, and 5, but a Layer 7 rule inspects the packet based on known traffic types. You
will configure a Layer 7 rule to deny specifically BitTorrent traffic.

On your Cisco Meraki MX security appliance, choose Security & SD-WAN > Configure >
Firewall to create a Layer 7 firewall rule to completely block peer-to-peer traffic, specifically
targeting BitTorrent.
 4. Click Add a Layer 7 firewall rule.

Choose Peer-to-peer (P2P) in the Application column, and then choose BitTorrent in the next
drop-down list. (Notice that the Policy is set to Deny.)
 5. If a box appears in the lower-right part of the screen alerting you that you have
unsaved changes, click Save. If it does not appear, scroll down to the bottom of the
web page and click Save Changes.

Per-client Bandwidth

Another feature of the Cisco Meraki MX appliance is the ability to force a per-client bandwidth.
Next, you will enforce a per-client bandwidth limit of 5 Mbps.

6. In the navigation menu, choose Security & SD-WAN > Configure > SD-WAN & traffic
shaping. Scroll down the page to the Global bandwidth limits and drag the slider for
the Per-client limit to 5 Mbps.
 7. If prompted, save changes, but do not leave the SD-WAN & traffic shaping page.

Traffic-Shaping Rules

The traffic-shaping feature set can be used to prioritize traffic in several ways. You will limit
Netflix and Pandora globally with a less than average prioritization, and prioritize all voice and
video conferencing traffic.

8. Scroll down the page to Traffic shaping rules. Click Create a new rule, and then click
the Add+ button to open a scrolling list.
 9. Choose Video & music from the list. To add a new traffic-shaping rule for Netflix and
Pandora, choose both Netflix and Pandora.

Note

You may have to move your web page down to see the box that appears.

Click within the page to the right of the box to close the list.

10. For the more granular Bandwidth limit settings, click Choose a limit from the drop-
down list, and click the word details.
 11. This action will open the down (Kb/s) and up (Kb/s) limits. Choose a limit of 1000 for
down (Kb/s) and 500 for up (Kb/s) for this rule. Finish the configuration by choosing
Low for the Priority field.

You will repeat the process for a new shaping rule for all VoIP and video conferencing.

12. To create a separate traffic-shaping rule for all VoIP and video conferencing, click Add
a new shaping rule followed by the Add+. Choose VoIP & video conferencing from the
list, followed by All VoIP & video conferencing in the box that appears on the right.

Click within the page to the right of the box to close the list.
 13. For this rule, for the Bandwidth limit, choose Ignore network per-client limit
(unlimited), and for the Priority field, choose High.

Finally, scroll down to the bottom of the web page and select Save Changes.

Content Filtering

Content filtering allows you to block certain categories of websites based on your
organizational policies. You can also block or permit individual websites for additional
customization.
 14. You want to block any website that is categorized as adult and pornography. Choose
Security & SD-WAN > Configure > Content filtering to enable content filtering for your
Cisco Meraki MX appliance. To add Adult and Pornography as a website category that
will be blocked, in the Category blocking > Content categories drop-down list, choose
Adult and Pornography.

15. If prompted, save changes.

Cisco AMP and IPS

Two other important security features are Cisco AMP and IPS.

Cisco AMP is an industry-leading, anti-malware technology that will analyze HTTP-based file
downloads based on the disposition that is received from the Cisco AMP cloud. If the Cisco
Meraki MX appliance receives a disposition of malicious for a file download, it will be blocked.
If the MX receives a disposition of clean or unknown, the file download will be allowed to
complete. If the Cisco AMP cloud can determine that a downloaded file is malicious after it is
downloaded, it will automatically notify the Cisco Meraki dashboard administrator that a
malicious file has been downloaded. To use Cisco AMP, it simply needs to be enabled in the
Cisco Meraki dashboard. You will enable Cisco AMP shortly.

Cisco Meraki dashboard also has the ability to configure Intrusion Detection System (IDS) or
Intrusion Prevention System (IPS) operations.

You can enable intrusion detection by selecting Detection in the Mode drop-down list under
Security & SD-WAN > Configure > Threat protection > Intrusion detection and prevention.

You can choose from three distinct intrusion detection rulesets using the Ruleset selector:

 Connectivity: This ruleset contains rules from the current year and the previous two
years for vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of
10.

 Balanced (default): This ruleset contains rules that are from the current year and the
previous two years, are for vulnerabilities with a CVSS score of 9 or greater, and are in
one of the following categories:

1. Malware-Command and Control (CNC): This category includes rules for known
malicious command and control activity for identified botnet traffic. This
includes Call Home, downloading of dropped files, and exfiltration of data.

2. Block list: This category includes rules for Uniform Resource Identifiers (URIs),
user agents, DNS hostnames, and IP addresses that have been determined to
be indicators of malicious activity.

3. SQL Injection: This category includes rules that are designed to detect SQL
Injection attempts.

4. Exploit-kit: This category includes rules that are designed to detect exploit kit
activity.

 Security: This ruleset contains rules that are from the current year and the previous
three years, are for vulnerabilities with a CVSS score of 8 or greater, and are in one of
the following categories:

1. Malware-CNC: This category includes rules for known malicious command and
control activity for identified botnet traffic. This includes Call Home,
downloading of dropped files, and exfiltration of data.

2. Block list: This category includes rules for URIs, user agents, DNS hostnames,
and IP addresses that have been determined to be indicators of malicious
activity.

3. SQL Injection: This category includes rules that are designed to detect SQL
Injection attempts.

4. Exploit-kit: This category includes rules that are designed to detect exploit kit
activity.

5. App-detect: This category includes rules that look for and control the traffic of
certain applications that generate network activity.
You can enable intrusion prevention by selecting Prevention from the Mode drop-down list
under Security & SD-WAN > Configure > Threat protection > Intrusion detection and
prevention. Once enabled, traffic will be automatically blocked by best effort if it is detected as
malicious based on the intrusion detection ruleset specified.

The IPS feeds all packets that flow between the LAN and Internet interfaces and between
VLANs through the Snort intrusion detection engine. The IPS will block all traffic that is
identified as malicious. The Cisco Meraki dashboard also allows an administrator to configure
the ruleset that the Snort engine will use. You will configure the IPS to use the balanced
ruleset.

16. Choose Security & SD-WAN > Configure > Threat protection.

You will configure Cisco AMP and turn on the IPS by using and enforcing a balanced ruleset.

17. To turn on Cisco AMP, choose Enabled in the drop-down list. Next, choose Prevention
in the Mode drop-down list and choose Balanced as the Ruleset.

Scroll down to the bottom of the web page and click Save Changes.
Configure Auto VPN and Redundancy

You will continue the configuration of the Cisco Meraki MX security appliance by enabling Auto
VPN to execute a scalable VPN deployment. Auto VPN securely connects locations with IPsec
VPN tunnels using a mesh or hub-and-spoke topology. You will use Auto VPN to connect the
lab network (spoke) to two remote data centers (hubs).

The remote data centers each consist of a Cisco Meraki MX security appliance that is
configured in VPN concentrator mode. The VPN tunnels are configured as full tunnels to the
data centers. To configure these tunnels, simply check the Default route box for each hub.

Connectivity to the data centers is verified by pinging IP addresses on the data center subnets.
If the VPN configuration is correct, the pings should be successful.

Activity

As an organization's network architecture expands, it is typical to roll out a scalable VPN

deployment using the Auto VPN ability of the Cisco Meraki MX platform in a hub-and-spoke
topology.

1. To enable Auto VPN, from the navigation bar, choose Security & SD-WAN > Configure
> Site-to-site VPN. Then, for the Type, click the Spoke option for this particular Cisco
Meraki MX appliance.
 2. Click Add a hub. An option appears as either SF Data Center or NY Data Center. To
easily prioritize the option, choose it first. In your case, first choose the NY Data Center
location as the primary hub, then click Add a hub again, and the second data center
should populate.

Note

Hint: You can drag and drop to rearrange your hubs, with the one at the top having higher
priority and acting as the primary.
 3. Make sure that a full tunnel VPN is established by checking the Default route check
boxes for both data center hubs.

4. Next, scroll down to VPN settings and enable VPN only for the Corp and Voice
networks/subnets by choosing VPN on in the VPN participation drop-down list.

5. Click Save, to save your configuration.

Verify the VPN Configuration

Note

Wait a few minutes before performing the verification pings in the following instructions. You
have to allow time for the Cisco Meraki MX security appliance to update and synchronize its
configurations with the Cisco Meraki dashboard and allow the VPN information to be
propagated to the cloud VPN registry.
You will verify that you now have connectivity to all three data center subnets with successful
pings:

 Shared subnet (10.0.250.0/24): 10.0.250.1

 Data Center 1 subnet (10.0.251.0/24): 10.0.251.1

 Data Center 2 subnet (10.0.252.0/24): 10.0.252.1

6. From the navigation bar, choose Security & SD-WAN > Monitor > Appliance status.

7. Click the Tools tab. Next, ping the first of the three IP addresses (10.0.250.1). Enter
10.0.250.1 in the box at the top of the page and click Ping. Notice that the ping starts.

8. Notice the Loss ratio and Average latency.

 9. Repeat this process by adding the IP addresses 10.0.251.1 and 10.0.252.1 and clicking
Ping.

Secure and Shape Guest Wireless Access

You will lock down the Guest SSID and apply a bandwidth limit to every client device that
connects. You want to ensure that your wireless guest users have no way of accessing any of
the internal local network resources, and you also want to restrict their overall network
utilization.

Activity

First, you will deny client access to the local LAN. A default rule is created for every SSID. The
rule cannot be deleted. You can configure it as allow or deny. This rule acts as an access
control list (ACL) that allows or blocks traffic that is destined for any private IP address in the
RFC 1918 address space.

1. Choose Wireless > Configure > Firewall & traffic shaping. Next, from the SSID drop-
down list, choose Guest.
 2. In the Layer 3 firewall rules table, change the Policy to Deny for Local LAN in the
Destination column to deny access for all wireless clients that might try to access the
LAN.

Your company has decided to add three separate and unique Layer 7 firewall rules to block the
following application and content categories: peer-to-peer (all types), file sharing (all types),
and gaming (all types). Your company has also decided to limit per-client bandwidth on the
guest SSID to 1 Mbps up and down, but per-SSID bandwidth is unlimited.

3. To begin adding rules, scroll to Block applications and content categories, and click
Add a layer 7 firewall rule.

4. Block the following application and content categories:

o Peer-to-peer (P2P) (all types)

o File sharing (all types)

o Gaming (all types)

Note

After each application is configured, click Add a layer 7 firewall rule to add another rule until
all three rules are configured.
 5. Finally, scroll down to Traffic shaping rules, and adjust the Per-client bandwidth limit
to 1 Mbps while leaving the Per-SSID bandwidth limit at unlimited.

6. Click Save.

Enable and Configure Routing on the Switch

You will configure switch virtual interfaces (SVIs) and OSPF routing on your Cisco Meraki MS
switch. An OSPF adjacency is formed on the private network. Assume that the private network
is a Multiprotocol Label Switching (MPLS) network that has been created. This MPLS private
network simulates a direct connection back to the shared data center subnet.

While creating the first SVI on the switch, the dashboard will ask for a next-hop IP. This IP is
used to create a default route that is required to define any SVIs. This IP is only requested on
the first SVI creation. After enabling these SVIs, OSPF is enabled on two interfaces: the existing
SVI and port 24. This task only covers basic, single-area OSPF, so most of the parameters are
left unchanged.
OSPF functionality is verified by checking the OSPF neighbor table and running a ping to IP
addresses in the data center subnets. After a successful ping from the switch is achieved, Auto
VPN connectivity is tested by disabling port 24 on the switch, which brings down the OSPF
adjacency and forces the pings to use the default route on the switch pointing to the Cisco
Meraki MX appliance. After this ping succeeds, port 24 is re-enabled.

Activity

1. Before you enable and configure OSPF routing on your network, you will first need to
add some Layer 3 interfaces. From the navigation bar, choose the Switch > Configure >
Routing and DHCP.

Interface Information

Next, you will create the following interfaces. (Pay attention to the use of your LABn number
here; n is your lab number. For example, for LAB1, n is 1.)

Switch: (your switch) Switch: (your switch) Switch: (your switch)

Name: Corp Name: Legacy Name: OSPF

VLAN: 10 VLAN: 150 VLAN: [600 + n]

Subnet: 10.0.[10 + Subnet: 10.0.[150 + n].0/24 Subnet: 192.168.[100 +

n].0/24 n].0/24
Interface IP: 10.0.[150 + n].1
Interface IP: 10.0.[10 + Interface IP: 192.168.[100
Multicast routing: Disabled
n].201 + n].[n]
DHCP settings: Run a DHCP server (use
Default Gateway: 10.0. Multicast routing: Disabled
default settings)
[10 + n].1
DHCP settings: Do not
OSPF settings: Disabled
Multicast routing: respond
Disabled

DHCP settings: Do not

OSPF settings: Disabled
respond

OSPF settings: Disabled

2. Click the CREATE INTERFACE button to create the Layer 3 interfaces listed in the
previous table. Fill in the information from the table for each of the interfaces.

Start with Corp. (Note that in this example, LAB1 was used, so all the addresses will match
where n=1. You will need to adjust for your lab number n.)

When you have finished creating the interface, click Save at the bottom of the page.
 3. Next, click Add in the top right of the page. Now, continue filling in the information
from the Interface Information table for the other interfaces, Legacy, and OSPF.

Note

Each time, click Save, and then click Add, until you have added all three interfaces.

Note

Note that in this example, LAB1 was used, so all the addresses will match where n=1. You will
need to adjust for your lab number n.

Note
The IP addressing for your pod may differ from the screenshot.

4. The table should eventually look like the following figure:

5. In the navigation bar, choose Security & SD-WAN > Configure > Addressing & VLANs.
 6. Scroll down to Routing, and then down to Static routes. Click Add Static Route.

7. Use the following settings:

o Enabled: Enabled

o Name: Route to Legacy

o Subnet: 10.0. [150 + n] .0/24

o Next hop IP: 10.0. [10 + n] .201

o Active: Always

o VPN mode: Enabled

When you are done, click Update in the bottom right. Finally, click Save.

8. You should now see your Route to Legacy route appear in the Static routes on the
Cisco Meraki MX appliance.

9. You will now configure port 24 of your switch as an access VLAN to connect with OSPF.
Choose Switch > Monitor > Switch ports.
10. Find port 24 (you may have to use the numbers on the lower right to move between
pages, alternatively, depending on sort order, port 24 may be listed near the top of
page 1).

11. Check the box for port 24 and click Edit near the top of the page (or you can select the
port directly).
 12. Change the Type to Access and configure it in VLAN [600 + n]. Click Update. You will
see a green box confirming that your changes are saved.

Note

The VLAN number for your pod may vary from the screenshot.
 13. You are now ready to configure OSPF routing. Choose Switch > Configure > OSPF
routing on your switch, and in the OSPF field, choose Enabled.

OSPF Configuration

Once you have enabled OSPF, proceed with the following configuration.

14. Under Areas, click Add an area. Create new Area using the following parameters:

o ID: 0

o Name: Backbone

o Type: Normal

Click Save, to implement the changes.

15. Under Interfaces, check the boxes for the Legacy and OSPF interfaces and click Bulk
Edit.
16. Since you will not be doing any summarization, there is no need to configure multiple
OSPF areas. Make sure that the Area shows 0:Backbone, Cost of 1, and No for Passive,
and then click Update 2 interfaces.

17. Under Static Routes, check the Default route check box, and then click Bulk Edit.

18. Ensure that the default route is not being advertised via OSPF. Choose Yes for Prefer
over OSPF routes? By default, an OSPF route will be preferred over a static route
unless you choose Yes to prefer static routes over OSPF routes, and then click Update
1 static route.
 19. Your screen should look like the following figure.

Note that you should now see the Preferred over OSPF routes option set to Preferred.

Finally, save changes.

Verify the Routing Configuration

20. Navigate to your Cisco Meraki MS switch by choosing Switch > Monitor > Switches.

21. Choose the name in the Name field. (In this example, you are using MS [1], but you
will replace the number 1 with your lab number n.)
22. Hover the mouse over port 24 of your switch and make sure that it appears green with
the Access port on VLAN 600 + n (where n is your lab number n).

23. Click the L3 routing tab. Scroll down to the bottom of the page and confirm that the
address 10.0.250.1 is in the OSPF neighbors table.

24. Click the Tools tab. Choose the Legacy Source Interface (10.0. [150 + n] .1) and enter
the shared Data Center IP 10.0.250.1 and click Ping. The ping should be successful.
25. Now, click Summary.

26. Click port 24 and then click the Pencil icon next to Configuration.

27. Disable the port by changing the Port enabled field to Disabled, and then click Update.
28. If you hover your mouse cursor over port 24, you should now see that it is displayed as
Disabled.

29. Click the L3 routing tab. Scroll down to the bottom of the page and look for 10.0.250.1
in the OSPF neighbors table.
Note

If the neighbor still shows as being present, wait 30 seconds, then press the refresh icon. Do
not move on until the neighbor disappears. Keep waiting and pressing the refresh icon until
the neighbor disappears. If you do not see an OSPF neighbor, be sure to verify your IP
addressing matches your LabX number and your VLAN also matches your LabX number.

30. Click the Tools tab again. Choose the legacy Source Interface (10.0. [150 + n] .1), enter
10.0.250.1, and click Ping. The ping should be successful.

31. Why can you still reach the subnet?

The static route that you created earlier allows the 10.0. [150 + n].0/24 (where n is your pod
number) traffic to be known across the Auto VPN networks, so you can still communicate with
the data center network so long as your connection via your Cisco Meraki MX is still enabled.
32. Now re-enable port 24. Click Summary. Choose port 24 and then click the Pencil icon
next to Configuration.

33. Enable the port by changing the Port enabled field to Enabled, and then click Update.
 34. Ensure that port 24 is Enabled by hovering your mouse cursor over port 24.

Configure SD-WAN

This task uses the traffic-shaping and SD-WAN feature sets on the Cisco Meraki MX security
appliance. All Cisco Meraki MX security appliances support two wired uplinks for failover and
load balancing.
On the Cisco Meraki MX security appliance, bandwidth limits can be applied to an uplink, to
each individual client device, or to specific types of traffic. In this task, a bandwidth limit is
applied to each uplink. These limits are global and apply to all traffic that passes through the
uplinks.

When load balancing is enabled on the Cisco Meraki MX appliance, traffic flows will be
distributed across the two uplinks. In addition to enabling load balancing, you will create an
Internet flow preference. Internet flow preferences act as exceptions to the primary uplink
that is set or to load balancing if it is enabled. The purpose of the Internet flow preference
here is to force all guest traffic to use the WAN 2 uplink.

You will create three SD-WAN policies. SD-WAN policies are used to ensure that specific VPN-
bound traffic will always traverse the optimal path. The criteria by which the Cisco Meraki MX
appliance chooses the optimal path can be defined in custom performance classes. Custom
performance classes enable the administrator to define the thresholds at which traffic will fail
over to the alternate uplink based on packet loss, latency, and jitter values. After a custom
performance class is defined, a policy can be configured that maps this class to a traffic
definition. Two of the SD-WAN policies will use a custom performance class and one will use a
predefined performance class.

After the SD-WAN policies are configured, you will verify their functionality by initiating a ping
and using the Uplink Decision section of the VPN Status page to verify the uplink on which the
traffic flow is placed and the policy that the traffic matches.

Activity

SD-WAN offers many features that can be enabled immediately across all Cisco Meraki MX
devices.

1. Choose Security & SD-WAN > Configure >SD-WAN & traffic shaping.
 2. Now you will configure the actual different uplink bandwidths of the two WANs. Use
the sliders to adjust the uplink limit to 10 Mbps for WAN 1 and 5 Mbps for WAN 2.

Note

You may think it is unusual to limit your WAN links, but you are doing so because you are
turning on load balancing. The algorithm will take these values into account when load
balancing, to distribute the load based on the ratio. In the real world, you can also limit these
links so that you do not exceed SLAs for WAN links.

Save your changes.

3. Because you have two uplinks, you will also want to take advantage of those
connections by enabling load balancing on your Cisco Meraki MX security appliance.
 Scroll to Uplink selection. Under Global preferences, turn on Load balancing by
clicking the Enabled button.

The first flow preference to configure is a rule for Internet traffic. Your networking team wants
to implement this rule to require all guest VLAN Internet traffic to traverse outbound only
across your ISP connection on WAN 2.

4. Under Flow preferences, look for Internet traffic and click Add a preference.

5. Configure this preference by choosing Any in the Protocol column. In the Source
column, enter 10.0. [100 + n] .0/24, which is the guest subnet VLAN. In the
Destination column, enter Any. Finally, choose WAN 2 as the Preferred uplink.

VPN Traffic Rules

You will now create a few VPN traffic rules. The first rule will use the custom performance class
that you created previously. This rule will define how to treat outbound traffic that is destined
for 8.8.8.8 (Google Public DNS), which should prefer WAN 2 unless it is worse than Acceptable
Delay.

6. Under SD-WAN policies, look for Custom performance classes and choose Create a
new custom performance class.

7. Name the class Acceptable Delay. Set the performance Maximum latency to 200 ms
and click Save. This custom performance class will help your Cisco Meraki MX
appliance decide how to dynamically direct (or redirect) traffic based on network
conditions.

Note

After you create this custom performance class and save it, refresh your dashboard browser
window before proceeding.

8. Under SD-WAN policies, look for VPN traffic and click Add a preference. Then, click
Add + .
 9. When prompted, use Custom expressions to define the following parameters for your
traffic filter:

Traffic Filter (Layer 3) Policy

Protocol Any Preferred uplink WAN2

Source Any (Src port: Any) Failover if Poor performance

Destination 8.8.8.8/32 (Dst port: Any) Performance class Acceptable Delay

Note

When you choose Any for the source port, you simply choose the option Any. However, when
you enter the IP address 8.8.8.8/32 for the destination port, you must click the Add button to
add that IP address to the filter.

After defining the custom expression parameters for your traffic filter, click the Add expression
button to save and define the Policy portion of your SD-WAN policy. Also, if you are not seeing
the Acceptable Delay performance class, go back to the previous step to make sure you have
created and saved it.

Click Custom expressions. Choose Any for the Protocol, Any for the Source (leave Any as the
Src port), and enter 8.8.8.8/32 as the Destination (leave Any as the Dst port).
 10. The configuration should look like the following figure. If it does, click Add expression.
If it does not, click the x in the top right-hand corner and re-create the configuration.

You may have to click to move off the policy configuration. Be careful here because if you click
the background, the policy will cancel. It is easiest to click the words “Uplink selection policy”
to move on.
 11. Next, under Policy, choose WAN 2 as the Preferred uplink, choose Poor performance
as the Fail over if option, choose Acceptable Delay as your Performance class, and
then click Save.

Note

Note that the Acceptable Delay policy was created earlier. If you do not see it as an option, go
back and re-create it.

12. The policy should be displayed as follows:

13. A second policy will also take advantage of the Acceptable Delay custom performance
class, but this time, it will ensure that any traffic from the Corp subnet (10.0. [10 +
n] .0/24) should load balance on uplinks that meet the Acceptable Delay metrics.

Traffic Filter (Layer 3) Policy

Protocol Any Preferred uplink Load balance

10.0. [10 + n].0/24 (Src On uplinks that meet Acceptable

Source
port: Any) performance class Delay
 Traffic Filter (Layer 3) Policy

Destination Any (Dst port: Any)

Note

If you are not able to choose the Load Balance option, make sure you have enabled Load
Balancing under the Global Preferences section.

Click Add a preference and then repeat the process that you performed earlier, but this time,
add the new policy from the table above. (Here, LAB1 was used as an example. You will replace
the value n with your lab number.)

Save your changes.

When you are finished, your new policy configuration should look like the following figure.

14. Once you have saved your changes, the policies should be displayed as follows:

15. Finally, a third policy should ensure that any traffic from the Voice (10.0. [30 + n] .0/24)
subnet should use the best uplink for VoIP.

Traffic Filter (Layer 3) Policy

Protocol Any Preferred uplink Best for VoIP

Source 10.0. [30 + n].0/24 (Src port: Any)

Destination Any (Dst port: Any)

Click Add a preference and repeat the same process that you used for the first two policies,
but this time, add the new policy from the table above. (Here, LAB1 was used as an example.
You will replace the value n with your lab number.)

Save your changes.

When you are finished, your new policy configuration should look like the following figure

16. Once you have saved your changes, the policies you configured should be displayed as
follows.

Verify the SD-WAN Configuration

17. Navigate to the Tools tab of your Cisco Meraki MS switch and, within the Ping menu,
choose 10.0. [10 + n] .201 as the Source interface. Enter 8.8.8.8 and click Ping (let this
ping run for at least 15 seconds).

18. From the navigation bar, choose Security & SD-WAN > Monitor > VPN status.
 19. Scroll down to the Uplink decisions table. You should be able to see the ping traffic
(Internet Control Message Protocol [ICMP] packets to 8.8.8.8 as the Destination) with
WAN 2 as the corresponding interface in the Uplink decision column.

Note

If you are unable to see the expected uplink decision, please assure that configured SD-WAN
rules apply to all traffic, and not just to TCP or UDP protocols.

The Uplink decision table may need some more data to show these ICMP entries. You may
need to run the ping test several times.

20. In the Uplink decisions table, click WAN 2 in one of the rows containing an entry for
traffic that is destined for 8.8.8.8.
 21. You should then be taken to a page that shows the Latency, Jitter, Loss, and MOS data
for this particular traffic flow outbound from your Cisco Meraki MX security appliance.
You can hover your cursor over the results to see more metrics.

Note

Please be patient, it may take more than several minutes for results to appear.

Lab 3: Troubleshoot the Network Using the

Cisco Meraki Dashboard
Introduction

Your main objective is to perform root cause analysis and troubleshoot issues. These exercises
are based on some of the most frequently reported problems that the Cisco Meraki Support
Team encounters. By successfully resolving these complications directly within the dashboard,
you will be well equipped to quickly solve them in real-world deployments.
Topology

Troubleshoot a Network-Down Situation

Scenario

Your company recently onboarded a new IT administrator who was tasked with enhancing
network security for your organization. You come into the office one morning and find that all
your equipment is reporting offline from the dashboard except for your Cisco Meraki MX
security appliance.

Activity

First Objective

The first stage of troubleshooting is to view the topology and determine if you see any traffic
from the downstream network arriving on your Cisco Meraki MX security appliance. Using the
packet capture tool, verify that your Cisco Meraki MX security appliance is seeing traffic from
the downstream equipment, and make sure that return traffic is being sent.

1. On your computer, open another web browser window and log in to the Cisco Meraki
Cloud Dashboard at the URL that you can find in Job Aids. Use the Username and
Password that are provided in Job Aids.
 2. Choose your LABn dashboard network from the Network drop-down list in the top-left
corner of the page.

3. From the navigation bar, choose Network-wide > Monitor > Topology.

You will see that your MX appears green, your switch appears red, and your AP either appears
red, or does not appear at all!

Note

Your layout may vary, but you should see your MX as green, and your switch as red.
4. Go back to the navigation bar, choose Network-wide > Monitor > Packet capture.
5. Configure the following settings in the packet capture tool:

Packet Capture: for security appliances

Security Appliance: MX[n]

Interface: LAN

Output: View output below

Duration: 60

Verbosity: High

Filter Expression: <None>

o At the top of the tool, verify that the capture is set to run for security
appliances in the drop-down list.

o Set the Interface to LAN and set the Output to View output below.

o Set Verbosity to High and then click Start capture.

o In the output, you should see traffic from downstream devices arriving on the
Cisco Meraki MX security appliance but no responses coming back.

1. For example, you see traffic flowing from 192.168.128.3 to 8.8.8.8, but
no return traffic.
Second Objective

After investigating the packet capture, you will see traffic from the downstream switch and AP,
but no return traffic is being sent. The Cisco Meraki MX security appliance is online and
functioning, so it seems that some configuration on the appliance is causing this issue. Your job
is to remove any configurations that might prevent this traffic from flowing properly.

6. From the navigation bar, choose Security & SD-WAN > Configure > Firewall.

Review the configuration. Does anything look incorrect?

Note

You will notice that a deny all rule is configured, which is incorrect.
 7. Under Actions, click X to remove the firewall rule that is blocking traffic from all
downstream devices.

8. Save changes.

Note

Do not move on to the next steps until you see that your switch is no longer showing as red. It
will either become green, or appear yellow.

Troubleshoot an Offline Device

Scenario

After resolving the previous scenario, your switch is back online, but you have been notified
about a section of a building for which wireless seems to still be completely unavailable. No
infrastructure outages such as electrical issues have been reported, and you can assume that it
is not due to faulty cabling or failed devices (Layer 1 issues).

Activity

First Objective

Start by checking the status of the Cisco Meraki MR AP. After looking in the Cisco Meraki
dashboard, you can easily see that the Cisco Meraki MR AP for that section of the building
seems to be offline. Assuming that it is not a wiring issue, determine the cause of the offline AP
and fix the issue. Your task is complete when your Cisco Meraki MR AP appears healthy (green)
in the dashboard and you can successfully ping the device from the Tools menu.

1. From the navigation bar, choose Wireless > Monitor > Access points.

You will see that your Cisco Meraki MR AP appears to be offline.

Note

The AP may appear as red, or may appear as completely unconnected. This is entirely normal,
and depends on how the “fault” was created for you to be able to troubleshoot. In either case,
the AP is not working, and you need to fix it!
 2. Go back to the navigation bar and choose Switch > Monitor > Switch ports.

Check the box for port 2 and click the Edit button near the top of the page.
3. You should see that this switch port (for your Cisco Meraki MR AP) and PoE have been
disabled. (You will need to scroll the page down to see the POE status.) Click Enabled
for both options, and click Update.

4. Wait several minutes and allow these configuration changes to go into effect (please
be patient and wait even if it seems to be taking a long time). Then, choose Wireless >
Monitor > Access Points to check your Cisco Meraki MR AP to make sure it is in good
health status.
 5. Choose your Cisco Meraki MR AP and confirm that it is reachable via the Tools tab
using Ping AP.

Second Objective

Once the Cisco Meraki MR AP is back online, look closely to ensure that everything is correct.
Go to the AP details page by choosing Wireless > Monitor > Access Points and choose your AP.
Scroll down the page while looking at the left side of the page. Are the firmware and the
configuration for the device both up to date? Find the Location tab and click Topology to see
how your AP is connected in your network stack. Is the AP online and healthy?

6. Scroll down the page and look for the FIRMWARE and CONFIG sections. They should
show Up to date.

Note

The specific version in use on your AP may show a different version number.

7. Choose the Location tab and then the Topology tab to see the topology view of your
AP, along with the other detected devices that are connected in your network.
Third Objective

Most Cisco Meraki MR APs also have a dedicated built-in third radio that can detect rogue
devices. Double check to make sure that no rogues were introduced to your network while
your AP was offline. Navigate to the wireless Air Marshal page and investigate the Rogue SSIDs
tab to see if any suspicious activity has been detected.

Note

If Air Marshal on your AP does detect and display activity, you will not take any action now.

8. From the navigation bar, choose Wireless > Monitor > Air Marshal.

9. On the Air Marshal page, choose the Rogue SSIDs tab to verify that no rogue SSIDs
have been detected.
Fourth Objective

You have configured the devices in your network to always upgrade and run the latest stable
firmware release. You also recognize that every upgrade requires the device to reboot and you
have strategically scheduled the maintenance windows during nonbusiness hours. Reconfigure
and properly set your network's local time zone so that it matches your current geographic
location.

10. From the navigation bar, choose Network-wide > Configure > General.

11. Scroll down to the Local time zone setting. Use the drop-down list and choose America
– Los Angeles (UTC -8.0) time zone for your local time zone, if it is not already
selected.
 12. If a box appears in the lower right of the screen alerting you that you have unsaved
changes, click Save. If it does not, scroll down to the bottom of the web page and click
Save Changes.

Troubleshoot Limited Network Access

Scenario

As the main IT administrator of your company, part of your day-to-day job is to ensure that
users can access the required resources with acceptable throughput. Recently, some new
companywide security and workplace productivity initiatives have been enforced. As a result,
corporate users are starting to complain about slow access from their laptops and an inability
to access certain websites.

Activity

First Objective

The first stage of your troubleshooting is to verify that none of your uplink connections to the
ISP have been modified incorrectly. Double-check that the WAN uplink bandwidths on your
Cisco Meraki MX security appliance (traffic shaping) have not been reduced. You also need to
confirm that your per-client bandwidth (global limit) is also still intact across your network.

1. From the navigation bar, choose Security & SD-WAN > Configure> SD-WAN & traffic
shaping.
2. Under Uplink configuration, verify that the WAN 1 and WAN 2 bandwidths have not
been modified and are still configured as 10 Mbps and 5 Mbps, respectively.

3. Next, scroll down to Global bandwidth limits and confirm that the Per-client limit is
still 5 Mbps.
Second Objective

After reviewing the settings, you reinvestigate and discover that the problem is only affecting
corporate employees who are connected to your corporate wireless network. You suspect that
the root cause of the throughput decrease may be due to some misconfiguration, such as
unintended traffic shaping on the AP.

4. Go back to the navigation bar and choose Wireless > Configure > Firewall & traffic
shaping.

From the SSID drop-down list at the top, confirm that Corporate is selected.

5. Scroll down to Traffic shaping rules. You will see that the Per-client bandwidth limit
has been modified. Reset this value back to unlimited using the slider.
Note

To display the slider, click simple.

6. Save changes.

Troubleshoot Wireless Reconfiguration

Scenario

After the initial wireless introduction across the company, you became aware of additional
requirements that should be enforced to help optimize the deployment. There were also some
network-specific changes that required reconfiguration to grant proper access and network
addressing to devices.

Activity

First Objective

A site survey showed that some adjustments to the RF are needed to optimize client
performance. Start by visiting the radio settings of your Cisco Meraki MR AP and looking
closely at the target power of the 2.4- and 5-GHz radios. These settings are already set to Auto,
which means the dedicated third radio of the Cisco Meraki MR AP will help dynamically adjust
the transmit power to improve performance. So, there is no need to make a change here. Your
next task is to reduce interference by performing a configuration change to the Corporate SSID
to allow only 5-GHz clients.

1. From the navigation bar, choose Wireless > Configure > Radio settings.
 2. Use the BAND drop-down list on the left to switch between the 2.4- and 5-GHz
spectrums.

For each spectrum, choose Target power (dBm) and observe the Transmit power setting of the
Cisco Meraki MR AP.

The Transmit power is set to Auto for both spectrums. Click cancel to close the pop-up box.
3. Next, click RF profiles.

4. On the right side, in the Basic Indoor Profile, click the Edit button .
 5. Under General > General > Band Selection > All SSIDs, check Enable 5 GHz band only.
Save changes.

Note

Assume that all client devices running voice applications, can operate on 5 GHz.

Second Objective
Your network team has informed you that wireless clients on the Corporate SSID are being
assigned IP addresses from the wrong IP subnet. This situation is not desirable because shared
devices or statically addressed assets (such as printers and display boards) that connect to this
SSID are not properly functioning. They should be receiving DHCP addresses from VLAN 10.

6. Go to the navigation bar and choose Wireless > Configure > Access control.

From the SSID drop-down list at the top, ensure that Corporate is selected.

Note

If at the top of the page, you see a notification to switch to a new version, make sure to click
the new version option

7. Ensure that devices and clients that connect to the Corporate SSID receive DHCP leases
from the LAN (or use static IP addresses). Choose under Client IP and VLAN and the
radio button for: External DHCP server assigned to use Bridge mode.
 8. The other requirement for this objective is to ensure that wireless clients receive IP
addresses from the Corporate VLAN (VLAN 10). Under Client IP and VLAN, set the
VLAN tagging to Enabled and in the VLAN ID box enter 10 as the VLAN ID. Save
changes.

Third Objective

You have been instructed to reassign your Cisco Meraki MR APs to the corporate VLAN
because the address it originally received from the network was from the native VLAN. You
must configure the wired network correctly to assign an IP address to the Cisco Meraki MR AP
from the corporate VLAN (10) via DHCP. Most importantly, you may not manually assign a
static IP address to the Cisco Meraki MR AP in this deployment.
9. From the navigation bar, choose Wireless > Monitor > Access points. Then, choose
your AP.

10. Scroll down to view the LAN IP. Click the Pencil icon next to LAN IP, enter 10 in the
VLAN field, and Click Save.

11. Go to the Tools tab of your Cisco Meraki MR AP and click Reboot AP. Then, click
Reboot Now.
 12. Wait 2 to 3 minutes to allow the Cisco Meraki MR AP enough time to reboot. Once it is
back online, in the navigation bar, choose Wireless > Monitor > Access points.

13. You should notice that the AP is displaying a yellow warning. Choose your AP.

The warning indicates that the AP is using the wrong DHCP address.
14. From the navigation bar, choose Switch > Monitor > Switches. Then, choose your
switch.

15. Choose Port 1 (the uplink port). You will see that VLAN 10 is not present, which
prevents the AP from getting a DHCP address on that VLAN.
 16. Click the Pencil icon for port 1.

Modify the Allowed VLANs to allow VLAN 10 over the uplink, by changing the Allowed VLANs
field to all. Click Update.
17. Reboot the AP again. Wait several minutes to allow the Cisco Meraki MR AP enough
time to reboot. Once it is back online, you should see that it reports green and healthy
with a DHCP address from VLAN 10.
Lab 4: Configure Tags, Link Aggregation,
Port Mirroring, and High-Density SSIDs
Introduction

You will be focusing on creating, applying, and verifying device and switch port tags on Cisco
Meraki MX, MS, and MR devices. You will also configure and verify an EtherChannel bond
between two switch ports and configure a switch port to mirror another switch port for
monitoring purposes. Finally, you will configure a Service Set Identifier (SSID) to include a high-
density design and configuration.

Topology

Create Device and Switch Port Tags

Activity

1. On your computer, open another web browser window and log in to the Cisco Meraki
Cloud Dashboard at the URL that you can find in Job Aids. Use the Username and
Password that are provided in Job Aids.
2. You will automatically be dropped into the Camera network. In the top-left corner of
the page, click the down arrow next to Cameras, and choose your LABn network from
the Network drop-down list.

3. From the navigation bar, choose Switch > Monitor > Switches.
4. Once the Switches window opens, check the check box next to your Cisco Meraki MS
switch. To add or remove tags, click Edit, and from the drop-down list, choose Tag.
 5. In the Add field, enter IDF, and press Enter. If you already see the tag, be sure it’s
selected to complete the process.

Note

IDF stands for Intermediate Distribution Facility, which is the location where the network
connection is distributed in the building.

6. Now, you will add a tag to an AP. Choose Wireless > Monitor > Access points and
repeat the process of tagging this device, using the tag LOBBY.

First, check the check box next to your Cisco Meraki MR AP. In the Edit drop-down list, choose
Tag. Next, add LOBBY and save.

Note

After adding LOBBY, do not forget to click outside the box and the Save button.
7. Now, choose Switch > Monitor > Switch ports and check the check boxes next to ports
3 and 4.
 8. Click Edit to open additional options.

Once the update window appears, position your cursor inside the Tags field, enter tag name
BONDED, and press Enter. The tag should now appear. Click Update to complete the process.

Note

Do not change any other port settings.

You are adding this tag to ports 3 and 4 since they will be later configured for link aggregation.

Tags option is at the bottom of the screen that opens. Depending on your screen resolution,
you may have to scroll down the page to see it. The scroll bar may not show, depending on
your browser selection.
Verification

9. While you are on the Switchports page, click the Wrench (Tools) icon in the top right.
Check the Tags check box to show the Tags column.

Note
To close the listing, click the page behind it.
Configure Link Aggregation

Activity

1. From the navigation bar, choose Switch > Monitor > Switch ports.

2. Check the check boxes next to ports 3 and 4 and click Aggregate to create an
EtherChannel between these two ports.

Note that the ports will seem to disappear; they have been moved to the end of the display
list. You will also see a new Aggregation group appear as: AGGR/0.
Verification

3. When two (or more) ports are configured as an EtherChannel, the switch ports list will
show only one entry for the two ports.

By choosing this entry, a port page will open. Under Configuration information for this port,
the field Aggregation group will list multiple ports.

To see these ports, choose number 3 at the bottom of the page to move to page 3 of the
Switchports listing.

Note

The maximum number of switch ports that you can aggregate is limited to eight ports. If more
than eight ports are selected, the Aggregate button becomes inaccessible.

Configure Port Mirroring

Port mirroring allows capturing switch packets seen on one or multiple ports via another,
mirrored, port. This method, also known as Switched Port Analyzer (SPAN), is mostly used
when traffic flows need to be recorded. An example would be VoIP calls archiving for training
purposes or compliance.

Activity

1. From the navigation bar, choose Switch > Monitor > Switch ports.
 2. Check the check box next to port 5 and click Mirror. The Create Port Mirror page
appears. In the Select destination port field, choose port 6 of your switch and then
click Create Mirror to save and complete the process.

Verification
 3. In the table listing all the switch ports, click the Wrench (Tools) icon and include the
column for Mirror.

Note

You can choose multiple ports to configure to be mirrored to the same destination port. (Be
aware of oversubscribing the destination port.)
Design High-Density SSIDs

You will create an SSID and enable it for high density.

Activity

1. From the navigation bar, choose Wireless > Configure > SSIDs.

Note

When designing wireless, unless you have special requirements, a good best practice is to try
to limit the number of SSIDs to three, and ideally, no more than five. (This approach is
especially important for high-density wireless.)

2. In the Unconfigured SSID 4 column, use the drop-down list to change disabled to
enabled.
 3. Click rename. Change the name to HD-WiFi.

Click Save Changes at the bottom of the screen.

 4. Next, to modify the security, click edit settings. Choose Network access and click Pre-
shared key (PSK). Use Merak123$% as the password.

Note

Alternatively, you may choose Wireless > Configure > SSIDs to get to the same network access
security settings page.

This exercise is simply an example. In the real world, you would set the appropriate settings for
your network.
 5. Scroll down to Addressing and traffic. Click Bridge mode: Make clients part of the
LAN.

Note

Bridge mode is recommended for high density, because it provides seamless roaming.

If a box appears in the lower right of the screen alerting you that you have unsaved changes,
click Save. If not, scroll down to the bottom of the web page and click Save Changes.
 6. Scroll to Wireless options.

You are going to set an RF profile on the AP.

First, click the Go to Radio Settings button.

RF Profiles and Transmit Power Range

RF profiles provide more control over radio settings for APs within a specific network. Using RF
profiles, you can customize the RF settings and no longer need to manually make changes for
each AP.

You can select from five predefined RF profile templates or create your own profile from
scratch. The predefined RF profiles have their settings configured for typical auditoriums, open
offices, and outdoor coverage scenarios.

These five RF profile templates are available:

 Auditorium: This profile is designed for open auditorium deployments with many
devices. TX power is in the lower range.

 Classroom: This profile is designed for a medium number of devices in a classroom. TX

power is in the lower range.

 Open Office: This profile is designed for a medium number of devices in an open office
environment. TX power is in the medium range.

 Conference Room: This profile is designed for a medium number of devices in a

conference room. TX power is in the lower range.

 Outdoors: This profile is configured for outdoor deployments. TX power is in the high
range.

These templates are carefully configured to meet specific predefined environments. After
selecting a template, you can always update settings to match your specific needs in the
network.

The AutoTX Power feature tries to reduce the TX power uniformly for all APs within a network.
But in complex high-density environments, you may need to change the radio transmit power
range.
In this exercise, you will create a profile from scratch and examine the configuration options.
You will set the transmit power range to the values that are commonly applied to an open
auditorium with large number of devices.

7. Choose Radio settings > RF profiles and click New Profile. Next, click New Profile from
Scratch.

8. Under General, enter High Density Profile as the Profile name.

9. Scroll down to 2.4 GHz radio settings, and change the Radio transmit power range
(dBm) to the range 5 to 11. (Drag the circle and move the slide-bar to highlight these
settings.)
10. Scroll down to 5 GHz radio settings, and change the Channel width to Manual. Click
the 20 MHz (23 channels) button.

11. Scroll down to Radio transmit power range (dBm) and set it to the range 8 to 14.
(Drag the circle and move the slide-bar to highlight these settings.) Finally, save
changes.
12. You will return back to the Radio settings page. Choose Overview.

13. Check the check box for your AP, and choose Edit settings > Assign profile.
14. Choose the custom profile you just created, High Density Profile, and click Next.

15. Check all three check boxes and click Review changes. After observing, click Apply
changes.
16. From the navigation bar, choose Wireless > Configure > Firewall & traffic shaping.

17. Scroll down to Traffic shaping rules and set the Per-client bandwidth limit to 5 Mbps,
and click Enable SpeedBurst. Leave the Per-SSID bandwidth limit as unlimited. Save
the changes.
Lab 5: Establish Auto VPN

Introduction

You will configure the main subnet and configure Auto VPN.

Topology

Configure the Main Subnet and Configure Auto VPN

Activity

1. On your computer, open another web browser window and log in to the Cisco Meraki
Cloud Dashboard at the URL that you can find in Job Aids. Use the Username and
Password that are provided in Job Aids.

2. You will automatically be dropped into the Camera network. In the top-left corner of
the page, click the down arrow next to Cameras, and choose your LABn network from
the Network drop-down list.
3. Choose Security & SD-WAN > Configure > Addressing & VLANs.

4. Scroll down to the Routing section. Confirm that Single LAN is selected for LAN
settings and click the IP address that is shown for the LAN Config setting.
 5. Change the MX IP to 10.0.[100 + n].1 and the Subnet to 10.0.[100 + n].0/24 (replacing
n with your pod number). Then click Update. Scroll down and click Save.

Note

If prompted to confirm changes, click Yes to continue on the pop-up notification.

Note

The Subnets you see here may differ from the ones you see in your lab environment.

6. Choose Security & SD-WAN > Configure > Site-to-site VPN.

7. Click Spoke as the Type of site-to-site VPN. Then click Add a hub.

8. Choose SF Data Center – DC1 from the Hubs drop-down list (may already be the
default).
 9. Scroll down to VPN settings. Go to Local networks. In the VPN Mode column, choose
Enabled from the drop-down list.

10. If a box appears in the lower right of the screen alerting that You have unsaved
changes, click Save. If not, scroll down to the bottom of the web page and click Save
Changes.

You will see a green box confirming Changes saved.

Lab 6: Configure Virtual Interfaces and Routing on
Cisco Meraki MS Switches
Introduction

Now you will focus on configuring SVIs and OSPF routing on your Cisco Meraki MS switch.

While creating the first SVI on the switch, the dashboard will ask the administrator for a next-
hop IP address. This IP address is used to create a default route, which is required to define
any SVIs. This information is requested only for the first SVI creation.

Topology

Create SVIs

Activity

1. From the navigation bar, choose Switch > Configure > Routing & DHCP.
Create Interfaces

Next, you will create the following interfaces. Remember to use your Lab n number here—n is
your lab number, for example, for LAB1 n is 1:

Switch: (Your switch)

Switch: (Your switch)
Name: Management
Name: Corp
VLAN: 1
VLAN: 10
Subnet: 10.0. [100 + n] .0/24
Subnet: 10.0. [10 + n] .0/24
Interface IP: 10.0. [100 + n] .254
Interface IP: 10.0. [10 + n] .254
Default Gateway: 10.0. [100 + n] .1
Multicast routing: Disabled
Multicast routing: Disabled
DHCP settings: Run a DHCP server (use default
DHCP settings: Do not respond to DHCP settings)
requests

Switch: (Your switch) Switch: (Your switch)

Name: Voice Name: Guest

VLAN: 30 VLAN: 50

Subnet: 10.0. [30 + n] .0/24 Subnet: 10.0. [50 + n] .0/24

Interface IP: 10.0. [30 + n] . 254 Interface IP: 10.0. [50 + n] .254

Multicast routing: Disabled Multicast routing: Disabled

DHCP settings: Run a DHCP server (use default DHCP settings: Run a DHCP server (use default
settings) settings)

2. Click the CREATE INTERFACE button to create Layer 3 interfaces.

3. To create an interface, use the information provided previously in the section “Create
Interfaces” to populate all the necessary fields in the Interface editor.

Start with the Management interface.

Note

Note that in this example, LAB1 was used, so all the addresses will match where n=1. You will
need to adjust for your lab number n.
 4. When you have finished creating the interface, scroll down and click Save at the
bottom of the page.

Note

Always use the Save button and do not use the Save and add another button to avoid losing
some parts of the configuration.

5. Next, in the top-right corner, click Add to create a second interface.

 6. Continue filling in the information provided previously in the “Create Interfaces”
section for each of the other interfaces Corp, Voice, and Guest.

Each time, repeat the whole procedure, click Save, and then Add, until you have added all the
interfaces.
Your Interfaces table should eventually look similar to the following example with the
exception of your IP addressing matching your Pod number::

Turn On OSPF on the Cisco Meraki MS Switch

Activity

1. To enable OSPF on your switch, from the navigation bar, choose Switch > Configure >
OSPF routing.
 2. Change OSPF to Enabled and verify the default timer parameters:

o Hello: 10 seconds

o Dead: 40 seconds

Under the Areas section, click the button Add an area and enter the following parameters:

o ID: 0

o Name: Backbone

o Type: Normal

o Then click Save.

 3. Scroll down to Interfaces. Check the Management interface check box and click Bulk
Edit.

From the drop down list.Change the Area to be 0: Backbone, then set the following:

o Cost: 1

o Passive: No

Finally, click Update 1 interface. If you cannot enable OSPF on the interface, be sure you saved
your configuration in the previous step.

4. Verify that VLAN 1 Management Interface is configured for OSPF.

If a box appears in the lower right of the screen alerting you that You have unsaved changes,
click Save. If not, scroll down to the bottom of the web page and click Save Changes.

Examine the OSPF Configuration on the Cisco Meraki MS Switch

Activity

Note

There are many attributes that can be configured on a Cisco Mearki MS switch for OSPF. Here,
you will only examine some of them. You will not save these changes, but simply explore the
options that are available.

1. To examine OSPF settings on your switch, from the navigation bar, choose Switch >
Configure > OSPF routing.

2. First, observe the OSPF Hello timer and Dead timer.

Timers

The value that is configured for the timers must be identical for all participating OSPF
neighbors. If you are introducing a Cisco Meraki MS switch to an existing OSPF topology, be
sure to reference the existing configuration.

The two timers that are used in OSPF are as follows:

 Hello timer: This timer indicates the frequency at which the Cisco Meraki MS switches
send hello packets to OSPF neighbors to maintain connectivity.

 Dead timer: This timer value is used to determine when peers are declared “dead” or
no longer active.

3. Next, observe the different network type options under Type.

Area Types

Area types in OSPF are used to define the kinds of Link-State Advertisements (LSAs) that will be
found within an area and determine how the route table will be generated in each area.

Cisco Meraki MS switches support three area types:

 Normal areas: Normal areas allow for the creation of a full link state database on all
routers in the area. This database allows all routers in the area to know of all routes in
the AS. Normal areas are generally acceptable unless the network uses a router that
cannot run recalculations without slowing itself down.
 Stub areas: Stub areas are ideal for branch locations where not every route needs to
be advertised, so a default route to the core would suffice. Stub areas allow the Layer
3 switch to save resources and bandwidth by reducing recalculations and the number
of LSAs going over the wire.

 Not-so-stubby areas (NSSA): NSSAs are similar to stub areas, except they allow
external routes to be introduced to them from a local ABR. In this scenario, the Cisco
Meraki MS switch can inject outside routes into the NSSA, which will then pass them
on to the ABR.

4. Note that MD5 authentication can be configured, but there are no changes needed.

5. Finally, note that Static Routes can be advertised into OSPF.

6. Do not save any changes that you may have made.

Lab 7: Configure Routes and Redistribution
Introduction

Note

The OSPF and SVIs are configured on your Cisco Meraki MS switch. You will create a static
route for redistribution of local LAN subnets and enable remote routes advertisement for
OSPF.

Finally, you will verify OSPF functionality by checking the OSPF neighbor table and viewing the
learned routes.

Topology

Create a Static Route for Redistribution

Activity

1. From the navigation bar, choose Security & SD-WAN > Configure > Addressing &
VLANs.
2. Scroll down to Routing, and then down to Static routes. Click Add Static Route.

3. Use the following information to populate the fields:

o Enabled: Enabled

o Name: Local LAN Subnets

o Subnet: 10.0. [10 + n] .0/24

o Next hop IP: 10.0. [100 + n] .254

o Active: Always

o VPN mode: Enabled

Once you are finished, click Update.

Finally, scroll down and click Save.

 4. You should now see that your Local LAN Subnets route appears as a Static route on
the Cisco Meraki MX security appliance.

Turn On OSPF on the Cisco Meraki MX Security Appliance

Activity

1. From the navigation bar, choose Security & SD-WAN > Configure > Routing.

2. Change OSPF to Enabled.

When the other fields appear, change the following:

o Router ID: 10.0.[100 + n].1

o Area ID: 0

Save changes.
Verification

3. Observe the topology diagram. At the SF Data Center, there are also routes created
and subnets being shared.

From the navigation bar, choose Switch > Monitor > Switches. Choose your switch and
click the L3 routing tab.

Note

It will take a couple of minutes before all the route and neighbor information is
communicated and collected in the Cisco Meraki cloud and reflected in the dashboard.
4. Scroll down to the OSPF neighbors section. Do you see any neighbors listed in the
table? If so, how many?

You should see one neighbor. The router ID and IP address should be that of your lab
station's Cisco Meraki MX security appliance, 10.0.[100 + n].1.

5. In the Routing table section, what are the routes that you can see being redistributed
(advertised) across Auto VPN via OSPF?

There should be several routes that are learned over OSPF (they should be identified
as OSPF in the Route type column) and it will vary depending on the number of other
 active lab stations in this organization at the time that you read this table. There
should also be a couple of routes to the SF Data Center (192.168.128.0/24) and a
subnet within (192.168.254.0/24), which they have advertised.

6. After creating the static route, what should the SF Data Center be able to see and
reach?

The SF Data Center should be able to see and reach your 10.0.[10 + n].0/24 subnet.
Lab 8: Configure QoS

Introduction

You will first configure QoS on your Cisco Meraki switch, then configure QoS on your Cisco
Meraki AP. You will make sure that VoIP is configured correctly and that appropriate voice QoS
settings are set.

Topology

Visual Topology

Voice VLAN and QoS Settings on the Cisco Meraki MS Switch

1. On your computer, open another web browser window and log in to the Cisco Meraki
Cloud Dashboard at the URL that you can find in Job Aids. Use the Username and
Password that are provided in Job Aids.
2. You will automatically be dropped into the Camera network. In the top-left corner of
the page, click the down arrow next to Cameras, and choose your LABn network from
the Network drop-down list.
3. Choose Switch > Monitor > Switch ports.

4. To allocate ports as VoIP devices, select the check boxes next to ports 7 through 10
and click Edit.

5. In the Edit window, set Type to Access, VLAN to 10, and Voice VLAN to 30. Click
Update. You will see a green box confirming that your changes have been saved.
6. Observe that ports 7 through 10 are now configured as type access, with a data VLAN
of 10, and a voice VLAN of 30.

7. Choose Switch > Configure > Switch settings.

8. Scroll down to Quality of service and click Add a QoS rule for this network.

9. You will add a QoS rule that ensures traffic in VLAN 30 will be marked with DSCP value
of 46.

Set VLAN to 30 and Protocol to Any. Under DSCP, you will see two drop-down lists.
Change the first drop-down to Set DSCP to and the second one to 46 -> class 3 (EF
voice).
10. If a box appears in the lower right of the screen alerting you that you have unsaved
changes, click Save. If not, scroll down to the bottom of the web page and click Save
Changes.

11. Finally, under quality of service > DSCP, click Edit DSCP to CoS map to view the default
DSCP to CoS queue mappings.

12. Observe the settings and note that they are set to best practices by default. Click Close
to exit without making changes.
 Voice VLAN and QoS Settings on the Cisco Meraki MR Access Point

Activity

Scenario and Design Criteria

When designing a wireless network for VoIP, it is always a good idea to do a proper
site survey. In this scenario, you will assume that a site survey has been completed and
the following design criteria has been developed:

 Ensure closer grouping of APs with more overlapping coverage: It is best practice,
when designing VoIP for wireless, to ensure that you have more overlap than a
standard data design so the clients can roam easily. In a VoIP wireless network, the
APs are usually closer together.

 Create smaller cells with lower power settings: In a wireless VoIP design, it is best
practice to turn down the power and have smaller cells. This approach increases the
overall number of cells, and therefore the number of APs.

 Identify challenging areas and potential sources of interference: It is best practice to

identify troublesome or challenging areas, possibly with a Layer 1 spectrum scan. The
areas need to be identified and a solution must be prepared and implemented.

 Prioritize 5 Ghz coverage due to the lower noise floor: Use of 2.4 GHz can have a very
high noise floor and can have many types of interferers. It is best practice to use 5 GHz
for VoIP networks.

 Verify that a client can see an AP (and vice versa) at –67 dBm or higher in all areas: It
is best practice to design your cell edges at –67 dBm or higher. A client should always
be able to connect to an AP at –67 dBm or higher, which can be achieved by combining
this rule with the overlap coverage rule.

 Set the signal-to-noise ratio (SNR) to 25 dB or higher in all areas: It is best practice to
keep the SNR at 25 dB or higher. This SNR level is a requirement of the higher-end
speeds in wireless networks.

 Set channel utilization at less than 50 percent: It is a good idea to keep utilization low
on a wireless network. Low utilization leads to better performance, lower delay, and
lower jitter for the VoIP packets. Best practice mandates that channel utilization
remains below 50 percent for VoIP.

When using VoIP devices, it is best practice to keep them on their own SSID. (VoIP
devices are already on their own SSID in this task.) In fact, it is common to have an SSID
that is dedicated to VoIP. You will now inspect the voice SSID and confirm that it is
configured correctly for VoIP.

1. Choose Wireless > Configure > Access control.

 2. From a drop-down list for SSID, choose Voice SSID.

Note

If at the top of the page, you see a notification to switch to a new version, make sure to click
the new version option.
3. Scroll down to Client IP and VLAN, and select the radio button for External DHCP
server assigned, leaving the default Bridged mode highlighted. Save changes.

In the bridge mode, the DHCP lease is obtained from a DHCP server upstream. The
access point also acts as a bridge between the wireless and wired medium, allowing
wireless clients to communicate with wired clients or wired network resources.

This allows seamless Layer 2 roaming (assuming all APs on the floor support the same
VLAN).

4. Scroll back up to Security, and select the radio button for Enterprise with. Then, from
its drop-down list, choose Meraki Cloud Authentication.

WPA encryption mode should be set to WPA2 only (recommended for most
deployments).

802.11r should be set to enabled (if all devices support it) or adaptive (if only some
devices support 802.11r).

Note

802.11r is Fast Roaming (also known as Fast Transition). This feature speeds up and
simplifies the act of roaming (client support of 802.11r is mandated for this to work
correctly). You need smooth fast roaming to sustain your voice calls.
5. Scroll down to VLAN tagging.

Click the Enabled box.

You want to enforce an SSID-wide single VLAN method so you will set the VLAN ID to
30.

This ensures that wireless client traffic on this SSID will be properly tagged when
forwarded to the upstream switch, which is critical for proper QoS. If a voice VLAN is
specified on a Cisco Meraki MS switch, the port will accept tagged traffic on the voice
VLAN and the port will send out LLDP and CDP advertisements recommending that
devices use that VLAN for voice traffic.

6. Click Save Changes to complete the process.

7. Choose Wireless > Configure > Radio settings.

8. Under Radio Setting, click RF profile.

9. On the right side, under Basic Indoor Profile, click Edit.

10. In the Edit Basic Indoor Profile, choose General > General > Band selection > All SSIDs,
click Enable 5 GHz band only radio button.

Note

Assume that all client devices running voice applications, can operate on 5 GHz.
 11. Scroll down to 5 GHz radio settings, and under Minimum bitrate confirm that 12Mbps
is set on the scroll bar.

Setting the minimum bit-rate to 12 Mbps or higher effectively sets the minimum speed
of the wireless cell to be 12 Mbps, and simultaneously prevents or eliminates any
legacy 802.11b devices from joining (which would force all other clients to slow down).

12. Click Save to complete the process.

Lab 9: Configure Traffic Shaping

Introduction

Note

You will focus on traffic shaping and traffic handling. You will first configure traffic shaping on
your Cisco Meraki MX security appliance, and then you will configure traffic shaping on your
Cisco Meraki MR AP. You will make sure that VoIP is configured correctly and that appropriate
voice traffic shaping settings are set.

Topology

Visual Topology

Configure Traffic Shaping on the Cisco Meraki MX Security Appliance

Activity

1. Choose Security & SD-WAN > Configure > SD-WAN & traffic shaping.
2. You want traffic from your network to go over WAN2. Under Uplink selection, find
Flow preferences > Internet traffic and click Add a preference.

3. Use the following information to configure the parameters:

o Protocol: Any

o Source: 10.0.[10 + n].0/24

o Destination: Any

o Preferred uplink: WAN 2

Note the following about flow preferences:

 They apply to Internet traffic only (does not refer to SD-WAN traffic, which flows
across VPN and is processed differently).

 Flow preferences supersede load-balancing decisions.

 Priority queues will only take effect when WAN interfaces are being 100% utilized.

4. Scroll to Traffic shaping rules and click Create a new rule. Once the new window
opens, click Add+.

5. Click Custom expression and enter 10.0.[30 + n].0/24 (where n is your pod number –
in this example Lab pod 1 was used) to make your voice traffic (VLAN 30) sent out of
the WAN 2 interface.

Note

Enter the above string directly into the text field and do not leave any spaces. After
entering the string, click Add expression. You will need to click on the browser page
background to close that window.
 6. Now, from the following drop-down lists, set the following parameters:

o Bandwidth limit: ignore network per-client limit (unlimited)

o Priority: High

o DSCP tagging: 46 (EF - Expedited Forwarding, Voice)

Click Save Changes.

Configure Traffic Shaping on the Cisco Meraki MR Access Point

To complete your VoIP configuration, you will configure traffic shaping on the Cisco Meraki MR
AP.

Activity

1. Choose Wireless > Configure > Firewall & traffic shaping. Under SSID, choose Voice.
 SpeedBurst

SpeedBurst allows users to temporarily exceed the bandwidth limit for up to 5 seconds
while still keeping them under the bandwidth limit over time. This option provides a
better experience to a user browsing the web, while not slowing down the network if
they are transferring large amounts of data.

2. Scroll down to Traffic shaping rules and use the slider to set the Per-client bandwidth
limit to 5Mbps. Check the check box to enable SpeedBurst. Leave the Per-SSID
bandwidth limit as unlimited.

This will limit all nonvoice application traffic.

3. Now, observe your settings. Notice that Shape traffic is set to Shape traffic on this
SSID, and that the Default Rules are enabled.

The default rules offer some default boost to VoIP, but you need to add to this
configuration. Click Create a new rule, and then Add+.

4. Scroll down and click VoIP & video conferencing, and then click All VoIP & video
conferencing in the window that appears to the right.

Note

You may have to click on the background to close the pop-up.

5. To allow voice traffic to use additional bandwidth when needed and not be bound by
the per-client bandwidth limit you set earlier, from the Per-client bandwidth limit
drop-down list, choose the ignore SSID per-client limit (unlimited).

Finally, set PCP/DSCP tagging to 6 / 46 (EF – Expedited Forwarding, Voice)

6. Click Save Changes to complete the process.

Additional traffic-shaping rules can be created to prioritize custom VoIP traffic that
does not match the built-in application signatures.

The configuration assumes that your edge devices and servers are marking voice traffic
correctly, however that is not always the case. You may need to manually configure
settings (or Group Policies on Microsoft systems.)
Lab 10: Configure Load Balancing
Configure Load Balancing

You will first confirm that the uplink settings are correct (and in the correct ratio), and then you
will enable load balancing that will utilize the uplink bandwidth ratio.

Topology

Visual Topology
 Enable Load Balancing

Activity

1. Choose Security & SD-WAN > Configure > SD-WAN & traffic shaping.

2. Under Uplink configuration, use the slider bar to set WAN1 to 400 Mbps. For WAN2,
click details and set both down and up to 200 Mbps.

Note

The values set here will control the ratio at which load balancing will operate. In this
instance WAN1 to WAN2 is 2:1. (Half the traffic will be sent out WAN2 compared to
WAN1.)
3. Under Uplink selection > Global preferences, set Primary uplink to WAN1 and Load
balancing to Enabled.

4. Click Save Changes to complete the process.

Lab 11: Define Firewall Rules
Introduction

First, you will be introduced to the Cisco Talos website, which can advise on security threats.
Then you will configure Layer 3 and Layer 7 firewall rules on the Cisco Meraki MX security
appliance and the Cisco Meraki MR AP.

Topology

Visual Topology
Use Cisco Talos to Identify Threats

Activity

1. On your computer, open another web browser window and log in to the Cisco Meraki
Cloud Dashboard at the URL that you can find in Job Aids. Use the Username and
Password that are provided in Job Aids.

2. You will automatically be dropped into the Camera network. In the top-left corner of
the page, click the down arrow next to Cameras, and choose your LABn network from
the Network drop-down list.

3. Open a new browser window and navigate to

https://www.talosintelligence.com/reputation_center/email_rep to visit the Cisco

Talos team website. In the Email & Spam Data section, click the TOP SENDERS BY IP
tab.
4. In the table, identify a sender with a Poor email reputation and make a note of the IP
address. Note: You may need to check the radio button for spam to view Poor.

5. Now, navigate to the Cisco Talos Cyber Attack map at the

https://talosintelligence.com/ebc_malware/# and under Malware Volume, you can
view the Top 10 Malware Senders.
 6. In the Malware Volume table on the right, choose one of the malware senders and
click one of the locations on the map. Note the IP address located in the box that
appears. You will use this address “Create Layer 3 Firewall Rules on the Cisco Meraki
MX Security Appliance" next task.

Create Layer 3 Firewall Rules on the Cisco Meraki MX Security Appliance

Activity

1. Layer 3 firewall rules can be configured on the Cisco Meraki MX security appliance by
choosing Security & SD-WAN > Configure > Firewall.
Types of Layer 3 Rules

There are several types of Layer 3 rules that can be set.

Inbound rules: There is a default Deny Any option for traffic that originates from the outside.

 If you want to allow traffic inbound, you need to configure forwarding rules (port
forwarding, 1:1 NAT, or 1:many NAT).

Port forwarding forwards specific TCP or UDP ports that are destined to an Internet interface
of the Cisco Meraki MX security appliance to specific internal IPs. This approach is best for
users who do not have a pool of public IP addresses. This feature can forward different ports to
different internal IP addresses, and allow multiple servers to be accessed from the same public
IP address.

When mapping ports, keep the following in mind:

 Ports can be listed individually or as a range.

 Port ranges must be hyphenated. A comma-separated list is not accepted.

 When mapping a range of public ports to a range of local ports, the ranges must be the
same length (for example, 8000–8500 public must be mapped to 8000–8500 local).

1:1 NAT is for users with multiple public IP addresses available for use and for networks with
multiple servers behind a firewall such as two web servers and two mail servers. A 1:1 NAT
mapping can only be configured with IP addresses that do not belong to the Cisco Meraki MX
security appliance. It can also translate public IP addresses that are in different subnets than
the WAN interface address, if the ISP routes traffic for the subnet toward the Cisco Meraki MX
interface. Each translation added is a one-to-one rule, which means traffic that is destined to
the public IP address can only go to one internal IP address. Within each translation, a user can
specify which ports will be forwarded to the internal IP. When adding ports for NAT, you can
use a range of ports and a comma-separated list of ports.

1:many NAT configurations allow a Cisco Meraki MX appliance to forward traffic from a
configured public IP to internal servers. However, unlike a 1:1 NAT rule, 1:many NAT allows a
single public IP to translate to multiple internal IPs on different ports. For each 1:many IP
definition, a single public IP must be specified. Then, multiple port forwarding rules can be
configured to forward traffic to different devices on the LAN on a per-port basis. As with 1:1
NAT, a 1:many NAT definition cannot use an IP address that belongs to the Cisco Meraki MX
appliance.

Outbound rules: Outbound rules allow you to define rules that would affect traffic that
originates from the inside (LAN-to-WAN and LAN-to-LAN).

 By default, there is an Allow Any option.

 Rules can be configured to deny or allow hosts or subnets or ports.

Cellular failover rules: The rules that are configured here will only be applied when the
appliance is using a 3G or 4G connection as its active uplink.

 The purpose in this design is to conserve data usage.

Security appliance services: These services control which services are available on the outside
interface.

 When a service is set to None, the appliance will not respond to requests of that traffic
type from the WAN.

2. Now you will configure the outbound rules. Choose Layer 3 > Outbound rules and click
Add a rule to begin defining firewall rules.

3. Create the following rule:

o Policy: Deny

o Protocol: Any

o Source: 10.0.[10 + n].0/24

o Destination: (Enter the IP address of the email spam from the task "Use Cisco
Talos to Identify Threats.")
 o Comment: Email spam/phishing

Note

Note that, in this instance, the IP address 192.168.1.2 will be used as a placeholder. You should
use the IP address that you made note of in the task “Use Cisco Talos to Identify Threats.”

4. Click Add a rule, to add another rule:

o Policy: Deny

o Protocol: Any

o Source: Any

o Destination: (Enter the second IP address of the malware site from the task
"Use Cisco Talos to Identify Threats.")

o Comment: Malware host

Note

Note that, in this instance, the IP address 192.168.2.2 will be used as a placeholder. You should
use the second IP address that you made note of in the task “Use Cisco Talos to Identify
Threats.”

After you finish, save your changes.

Layer 3 Rule Configuration

Cisco Meraki dashboard will process the rules from top to bottom, beginning with the topmost
Layer 3 outbound rules, which are defined on the Firewall page. It is possible to adjust the rule
priority order by using the arrow icon in the Actions column to drag and drop.

Note

In this instance, the IP addresses 192.168.1.2 and 192.168.2.2 were used as placeholders.

Note that the number of hits that are displayed in the figure show the number of times this
rule was applied.
Layer 3 firewall rules can be configured in a similar way. Choose Security & SD-WAN >
CONFIGURE > Site-to-site VPN. Scroll down to Organization-wide settings and configure rules
under Site-to-site outbound firewall.

 Similar to the Layer 3 firewall rules configured previously, there is by default an option
to "allow any."

 Rules can be configured here to deny or allow hosts, subnets, or ports that are defined
as the source or destination.

 Proper firewall rules will stop undesired traffic as close to the origination point as
possible, which in turn makes efficient use of VPN tunnel bandwidth and improves
network performance.

Create Layer 7 Firewall Rules on the Cisco Meraki MX Security Appliance

Activity

Layer 7 firewall rules can be configured on the Cisco Meraki MX security appliance. They allow
you to deny certain types of traffic. Where most firewall rules only inspect headers at Layers 3,
4, and 5, a Layer 7 rule inspects the payload of packets to match against known traffic types.

1. On your Cisco Meraki MX security appliance, choose Security & SD-WAN > Configure >
Firewall to create a Layer 7 firewall rule.

2. Choose Layer 7 > Firewall rules and click Add a Layer 7 firewall rule.
 3. To create the following Deny rule, under Application, choose Gaming > All Gaming.

4. Click Add a layer 7 firewall rule to create the next Deny rule:

o Application: Countries

o Traffic to/from: North Korea

If a box appears in the lower right of the screen alerting you that you have unsaved changes,
click Save. If not, scroll down to the bottom of the web page and click Save Changes.

The rules should look like the following figure:

Layer 7 Rule Configuration

Note that Layer 7 firewall rules can be configured in a similar way under Security & SD-WAN >
Configure > Site-to-site VPN. You would open this link and scroll down to Organization-wide
settings and configure rules under Site-to-site outbound firewall.

 Similar to the Layer 7 firewall rules configured previously, there is, by default, an
option to "allow any."

 Rules can be configured here to deny or allow hosts, subnets, or ports that are defined
as the source or destination.

 Proper firewall rules will stop undesired traffic as close to the origination point as
possible, which in turn makes efficient use of VPN tunnel bandwidth and improves
network performance.

Create Layer 3 Firewall Rules on the Cisco Meraki MR Access Point

Activity

Layer 3 firewall rules can also be configured on Cisco Meraki MR APs.

1. Choose Wireless > Configure > Firewall and traffic shaping and for the SSID, choose
Guest from the drop-down list.
2. Choose Block IPs and ports > Outbound rules and click Add new to begin defining
outbound rules.

3. Create the following rule, then click Finish Editing:

o Policy: Deny

o IP Version: IPv4

o Protocol: Any

o Destination: 10.0.99.0/24
 o Port: Any

o Comment: Corporate resources

4. Click Add new to add another rule, then click Finish editing:

o Policy: Allow

o IP Version: IPv4

o Protocol: TCP

o Destination: 10.0.100.100/32

o DST Port: 80

o Comment: Guest splash web server

Note

This destination (subnet) does not exist on the network and therefore it is not reachable. It
was included in this lab as an example.

5. Click Save Changes to complete the process. The rules should look like the following
figure:
Create Layer 7 Firewall Rules on the Cisco Meraki MR Access Point

Activity

Layer 7 firewall rules can also be configured on the Cisco Meraki MR AP. They allow you to
deny certain types of traffic. Where most firewall rules only inspect headers at Layers 3, 4, and
5, a Layer 7 rule inspects the payload of packets to match against known traffic types.

1. Choose Wireless > CONFIGURE > Firewall and traffic shaping, and for the SSID, choose
Guest from the drop-down list.

2. Choose Block applications and content categories > Layer 7 firewall rules and click
Add a layer 7 firewall rule to begin defining firewall rules.
 3. Create the following deny rule:

o Application: Gaming, Xbox LIVE

4. Click Add a layer 7 firewall rule to add another Deny rule.

o Application: HTTP hostname, netflix.com

Click Save Changes to complete the process.

The rules should look like the following figure:

Verification

Looking at the network topology diagram, answer the following questions:

5. Will Client A (a wired desktop PC) be able to access an online gaming service such as
Battle.net?
No, because a Layer 7 firewall rule, that was created on the Cisco Meraki MX appliance, will
deny that traffic (gaming) and drop it.

6. Will Client A (a wired desktop PC) be able to access and stream Netflix videos?

Yes, because there are no firewall rules in the network path of Client A that would block or
drop Netflix traffic.

7. Where will Client B (a wireless client) be blocked or denied access to online game
services: on the wireless access point or on the security appliance?

The Cisco Meraki MR AP's Layer 7 firewall rule that denies Xbox Live traffic (but only that
specific gaming service) will block Client B. If the traffic is some other type of gaming, the
traffic will get past the Cisco Meraki MR AP, but the Layer 7 firewall rules that exist on the
Cisco Meraki MX appliance will deny and drop the traffic.

Lab 12: Enable Advanced Malware

Protection, Intrusion Detection, and
Intrusion Prevention
Introduction

You will focus on Cisco AMP and configuring the Cisco Meraki IDS and IPS. First, you will
configure Cisco AMP; then you will learn about, and enable, the IDS and IPS.

Topology

Visual Topology

Enable Cisco AMP and Enable and Configure IDS and IPS

Activity

Cisco AMP and IPS

Two very important security features on the Cisco Meraki MX appliance are Cisco AMP and IPS.

Cisco AMP is an industry-leading, anti-malware technology from Cisco that analyzes HTTP-
based file downloads based on the disposition that is received from the Cisco AMP cloud. If the
Cisco Meraki MX appliance receives a disposition of malicious for the file download, it will be
blocked. If the Cisco Meraki MX appliance receives a disposition of clean or unknown, the file
download will be allowed to complete. If the Cisco AMP cloud can determine if a downloaded
file is malicious after it is downloaded, it will automatically notify the Cisco Meraki dashboard
administrator that a malicious file was downloaded in the past. To use Cisco AMP, it simply
needs to be enabled in the Cisco Meraki dashboard. You will enable Cisco AMP shortly.

IPS feeds all packets flowing between the LAN and Internet interfaces and between VLANs
through the Cisco Snort intrusion detection engine and will block all traffic that is identified as
malicious. The Cisco Meraki dashboard also allows an administrator to configure the ruleset
that the Cisco Snort engine will use. Here, IPS will be configured to use the balanced ruleset.

1. Choose Security & SD-WAN > Configure > Threat protection.

You will configure Cisco AMP and turn on intrusion prevention using and enforcing a balanced
ruleset.

2. To turn on Cisco AMP, choose Enabled from the Mode drop-down list. Next, choose
Prevention in the Mode drop-down list and choose Balanced as the Ruleset.
Rulesets

When enabling intrusion detection or prevention, there are three distinct rulesets to choose
from, using the Ruleset selector:

 Connectivity: This ruleset contains rules from the current year and the previous two
years for vulnerabilities with a CVSS score of 10.

 Balanced: This ruleset contains rules from the current year and the previous two
years, for vulnerabilities with a CVSS score of 9 or higher. These rules are in one of the
following categories:

1. Malware-CNC: These rules are for known malicious command-and-control

activity for identified botnet traffic. This category includes Call Home,
downloading of dropped files, and exfiltration of data.

2. Denied List: These rules are for URIs, user agents, DNS hostnames, and IP
addresses that are determined to be indicators of malicious activity.

3. SQL Injection: These rules are designed to detect SQL injection attempts.

4. Exploit-kit: Rules that are designed to detect exploit kit activity.

 Security: This ruleset contains rules from the current year and the previous three
years, for vulnerabilities with a CVSS score of 8 or higher. These rules are in one of the
following categories:
 1. Malware-CNC: These rules are for known malicious command-and-control
activity for identified botnet traffic. This category includes Call Home,
downloading of dropped files, and exfiltration of data.

2. Denied List: These rules are for URIs, user agents, DNS hostnames, and IP
addresses that have been determined to be indicators of malicious activity.

3. SQL Injection: These rules are designed to detect SQL injection attempts.

4. Exploit-kit: These rules are designed to detect exploit kit activity.

5. App-detect: These rules look for and control the traffic of certain applications
that generate network activity.

The Balanced ruleset will be selected by default.

Dealing with False Positives: Occasionally, the Cisco Meraki MX appliance may block a file or a
URL that is deemed safe by the administrator. In that case, you can tell the Cisco Meraki MX
appliance to allow the download of the content or web page by adding the content to the
permitted list.

Permitting URLs: Find the URL that was blocked in the Event log page and enter it in the Allow
list URLs section to allow that URL in the future.

Permitting IDs: For files, JavaScripts, and other objects that are not URLs, the Cisco Meraki MX
appliance assigns a unique ID. You can see the blocked items in the Event log page. By entering
the ID of the object that you want to allow in the permitted IDs section, you can instruct the
appliance to allow the detected signature, even if the URL is different.

3. Click Save Changes to complete the process.

4. Choose Security & SD-WAN > Configure > SD-WAN & traffic shaping.
 5. Under Uplink Configuration > List update interval, you can set the List update
interval. This setting determines how often the Cisco Meraki MX appliance should
check for updates to security lists. To specify different frequencies, depending on
which uplink is being used, click details.

Features that this setting affects include IDS and IPS, Top Sites Content Filtering, and Malware
Scanning.

Verification of Cisco AMP

After Cisco AMP has been enabled and a client attempts to download a recognized malicious
file, as seen in the figure, the Cisco Meraki MX appliance will detect and block the threat. The
client will then see a connection reset with an unsuccessful file download.
In the Cisco Meraki dashboard, if you navigate to Security & SD-WAN >Monitor>Security
Center and filter for Malware Detection events, the event should be reported with details
about the time of detection, the name of the device, and the details of the threat.

Note that your lab environment will not display any events.
Verification of IDS and IPS

After intrusion detection is enabled with the balanced ruleset, and a client attempts to reach
an identified malicious source, the Cisco Meraki MX appliance will detect, log, and alert about
the threat in the Cisco Meraki dashboard.

In the Cisco Meraki dashboard, navigate to Security & SD-WAN > Monitor > Security Center
after an event, click the drop-down for Filter and choose IDS. The event should be reported
with details about the time of detection, the name of the device, and the details of the threat.

Note that your lab environment will not display any events.
Under the configuration of Detection, malicious traffic will only be detected and logged and
reported in the Security Center.

Because you set Prevention, the malicious traffic will be blocked in addition to the logging and
reporting in the Security Center.
Lab 13: Enable Content Filtering
Introduction

You will learn how to enable content filtering and restrict access to certain sites. Content
filtering can stop access to inappropriate sites based on the site policies.

Topology

Visual Topology

Configure Content Filters and URL Patterns

Activity

Content Filtering allows you to block certain categories of websites based on your
organizational policies. You can also block or permit individual websites for additional
customization. Now you will use content filtering to block any website that is categorized as
social networking.

1. Choose Security & SD-WAN > Configure > Content filtering.

 2. To add Social Networking as a website category that will be blocked, in the Category
blocking section, choose Social Networking from the drop-down list under Content
categories and then click Save.

Note

Note that Full list (better coverage) is chosen in the URL category list size drop-down list. (The
list of top sites in each of the blocked categories will be cached locally on the appliance.)

URL Category List Size

If Top sites is chosen for this option, client requests for URLs that are not in the top sites list
will always be permitted (as long as they are not in the denied list, of course).
If Full list is chosen for this option, a request for a URL that is not in the list of top sites will
cause the appliance to look up the URL in a cloud-hosted database (BrightCloud). This action
will have a noticeable impact on web browsing speed, especially when visiting a site for the
first time.

Note that you can check a website’s category at any time by choosing Launch the URL
category lookup tool and entering the website URL. The Cisco Meraki dashboard will show you
the website’s category as determined by BrightCloud.

URL Blocking

You can also perform URL Blocking.

When a client fetches a web page on this network, the requested URL is checked against the
lists that are configured to determine if the request will be allowed or blocked.

Pattern matching follows these steps:

1. Check if the full requested URL is on either list. For example,

http://www.foo.bar.com/qux/baz/lol?abc=123&true=false.

2. Cut off the protocol and leading www from the URL, and check if the remainder is on
either list. For example, foo.bar.com/qux/baz/lol?abc=123&true=false.

3. Cut off any GET parameters (everything following a question mark) and check again.
For example, foo.bar.com/qux/baz/lol.

4. Cut off paths one by one, and check each one. For example, foo.bar.com/qux/baz and
then foo.bar.com/qux, and finally foo.bar.com.

5. Cut off subdomains one by one and check each one. For example, bar.com and then
com.

6. Finally, check for the special catch-all wildcard, the asterisk (*), in either list.

If any of these options produces a match, then the request will be allowed if it is in the
permitted list and blocked otherwise. (That is, the permitted list takes precedence over the
denied list.)

If there is no match, the request is allowed, subject to the category filtering settings.

HTTPS requests can also be blocked. Because the URL in an HTTPS request is encrypted, only
the domain checks will be performed (www.foo.bar.com, foo.bar.com, bar.com, com, and the
special catch-all *).

3. In the URL filtering section, in the Blocked URL list field, enter
http://meraki.cisco.com/trust.
 4. Save changes to complete the process.

5. Choose Security & SD-WAN > Configure > SD-WAN & traffic shaping.

6. Under Uplink Configuration, you can set the List update interval.

This setting determines how often the Cisco Meraki MX appliance should check for updates to
security lists.

To specify different frequencies, depending on which uplink is being used, click details.
Features that are affected by this setting include IDS and IPS, Top Sites Content Filtering, and
Malware Scanning.

Verification

7. In which content category is facebook.com? What would you need to do to ensure

that it is not blocked with any of the existing categories?

Facebook.com is in the Social Networking category. A permitted list can be implemented to

make an exemption for a specific website or URL.

8. You chose Full list (better coverage) as the URL category list size. How does this
option differ from the default option Top sites only (higher performance)? What is the
trade-off?

When Full list (better coverage) is chosen, the Cisco Meraki MX appliance will not only block
the websites whose category is locally cached, but it will also query BrightCloud to find the
category of websites that are not locally cached. The trade-off of using the Full list (better
coverage) option is that the performance will be slower but have a more comprehensive
coverage.

9. You set configuration to block a specific URL or web page. How would you block all
web pages at meraki.cisco.com?

In the Blocked URL patterns field, you could enter the desired specific URL (such as
meraki.cisco.com) or you could implement wildcards using the * symbol.

Restricting Search

Activity

1. Choose Security & SD-WAN > Configure > Content filtering.

Content Filtering

You are now going to restrict the ability of people to search using a web page. Then you will
configure restrictions on YouTube.

When Web Search Filtering is enabled, the Cisco Meraki MX appliance will rewrite every search
URL and filter adult content from top web search engines. (This feature is very popular in
schools, for example, where it stops children from mistyping and accessing inappropriate
sites.) Web search filtering enforcement relies on modifying the HTTP transmission, so this
feature does not work on encrypted web content (SSL and HTTPS).

When restricting YouTube content, the Cisco Meraki MX appliance uses DNS-based
enforcement. When enabled, YouTube will be available in one of the following two modes:

 Strict mode restricted YouTube access: This setting is the most restrictive. Strict
restricted mode does not block all videos, but it works as a filter to screen out many
videos based on an automated system, while leaving some videos still available for
viewing.

 Moderate mode restricted YouTube access: This setting is similar to strict restricted
mode, but it makes a much larger collection of videos available.

 Disabled YouTube access: This is not a mode, but this setting means that both
restricted modes—strict and moderate—are off. Only apply this setting if you want to
allow users in your organization to have unrestricted YouTube access.
In the Search Filtering section, from the Web search drop-down list, choose Enabled. This
option will filter adult content from results on top web search engines, including Google and
Bing. For search engines other than Google and Bing, filtering can only be enforced on
unencrypted search traffic. If this feature is enabled, you can block encrypted search across
many major search engines.

2. From the Restricted YouTube content drop-down list, choose Strict.

3. Save changes to complete the process.

Verification

After enabling Web search filtering, every search URL is rewritten. For example, the Cisco
Meraki MX appliance will rewrite a Google search and follow the method that is outlined in
Google SafeSearch filtering algorithms to block explicit results (such as pornography) from the
search results.

After enabling Restricted YouTube content, you can limit which YouTube videos are viewable
by signed-in G Suite users in your organization and on your network. You can choose either a
Strict or Moderate level of available content. When any Restricted Mode level is enabled, users
cannot see comments on the videos they watch.
Lab 14: Configure and Apply Access
Policies
Introduction

You will configure and apply access policies for switch ports. You will configure IEEE 802.1X
support on the switch using the Cisco Meraki cloud database, and a local RADIUS server.

Topology

Visual Topology

Create an Access Policy

Activity

1. On your computer, open another web browser window and log in to the Cisco Meraki
Cloud Dashboard at the URL that you can find in Job Aids. Use the Username and
Password that are provided in Job Aids.
2. You will automatically be dropped into the Camera network. In the top-left corner of
the page, click the down arrow next to Cameras, and choose your LABn network from
the Network drop-down list.

3. Choose Switch > Configure > Access policies.

 4. Click Add an access policy. You will now create a policy and select an authentication
method.

Authentication Method

There are two authentication methods that are available. Both options are 802.1X. The
difference is where the database of users is hosted.

 Your RADIUS server will use a local server.

 Cisco Meraki authentication will host it in the Cisco Meraki cloud. Users can be
configured on the dashboard by clicking the Users hyperlink that appears, or you can
choose Network-wide > Configure > Users (you will use the latter approach later).

The Guest VLAN has been configured and assigned. When defined, clients that have not
attempted authentication are placed on this VLAN until they have passed or failed the
authentication phase.

The Switch ports field identifies the number of ports that have been assigned this policy. The
link serves as a shortcut to the Switch ports page with a filter that is applied for ports using
this access policy. (Later, you will configure these ports manually.)

5. Name the policy Meraki Auth Policy. In the Authentication method drop-down list,
choose Meraki authentication. Assign 50 to the Guest VLAN. Click Save Changes to
complete the process.
Create and Authorize User Accounts

Activity

You will now configure a user that can log in using a policy that is set to Meraki authentication.

Once users have been created, administrators can authorize or deauthorize the account access
policy privileges very easily.

1. Choose Network-wide > Configure > Users.

2. Under User management portal > Zone choose Meraki Auth Policy from the drop-
down list. Click Add new user.

3. Create a user with the following values:

o Description: Test User

o Email (Username): (Your email address)

Note

You may also choose to use a fake email address for this lab. Dashboard will not send you any
emails (except for the one containing the password) and your address will not be retained or
shared.

o Password: Click Generate.

Note

You may choose to uncheck the Email new password to user check box if you do not want the
dashboard to send you an email containing the password.

o Authorized: Yes

o Expires: Does not expire

To finish, click Create user.

4. Click Save Changes to complete the process.

Create an Access Policy With a RADIUS Server

Activity
1. Choose Switch > Configure > Access policies. Once the Access policies window
appears, click Add an access policy.

2. Name the policy RADIUS Auth Policy. From the Authentication method drop-down
list, choose my RADIUS server. Click Add a server.
 3. Fill in the following settings:

o Host: 10.0.[ 100 + n].50

o Port: 1812

o Secret: meraki123

Note

The above RADIUS server is not active on the network. The previous instructions were included
in this lab as practice.

4. Continue down the page, and from the Access policy type drop-down list, choose
802.1X. To the Guest VLAN, assign 50.

Click Save Changes.

Create an Access Policy to Switch Ports

You will now configure the ports with the access policies that you configured.

Only access ports will enable the configuration option for the Access policy.

Activity

1. Choose Switch > Monitor > Switch ports.

2. At the bottom left of the page, in the results per page panel, change the results per
page value to 30 in the drop-down list.

3. Check the boxes next to ports 11 through 14. Click Edit.

 4. Configure the following fields:

o Name: Meraki Secured

o Type: Access

o Access policy: Meraki Auth Policy

o VLAN: 10

At the bottom of the page, click Update to save changes.

 5. Check the boxes next to ports 16 through 18 and click Edit.

Note

Make sure you uncheck the boxes for ports 11 through 14.

6. Configure the following fields:

 o Name: RADIUS Secured

o Type: Access

o Access policy: RADIUS Auth Policy

o VLAN: 10

At the bottom of the page, click Update to save changes.

Verification

7. What happens if a client device that is plugged into ports 11 through 18 fails the
authentication process?

If a client fails the authentication process (credentials are incorrect or invalid), then they will
be denied access to the network.

8. What happens if a client device that is plugged into ports 11 through 18 ignores the
authentication prompt?

If a client ignores the authentication process (does not attempt authentication), then they will
be placed into the guest VLAN that was defined.

9. In the "Create an Access Policy with a RADIUS Server" task, how would authentication
differ if the access policy type is changed from 802.1X to MAC authentication bypass?
What about hybrid authentication?
If the access policy type is changed to MAC authentication bypass, the network will use the
client device's MAC address for the authentication attempt (no prompts for credentials).

If Hybrid authentication is chosen for the access policy, then the network will first wait and
check for 802.1X before it attempts to use MAC authentication bypass.
Lab 15: Configure Wireless Guest Access
Introduction

You will configure the Guest SSID, and then configure the firewall and traffic-shaping rules on
the Guest network.

Topology

Visual Topology

Configure Wireless Guest Access

Activity

1. Choose Wireless > Configure > Access control.

2. Choose Guest in the SSID drop-down list near the top.

3. Confirm the following are checked for this SSID:

o Under Network access and Association requirements, click Open (no

encryption).

o Scroll down to the Splash page section and click None (direct access).

o Under Addressing and traffic, click NAT mode: Use Meraki DHCP for the Client
IP assignment.
NAT mode is recommended because of the default nature of isolating wireless guest clients
from the wired LAN. Wireless clients are assigned an IP address from a private pool (10.0.0.0/8
range), which also alleviates any DHCP pool requirements upstream. NAT is applied to guest
traffic as it traverses through the AP and to the rest of the network.
 4. If you made any changes, click Save Changes to complete the process.

Apply Firewall Restrictions and Traffic Shaping

Activity

1. Choose Wireless > Configure > Firewall & traffic shaping. Choose Guest from the SSID
drop-down list near the top.

2. Under Block IPs and ports, in the Outbound rules section, look for the rule with the
Rule description "Wireless clients accessing LAN." In the Policy column, choose Deny
in the drop-down list to prevent wireless clients from accessing the LAN.
 3. Scroll down the page and under Traffic shaping rules, adjust the slider for the Per-
client bandwidth limit to 500 Kbps. Check the Enable SpeedBurst check box to allow
web pages to load faster during periods of low utilization. Adjust the slider for the Per-
SSID bandwidth limit to 2 Mbps.

4. Scroll down to the bottom of the web page and click Save Changes.

Verification

5. What will happen if five or more clients are connected to the Guest SSID and all are
trying to stream video (1.5 Mbps) at the same time? How will the per-client and per-
SSID bandwidth limitations impact the video streaming experience?

Because the Guest SSID is restricted to a maximum capacity of 2 Mbps and each associated
client is passing traffic at a maximum rate of 500 Kbps, the overall result will be a degraded
experience for clients.

Both the per-client and per-SSID bandwidth limitations need to be considered during planning
and calculation when considering high usage such as video streaming.
Lab 16: Configure SSIDs
Introduction

Now you will configure a splash page for the guest SSID, configure timing information for the
guest SSID, and finally, configure an SSID for internal staff access.

Topology

Visual Topology

Create a Splash Page for Guest Wireless Access

Activity

1. On your computer, open another web browser window and log in to the Cisco Meraki
Cloud Dashboard at the URL that you can find in Job Aids. Use the Username and
Password that are provided in Job Aids.
2. You will automatically be dropped into the Camera network. In the top-left corner of
the page, click the down arrow next to Cameras, and choose your LABn network from
the Network drop-down list.
 3. Choose Wireless > Configure > Access control.

4. Choose Guest from the SSID drop-down list near the top.

Note

If at the top of the page, you see a notification to switch to a new version, make sure to click
the new version option.

5. In the Splash page section, click Click-through. This method requires users to
acknowledge the disclosures and information on the splash page before being granted
network access.
6. If a box appears in the lower-right corner of the screen alerting you that you have
unsaved changes, click Save. If not, scroll down to the bottom of the page and click
Save Changes.

7. Choose Wireless > Configure > Splash page and choose Guest from the SSID drop-
down list near the top.
 8. For Official themes, verify that the built-in Modern theme is selected.

9. Scroll down and customize the various options in the Customize your page section. In
the Welcome message section, enter your welcome section. (In the real world, you
would also configure the splash logo and splash language.)

Note

You can use HTML code directly in the Welcome message box. The following is an example of
code that you can copy and paste, but you may choose to enter your own message.

<h1><span style="font-weight: 400;">ECMS2 Guest Internet Access</span></h1>

<p><span style="font-weight: 400;">Welcome to the ECMS2 Guest Internet Access

Page!</span></p>

<h2><span style="font-weight: 400;">The ECMS2 Guest Internet Access is provided

<b>solely</b> for the use of official ECMS2 guests. Any other use is
unauthorized.</span></h4>

<hr>

<h2 style="text-align: left;"><span style="font-weight:800;"><b>Disclaimer</b></span></h2>

<p style="text-align: left;"><span style="font-weight: 400;">ECMS2 is <b>not responsible</b>

for the content of the Internet.</span></p>

<p style="text-align: left;"><span style="font-weight: 400;">ECMS2 is not responsible for

sensitive information communicated through this public wireless connection, such as credit
card, personal data, or banking information, etc. Please be sure that your device&rsquo;s anti-
virus and firewall software are up-to-date.</span></p>

<p style="text-align: left;"><span style="font-weight: 400;">ECMS2 assumes no responsibility

and shall not be liable for any loss of data, damage, or viruses/malware that may infect your
device on account of your access to, or use of the public wireless connection.</span></p>

<p style="text-align: left;"><span style="font-weight: 400;">ECMS2 assumes no responsibility

or liability for physical damage to, or theft of your device.</span></p>

<p style="text-align: left;"><span style="font-weight: 400;">Minors should only access the

connection under parental or guardian oversight. Any restrictions, limitations, and monitoring
of a minor&rsquo;s access to the network is the sole responsibility of the parent or
guardian.</span></p>

<p style="text-align: left;"><span style="font-weight: 400;">User agrees to respect all copyright

laws and licensing agreement pertaining to material obtained from the Internet and ECMS2 is
not responsible for user&rsquo;s failure to do so.</span></p>

<p style="text-align: left;"><span style="font-weight: 400;">If you have problems accessing the
Internet over the wireless connection, <b>our staff cannot assist</b> in making changes to the
user&rsquo;s network settings or perform any troubleshooting on your device. You should
refer to the owners&rsquo; manual for your device or other support services, offered by your
device manufacturer.</span></p><hr>

10. To finish the splash page configuration. In the Splash behavior area, choose Every
hour in the Splash frequency drop-down list and update the Where should users go
after the splash page? field by clicking A different URL and entering
https://meraki.cisco.com.

11. Click Save Changes to complete the process.

Verification

12. You can click Preview to look at the splash page that you customized.

The Preview button should show you a quick HTML preview of the custom splash page that is
based on the code that was entered. Here is an example output using the code that was
provided previously:
What happens if the user does not click the Continue to the Internet button on the splash
page? Where will the user be redirected? What type of network access will the user have?

If users ignore the button, their access will partially depend on the setting in Wireless > Access
control and the field Captive portal strength on that page (by default it is set to Allow non-
HTTP traffic prior to sign-on). Users will not be redirected and will continue to see the splash
page. They will also have no other network access.

Schedule Guest Wireless Access Availability

Activity

1. Choose Wireless > Configure > SSID availability. Choose Guest from the SSID drop-
down list near the top.
 2. Configure the Visibility as Advertise this SSID publicly. Change the Per-AP availability
to This SSID is enabled on some APs and click the LOBBY tag. Change the scheduled
availability to enabled and choose Available 8-5 daily except weekends from the
Scheduled templates drop-down list.

Click Save Changes to complete the process.

Verification

3. What will happen to clients that are connected to the guest SSID when it becomes
unavailable based on the schedule?

When the SSID becomes unavailable, clients will lose connectivity and be disconnected.

Configure an SSID for Internal and Employee Access

Activity

1. Choose Wireless > Configure > Access control.

2. Choose Corp from the SSID drop-down list near the top.

3. Under Security select the Enterprise with radio button. In the WPA encryption
mode drop-down list, choose WPA2 only.

4. Scroll down to the Client IP and VLAN section and select the External DHCP server
assigned radio button.
5. Next, configure the following parameters:

o VLAN tagging: VLAN ID

o VLAN ID: 10

6. Click Save Changes to complete the process.

7. Choose Wireless > Configure > Radio settings.

8. Then choose RF profiles.

9. Under Basic Indoor Profile, click the Edit button.

 10. Under General > General > Band Selection > All SSIDs, confirm Enable dual band
operation (2.4 & 5) is selected.

If Enable dual band operation (2.4 & 5) is already selected, you do not need to do anything
more. If not, select that setting now.

Save your changes to complete the process.

11. Choose Wireless > Configure > Firewall & traffic shaping. Choose Corp from the SSID
drop-down list near the top.
12. Under Block IPs and ports, in the Outbound rules section, look for the rule with the
Rule description "Wireless clients accessing LAN." In the Policy column, choose Allow
from the drop-down list to allow wireless clients to access the LAN.
 13. Save your changes.

Verification

14. What happens if the user does not authenticate or if they provide incorrect
credentials? Where will the user be redirected? What type of network access will the
user have?

An unauthenticated user will not have network access of any type. No redirection has been
configured for the Corp SSID and users will not be allowed network access.
Lab 17: Implement RF Profiles
Introduction

Now you will configure an RF profile and apply it to your Cisco Meraki MR AP.

Topology

Visual Topology

Configure the Guest SSID

Activity

1. Choose Wireless > Configure > Radio settings.

2. Click the RF profiles tab and then click New Profile.

3. Under Open Office Profile, choose Customize.

 4. Customize the profile by configuring the following parameters in the General section:

o Profile name: Lobby

o Band selection: Choose All SSIDs and click Enable dual band operation (2.4 &
5 GHz). Select the Enable band steering check box.

o Minimum bitrate configuration: Per band

o Client balancing: On

5. Scroll down the page. In the 2.4-GHz radio settings section, keep all the default values.

Continue to scroll down. In the 5-GHz radio settings section, verify that the Channel width is
set to Manual and that the 20-MHz (28 channels) option is chosen.
 6. If a box appears in the lower-right corner of the screen alerting you that you have
unsaved changes, click Save. If not, scroll down to the bottom of the web page and
click Save Changes.

Verification

7. Why did you choose to use 20 MHz channels instead of 40 MHz channels?

20 MHz channels are narrower than 40 MHz channels, which allows more flexible channel
planning and reduces the possibility of channel overlap in a high-density environment.

8. What are the minimum bit rates in this profile for each of the two radios? Will these
rates allow for more traditional (802.11b) client devices to connect?

The minimum bit rates for both radios have been configured as 12 Mbps. Traditional (802.11b)
wireless clients will not be able to connect because they require lower data rates.

Apply an RF Profile to the Cisco Meraki MR Access Point

Activity

1. Choose Wireless > Configure > Radio settings.

2. Be sure to choose the Overview menu. Check the box next to your AP and click Edit
settings to open the drop-down list.

3. Choose Assign profile from the Edit settings drop-down list.

 4. Choose the Lobby profile that you created previously, and click Next to continue.

5. Check all the boxes to allow the profile to clear any existing override settings (channel
width, channel, power). Then click Review changes.

6. Complete the profile assignment process by clicking Apply changes.

Note

Settings on in your screen may differ from the example shown here.

Note

Transmit power in your screen may differ from the example shown here.
Lab 18: Implement Air Marshal
Introduction

You will configure Cisco Meraki Air Marshal to protect your network from potential attacks.

Topology

Visual Topology

Define SSID Block and Allow Lists and Alerting Function

Activity

1. Choose Wireless > Monitor > Air Marshal.

Block List

If you want to protect clients from connecting to rogue SSIDs, you may specify additional rules
to block certain SSIDs or BSSIDs. These policies may match on exact words, MAC address
(BSSID), keywords, or wildcards. Email and syslog alerts will also be generated if SSIDs
matching the rules in the blocked list table are seen.

The acceptable wildcards are:

 * for any number of characters

 ? for any single character

2. In the Configure tab, look for the SSID Block list section. Click Add a match.
 3. Create the following rules (note that you will need to click Add a match again, after
you configure the first rule):

o Block if: Choose Matches wildcard and click Guest.

o Block if: Choose Matches wildcard and click Corp.

Note

Be careful when configuring SSID block list policies. These policies will apply to SSIDs seen on
the LAN as well as off of the LAN from neighboring WiFi deployments. Containment can have
legal implications when launched against neighbor networks. Ensure that the rogue device is
within your network and poses a security risk before you launch the containment.

Allow List

Similar to configuring the block list, you can use Air Marshal rules to create an allow list of
certain SSIDs or BSSIDs that clients are allowed to connect to. Rogue or Other SSIDs that match
these rules will not generate alerts.

4. Look for the SSID Allow list section on this page and click Add a match.

5. Create the following rules (note that you will need to click Add a match again, after
you configure the first rule):

o Allow if: Choose Contains keyword and type *-Officejet Pro.

 o Allow if: Choose Matches wildcard and type Amazon-*.

Alerts

You can also configure rules to alert when SSIDs that are matching a rule are seen. Alerts will
be sent via email and via syslog.

6. Look for the SSID alerting section on this page and click Add a match to create the
following rule:

o Alert if: Choose Exactly matches and click ispwifi.

7. Click Save to complete the process.

Verification

8. What will happen if Cisco Meraki Air Marshal detects a match for one of these two
denied rules on the LAN or off the LAN from neighboring Wi-Fi deployments?

Cisco Meraki Air Marshal will attempt to contain the rogue SSID by sending deauthentication
packets using the Basic Service Set Identifier (BSSID) of the rogue to prevent other clients from
connecting to it. The goal is to block this unauthorized SSID.
 9. What is a likely use case for these permitted rules? (In other words, which SSIDs and
BSSIDs would you put on a permitted list?)

Creating a permitted list is an operation that you can use to override default blocking policies.
The SSIDs and BSSIDs that you have allowed are commonly used by IoT devices, printers, and
so on, during their initial configuration phases.

10. What kind of alert will be sent (and to whom) if Cisco Meraki Air Marshal detects a
match for this alerting rule?

If triggered, an email alert will be sent to all Cisco Meraki dashboard network administrators
(and any other recipients who were added for this particular alert).
Lab 19: Create Cisco Meraki Systems
Manager Configuration Profiles
Introduction

Activity part describes the actual steps that are performed during the lab demonstration.

You will create a configuration profile for Apple and Android devices.

Topology

Visual Topology

Create and Configure an Apple Profile

Activity

1. On your computer, open another web browser window and log in to the Cisco Meraki
Cloud Dashboard at the URL that you can find in Job Aids. Use the Username and
Password that are provided in Job Aids.
2. You will automatically be dropped into the Camera network. In the top-left corner of
the page, click the down arrow next to Cameras, and choose your LABn network from
the Network drop-down list.

3. Choose Systems Manager > Manage > Settings. When the window opens, click Add
profile, in the top-right corner.
4. Under Standard, click Device profile (default) and click Continue.
 5. Name this profile Apple Profile.

6. Scroll down to the Targets section, look for the Scope field, and choose with ANY of
the following tags from the drop-down list.

In the Device tags field, choose the following two tags: iOS devices and Mac devices.

Backpack Feature

Backpack is a feature within an MDM profile which allows administrators to push files to
remote devices. Built-in file synchronization keeps the content on the device up-to-date with
the latest version of the file in the administrator’s backpack.

An administrator can manage documents, images, applications, and other files and deliver
them over-the-air to one device or thousands of devices, right from the dashboard. An
administrator can simply separate backpacks to be delivered to different departments,
classrooms, or groups. By using tags, the content can be delivered selectively to the
appropriate devices.

The intended devices will receive the content shortly after the administrator saves the
backpack. If the device is currently not connected, it will receive the content after it comes
back online.

7. Scroll up to the top of the page and click Add settings in the upper-left part of the page
to open the configurable settings. Choose the Backpack Item group.
 8. Configure the following options:

o Name: Office Map

o URL: http://office.map.com

o Automatic download: Check the box

iOS Single App Mode and Android Kiosk Mode

Cisco Meraki SM supports iOS Single App mode and Android Kiosk mode that allows an
administrator to lock users on mobile devices into one or more specific applications. These two
modes prevent users from accessing unauthorized apps or functions.

This function is helpful in situations where use of non-corporate applications on corporate

devices should be prevented, where access to search apps should be prevented during tests,
or to prevent accidental closure of an app, for example.

9. Click Add settings to return to the configurable settings. Choose the Single App Mode
(Kiosk) group.
 10. Configure the following options:

o App

1. Device type: iOS

2. App drop-down list: Choose Calendar

o Options

1. Disable rotation sensing: Check the box

2. Disable volume buttons: Check the box

11. Click Save, to complete this profile.

Create and Configure an Android Profile

Activity

1. Choose Systems Manager > Manage > Settings.

2. To add the Android profile, click the Add profile button in the top-right corner. Select
the Device profile (default) option and click Continue.

3. Configure an Android profile using the following information:

o Name this profile Android Profile.

 o In the Targets section, for the Scope field, choose with ANY of the following
tags from the drop-down list.

o In the Device tags field, choose Android devices from the drop-down list.

4. Click Add settings again to return to the configurable settings. Choose the WiFi
Settings group.

5. Configure the following options:

o Configuration: Sentry

o Network: Choose your wireless network.

Note
There should be only one option available in this lab setup for you to choose.

o SSID: Guest

o Auto Join: Check the box

6. Click Add settings again and choose the Android Kiosk Mode group.

7. Configure the following options:

o App Type: Google Play Apps

 Unlock code: 112233

 Google Play apps: Google Calendar

8. Click Save, to complete this profile.
Lab 20: Define Security Policies
Introduction

Now you will configure a security policy for devices that includes a containerization profile for
Apple iOS devices.

Topology

Visual Topology

Define the Security Policy

Activity

1. Choose Systems Manager > Configure > Policies. When the Policies window opens,
click Add new to define a new policy.
2. Define a security policy with the following configurations:

o Security policy name: Corp

o Screen lock after: 5 minutes or less: Check the box

o Passcode lock: Check the box

o Device is not compromised: Check the box

o Device must check in every 1 hour: Check the box

 3. Click Save Changes to complete the process.

Verification

4. What does the configuration of "device is not compromised" enforce?

A device that is not compromised is one that is not rooted or jailbroken.

5. What devices are subject to this security policy?

All Cisco Meraki Systems Manager enrolled devices are subject to the security policy created
and will be evaluated as either compliant or in violation.

Design a Containerization Strategy

Activity

1. Choose Systems Manager > Manage > Settings. Click Add profile in the top-right
corner to create a new profile.
2. Click Device profile (default) and click Continue.
 3. Name this profile Apple Containerization Profile.

4. Scroll down to the Targets section, look for the Scope field, and choose with ANY of
the following tags in the drop-down list.

In the Device tags field, choose the following two tags: iOS devices and Mac devices.

5. Scroll up to the top of the page and click Add settings in the upper-left part of the page
to open the configurable settings. Choose the Restrictions section.
 6. Scroll down to Apple restrictions. Under Device functionality, configure the following
options:

o Do not containerize work data and contacts from unmanaged apps: Uncheck
the box.

o Do not containerize personal data and contacts from managed apps:

Uncheck the box.

Unchecking these boxes allows containerization of sensitive data, such as files, documents, and
contacts, for both unmanaged and managed apps.

7. Scroll to the bottom of the page, and click Save to complete this profile.
In Android Enterprise BYOD deployments, Android devices that are enrolled with a work
profile will automatically create a work container upon enrollment.
Lab 21: Enforce End-to-End Security
Introduction

You will now configure policies for compliant and noncompliant devices. You will then
configure Cisco Meraki Systems Manager Sentry policies and secure wired ports with Systems
Manager Sentry security.

Topology

Visual Topology

Build the Network's Group Policies

Activity

1. Choose Network-wide > Configure > Group policies. When the Group policies window
opens, click Add a group.
2. Create a group policy with the following settings:

o Name: CorporateDevices

o Bandwidth: Use custom bandwidth limit—unlimited

o Firewall and traffic shaping: Custom network firewall & shaping rules

o Add a layer 7 firewall rule: Click this option

1. Policy: Deny

2. Application: Gaming

3. Drop-down list: All Gaming

3. Click Save Changes to complete the process.

4. Click Add a group and create another group policy using the following settings:

o Name: ContainedDevices

o Bandwidth: Use custom bandwidth limit, 500 kbps

o Firewall and traffic shaping: Custom network firewall & shaping rules

o Layer 3 firewall

1. Add a firewall rule: Click this option

2. Policy: Deny

3. Protocol: Any

4. Destination: 10.0.[10 + n].0/24

5. Comment: Corporate Resources

 5. Click Save Changes to complete the process.

Verification

6. What are the differences in network access for devices when they are these two group
policies?

The clients in the Corporate group policy have unlimited bandwidth as compared to clients in
the Contained group policy, in which clients are restricted to 500 kbps. Gaming traffic is
blocked or dropped for clients in the Corporate group policy (as per a Layer 7 firewall rule),
whereas clients in the Contained group policy do not have access to any of the internal VLANs
(as per a Layer 3 firewall rule).

Create the Cisco Meraki Systems Manager Sentry Policies

Now you will create a sentry policy. Sentry policies create mappings between group policies for
Cisco Meraki networking equipment and tags in Systems Manager. Sentry policies allow for a
form of dynamic policy configuration, without the need for a dedicated box in your network.

Activity

1. Choose Network-wide > Configure > Sentry policies. In the Systems Manager Sentry
policies window, click Add a new group policy MDM scope.
 2. Configure the Sentry policy scope using the following parameters:

o Under Systems Manager network, choose the Systems Manager network for
your lab.

Note

There should be only one option available in this lab setup for you to choose.

o Under Tag scope, choose With ANY of.

o Under Tags, scroll down to choose Corp - compliant devices.

o Under Policy, choose Corporate Devices.

3. Choose Add a new group policy MDM scope and configure this Sentry policy scope
with the following parameters:

o Under Systems Manager network, choose the Systems Manager network for
your lab.

Note

There should only be one option available in this lab setup for you to choose from.

o Under Tag scope, choose With ANY of.

o Under Tags, scroll down to choose Corp - violating devices.

 o Under Policy, choose Contained Devices.

4. Click Save Changes to complete the process.

Verification

5. What causes a device to be tagged with the Corp - violating devices tag?

A device is given this tag if it violates one of the parameters or requirements that are defined
in the Corporate Systems Manager security policy.

6. Are all devices always tagged as either Corporate - compliant devices or Corporate -
violating devices?

Yes, devices will always be in either the compliant or violating status for any of the defined
security policies.

Secure Wired Ports with Cisco Meraki Systems Manager Sentry Security

Activity

1. Choose Switch > Configure > Access policies. When the window opens, scroll down to
the bottom of the page and click Add an access policy.
 2. Create an access policy named SM Sentry Policy.

Choose Meraki authentication from the Authentication method drop-down list.

In the Systems Manager Sentry security drop-down list, choose Enabled: Allow devices with
following tag scopes access to network.

Finally, click Add Sentry network.

3. Configure the following parameters:

o Under Network name, choose the Systems Manager network for your lab
(make sure you click your network).

o Under Scope, choose With ANY of.

o Finally, choose the Corp - compliant devices tag.

4. Click Save Changes to complete the process.

5. Choose Switch > Monitor > Switch ports.

6. Check the boxes next to ports 19 through 22.

7. Scroll up and click Edit. Configure the following fields:

o Name: SM Sentry Secured

o Type: Access

o Access policy: SM Sentry Policy

o VLAN: 10
 8. Save your changes by clicking the Update button near the bottom.

Verification

9. Suppose that a device is enrolled but not by Cisco Meraki Systems Manager. What
happens when this device connects to one of the switch ports that the Sentry access
policy enforces?

Note

The Wired Sentry Enrollment feature is currently available only for MacOS devices.

In this scenario, the user will be prompted to enter credentials for authentication (using
Meraki authentication). If successful, it will lead to Systems Manager enrollment for the
device. If unsuccessful, the user will not have any access to the network.
Lab 22: Setup Motion Alerts
Introduction

You will configure schedules and motion alerts on Cisco Meraki MV cameras. You will also
configure recipients of these alerts.

Topology

Visual Topology

Configure the Alerting Parameters

Activity

Scenario

Your company split the building infrastructure team apart from the network team, and the
building infrastructure team has chosen to put the Cisco Meraki MV cameras into a separate
Cisco Meraki dashboard network.

1. On your computer, open another web browser window and log in to the Cisco Meraki
Cloud Dashboard at the URL that you can find in Job Aids. Use the Username and
Password that are provided in Job Aids.
2. Choose the Cameras network from the Network drop-down list on the top-left side of
the page.

3. You will see one or more cameras. Choose Camera 1.

4. Click the Settings tab and then click Motion Alerts.

 5. Under Alerting schedule, choose Scheduled.

6. Next, click Change schedules and then click New Schedule.

7. Enter Schedule1 in the Schedule name field, and using the sliders, choose different
time ranges for each day of the week that you would like motion alerts to be active.

Experiment with the sliders.

When you are finished, click Done.

 8. Click Close.

Note

You will not be able to save this schedule due to the level of permission that is granted to this
lab account for the shared Camera network. The previous instructions were included in this lab
as practice.

9. Use the slider and adjust the Minimum event duration for trigger to 2 seconds.
 10. Scroll down the page and click Enabled for the Areas of interest.

11. The video stream opens. Drag to select an area in the field of view for which you want
to trigger motion alerting.

Note

The analog clock simulates movement.

12. Click Cancel.

Note

You will not be able to save these Motion alert settings. The previous instructions were
included in this lab as practice.

Verification

13. What are some things you could change on your alerting parameters to decrease the
frequency of motion alert events?

The following are options to help decrease the frequency of motion alert events: increasing
the minimum event duration for the trigger, decreasing the motion sensitivity, and decreasing
the areas of interest.

Configure the Alerting Recipients

Activity
 1. From the Motion alert tab, click the general alerts settings page link at the bottom of
the page.

Note

Another way of accessing the same page using the main menu is to choose Network-wide >
CONFIGURE > Alerts and look for the Camera section.

2. Check the Custom recipients for motion alerts check box. Click Show additional
recipients to open a field where you can enter an email address.

Note

If this field has already been selected it will display as Hide additional recipients.

3. Enter any email address (you will not save this information) and press Enter.

Note

You will not be able to save these motion alert recipients. The previous instructions were
included in this lab as practice.

Verification
 4. In addition to the specific recipients that were configured, who else will receive the
configured camera alerts?

All network administrator accounts that have permissions for this network will receive camera
alerts.
Lab 23: Deploy Wireless Cameras
Introduction

Now you will configure wireless profiles to allow Cisco Meraki MV cameras to connect
wirelessly.

Topology

Visual Topology

Wireless Profile Setup

Activity

Scenario

Your company split the building infrastructure team apart from the network team, and the
building infrastructure team has chosen to put the Cisco Meraki MV cameras into a separate
Cisco Meraki dashboard network.

1. Choose the Cameras network from the Network drop-down list on the top-left side of
the page.
 2. Choose Camera 1.

3. Click the Settings tab, and click the Wireless profiles Tab.

4. Click the Manage wireless profiles here link to open a list of the preconfigured
wireless camera profiles.

In this area, you can also choose New Profile to build a profile by defining things such as the
security type, the name of the wireless SSID, and the pre-shared key. Click Next to close the
pop-up.

Note

You will not be building any wireless profiles due to the level of permission that is granted to
this lab account for the shared Camera network. The previous instructions were included in
this lab as practice.
 5. On the Wireless profiles tab, you would use the drop-down menus to choose primary,
secondary, and backup profiles for this camera.

The additional profiles (secondary and backup) provide resilience and failover actions if the
primary settings of the WLAN change and the cameras become inaccessible. Offline cameras
are very difficult to bring back online and often require physical access in hard-to-reach areas.
These additional profiles serve as backup methods for reestablishing access to the cameras to
push any changes to the primary wireless profile settings.

Note

You will not be changing any wireless profiles due to the level of permission that is granted to
this lab account for the shared Camera network. The previous instructions were included in
this lab as practice.
Wireless Connectivity

Once a camera has successfully connected to the WLAN, wireless settings such as the IP
address, the SSID to which it is currently connected, and the signal strength are displayed.

All wireless Cisco Meraki MV cameras must first be staged and configured on the wired LAN
before they can be deployed wirelessly. This step is mandatory and allows configurations
(including the wireless profile assignments) to be pushed to the camera before it can connect
to the WLAN.

6. Click the Network tab and view the area between the ADDRESS and the SERIAL
NUMBER.

The network information provided includes local (LAN) IP address of the camera, public IP
address that the camera is reachable at, gateway and DNS address, as well as a switch and port
number the camera is connected to.

Note

If you see a notification regarding “Poor connectivity to the Meraki cloud,” please ignore.

Lab 24: Manage Video Retention

Introduction

Now you will explore the quality and retention settings on the Cisco Meraki MV camera. You
will also examine how to share streams internally and externally outside your organization.

Topology

Visual Topology

Adjust the Camera Retention Policy

Activity

1. If you have navigated away from the page, choose the Cameras network from the
Network drop-down list. You will see one or more cameras. Choose Camera 1.
 2. Click the Settings tab and then click Quality and retention.

You will now examine various settings that affect the amount of video footage that can be
stored locally on the camera before stored video starts being overwritten.

Cisco Meraki MV cameras record video to a local onboard SSD. The combination of quality and
retention settings in the Cisco Meraki dashboard determines the number of days of footage
that the camera should be expected to retain.

You will view these settings, change them, and see how your changes affect the number of
days of retention.

3. Scroll down to the bottom of the page to see the number of days of retention when
the default settings are used for the camera's video retention policy.

Try adjusting these options and take note of how adjustments to the settings Motion-based
retention, Video resolution, or Video quality affect the number of days of estimated
retention.
Note

Do not try to save your settings. You cannot, because you have read-only access to the shared
cameras.

Verification

4. What is the proper combination of settings to allow the highest number of days of
retention?

To maximize retention, the following should be configured: a recording schedule should be set,
motion-based retention should be enabled, video resolution should be set to 720p, and video
quality should be set to standard.

5. What is the proper combination to provide the best video recording quality?
To obtain the highest quality of video recording possible, video resolution should be set to
1080p and the video quality should be set to enhanced.

Examine Various Camera Settings

Activity

1. From the Cameras page, click the Video tab.

2. Click the Share button. The following options appear:

o Share link internally: This option will only work for Cisco Meraki dashboard
users who have the necessary privileges for the linked camera.

o Share stream externally: A form appears requesting emails and names of the
recipients to whom you would like to grant access to this video stream.

1. This option is used to provide quick and easy access to video without
needing to provision a Cisco Meraki dashboard account.

2. Video links that are generated using this option will expire after 24
hours.

3. All video streams that are initiated using this method will always use
the cloud proxy.

4. Once shared, an email will be sent to the recipient containing a link to

view the live streams that have been shared.

5. You can also view any existing stream shares.

Note

Do not try to save your settings. You cannot, because you have read-only access to the shared
cameras.
Lab 25: Demonstration Video: Enable Alerts
Introduction

Now you will configure Cisco Meraki dashboard alerts and webhooks.

Topology

Visual Topology

Configure Dashboard Email Alerts

Activity
1. Open a web browser and log in to the Cisco Meraki Cloud Dashboard at the URL
https://dashboard.meraki.com. Use the username and password that are provided in
the Job Aids.

2. You will automatically be dropped into the Camera network. In the top-left corner of
the page, click the down arrow next to Cameras, and choose your LABn network from
the Network drop-down list.

3. Choose Network-wide > Configure > Alerts.

 4. In the Default recipients field, enter an email address to which you have access and
press Enter.

Note

In the United States, most major mobile carriers allow you to send emails to an SMS phone
number (click here to see the list of phone number conversions by carrier). You may choose to
take advantage of this feature to send Cisco Meraki dashboard alerts directly to your mobile
device as a text.

5. In the Network-wide section, check the Configuration settings are changed check box.

6. In the Wireless section, check the A gateway goes offline for check box and change
the time to 5 minutes.
 7. Save your changes to complete the process.

Verification

8. How long did you have to wait before you received an email alert? How many did you
receive?

Configure Webhook Alerts

Note

To be able to perform this task, you need to use your Google account. If you already have such
an account, you can continue to the first step. If you do not have your Google account yet, you
will need to create one now. Visit the https://accounts.google.com, click Create account, and
follow the instructions to create your new account

Activity

1. Open a new web page and log in to your Google account at

https://accounts.google.com. Next, navigate to https://docs.google.com/spreadsheets
and click the Plus (+) icon to start a new blank worksheet.

2. Near the top, change the title of the spreadsheet from Untitled Spreadsheet to
Webhooks.
 3. Choose Extensions > Apps Script. A new browser tab should open with the name
Untitled project with the Code.gs tab in the center.

Note

If you get an error, make sure you are signed in with your Google account.

4. Close any pop-up windows that may open (typically you get the Editor Opt-out Survey,
or Try the brand new Apps Script editor).

Note

If you end up in the New Editor, simply click the Use classic editor button at the upper right
side.
5. Clear all the text that you see in the Code.gs area (select it with your mouse and press
Backspace or Delete on your keyboard).

6. Next, you will use an existing Cisco Meraki script to import the JSON data in the API-
based alert into the Google Sheet. Open the following script in a separate browser tab
or window: http://cs.co/webhooks_lab. Using your mouse, select everything from line
1 down to line 153. Copy and paste the text in the Untitled project, Code.gs area that
you cleared previously. (Here, you see just the first 21 lines for brevity.)
 7. From the menu at the top of the window, choose Publish > Deploy as web app.

8. If prompted, give it the project name Webhooks and click OK. If not prompted to Edit
Project Name, continue to the next step.

9. Verify the following:

o Execute the app as: Me (your email address)

o Who has access to the app: Anyone, even anonymous

Click Deploy to proceed.

Note

If asked for authorization and permissions to access your data on Google, choose Review
Permissions, choose your Google account, click Allow.
 10. If successful, you should see a confirmation that the project has been deployed as a
web app and be given a web app URL. Select and copy this web app URL address. You
will be using it next. Click OK to close the page.

Note

If you fail to copy the URL, just simply repeat the Publish > Deploy as web app… and it will
display the URL.

11. Navigate back to the Cisco Meraki dashboard. Choose Network-wide > Configure >
Alerts.
 12. In the Webhooks section, under HTTP receivers, click Add an HTTPS receivers.

13. Configure the following parameters:

o Name: Google Sheet.

o URL: Enter the web app URL address that you copied previously.

o Shared secret: Leave blank.

o Payload template: Confirm set to Meraki (included)

Click the Send test webhook button.

You should see the message enqued, then delivered.

Note
In the Webhooks Google Sheet that you created, you should now see a new workbook tab on
the bottom. Review the data provided which may display any triggered alerts.

14. Navigate to the top of the Alerts page and add another default recipient address:
Webhook: Google Sheet.

Note

This recipient should auto-populate in the field.

15. Click Save to complete the process.

Lab 26: Add Monitoring and Reporting
Introduction

You will now configure a syslog server and an SNMP server.

Topology

Visual Topology

Add a Syslog Server to the Cisco Meraki Dashboard

Activity

1. Choose Network-wide > Configure > General. In the Reporting section, under Syslog
servers, click Add a syslog server.
 2. Configure the following parameters:

o Server IP: 192.168.0.2

o Port: 514

o Roles: Choose one, for example, Security Events

Multiple syslog servers can be configured.

Note

You will not be connecting to an actual syslog server here (the IP address and port you used
were for a placeholder syslog server). The previous instructions were included as practice.

3. Save your changes to complete the process.

Configure SNMP for Local Network Polling

Activity

1. If you’re not already in the menu, choose Network-wide > Configure > General.
 2. This time, in the Reporting section, under SNMP access, choose V1/V2c (community
string) from the SNMP access drop-down list. In the SNMP community string field,
define a string of your choice.

Note

Most network vendors ship their equipment with a default password of “public,” which is
common for the default public community string. This approach is not the best security
practice and should be changed to something else. It is a common best practice for network
administrators to quickly change the community string to preserve network security.

3. You may also choose V3 (username/passwords) from the SNMP access drop-down
list.

If using SNMP version 3, you must then choose Add an SNMP user and define the needed
Username and Passphrase credentials.

Note

SNMP version 3 adds the ability to encrypt the communication between the manager (network
management system) and the agent (Cisco Meraki device).
4. Click Save Changes to complete the process.
Lab 27: Generate and Analyze Summary
Reports
Introduction

You will configure Cisco Meraki summary reports.

Topology

Visual Topology

Generate and Analyze Summary Reports

Activity

1. Open a web browser and log in to the Cisco Meraki cloud dashboard.
2. In the top-left corner of the page, choose your LABn dashboard network from the
Network drop-down list.

3. Choose Organization > MONITOR > Summary Report.

 4. Examine the Summary Report layout. Click from the last day to change the Timeframe
options. Notice the options:

o Past Day: This option shows the last one day.

o Past Week: This option shows the last seven days.

o Past Month: This option shows the last 30 days.

o Custom range: Use this option to set a time range.

Note

As you click the options in this step or the following steps, the report page will dynamically
change. There is no button to click to run the report.
 5. Click Past Month from the options. (You will need to click behind the pop-up to close
it.)

Review the report page.

6. Now, click the Network(s) drop-down list to choose the network on which to run the
report. Your options include the following:

o A single network: Choose one of the available networks. When clicking this
option, the networks that appear will be split up based on product family
(security appliance, switch, or wireless APs) even though they may originally
have belonged to a combined network.

o Networks with a tag: Choose networks using tags. When clicking this option,
you will be using network tags (choose Organization > MONITOR > Overview
under the Networks tab) to choose multiple networks at a time.

o Entire organization: Choose the entire organization. When clicking this option,
the summary report will be generated using data from all networks in the
organization.
 7. Click Entire organization. (You will need to click behind the pop-up to close it.)

Review the report page.

8. Click the Customize report drop-down list to choose the items you want to include in
the report.

Check the boxes that you want to include and uncheck the boxes for the items you do not
want. (You will need to click behind the pop-up to close it.)

Review the report page.

 9. You can click Export to Excel, which simply exports the report in Excel format.

You can choose to email the report, and you can configure a schedule to run and email the
report.
Verification

10. Generate a summary report for the following:

o Date range: Past Week

o Network(s): Entire organization

Answer this question using the data: Which switch had the most power usage?

The answer will vary, but the report that you generated should reveal the answer in this area:
 11. Next, generate a summary report for the following:

o Date range: Past Week

o Network(s): Entire organization

Answer the following question using the data: Which clients had the most usage?

The answer will vary, but the report that you generated should reveal the answer in this area:

12. Finally, generate a summary report for the following:

o Date range: Past Week

o Network(s): Entire organization

Answer the following question using the data: Which applications had the most usage?

The answer will vary, but the report that you generated should reveal the answer in this area:
Lab 28: Manage Firmware
Introduction

Now you will learn about managing firmware in the Cisco Meraki dashboard.

Topology

Visual Topology

Review the Available Firmware Upgrades Information

Activity

1. Open a web browser and log in to the Cisco Meraki cloud dashboard.
2. In the top-left corner of the page, choose your LABn dashboard network from the
Network drop-down list.

3. Choose Organization > MONITOR > Firmware upgrades. Click the Overview tab.
Overview Tab

Take note of the information that is available on this page:

 Most recent changes: This area lists any recent firmware changes that organization
administrators made and provides the ability for rollbacks (if available).

 Scheduled changes: This area shows any upcoming or pending firmware changes that
organization administrators have scheduled.

 Latest firmware versions: This area shows the latest Stable, Stable release candidate,
and Beta firmware versions across the Cisco Meraki product families. You also have
the visibility and option to choose Release notes for each release.
If rollback is available, you will see a counter-rotated circle:

 Rollback is only available for Stable firmware upgrades if the upgrade took place
within the past 14 days.

 Rollback is also available if you are attempting to roll back to a stable firmware release
after upgrading to release candidate or beta (the rollback will always be available to
revert to a Stable firmware version).

4. Choose the Release notes to view specific information: new features, bug fixes, known
issues, and other caveats. (Click the gray x or click behind the pop-up to close.)

5. Switch between the Stable, Stable release candidate, and Beta subtabs to view the
options.

Note
There might not always be a release candidate or beta version available for all product
families.

6. Click the Scheduled Changes tab. This tab shows any pending firmware upgrades that
have been scheduled and their relevant details. You can reschedule or cancel any
scheduled upgrades.

You can filter based on the DEVICE TYPE and TARGET VERSION.

7. Click the All networks tab. Take note of the information and the various filters that are
available on this page:

o NETWORK NAME: A search field where you can define a string to search for
network names that match.

o DEVICE TYPE: A drop-down list that allows you to search by product family.

o CURRENT VERSION: A drop-down list that allows you to filter by specific

firmware version releases.
 o STATUS: A drop-down list enables network filtering by the status of currently
installed firmware as compared to available firmware versions.

The current version and firmware status filters are typically the most useful and relevant for
taking inventory of any networks that may be behind on firmware upgrades.

8. Next, you will go through the motions of scheduling an upgrade. Choose one of the
check boxes next to a device showing Upgrade available in the Availability column.
Then click Schedule upgrades.

Note

You will not complete this scheduled upgrade in the last step. Instead, you will cancel.

9. Pay attention to the details of the upgrade. Click Next.

 10. You can choose Minimize upgrade time or Minimize client downtime. In this case, you
will choose Minimize upgrade time. Click Next.

11. Click Perform the upgrade now.

Note

Note that you could choose to schedule the upgrade for another time.

Click Next.
 12. Review the Change summary. Do not continue, and do not click Schedule change for 1
network.

Instead, click the gray x in the top-right corner to exit.

Verification

Evaluate the organization and answer the following questions:

13. When was the last upgrade scheduled to take place? What was performed?

The answer will vary but can be found in this area (this area will show only the last 30 days):

14. Are there any scheduled upgrades?

The answer will vary but can be found in this area:

 15. What is the current or latest stable device firmware versions?

The answer will vary but can be found in this area:

Lab 29: Generate a PCI Compliance Report
Introduction

You will learn how to generate a PCI compliance report in the Cisco Meraki dashboard.

Topology

Visual Topology

Compose the Report Scope and Generate a PCI Report

Activity

1. Open a web browser and log in to the Cisco Meraki cloud dashboard.
2. In the top-left corner of the page, choose your LABn dashboard network from the
Network drop-down list.

3. Choose Wireless > MONITOR > PCI report.

 4. Near the top, confirm that the report will be generated for the LABn - wireless
network, and that n is your pod number (in this case n was 1). Click the Run scan
button.

5. Choose 3.0 from the Version drop-down list. Leave the CDE subnets field empty. Check
the box for the Guest SSID. (PCI DSS version 3 was released in November 2013.)

Note

o You would typically enter all the subnets that are part of your company's
cardholder data environment (CDE).

o You would typically check the boxes for all the SSIDs that are part of your
company's CDE.
 6. Scroll down the page and next to the heading The following list of Cisco Meraki
dashboard Administrators is current and accurate check the Confirm check box.

Note

When running a real report, be sure to review the list of Cisco Meraki dashboard
administrators and understand the importance of self-auditing the list.

Under the list, there are several options. Check the check box for the following options:

o Access for terminated users is immediately revoked.

o Vendor accounts are only active when needed.

o Wireless access points are physically secured.

Click Run the report.

Verification

Evaluate the generated report and answer the following questions:

7. Requirement 2.1.1 specifies that all wireless vendor defaults (such as encryption keys,
passwords, SNMP community strings) must be changed.

Your PCI report shows a pass for this requirement. Why?

By clicking Pass, you will see the following: "Cisco Meraki does not ship with default vendor
keys that need to be changed. Cisco Meraki hardware is configurable through an SSL-
encrypted connection, accessible only by authenticated users."

8. Requirement 8.1.4 specifies that all inactive user accounts (90+ days) must be
removed or disabled.

Your PCI report shows a fail for this requirement. What does the Cisco Meraki dashboard
advise you to do to comply with this requirement?

By clicking Fail, you will see a recommendation that any account that has been inactive for
more than 90 days is removed or disabled. (Choose Network-wide > Administration and
Organization > Administrators.)

9. Requirement 8.1.6 requires that repeated failed attempts (six or more) result in the
account ID being locked.

Your PCI report shows a fail for this requirement. What does the Cisco Meraki dashboard
advise you to do to comply with this requirement?
By clicking Fail, you will see a recommendation that you enable account lockout in
Organization > Settings to meet this requirement.
Lab 30: Troubleshoot an Offline Device
Introduction

You will simulate a problem reported from a user and troubleshoot the problem.

Scenario

You have received the following email:

Investigate the issue, find the root cause, and restore the AP connectivity to the Cisco Meraki
cloud.

Topology
Visual Topology

Troubleshoot, Remediate, and Verify Root Cause 1—Inaccurate Port Schedule

Activity

1. On your computer, open another web browser window and log in to the Cisco Meraki
Cloud Dashboard at the URL that you can find in Job Aids. Use the Username and
Password that are provided in Job Aids.

2. You will automatically be dropped into the Camera network. In the top-left corner of
the page, click the down arrow next to Cameras, and choose your LABn network from
the Network drop-down list.
You will begin troubleshooting with the assumption that Layer 1 is operational (the AP is still
physically cabled to the correct switch port and powered on).

You decide to first check whether the switch port to which the AP is connected, operational,
and Configured with the correct settings.

3. Choose Switch > Monitor > Switch ports and click details, which is located beside port
2 (where the AP is plugged in). All switchports connected to an AP should be operating
with an applied Business Hours Port schedule.

Look closely at the Configuration section. Do you notice anything suspicious?

If you look closely, you will notice something strange. The port is Disabled and although you
know your company uses Port schedules as a policy, a Port schedule is no longer applied.

This fact that the port transitioned to a Disabled state, should alert you to check the Port. You
find that a new administrator deployed this Port configuration, and you note that it was
applied incorrectly.

4. To enable the Port, next to configuration, click the pen icon.

5. For Port Schedule, click Enable and under Port schedule, choose Business Hours. Click
Update.
6. Take a closer look at the schedule itself to see how it is defined. Choose Switch >
Configure > Port schedules and click the Business Hours schedule. Do you notice
anything suspicious?
The slider area very clearly shows the times of the days where the port is active (shown in
green) and when it is inactive (shown in gray). It appears that the AP is disabled from 9 to 5 on
weekdays, and that the administrator who performed this configuration made a second
mistake. This mistake can easily be corrected by using the sliders or by reversing the active and
inactive by changing the Status drop-down menu from disabled to enabled for the days
Monday through Friday. Make sure to save the changes.

7. Another verification can be performed before exiting this page. At the top of the Port
schedules page, note the local time zone. Is it the same time zone as the AP and the
times that are Configured on this schedule?

In this case, the time zone is the same, so all is well.

It is possible that the local time zone does not match that of the AP for which the schedule was
built. This issue sometimes happens when administrators attempt to consolidate all devices
(switches, APs) into a single combined network and overlook their local time zones. The fix for
this problem is to split the network into as many local time zones as needed for schedules to
be properly activated.

The AP, may not come online. There is another reason for the AP of your lab pod still not being
online, maybe you are performing this lab exercise several time zones away from the time
zone that the switch is set to. The Business Hours port schedule is specified for the time zone
the switch is located in. The 8:00-17:00 local switch time schedule may fall outside your time
zone. The port would be inactive and the AP not connected. To get your AP back online in your
lab pod, you can either set the Port schedule to Unscheduled or calculate and update the
Business Hours schedule against your local time zone.

Note

Example: You perform the lab exercise at 10:00 in the morning in the CET time zone, which is 9
hours ahead of the PST time zone (this is the time zone your lab pod switch is set to). Port
schedule is set 8:00-17:00 PST, which is 17:00-2:00 CET. The result is that the switch port is
inactive. If you change the port schedule to 00:00-9:00, for example, your current time will fall
into the Business Hours schedule and the port will become active. It may be easier, if you are
having trouble with the Port schedule, to simply disable it for the remainder of this lab.

Troubleshoot, Remediate, and Verify Root Cause 2—Unintended or Inaccurate MAC Allow
List

Apparently, the problem is still not resolved, which means something else must be wrong.

Activity

You will begin troubleshooting with the assumption that Layer 1 is operational (the AP has
already been confirmed as physically connected and powered on).

Similar to the previous situation, begin troubleshooting at the switch port where the AP is
connected.

1. Choose Switch > Monitor > Switch ports and click details, which is located beside port
2 (where the AP is plugged in).

Look closely at the Configuration section. Do you notice anything suspicious? How about the
Access policy?
Although a switch port that is Configured for access is common, you should notice that this
port has an access policy applied. It is using a MAC Allow list.
2. Next to Configuration, click the Pencil icon to investigate.
The allow listed MACs entry does not match your AP.

3. If you choose Open in the Access policy drop-down list, you will remove the Access
policy altogether.

Click Update to save changes.

Note

This method is just one of the ways that you can fix the issue that you encountered.

4. If you intend to use a MAC allow list, then you need the correct MAC address of the AP
to be added. Where can you obtain the MAC address of your AP?

Choose Wireless > Monitor > Access points and look at your AP.

The MAC address of the AP is shown on the page. By default, Cisco Meraki devices will show
their MAC address as their Name unless it has been changed.

Note
Most administrators rename the MAC to something more identifiable.

If you still want to use a permitted list, do the following: Copy the MAC address, return to the
configuration, turn on the Allow list filter, and enter the correct switch port MAC address in
the Allow listed MACs field, and click Update to complete the MAC Allow list access policy for
this port.

5. Hopefully, the problem is now resolved. How would you check the AP status?

Choose Wireless > Monitor > Access points.

Look at your AP. You should see that your AP is green, and connectivity is good.

The dashboard may take a few moments to update the AP to online. Another test you can
issue is to ping the device itself. Click on the AP select Tools and click the Ping AP button. If you
see connectivity you can verify the AP is online.
Lab 31: Demonstration Video: Troubleshoot
Content Filtering
Introduction

You will simulate a problem reported from a user and troubleshoot the problem.

Scenario

You have received the following email:

Investigate the issue, find the root causes, and ensure that the network is configured to
support the company's general Internet usage policy.

Topology
Visual Topology

Troubleshoot, Remediate, and Verify Root Cause 1—Group Policy Override

Activity

You will begin troubleshooting by verifying that Content filtering is Configured to block the
gambling category.

1. Choose Security & SD-WAN > Configure > Content filtering. Has the gambling category
been properly added?
It seems that Gambling is blocked correctly.

You have verified that gambling sites appear to be blocked and that the block is Configured
correctly. So how are clients able to contact gambling sites? They must be bypassing this filter.

2. To verify that all clients are subject to this policy, choose Network-wide > Monitor >
Clients.

To make sure that you see the Policy column, click the wrench icon on the right. From the
drop-down list, check the Policy check box if it is not already checked, to add this column to
the table.

Note

You may not see any clients here. The previous instructions were included as practice. The
following screenshot shows where you would typically enable this column and be able to look
at the applied group policies (if any) for the network clients:

You will assume that all clients that need to belong to group policies have been properly
Configured.

3. Take a closer look at the policies by choosing Network-wide > Configure > Group
policies. Choose the No Auctions policy.

Does everything look correct?

Scroll down to the Security appliance only section, where you will find that Blocked website
categories is set to Override. Because of this setting, any clients that are bound to this group
policy will override any content filtering policies that the Cisco Meraki MX security appliance is
enforcing globally.

4. Because the Auctions category is the only category that is selected here, only auction
websites will be blocked. What happens if you change the Blocked website categories
settings?
Change the drop-down list from Override to Append.

By making this change, auction sites will be blocked in addition to any other categories that
have been Configured globally.

5. Click Save Changes to complete the process.

Troubleshoot, Remediate, and Verify Root Cause 2—Unintended Allow List

Apparently, the problem is still not resolved, which means something else is wrong.

Activity

As you did previously, begin your troubleshooting by verifying that content filtering is
Configured to block the gambling category.

1. Choose Security & SD-WAN > Configure > Content filtering. Has content filtering been
properly Configured to block gambling sites?
Again, it seems that Gambling is blocked correctly.

Once you have verified that gambling sites should be blocked, you should also double-check
the URL filtering section of the page. The Blocked URL list patterns and Allow URL list patterns
have an impact on content filtering.

2. Upon further investigation, you might notice that www.gambling.com has been added
to the permitted list. This action is likely unintended or a mistake that another
administrator made (perhaps they intended to add it to the Blocked URL list area
instead).

How can you remediate this issue? Remove the URL from the Allow URL list or move it to the
Blocked URL list section.

After verifying the original intention of the administrator who made this configuration, you can
either directly remove the URL from the Allow URL list or move it to the Block URL list. The
important thing to note is that the Blocked URL list patterns add to the blocked categories that
are defined on this page, while the Allow URL list patterns define websites that are exempt,
regardless of the categories that are defined near the top of the page.

For this lab exercise you will simply remove this entry from the Allow URL list. Remove this
now.

3. Save changes to complete the process.

Lab 32: Troubleshoot Remote Site
Connectivity
Introduction

You will simulate a problem report from a user and troubleshoot the problem.

Scenario

You have received the following email:

Investigate the issue, find the root cause, and ensure that remote site users can reach internal
resources located at headquarters (your lab station).

Topology
Visual Topology

Troubleshoot, Remediate, and Verify Root Cause 1—Broken Route and Blackholed Traffic

Activity

You will begin troubleshooting by assuming that you have already verified the VPN settings at
the remote sites and confirmed that they are all Configured correctly and not the root cause.

You know that your Cisco Meraki MS switch is the device that performs core routing in your
network. Start by verifying the Layer 3 SVI configurations.

1. Choose Switch > Configure > Routing & DHCP. Is everything Configured correctly?
Everything seems normal.

After verifying that the SVI configurations are correct (no typos or errors), think about where
else routing is Configured in your network. What about the Cisco Meraki MX security
appliance? The device that is terminating the VPN tunnel should have static routing in place to
point to your LAN subnets.

2. Choose Security & SD-WAN > Monitor > Route table and verify that you are viewing
the new version of the page, which you can determine by looking at the top right of
the page.

If you see a link for View new version, click it.

In the Type drop-down list, apply a filter for Static Route. Pay attention to the status icon.
What color is the icon? What do you think you should do?

This route has a red (bad or down) status, which indicates that something is wrong. This status
is a hint for you to investigate further.

Note

If the route does not appear red (a down status) immediately, give it a couple of minutes and
try refreshing your browser window.

3. Choose Security & SD-WAN > Configure > Addressing & VLANs and investigate the
Static routes table.

Choose the Local Corp Subnets route to take a closer look at the configuration. Does anything
appear unusual?
You should notice that the Next hop IP address field is misConfigured with an address that is
invalid (nonexistent) on the network (.253). It is a simple fix to change the address back to the
proper gateway of 10.0.[100 + n].254. An invalid next hop causes traffic to be blackholed and
lost.

You should also notice that the Active setting is set to While host responds to ping with an
invalid (nonexistent) address on the network (10.0.[10 + n].253). The way this has been
Configured with a nonresponsive host will also result in traffic being blackholed and lost.

4. You have two options for solving this problem.

You can use a correct (active) host that will respond to pings or you can change the active
condition to While next hop responds to ping or Always.

Fix the issues. After all the issues have been resolved, Update and Save your fixes.
5. Return to Security & SD-WAN > Monitor > Route table and check on the status of this
static route again. What is the status of the static route?
The static route is green (good). Routing to this network between the Cisco Meraki MX security
appliance and the Cisco Meraki MS switch should now be resolved.

Is everything resolved now? Because the file server is located at headquarters, an active and
properly Configured VPN topology must be in place.

6. Choose Security & SD-WAN > Monitor > VPN status to take a closer look at the status
of the Cisco Meraki MX security appliance.

What is the status of the VPN registry? What about the other key components that are listed
under the VPN status, such as NAT type and the encryption status of the Auto VPN tunnels?
The VPN registry shows Connected and the security appliance is correctly using UDP port 9350
to reach Cisco Meraki cloud VPN registries. It also shows the NAT type as Friendly, which
indicates that there are not any devices upstream that are disturbing proper routing to the
Internet. Finally, the encryption status shows that the Auto VPN tunnels out of this Cisco
Meraki MX appliance are being properly Encrypted.

7. After confirming that the Cisco Meraki MX appliance does not have any VPN
registration or connectivity issues, navigate to Security & SD-WAN > Configure > Site-
to-site VPN to take a closer look at the local networks that are being advertised.

Do you notice anything wrong? Maybe Local LAN Subnets needs your attention.
The Local Corp Subnets route and network is not currently active and participating across the
VPN tunnels that are being built.

8. Navigate to Security & SD-WAN > Configure > Addressing & VLANs.

Choose the Local Corp Subnets route to take a closer look at the configuration. Does anything
look unusual? How about the option VPN mode?
The VPN mode is set to Disabled! This mistake is easy to make because this option appears in
multiple locations in the Cisco Meraki dashboard (here, on the Site-to-site VPN page, and on
the Addressing & VLANs page) and could be modified from different pages. Choose Enabled
for VPN mode.

Click Update and Save your changes.

9. Navigate to Security & SD-WAN > Configure > Site-to-site VPN to take a closer look at
the local networks that are advertised. Is everything fixed now?
The Local Corp Subnets route is now Configured correctly.