Cisco Meraki
Last updated: 8 March 2019

Lab Solutions Manual #2
Engineering Cisco Meraki Solutions

Table of Contents

Overview
Lab 2 — Enabling Features and Optimizing Network
  Exercise A — Setting up Security Policies on the MX
  Exercise B — Auto VPN and Redundancy
    VPN Configuration Verification
  Exercise C — Securing and Shaping Guest Wireless Access
  Exercise D — Enable and Configure Routing on the Switch
    Routing Configuration Verification
  Exercise E — Configuring SD-WAN (Software-Defined WAN)
    SD-WAN Configuration Verification
  Exercise F — Adjusting Camera Quality and Retention
  Exercise G — Building a Video Wall

Overview

This document guides you through the ECMS1 lab and provides detailed solutions to its exercises. To maximize learning opportunities, you should do your best to complete each exercise on your own before reading the corresponding solution found in this document.

Important: All examples and information (such as IP addresses and subnets) used in this guide are performed using lab station #1 as the source — your lab station will likely have slightly different values.

Lab 2 — Enabling Features and Optimizing Network

The following are detailed instructions and solutions on how to correctly complete the exercises found in Lab Manual 2.

Exercise A — Setting up Security Policies on the MX

1. From the navigation bar, select Security & SD-WAN and then click on Firewall. Click Add a layer 7 firewall rule and select Peer-to-peer (P2P) in the Application column, followed by BitTorrent in the next drop-down.

2. From the navigation bar, select Security & SD-WAN and then click on SD-WAN & traffic shaping. Under Global bandwidth limits, set the limit on the page to 5 Mbps.

3. Under Traffic shaping rules, click on Add a new shaping rule and then the Add+ button to open up a scrolling list.
Select Video & music from the list, followed by clicking on Netflix and also Pandora from the list on the right. For the Bandwidth limit, select Choose a limit from the drop-down menu followed by clicking on the word details — this will open up the down and up (Kb/s) limits, where you can enter 1000 and 500. Finish the configuration by selecting Low in the Priority field.

4. Click Add a new shaping rule followed by the Add+ button to begin creating a second rule — this time select VoIP & video conferencing from the list, followed by All VoIP & video conferencing. Select High in the Priority field for this rule.

5. Click on Content filtering and, under Blocked website categories, select Adult and Pornography.

6. From the navigation bar, select Security & SD-WAN and then click on Threat protection. Turn on Advanced Malware Protection (AMP) by setting its Mode to Enabled, followed by putting the appliance in Prevention mode under Intrusion detection and prevention while using the Balanced ruleset.

Exercise B — Auto VPN and Redundancy

1.
From the navigation bar, select Security & SD-WAN and then click on Site-to-site VPN. Select the Spoke option for this appliance.

2. Under Hubs, add the NY Data Center and the SF Data Center as hubs.

3. Once both hubs have been added, use the arrow to drag-and-drop such that the NY Data Center appears at the top, meaning that it is prioritized ahead of the SF Data Center.

4. For both the Corp and Voice local networks, change the Use VPN menu to yes.

VPN Configuration Verification

From the navigation bar, select Security & SD-WAN and then click on Appliance status. On the Tools tab, enter the IP addresses that you would like to ping and click Ping.

Exercise C — Securing and Shaping Guest Wireless Access

1. From the navigation bar, select Wireless and then click on Firewall & traffic shaping. Select Guest from the SSID drop-down menu.

2. In the Layer 3 firewall rules table, change the Policy to Deny for the default rule that defines traffic destined for the Local LAN (the "Wireless clients accessing LAN" rule).

3. To begin adding rules, start by clicking Add a layer 7 firewall rule.
Proceed to add and select Peer-to-peer (P2P), File sharing, and Gaming under the Application column and choose to block all types (second column to the right).

4. Adjust the Per-client bandwidth limit to 1 Mbps while leaving the Per-SSID bandwidth limit at unlimited.

Exercise D — Enable and Configure Routing on the Switch

A. From the navigation bar, select Switch and then click on Routing & DHCP. Click on the CREATE INTERFACE button (the page reads "You don't have any interfaces or static routes configured" until you do). Use the various fields (interface, DHCP settings and OSPF settings) to create the three interfaces using the information defined in the lab guide; when you have finished configuring one interface, click the Save and add another button at the bottom of the page.

B. From the navigation bar, select Security & SD-WAN and then click on Addressing & VLANs. Click on Add Static Route under your Routes tab. Configure this route with a name of Route to Legacy and fill in the Subnet, Next hop, Active, and In VPN fields with the right values before clicking the Update button.

C. From the navigation bar, select Switch and then click on Switch ports. Check the box for port 24 and click on the Edit button near the top of the page. Change the Type to Access, configure it in VLAN [600+n] and click Update 1 port.

D.
From the navigation bar, select Switch and then click on OSPF routing. Change the OSPF drop-down menu to Enabled. Under Interfaces, check the boxes for the Legacy and OSPF interfaces and click Edit. Make sure the Area has a default of 0: Backbone, a Cost of 1, and Not Passive before clicking Update 2 interfaces.

Check the box for the default route and click Edit. Click Yes to prefer static routes over OSPF routes and click Update 1 static route. You should now see the priority shown as Overrides OSPF route.

Routing Configuration Verification

A. Select port 24 of your switch and look to make sure that it appears green with the proper configurations.

B. Scroll down to the bottom of the page and look for 10.0.250.1 in the OSPF neighbors table.

C. Click on the Tools tab, select the Legacy Source interface (10.0.[150+n].1) and enter 10.0.250.1 to start a Ping.

D. Disable the port by changing the Enabled field to disabled and then click Update 1 port. Perform the same ping as before: click on the Tools tab, select the Legacy Source interface (10.0.[150+n].1) and enter 10.0.250.1 to start a Ping.

E. Answer. Because we disabled switch port 24, the traffic destined for our data center switch (10.0.250.1) will no longer be able to use the original "MPLS" route (private network). Instead, the traffic will now utilize the routes and neighbors identified through OSPF routing — this can be observed in the switch's routing table. This is why the series of pings initiated after the original path was disrupted (switch port 24 disabled) still succeeds: we still have an alternate routable path available through the network.

Exercise E — Configuring SD-WAN (Software-Defined WAN)

1. From the navigation bar, select Security & SD-WAN and then click on SD-WAN & traffic shaping. The Uplink configuration for WAN 1 and WAN 2 is shown at the top of the page.

2. Under Uplink selection, Global preferences, turn on Load balancing by selecting the Enabled button. (Enabled: traffic will be spread across both uplinks in the proportions specified above; management traffic to the Meraki cloud will use the primary uplink. Disabled: all Internet traffic will use the primary uplink unless overridden by an uplink preference or if the primary uplink fails.)

3. Under Flow preferences, look for Internet traffic and click on Add a preference. Configure this preference by selecting Any under the Protocol column, entering 10.0.[100+n].0/24 (which is the guest subnet VLAN) under the Source column, Any under the Destination column, and finally selecting WAN 2 as the Preferred uplink.

4. Under SD-WAN policies, look for Custom performance classes and click on Create a new custom performance class...
Configure this performance class by naming it Acceptable Delay and entering 200 as the Maximum latency (ms), then click the Save button.

5. Under SD-WAN policies, look for VPN traffic and click on Add a preference. Click on the Add + button and define this Custom expression by selecting Any for the Protocol, Any for the Source (leave Any as the Src port), entering 8.8.8.8/32 as the Destination (leave Any as the Dst port) and then clicking the Add expression button.

SD-WAN Configuration Verification

A. Navigate to your switch, select 10.0.[10+n].201 as your Source and click Ping towards 8.8.8.8 (let this ping run for 15+ seconds).

B. From the navigation bar, select Security & SD-WAN and then click on VPN status. Scroll down to the Uplink decisions table and you should be able to see the ping traffic (ICMP packets towards 8.8.8.8 as the Destination) with WAN 2 used as the corresponding interface in the Uplink decisions column.

C. In the Uplink decisions table, click on WAN 2 of one of the rows containing an entry for traffic destined for 8.8.8.8. You should then be taken to a page that shows the Latency, Jitter, Loss, and MOS data for this particular traffic flow outbound from your security appliance — you can hover your cursor over the results to see more metrics.

Exercise F — Adjusting Camera Quality and Retention

1. From the navigation bar, select Cameras and then click on Cameras. In the table, click on the MAC address to see more details of your camera. Click on the Settings tab.

2.
Click on the subtab named Quality and Retention. You can now adjust the various options, which have different effects on the total number of days of ESTIMATED RETENTION shown near the bottom of the page — some options will increase the number of days, while others will decrease it (try enabling or disabling these options to see their effect on the ESTIMATED RETENTION).

Exercise G — Building a Video Wall

1. From the navigation bar, select Cameras and then click on Video walls, followed by the New layout button.

2. Give the layout a name. The layout is initially empty; click the tiles below it to add camera streams to your layout.

3. Click on the Save layouts icon when finished.

*** End of Lab 2 ***

(We will be reviewing Section 2 before moving on to Section 3. You may now take a break but do not move on until Lab Manual #3 has been distributed. It is especially important to wait for further instructions as Lab 3 requires instructor setup. Do NOT skip ahead.)
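Added example (not part of the Meraki lab manual and not Meraki's implementation) illustrating the failover reasoning in the answer to Exercise D's Routing Configuration Verification: a simplified route lookup in which the static route to the data center network (preferred over OSPF, as configured in step D) is used while its egress port is up, and the OSPF-learned route to the same prefix takes over once port 24 is disabled. The 10.0.250.0/24 prefix and the 10.0.250.1 target come from the lab; next-hop addresses and port numbers are constructed placeholders.

```python
import ipaddress

# Simplified model of the lab switch's routing table, written for this page.
# Lower preference wins, mirroring "Prefer static routes over OSPF routes? Yes".
PREFERENCE = {"static": 1, "ospf": 2}

# (prefix, next_hop, source, egress_port); next hops and ports are constructed.
ROUTES = [
    ("10.0.250.0/24", "10.0.1.1", "static", 24),    # "MPLS" path via switch port 24
    ("10.0.250.0/24", "192.168.101.2", "ospf", 1),  # OSPF-learned path via the OSPF VLAN
    ("0.0.0.0/0", "192.168.128.1", "static", 1),    # default route
]


def lookup(dst, routes, port_up):
    """Pick the route for dst: longest prefix first, then lowest preference.
    Routes whose egress port is disabled are skipped because their next hop is
    unreachable; that is what lets the OSPF route take over in Exercise D."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = []
    for prefix, next_hop, source, port in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and port_up.get(port, True):
            # Sort key: longest prefix (negated length), then preference.
            candidates.append((-net.prefixlen, PREFERENCE[source], prefix, next_hop, source, port))
    if not candidates:
        return None  # no usable route: the ping would fail
    _, _, prefix, next_hop, source, port = min(candidates)
    return {"prefix": prefix, "next_hop": next_hop, "source": source, "port": port}


def route_for(dst, port_up):
    """Return (prefix, source, port) used to reach dst, or None if unroutable."""
    r = lookup(dst, ROUTES, port_up)
    return None if r is None else (r["prefix"], r["source"], r["port"])


if __name__ == "__main__":
    # Before and after disabling switch port 24, as in verification steps C and D.
    for state in ({24: True, 1: True}, {24: False, 1: True}):
        label = "port 24 up" if state[24] else "port 24 down"
        print(label, "->", route_for("10.0.250.1", state))
```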
