Cisco Meraki

Last updated: 8 March 2019

Lab Manual #3
Engineering Cisco Meraki Solutions 1

Table of Contents

How to Read the Lab Guide
ECMS1 Lab Topology
Lab 3 — Troubleshooting and Management
Exercise A — Limited Network Access
Exercise B — Offline Device
Exercise C — Wireless Reconfiguration
Exercise D — Unreachable Device

How to Read the Lab Guide

Throughout the lab guide you will see various notations that serve to call out different types of information. These are classified into the following categories:

Important: These are high priority, critical bits of instructions that you must read carefully and pay close attention to performing correctly or they could have an adverse effect on your lab station.

Note: These are typically warnings that usually serve as reminders as they are sometimes easily overlooked or missed.

useful pieces of advice that could help point you in the right direction or help draw your r confusing configurations.

Information: These serve as additional footnotes and reference materials sourced from the official Meraki documentation portal (located at: https://documentation.meraki.com) for various topics or technologies.

ECMS1 Lab Topology

The following diagram depicts the general topology of the ECMS lab architecture. The design of the network is the same for all lab pods/stations throughout all lab sections and exercises.

[Figure 1: ECMS1 Lab Topology Diagram. Network labels in the diagram: 10.0.251.0/24 and 10.0.252.0/24.]

Lab 3 — Troubleshooting and Management

In this section of the lab, your main objective will be to perform root cause analysis and troubleshooting of issues. These exercises are based on some of the most commonly reported problems that the Meraki Support Team frequently encounter. By successfully resolving these complications directly within Dashboard, you will be well equipped with the knowledge to quickly tackle them in real-world deployments.

At this point, your lab station has been modified (selectively-reconfigured) by your instructor. You may begin working on any of the exercises in this lab as soon as you have completed the exercises from Lab 1 and Lab 2.

Exercise A — Limited Network Access

Scenario: As the main IT administrator of your company, part of your day-to-day is to ensure that users have accessibility to the desired resources with decent throughput. Recently, some new company-wide security and workplace productivity initiatives have been enforced and as a result, corporate users are starting to complain about slow access from their laptops and not being able to access certain websites.

Objective 1: The first stage of your troubleshooting is to verify that none of your uplink connections to the internet service provider have been modified. Double check that the bandwidth of your WAN uplinks on your MX security appliance (traffic shaping) have not been reduced. Just as importantly, you need to be sure that your per-client bandwidth (global limit) is also still intact across your network.

Objective 2: After reviewing the above settings, you've narrowed the reported cases down to just corporate employees who are connected to your corporate wireless network. You suspect that the root cause of the throughput decrease may be due to some unintended traffic shaping. Your job is to restore the unrestricted (unlimited) access for wireless users on your “Corporate” SSID.

Exercise B — Offline Device

Scenario: You've been notified about a section of a building for which wireless seems to be completely unavailable. No infrastructure outages such as electrical issues have been reported and we can assume that it is not due to faulty cabling or failed devices (layer 1 issues).

Objective 1: After looking in the Dashboard, you can easily see that the MR access point for that section of the building seems to be offline.
Under the impression that it is not a wiring issue, determine the cause of the offline AP and fix the issue. Your task is complete once your access point appears healthy (green) in the Dashboard and you can successfully ping the device from the Tools menu.

Objective 2: Once the MR access point is back online, take a close look to ensure that everything appears correct. Go to the AP details page (Monitor > Access Points > your access point) and look at the left side of the page: are the firmware and configuration for the device both up to date? Also find the “Location” tab and click on “Topology” to see how your AP is connected in your network stack — does it appear online and healthy?

Objective 3: Most Meraki access points also have a dedicated built-in third radio that can detect rogue devices. Double check to make sure that no rogues were introduced to your network while your AP was offline. Navigate to the wireless Air Marshal page and investigate the Rogue SSID tab to see if any suspicious activity has been detected.

Note: if Air Marshal on your AP does detect and display activity, we will not take any action at this time.

Objective 4: You have configured the devices in your network to always upgrade and run the latest stable firmware release. You also recognize that every upgrade requires the device to reboot and you have strategically scheduled the maintenance windows during non-business hours. Reconfigure and properly set your network's local time zone such that it matches your current geographic location.

Exercise C — Wireless Reconfiguration

Scenario: After the initial wireless rollout across the company, you became aware of additional requirements that should be enforced to help optimize the deployment. There were also some network-specific changes that required reconfiguration in order to grant proper access and network addressing to devices.

Objective 1: A site survey showed that some adjustments to the RF were needed to optimize client performance. Start by visiting the Radio Settings of your MR access point and take a close look at the Target Power of both the 2.4 and 5 GHz radio settings. By setting it to “Auto” the dedicated third radio of the MR access point will dynamically adjust the TX power to improve performance. Once confirmed, your follow-up task is to reduce interference by performing a configuration change to the “Corporate” SSID to allow only 5 GHz clients.

Objective 2: Your network team has informed you that wireless clients on the “Corporate” SSID were being assigned IP addresses from a 10.0.0.0/8 network. This is not desirable because shared devices or statically addressed assets (such as printers and display boards) that connect to this SSID aren't properly functioning. Reconfigure this SSID's client IP assignment mode to allow clients to receive DHCP leases from the LAN or use static IPs.

Objective 3: You quickly realize that there is the need to reassign your access points onto the corporate VLAN since the address it originally received from the network was from the native VLAN. Your task will be to configure the wired network correctly to assign via DHCP an IP address to the access point from the corporate VLAN (10). Most importantly, you may NOT manually assign a static IP address to the access point in this deployment.

Hint: At this point, you should REMOVE the full tunnel of the Security Appliance > Site-to-site VPN configuration by UNCHECKING the boxes for Default Route.

Hint 2: Once you've made the necessary configurations (including the hint above) the recommended method of forcing the AP to pull a new IP address is by cycling the port - there are multiple ways to perform that action, including (but not limited to) disabling the port and re-enabling it.

Exercise D — Unreachable Device

Scenario: Your company has split up the building infrastructure team apart from your networking team. As a result, at times the two groups are not on the same page. The MV physical security cameras have been correctly patched and connected to the right network ports but the building infrastructure team is reporting that they aren't able to see the live video stream in Dashboard.

Objective 1: Upon checking Dashboard, you are able to verify that the MV camera is indeed unreachable and not responding to pings. You decide to utilize the built-in packet capture tool in Dashboard to take a closer look at switch port 8 (where the MV is connected). Perform a packet capture to inspect traffic containing the MAC address of your MV camera. Use the following settings for your packet capture:

Packet Capture    | For Switches
Switch            | MS
Ports             | 13
Output            | View output below
Duration (secs)   | 60
Verbosity         | Low
Filter Expression | ether host xx:xx:xx:xx:xx:xx

Hint: In the filter expression, you will need to replace xx:xx:xx:xx:xx:xx with your lab station's MV camera's MAC address. This can be found in several locations within Dashboard such as on the Network tab (under Identifying Information) or on the table listing all MV cameras (under the MAC Address column).

Below is an example of a packet capture output you should expect to see — look for the BOOTP/DHCP request from your MV camera.

--- Start Of Stream ---
reading from file /tmp/click_pcap_dump, link-type EN10MB (Ethernet)
22:26:59.937807 LLDP, length 103: MV 20
22:27:03.484825 IP 0.0.0.0.68 > 255.255.255.255.67
--- End Of Stream ---

Objective 2: You should see within the packet capture output that the MV camera seems to be requesting DHCP but not getting any responses at all from the network. This must be resolved, so begin your troubleshooting in the Dashboard.
Look for misconfigurations on this switch port to find out why nothing is responding to the device's DHCP requests and make the necessary changes.

Objective 3: Once you've reconfigured your network to properly interact with the MV camera's DHCP requests, you might notice the camera's video stream is still down. Perform another packet capture (use same settings as before) and you'll see that the traffic seems to only be passing in one direction such as in the example packet capture below:

--- Start Of Stream ---
reading from file /tmp/click_pcap_dump, link-type EN10MB (Ethernet)
22:32:13.260508 ARP, Request who-has [illegible] tell [illegible], length 46
22:32:13.299718 ARP, Reply [illegible] is-at [illegible], length [illegible]

This reveals to us that there’s still something restricting the full, bi-directional flow of traffic on our network. Your final task to restoring proper MV camera access will be to find and remove this obstruction. You'll know that you've succeeded once you can see the live video stream again.

*** End of Lab 3 ***

(Please wait for your instructor to provide additional instructions and review Section 3)
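
The reasoning Exercise D asks for (requests that are never answered) can be applied mechanically to the capture text. The script below is an added example, not part of the lab manual: it assumes tcpdump's usual low-verbosity line format, uses constructed captures with documentation addresses, and goes beyond the page's example by also listing ARP who-has queries that received no is-at reply.

```python
import re

# Line shapes of tcpdump's default (low-verbosity) text output.
DHCP_REQ = re.compile(r"BOOTP/DHCP, Request from ([0-9a-f:]{17})")
DHCP_REP = re.compile(r"BOOTP/DHCP, Reply")
ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell \S+,")
ARP_REP = re.compile(r"ARP, Reply (\S+) is-at [0-9a-f:]{17}")

def summarize(capture):
    """Tally DHCP requests per client MAC, DHCP replies, and ARP targets."""
    requests, replies, asked, answered = {}, 0, [], set()
    for line in capture.splitlines():
        if m := DHCP_REQ.search(line):
            requests[m.group(1)] = requests.get(m.group(1), 0) + 1
        elif DHCP_REP.search(line):
            replies += 1  # capture is filtered on one MAC, so any reply is for it
        elif m := ARP_REQ.search(line):
            if m.group(1) not in asked:
                asked.append(m.group(1))
        elif m := ARP_REP.search(line):
            answered.add(m.group(1))
    silent = [ip for ip in asked if ip not in answered]
    return {"dhcp_requests": requests, "dhcp_replies": replies,
            "unanswered_arp": silent}

def findings(capture):
    """Return one line per request type that never received a response."""
    s = summarize(capture)
    out = []
    if s["dhcp_replies"] == 0:
        out += [f"{mac}: {n} DHCP request(s), no reply"
                for mac, n in s["dhcp_requests"].items()]
    out += [f"ARP who-has {ip}: no reply" for ip in s["unanswered_arp"]]
    return out

# Constructed captures (documentation MAC and 192.0.2.0/24 addresses).
NO_DHCP = """\
22:26:59.937807 LLDP, length 103
22:27:03.484825 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:00:5e:00:53:01, length 300
22:27:07.512344 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:00:5e:00:53:01, length 300
"""
DHCP_OK_ARP_SILENT = """\
22:32:10.101010 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:00:5e:00:53:01, length 300
22:32:10.140220 IP 192.0.2.1.67 > 192.0.2.25.68: BOOTP/DHCP, Reply, length 300
22:32:13.260508 ARP, Request who-has 192.0.2.1 tell 192.0.2.25, length 46
22:32:14.260611 ARP, Request who-has 192.0.2.1 tell 192.0.2.25, length 46
"""

if __name__ == "__main__":
    for name, cap in (("capture 1", NO_DHCP), ("capture 2", DHCP_OK_ARP_SILENT)):
        print(name, findings(cap) or "every request answered")
```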
