Cisco Meraki
Last updated: 8 March 2019
Lab Manual #3
Engineering Cisco Meraki Solutions 1

Table of Contents
How to Read the Lab Guide
ECMS1 Lab Topology
Lab 3 — Troubleshooting and Management
Exercise A — Limited Network Access
Exercise B — Offline Device
Exercise C — Wireless Reconfiguration
Exercise D — Unreachable Device

How to Read the Lab Guide
Throughout the lab guide you will see various notations that serve to call out different types
of information. These are classified into the following categories:
Important: These are high priority, critical bits of instructions that you must read carefully and pay close
attention to performing correctly, or they could have an adverse effect on your lab station.
Note: These are typically warnings that serve as reminders, as they are sometimes easily
overlooked or missed.
useful pieces of advice that could help point you in the right direction or help draw your
r confusing configurations.
Information: These serve as additional footnotes and reference materials sourced from the official Meraki
documentation portal (located at: https://documentation.meraki.com) for various topics or technologies.

ECMS1 Lab Topology
The following diagram depicts the general topology of the ECMS lab architecture. The
design of the network is the same for all lab pods/stations throughout all lab sections and
exercises.
[Diagram: two networks labelled 10.0.251.0/24 and 10.0.252.0/24]
Figure 1: ECMS1 Lab Topology Diagram

Lab 3 — Troubleshooting and Management
In this section of the lab, your main objective will be to perform root cause analysis and
troubleshooting of issues. These exercises are based on some of the most commonly
reported problems that the Meraki Support Team frequently encounters. By successfully
resolving these complications directly within Dashboard, you will be well equipped with the
knowledge to quickly tackle them in real-world deployments.
At this point, your lab station has been modified (selectively-reconfigured) by your instructor.
You may begin working on any of the exercises in this lab as soon as you have completed
the exercises from Lab 1 and Lab 2.
Exercise A — Limited Network Access
Scenario:
As the main IT administrator of your company, part of your day-to-day is to ensure that users
have accessibility to the desired resources with decent throughput. Recently, some new
company-wide security and workplace productivity initiatives have been enforced and as a
result, corporate users are starting to complain about slow access from their laptops and
not being able to access certain websites.
Objective 1: The first stage of your troubleshooting is to verify that none of your uplink
connections to the internet service provider have been modified. Double check that the
bandwidth of your WAN uplinks on your MX security appliance (traffic shaping) has not
been reduced. Just as importantly, you need to be sure that your per-client bandwidth
(global limit) is also still intact across your network.
Objective 2: After reviewing the above settings, you've narrowed the reported cases down
to just corporate employees who are connected to your corporate wireless network. You
suspect that the root cause of the throughput decrease may be due to some unintended
traffic shaping. Your job is to restore the unrestricted (unlimited) access for wireless users
on your “Corporate” SSID.

Exercise B — Offline Device
Scenario:
You've been notified about a section of a building for which wireless seems to be
completely unavailable. No infrastructure outages such as electrical issues have been
reported and we can assume that it is not due to faulty cabling or failed devices (layer 1
issues).
Objective 1: After looking in the Dashboard, you can easily see that the MR access point for
that section of the building seems to be offline. Under the impression that it is not a wiring
issue, determine the cause of the offline AP and fix the issue. Your task is complete once
your access point appears healthy (green) in the Dashboard and you can successfully ping
the device from the Tools menu.
Objective 2: Once the MR access point is back online, take a close look to ensure that
everything appears correct. Go to the AP details page (Monitor > Access Points > your
access point) and look at the left side of the page: are the firmware and configuration for the
device both up to date? Also find the “Location” tab and click on “Topology” to see how
your AP is connected in your network stack — does it appear online and healthy?
Objective 3: Most Meraki access points also have a dedicated built-in third radio that can
detect rogue devices. Double check to make sure that no rogues were introduced to your
network while your AP was offline. Navigate to the wireless Air Marshal page and
investigate the Rogue SSID tab to see if any suspicious activity has been detected.
Note: If Air Marshal on your AP does detect and display activity, we will not take any action at this time.
Objective 4: You have configured the devices in your network to always upgrade and run
the latest stable firmware release. You also recognize that every upgrade requires the
device to reboot and you have strategically scheduled the maintenance windows during
non-business hours. Reconfigure and properly set your network's local time zone such that
it matches your current geographic location.

Exercise C — Wireless Reconfiguration
Scenario:
After the initial wireless rollout across the company, you became aware of additional
requirements that should be enforced to help optimize the deployment. There were also
some network-specific changes that required reconfiguration in order to grant proper
access and network addressing to devices.
Objective 1: A site survey showed that some adjustments to the RF were needed to optimize
client performance. Start by visiting the Radio Settings of your MR access point and take a
close look at the Target Power of both the 2.4 and 5 GHz radio settings. By setting it to
“Auto” the dedicated third radio of the MR access point will dynamically adjust the TX
power to improve performance. Once confirmed, your follow-up task is to reduce
interference by performing a configuration change to the “Corporate” SSID to allow only 5
GHz clients.
Objective 2: Your network team has informed you that wireless clients on the “Corporate”
SSID were being assigned IP addresses from a 10.0.0.0/8 network. This is not desirable
because shared devices or statically addressed assets (such as printers and display boards)
that connect to this SSID aren't properly functioning. Reconfigure this SSID's client IP
assignment mode to allow clients to receive DHCP leases from the LAN or use static IPs.
Objective 3: You quickly realize that there is the need to reassign your access points onto
the corporate VLAN since the address it originally received from the network was from the
native VLAN. Your task will be to configure the wired network correctly to assign via DHCP
an IP address to the access point from the corporate VLAN (10). Most importantly, you may
NOT manually assign a static IP address to the access point in this deployment.
Hint: At this point, you should REMOVE the full tunnel of the Security Appliance > Site-to-site VPN
configuration by UNCHECKING the boxes for Default Route.
Hint 2: Once you've made the necessary configurations (including the hint above) the recommended
method of forcing the AP to pull a new IP address is by cycling the port - there are multiple ways to
perform that action, including (but not limited to) disabling the port and re-enabling it.

Exercise D — Unreachable Device
Scenario:
Your company has split up the building infrastructure team apart from your networking
team. As a result, at times the two groups are not on the same page. The MV physical
security cameras have been correctly patched and connected to the right network ports but
the building infrastructure team is reporting that they aren't able to see the live video stream
in Dashboard.
Objective 1: Upon checking Dashboard, you are able to verify that the MV camera is indeed
unreachable and not responding to pings. You decide to utilize the built-in packet capture
tool in Dashboard to take a closer look at switch port 8 (where the MV is connected).
Perform a packet capture to inspect traffic containing the MAC address of your MV camera.
Use the following settings for your packet capture:
Packet Capture    | For Switches
Switch            | MS
Ports             | 13
Output            | View output below
Duration (secs)   | 60
Verbosity         | Low
Filter Expression | ether host xx:xx:xx:xx:xx:xx
Hint: In the filter expression, you will need to replace xx:xx:xx:xx:xx:xx with your lab station's MV camera's
MAC address. This can be found in several locations within Dashboard such as on the Network tab (under
Identifying Information) or on the table listing all MV cameras (under the MAC Address column).
Below is an example of a packet capture output you should expect to see — look for the
BOOTP/DHCP request from your MV camera:
--- Start Of Stream ---
reading from file /tmp/click_pcap_dump, link-type EN10MB (Ethernet)
22:26:59.937807 LLDP, length 103: MV 20
22:27:03.484825 IP 0.0.0.0.68 > 255.255.255.255.67
--- End Of Stream ---
Objective 2: You should see within the packet capture output that the MV camera seems to
be requesting DHCP but not getting any responses at all from the network. This must be
resolved, so begin your troubleshooting in the Dashboard. Look for misconfigurations on
this switch port to find out why nothing is responding to the device's DHCP requests and
make the necessary changes.
Objective 3: Once you've reconfigured your network to properly interact with the MV
camera's DHCP requests, you might notice the camera's video stream is still down. Perform
another packet capture (use same settings as before) and you'll see that the traffic seems to
only be passing in one direction such as in the example packet capture below:
--- Start Of Stream ---
reading from file /tmp/click_pcap_dump, link-type EN10MB (Ethernet)
2232-13. 260508 ARI Request woos 100 70.1188 700 702 length 46
7232 13299718 ARP Reply 10070163 C80: DO 2, engin «2
This reveals to us that there’s still something restricting the full, bi-directional flow of traffic
on our network. Your final task in restoring proper MV camera access will be to find and
remove this obstruction. You'll know that you've succeeded once you can see the live
video stream again.
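
The two symptoms described in Objectives 2 and 3 (DHCP requests with no replies, then traffic passing in only one direction) can be checked mechanically on saved capture text. The following is an added example, not part of the original lab guide: it assumes the capture is in tcpdump's low-verbosity text format, the function name analyze is hypothetical, and all MAC addresses, IP addresses and timestamps in the samples are constructed.

```python
import re

# Patterns for tcpdump's default one-line text output (low verbosity).
DHCP_REQ = re.compile(r"IP \S+\.68 > \S+\.67: BOOTP/DHCP, Request from ([0-9a-f:]{17})")
DHCP_REP = re.compile(r"IP \S+\.67 > \S+\.68: BOOTP/DHCP, Reply")
ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell ")
ARP_REP = re.compile(r"ARP, Reply (\S+) is-at ")

def analyze(capture_text):
    """Summarise request/reply pairing in a capture filtered to one host."""
    requests, replies = {}, 0
    asked, answered = set(), set()
    for line in capture_text.splitlines():
        if m := DHCP_REQ.search(line):
            requests[m.group(1)] = requests.get(m.group(1), 0) + 1
        elif DHCP_REP.search(line):
            replies += 1
        elif m := ARP_REQ.search(line):
            asked.add(m.group(1))      # IP somebody is trying to resolve
        elif m := ARP_REP.search(line):
            answered.add(m.group(1))   # IP that actually answered
    return {
        "dhcp_requests": requests,                         # per client MAC
        "dhcp_replies": replies,
        "dhcp_unanswered": bool(requests) and replies == 0,
        "arp_unanswered": sorted(asked - answered),
    }

# Constructed samples: MACs, IPs and timestamps are made up for illustration.
NO_DHCP_REPLY = """\
22:26:59.937807 LLDP, length 103: camera
22:27:03.484825 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:aa:bb:01, length 300
22:27:07.512001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:aa:bb:01, length 300
"""
ONE_WAY = """\
22:31:50.100000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:aa:bb:01, length 300
22:31:50.104000 IP 10.0.10.1.67 > 10.0.10.50.68: BOOTP/DHCP, Reply, length 300
22:32:13.260508 ARP, Request who-has 10.0.10.50 tell 10.0.10.1, length 46
22:32:13.299718 ARP, Reply 10.0.10.50 is-at 02:00:00:aa:bb:01, length 46
22:32:14.000000 ARP, Request who-has 10.0.10.1 tell 10.0.10.50, length 46
22:32:15.000000 ARP, Request who-has 10.0.10.1 tell 10.0.10.50, length 46
"""

if __name__ == "__main__":
    for name, text in (("NO_DHCP_REPLY", NO_DHCP_REPLY), ("ONE_WAY", ONE_WAY)):
        print(name, analyze(text))
```

Repeated requests with a reply count of zero point at the path between the port and the DHCP server, while an address listed under arp_unanswered shows which neighbour the device cannot reach even after it has a lease.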
*** End of Lab 3 ***
(Please wait for your instructor to provide additional instructions and review Section 3)