ECMS2 Training Slides
To equip attendees with the core knowledge and skills to operate the Cisco Meraki platform.
To equip attendees with the advanced knowledge and skills to plan, design, implement, and operate complex Cisco Meraki solutions.
Path to certification
Who?
• IT professional
• Led by Meraki Training & Enablement
What?
• 3-day training course
• Led by Meraki instructors
Where?
• Meraki offices and virtual
Why?
• Demand for advanced Meraki technical training
• Bootcamp for certification
How?
• Interactive technical content
• Innovative lab environment
Course syllabus
(https://documentation.meraki.com)
• Topics and features will be configured in Dashboard with validation checks to test your understanding
• Other features or functionalities not discussed during the presentations will be included in the lab exercises
• Use the time to take a short break, use the restroom, or address follow-up questions from the last lesson
Lab format
• Virtual lab (access through Dashboard)
• Self-guided (go at your own speed)
• Not graded (instructors will not be checking lab work)
• Verification section (knowledge checks in the lab guide)
Lab assignment instructions
Step 1
Sign into the lab session using Session Key
http://cs.co/sign-in
If you are NOT able to access the above link, please try using another
device (such as a mobile phone with data connection) to complete the form.
Step 2
You will receive an e-mail before the first lab period
Step 3
Log into Dashboard
• Throughout the lab guide, when you see references to a green [n], it should be replaced by your lab station number
• If it is referenced in the context of an IP address, it should be treated as a simple add (+) operation, as illustrated in the following example:
Example: “Use the following as the subnet: 10.0.[10 + n].0/24”
• Lab station 1: correct result 10.0.11.0/24; incorrect result 10.0.101.0/24
• Lab station 11: correct result 10.0.21.0/24; incorrect result 10.0.1011.0/24
LESSON 1
Planning new Meraki architectures
and expanding existing deployments
Meraki solution sizing | Per-device Licensing
TOPIC
Meraki solution sizing
Dashboard structure
(Diagram showing MS, MR and MV devices; not reproduced.)
Organization sizing
Single vs. multi-org
• Data sovereignty, compliance: operational response times depend on proximity
• Split business units, sub-groups: large, very distinct use cases and separate departments
• Managed services or tiers: varying levels of SLA/domains and management requirements
Network scope and design
Scenario 1
A company has 4 sites, each with their own IT team. How many networks should this company have?
(Diagram of the company and its sites; not reproduced.)
TOPIC
Per-device licensing
• Partial renewals: renew a subset of devices or networks independently
• Individual device shutdowns: only devices with an expired license are shut down, not organizations
• 90-day activation window: licenses won’t burn until applied or 90 days have elapsed from purchase date
• Licensing APIs: claim, assign, and move licenses through API calls
• Move licenses between orgs: move devices and licenses between networks and across organizations
Per-device case study
Licenses and expiration dates are tied directly to a device
(Diagram: one organization with three devices, expiration dates Jan 01, 2022, Feb 01, 2022 and a different date, shown in the states original license, license active – OK, and grace period; not reproduced.)
• Devices and software products are shut down at the individual level, not organization-wide
• Add-on licenses can only be assigned to Meraki devices with an active base license – if the device expires before the add-on license does, the add-on functionality will not work
• Add-on licenses inherit the same properties as all other licenses (i.e. 30-day grace period, 90-day activation window)
License true-ups
Preserving the co-termination date in the organization with 1-day licenses
Start date: Jan 31, 2022 | Feb 28, 2022 | Apr 2, 2022
End date: Jan 31, 2025 | Feb 28, 2025 | Apr 2, 2025
Single license keys
Generating multiple license IDs from a single (primary) license key
(Diagram: one primary key generates three individual license IDs, 123, 456 and 789; not reproduced.)
*With the PDL model, some licenses are applied on a per-network level (i.e. Systems Manager, vMX)
Converting from co-term to PDL
Opt-in and conversion tool
(Diagram: after conversion each device keeps its own expiration date, e.g. device expiration date Jan 1, 2023; not reproduced.)
• If there are extra licenses (e.g. license count > device count), an additional license will be generated with the same expiration date and added to the organization’s inventory
• Once converted, the organization cannot be converted back to the old (co-term) model
Co-term and PDL knowledge check
What happens when a device exceeds the grace period? Co-termination licensing: org shutdown. Per-device licensing: device shutdown.
When do license keys begin to burn (count-down)? Co-termination licensing: when the order is generated. Per-device licensing: when activated or after 90 days.
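The PDL rules above (per-device shutdown, 30-day grace period, 90-day activation window, add-ons needing an active base license) as a small state model. This is an added example, not code from the slides or from Meraki; the device names, dates and the choice to treat a device in its grace period as still running add-ons are constructed assumptions.

```python
from datetime import date, timedelta

# Numbers from the slides: 30-day grace period, 90-day activation window.
GRACE_DAYS = 30
ACTIVATION_WINDOW_DAYS = 90

# Constructed sample organization, using the slide's example expiration dates.
SAMPLE_TODAY = date(2022, 2, 15)
SAMPLE_PURCHASE = date(2022, 1, 1)
SAMPLE_DEVICES = {
    "MX-A": date(2022, 1, 1),   # expired 45 days ago -> shutdown
    "MR-B": date(2022, 2, 1),   # expired 14 days ago -> grace
    "MS-C": date(2023, 1, 1),   # still active
}


def license_burn_start(purchase_date, activation_date=None):
    """Day a PDL license key starts counting down: when it is applied to a
    device, or 90 days after purchase if it is still sitting unassigned."""
    deadline = purchase_date + timedelta(days=ACTIVATION_WINDOW_DAYS)
    if activation_date is None or activation_date > deadline:
        return deadline
    return activation_date


def device_state(today, base_expiry):
    """PDL shuts devices down individually: 'active' until the base license
    expires, 'grace' for the 30 days after that, then 'shutdown'."""
    if today <= base_expiry:
        return "active"
    if today <= base_expiry + timedelta(days=GRACE_DAYS):
        return "grace"
    return "shutdown"


def addon_functional(today, base_expiry, addon_expiry):
    """An add-on only works while the device's base license has not shut it
    down AND the add-on itself (same grace rules) has not expired.
    Assumption: a device inside its grace period still runs add-on features."""
    return (device_state(today, base_expiry) != "shutdown"
            and device_state(today, addon_expiry) != "shutdown")


def org_report(today, devices):
    """devices: {name: base_expiry}. Per-device states; under PDL the
    organization as a whole never shuts down, only the listed devices do."""
    states = {name: device_state(today, exp) for name, exp in devices.items()}
    return {
        "states": states,
        "shut_down": sorted(n for n, s in states.items() if s == "shutdown"),
        "org_shutdown": False,  # co-term would shut the whole org; PDL does not
    }


if __name__ == "__main__":
    print(org_report(SAMPLE_TODAY, SAMPLE_DEVICES))
    print(license_burn_start(SAMPLE_PURCHASE))  # unassigned key burns from 2022-04-01
```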
(Slide residue: add-on licenses such as SD-WAN Plus, MI advanced analytics, Smart SaaS optimization and Segmentation across MS, MX and MR; not reproduced.)
Lesson 1 review
• Understand limitations & best practices when planning & designing logical organizations, networks and account access in the Meraki Dashboard
• Be able to distinguish between the two licensing models
• Do you know how to strategically plan and execute license renewals with both licensing models?
Next lesson will start at:
BREAK PERIOD
Next up: Lesson 2
Design for scalable management & high availability
Lesson 1 Knowledge Check
Which of the following is an advantage unique to the per-device licensing (PDL) model?
Which of the following is a valid reason to split an organization into multiple networks?
In Dashboard: Network-wide > Administration
Administrator privileges: Full, Read-only, Network Admin, Guest Ambassador, Monitor-only
TOPIC
Tag design & structure
Types of tags
What are their uses?
• Network tags
• Device tags
• Policy, user, and time-based tags
(Diagram of how the tag types combine; not reproduced.)
TOPIC
MX high-availability
Design check
Why do we want high availability with MX in warm-spare?
• Minimize downtime
• Prevent single point of failure
• No manual intervention needed
What are the costs and requirements of running (setting up) MX in warm-spare?
• Cost of: hardware (appliances, power supplies, accessories), rack space, but not a license
• Internet connection (checked into Dashboard)
• Same firmware release
• Primary appliance: bound/assigned to a network
• Secondary: NOT bound/assigned to a network
Terms and definitions
Primary
The MX that is configured as the "main" MX for the network. If both MX’s are online, this is the MX that traffic
should be flowing through – static designation.
Spare
The MX that is configured as the "secondary" MX for the network. If both MX’s are online, this is the MX that is
the inactive warm spare – static designation.
Active (Primary)
The MX that is currently acting as the edge firewall/security appliance for the network – dynamic designation.
Passive
The MX that is currently acting as an inactive warm spare with no traffic passing through it – dynamic
designation.
Concepts and definitions
VRRP heartbeats
These heartbeat packets are sent from the Primary MX to the Secondary MX on all configured VLANs in order to indicate that the Primary is online and functioning properly.
Connection monitor
(Diagram: primary (active) and secondary (passive) MX, each with WAN 1 and WAN 2 to the Internet; not reproduced.)
Failover behavior
1. MX A (primary) WAN1 is the primary interface
(Steps 2–4 of the failover diagram are not reproduced.)
MX VPN concentrator (one-arm configuration)
(Diagram: MX in VPN concentrator mode with WAN 1 X.X.X.254 and gateway X.X.X.1, connected to an MS datacenter core switch stack; not reproduced.)
MX HA (warm spare)
(Diagram: primary MX in VPN concentrator mode with WAN 1 X.X.X.253, warm-spare MX with WAN 1 X.X.X.254, shared VIP X.X.X.252, gateway X.X.X.1, both connected to the MS datacenter core switch stack; not reproduced.)
MG cellular gateway
Unlock wireless WAN connectivity via cellular as a primary or backup link
Feature highlights
• Up to 1.2Gbps CAT18 LTE
• Dipole antennas come included with external antenna models; patch antennas are available as an accessory
MG as a primary WAN interface
(Diagram: single MG or HA pair with a cellular SP as primary, including variants with cellular SP 1 and SP 2; not reproduced.)
MG as a backup WAN interface
(Diagram: ISP as primary with cellular SP as secondary, including HA pairs with ISP 1 / ISP 2 and cellular SP 1 / SP 2; not reproduced.)
(Slide residue on link bonding and load balancing:)
• Source/destination IP, MAC, port; open standards LACP using link bonding
• Different ratios, specific rules; proprietary algorithm to provide load balancing
• Link bonding (EtherChannel), 2 to 8 ports; enable LACP, set EtherChannel mode to active or passive
TOPIC
High-density wireless deployments
Capacity planning
Primary application and throughput
Application: Streaming – Video (4k); Throughput: 16 – 320 Kbps
Estimated throughput
Protocol | Data rate (Mbps) | Throughput with overhead (1/2 advertised rate)
(Table values not reproduced.)
Number of APs = Max(# of APs based on throughput, # of APs based on client count)
= Max(15, 14)
= 15 APs needed
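The AP-count rule above (throughput-based count, client-count-based count, take the maximum, with usable throughput taken as half the advertised rate) as a reusable calculation. This is an added example, not code from the slides; the 3000 clients, 130 Mbps advertised rate and 220 clients per AP are constructed inputs chosen so the result reproduces the slide's Max(15, 14) = 15.

```python
import math

# Constructed inputs (the slide's own table is not reproduced): 3000 clients
# streaming 4k video at the slide's upper bound of 320 Kbps, on a protocol
# advertising 130 Mbps, with a design limit of 220 clients per AP.
SAMPLE = {"clients": 3000, "per_client_kbps": 320,
          "advertised_rate_mbps": 130, "max_clients_per_ap": 220}


def usable_throughput_mbps(advertised_rate_mbps, overhead_factor=0.5):
    """Slide rule of thumb: real throughput is about half the advertised rate."""
    return advertised_rate_mbps * overhead_factor


def aps_by_throughput(clients, per_client_kbps, advertised_rate_mbps):
    """APs needed so that aggregate demand fits the usable per-AP throughput."""
    demand_mbps = clients * per_client_kbps / 1000
    return math.ceil(demand_mbps / usable_throughput_mbps(advertised_rate_mbps))


def aps_by_client_count(clients, max_clients_per_ap):
    """APs needed so that no AP serves more than the design client limit."""
    return math.ceil(clients / max_clients_per_ap)


def aps_needed(clients, per_client_kbps, advertised_rate_mbps, max_clients_per_ap):
    """Number of APs = Max(APs by throughput, APs by client count)."""
    by_tp = aps_by_throughput(clients, per_client_kbps, advertised_rate_mbps)
    by_cnt = aps_by_client_count(clients, max_clients_per_ap)
    return {"by_throughput": by_tp, "by_client_count": by_cnt, "aps": max(by_tp, by_cnt)}


if __name__ == "__main__":
    print(aps_needed(**SAMPLE))  # {'by_throughput': 15, 'by_client_count': 14, 'aps': 15}
```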
Lesson 2 review
• Are you able to understand and enforce various levels of administrative access to Dashboard?
• Are you able to leverage and design a logical and effective tag structure for an organization based on administrative needs?
• Do you understand how MX appliances function when configured in a HA pair for both concentrator as well as NAT modes?
• Can you explain the different ways that MS switches can achieve redundancy?
• Are you able to successfully plan for, calculate the requirements needed and configure SSID best practices for a high-density wireless deployment?
LAB
Self-paced lab period (15 mins)
Next lesson will start at:
Objective
Complete all lesson 2 labs and review the verification section of each lab.
Directions
1. Read the student lab guide carefully and complete the directions in each step.
2. At each verification section, attempt to answer the questions and seek out the solution. Check the lab solution guide to verify your answers.
3. Stop when you have completed the last lab for this lesson. Do not go ahead.
http://cs.co/ecms2-lab
http://cs.co/ecms2-lab-solution
Class instructors are lab proctors. They are only available for lab guide clarification or to assist with lab gear issues.
Lesson 2 Knowledge Check
Which of the following is an effective use of network tags?
When does a secondary MX in warm spare take over from the primary?
A. Through the application and removal of specific network tags by a Dashboard administrator
B. After VRRP heartbeats from the primary MX are missed
C. When the secondary MX no longer receives ICMP responses from the primary MX
D. Once the primary MX triggers its high-temperature threshold and sends Dashboard an alert
LESSON 3
Automating & scaling Meraki
deployments with Dashboard tools
Role-based access control with SAML | Network cloning |
Configuration templates | Provisioning networks with APIs
TOPIC
Role-based access control with SAML
Components of single sign-on
• Service Provider (SP)
• User Agent
• Identity Provider (IdP)
(Flow diagram between Service Provider, User Agent and Identity Provider; only these steps are legible: 2. SP generates SAML request; 5. IdP generates SAML response; 7. SP verifies SAML response.)
Network cloning
(Diagrams not reproduced: cloning copies the MX, MS and MR configuration of Network A to Network B; an MX network and an MR network are cloned to MX network B and MR network D respectively.)
Cloning organizations
(Diagram not reproduced: Organization A cloned to Organization B, including its configuration templates and networks.)
• Configuration templates
MX templates: subnet considerations
Design requirement
• 220 sites/branch locations
• 3 VLANs per site
• No subnet overlaps allowed
• Need up to 254 hosts per subnet
Branch 1 example: VLAN1: 172.16.0.0/24, VLAN2: 172.17.0.0/24, VLAN3: 172.18.0.0/24
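A plan check for the design requirement above: carve one /24 per branch out of a /16 per VLAN (extending the Branch 1 pattern, so Branch n gets 172.16.n-1.0/24 and so on) and verify that 220 sites fit with no overlaps and 254 usable hosts. This is an added example, not code from the slides or a Meraki feature; the per-VLAN /16 supernets are an assumption extrapolated from the Branch 1 addresses.

```python
import ipaddress

# Per-VLAN /16 supernets, assumed from the slide's Branch 1 example
# (172.16.x.0/24 for VLAN1, 172.17.x.0/24 for VLAN2, 172.18.x.0/24 for VLAN3).
VLAN_SUPERNETS = {1: "172.16.0.0/16", 2: "172.17.0.0/16", 3: "172.18.0.0/16"}
SITE_PREFIXLEN = 24          # a /24 gives the required 254 usable hosts
REQUIRED_SITES = 220


def branch_subnets(branch_number, supernets=VLAN_SUPERNETS, prefixlen=SITE_PREFIXLEN):
    """Branch n (1-based) takes the n-th /24 out of each VLAN's supernet,
    so Branch 1 -> 172.16.0.0/24, 172.17.0.0/24, 172.18.0.0/24."""
    out = {}
    for vlan, supernet in supernets.items():
        subnets = list(ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen))
        if not 1 <= branch_number <= len(subnets):
            raise ValueError(f"branch {branch_number} exceeds the {len(subnets)} "
                             f"/{prefixlen} subnets available in {supernet}")
        out[vlan] = subnets[branch_number - 1]
    return out


def build_plan(num_sites=REQUIRED_SITES):
    """Full allocation: {branch: {vlan: network}} for every site."""
    return {n: branch_subnets(n) for n in range(1, num_sites + 1)}


def overlapping_pairs(plan):
    """Every pair of subnets in the plan that overlap; must be empty."""
    nets = [net for site in plan.values() for net in site.values()]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def usable_hosts(prefixlen):
    """Host addresses per subnet, excluding network and broadcast."""
    return 2 ** (32 - prefixlen) - 2


if __name__ == "__main__":
    plan = build_plan()
    print(plan[1], plan[REQUIRED_SITES])
    print("overlaps:", overlapping_pairs(plan))          # []
    print("hosts per subnet:", usable_hosts(SITE_PREFIXLEN))  # 254
```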
Dashboard API
RESTful API
Use cases:
• Automate provisioning of new orgs, admins, networks, devices, VLANs…
• Build your own Dashboard for store managers, field techs
• and much more…
API categories
cURL; Python (Python library)
Examples: Clone an Organization; Update SSID
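The two API examples named above (clone an organization, update an SSID) as request builders with the handling a practitioner wants around them: the key read from the environment rather than embedded, a log-safe copy with the key masked, and a retry on HTTP 429 honouring Retry-After. This is an added example, not code from the slides or Meraki's Python library; the base URL, header name and endpoint paths are taken from the public Dashboard API v1 as I know it, and the organization and network IDs are constructed placeholders.

```python
import json
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"   # Dashboard API v1 base URL (assumed)


def api_key_from_env(var="MERAKI_DASHBOARD_API_KEY"):
    """Read the key from the environment; never embed it in scripts or repos."""
    key = os.environ.get(var)
    if not key:
        raise RuntimeError(f"set {var} before calling the Dashboard API")
    return key


def build_request(method, path, body=None, key="REDACTED"):
    """Assemble (method, url, headers, encoded body) for one API call."""
    headers = {
        "X-Cisco-Meraki-API-Key": key,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    data = None if body is None else json.dumps(body).encode("utf-8")
    return method, f"{BASE_URL}{path}", headers, data


def clone_organization_request(org_id, new_name, key="REDACTED"):
    # POST /organizations/{organizationId}/clone creates a copy of the org.
    return build_request("POST", f"/organizations/{org_id}/clone", {"name": new_name}, key)


def update_ssid_request(network_id, ssid_number, settings, key="REDACTED"):
    # PUT /networks/{networkId}/wireless/ssids/{number} updates one SSID.
    return build_request("PUT", f"/networks/{network_id}/wireless/ssids/{ssid_number}",
                         settings, key)


def redacted(req):
    """Copy of a request that is safe to log: the API key header is masked."""
    method, url, headers, data = req
    safe = dict(headers, **{"X-Cisco-Meraki-API-Key": "***"})
    return method, url, safe, data


def send(req, retries=3, opener=urllib.request.urlopen):
    """Send the request, retrying on HTTP 429 after the Retry-After delay."""
    method, url, headers, data = req
    for attempt in range(retries):
        r = urllib.request.Request(url, data=data, headers=headers, method=method)
        try:
            with opener(r, timeout=30) as resp:
                payload = resp.read()
                return json.loads(payload) if payload else None
        except urllib.error.HTTPError as err:
            if err.code == 429 and attempt < retries - 1:
                time.sleep(int(err.headers.get("Retry-After", "1")))
                continue
            raise


if __name__ == "__main__":
    key = api_key_from_env()
    req = update_ssid_request("N_PLACEHOLDER", 0, {"name": "Corp", "enabled": True}, key)
    print(redacted(req))
    print(send(req))
```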
API tools
Postman, Node-RED
(Example workflow diagram: warehouse scans devices → claim devices & licenses → update device information (name, location) → update customer billing; internal tools talk to Dashboard through the Meraki API.)
Lesson 3 review
• Be able to leverage SAML to create a secure single sign-on system
• Understand how to rapidly deploy a site using (various forms of) cloning within Dashboard
• Are you able to establish a baseline of configurations and understand how to scale effectively by leveraging templates?
• Know how to take advantage of the near-endless possibilities and utility of the various Meraki APIs
Next lesson will start at:
BREAK PERIOD
Next up: Lesson 4
Routing design & practices on the Meraki platform
Lesson 3 Knowledge Check
What are the TWO steps necessary to set up SAML single sign-on for Dashboard? (select 2)
A. To generate a new org with the same configuration templates as the source org
B. To start a new org that has the same Dashboard branding and splash page themes
C. To mirror the same organization administrators and their respective privileges
D. To clone non-template network configurations to a new organization
LESSON 4
Routing design & practices
on the Meraki platform
Routing across Meraki networks | Dynamic routing – OSPF |
BGP for scalable WAN routing & redundancy
TOPIC
Routing across Meraki networks
Foundational knowledge
Layer 2 vs. layer 3
Layer 2 switching operates within a broadcast domain (each VLAN, e.g. VLAN 1 and VLAN 2, is its own broadcast domain); layer 3 routes between broadcast domains.
Routing on the MS (vs MX) – design best practices
Pros
• Offload tasks from the MX appliance
• Inter-VLAN communication uses a shorter path
Cons
• Inter-VLAN traffic is not filtered by the MX appliance (IDS/IPS)
(Diagram: MX with VLAN 1: 192.168.1.1/29 and a static route for subnet 10.0.20.0/24 with next-hop 192.168.1.2 marked ✔; MS with VLAN 1: 192.168.1.2/29 as the transit VLAN and VLAN 20: 10.0.20.1/24; VLAN 20: 10.0.20.1/24 also defined on the MX is marked ❌.)
Routing on the MS: cloud management vs. client traffic
(Diagram with an MX, an MS, the addresses 192.168.128.1, 192.168.128.3 and 199.88.77.166, and client VLAN 20; not reproduced.)
Routing on the MS: requirements
What is required for a L3 capable MS switch to be able to route traffic?
• Clients should be configured to use the switch’s routed interface IP address as their gateway
Routing on the MS – true or false? (quiz slide; statements not reproduced)
Routing on the MX – Routed mode
MX serves as a layer 3 gateway for configured subnets (diagram: VLAN 1: 192.168.1.1/24, VLAN 20: 10.0.20.1/24 on the MX, with an MS below it)
Deployments
Most branch deployments utilize MX in Routed Mode to take advantage of NAT translations performed by the MX, DHCP services, and firewall functionalities
Routing
Provides per-port inter-VLAN routing, handling of client VPN subnets, static routes, Auto VPN routes, and iBGP
Routing on the MX – Passthrough or VPN concentrator
MX acts as a layer 2 bridge or one-armed VPN concentrator
Deployments
• As a one-armed concentrator in datacenters for site-to-site VPN and client VPN aggregation
Routing
• No inter-VLAN routing, no static routes
• No access to DHCP settings/services on the MX
• No address translations are provided by the MX (typically performed at a datacenter edge by a Cisco ASA or third party firewall)
(Diagram: Internet, WAN / datacenter edge, L3 core router, MX as one-armed concentrator; not reproduced.)
TOPIC
Dynamic routing (OSPF)
Dynamic routing
Why do we need it?
(Diagram: MX and MS exchanging routes with OSPFv2; not reproduced.)
OSPF on MS switches
Static routing
• Supported on MS210 and above
• Static routes can be redistributed into OSPF
• Can be preferred over OSPF learned routes
(Diagram: LSAs, DR, normal area; not reproduced.)
OSPF on MS – key considerations
Number of OSPF links on a device
(Diagram: many routed interfaces 10.10.0.0/24, 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24, etc., each with DR/BDR and DR-other neighbors; not reproduced.)
OSPF on MS – key considerations
OSPF areas on a device
SPF calculations:
• convergence
• any network topology changes
Area types: normal, stub or not-so-stubby areas
Route summarization!
(Diagram: ABR between AREA 0 (backbone area), AREA 1 and AREA 2; not reproduced.)
OSPF on MS
Recap of key considerations
• Neighbor per subnet: be mindful of the workload
• OSPF links per device: size the appropriate hardware
• OSPF areas per device: minimize calculations, summarize
OSPF support on L3 Meraki MS switches
Area type: Normal, Stub, Not-So-Stubby-Area (NSSA)
Virtual links: No
Route type: E2
ECMP: 16
Model | Routing | OSPFv2 | Routes | Routed clients
MS120 | No | No | n/a | n/a
(Remaining rows of the model table not reproduced.)
(Diagram: three regions with 1000’s of sites each: EMEAR 172.0.0.0/8 using Auto VPN with static routes, NA 10.0.0.0/8 using Auto VPN with OSPF, APJC 192.0.0.0/8; not reproduced.)
Auto VPN – auto routing
(Diagram: Auto VPN route table entries for subnet A and subnet C; not reproduced.)
MX route redistribution
(Diagram: L3 switches with OSPF on exchanging OSPF routes with MX appliances over VPN; not reproduced.)
(Captions of the three deployment diagrams:)
• OSPF packets are only sent out of the LAN interfaces
• OSPF packets are only sent out of the WAN interfaces
• Requires the configuration of static routes
TOPIC
BGP for scalable WAN routing & redundancy
BGP basics
Definitions
• BGP: Border Gateway Protocol
• AS: Autonomous System
• Dynamic routing protocols: Interior Gateway Protocols (IGPs) vs. Exterior Gateway Protocols (EGPs)
BGP peers over TCP port 179. Example exchange of prefixes between two peers:
Peer 1 (AS 65001) routes: a.a.a.a -> local; b.b.b.b -> local; c.c.c.c -> BGP: AS 65002; d.d.d.d -> BGP: AS 65002
Peer 2 (AS 65002) routes: c.c.c.c -> local; d.d.d.d -> local; a.a.a.a -> BGP: AS 65001; b.b.b.b -> BGP: AS 65001
BGP operating modes
eBGP and iBGP
(Diagram: eBGP between autonomous systems; example path 65000 > 65003 > 65001 (3 hops); not reproduced.)
MPLS and BGP
(Diagrams: MPLS from the customer view, with BGP to the provider, and from the service provider view, using Multiprotocol-BGP; not reproduced.)
MPLS or Auto VPN
(Diagram: Auto VPN compared with MPLS, customer and service provider views; not reproduced.)
Meraki BGP
Deployment fundamentals
• Auto VPN between hubs (one-armed concentrator) and spokes (NAT or one-armed concentrator)
• When BGP is enabled, all hubs and spokes
(Diagram: Data Center 1, AS 65001, with eBGP between the DC1 edge device and the VPN concentrator in DC1; Data Center 2, AS 65002, with eBGP between the DC2 edge device and the VPN concentrator in DC2; branch offices reach both over Auto VPN; not reproduced.)
Meraki BGP use cases
Option 1: DC-DC failover for spoke sites
(Diagram: Data Center 1, AS 65001, eBGP in the DC1 edge device; Data Center 2, AS 65002, eBGP in the DC2 edge device; branch offices; not reproduced.)
Option 2: Active-Active datacenters
• Spoke sites will form VPN tunnels to both hubs
• Spoke sites will be split between DC1/HUB1 and DC2/HUB2 as primary
• Concentrators enable symmetry and load sharing through BGP traffic engineering (performed via AS-path prepending)
• Spoke sites will be redirected to their secondary DC in the event of an outage
• The scalability of this solution is preserved with max limits for BGP routes – this will protect the Auto VPN domain from route leaks
• Route table integrity will be protected by utilizing AS Path Access Lists
(Diagram: Auto VPN AS 65000 with Hub 1 and Hub 2 running iBGP; Auto VPN routes are advertised northbound over eBGP to the DC edge and DC routes southbound. Hub 1 is primary for Branch A (192.168.1.0/24 – 192.168.4.0/24), advertised with AS prepended 1X (65000), and secondary for Branch C (192.168.5.0/24 – 192.168.8.0/24), advertised with AS prepended 2X (65000 65000); Hub 2 is primary for Branch C and secondary for Branch A, with the prepending reversed.)
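The active-active option above (1X vs. 2X AS-path prepending per hub, shortest path chosen at the DC edge, failover when a hub disappears) plus the two guards the slide names, an AS-path access list and a route limit, as a small model. This is an added example, not code from the slides or from the MX; the BGP decision is simplified to AS-path length only (no local preference or MED), and the branch prefixes are the ones on the slide.

```python
AUTO_VPN_AS = 65000


def prepended_path(local_as=AUTO_VPN_AS, times=1):
    """AS path a hub advertises northbound: its AS repeated 'times' (1X, 2X on the slide)."""
    return [local_as] * times


def hub_advertisements(hub_name, primary_prefixes, secondary_prefixes):
    """A hub advertises its primary spokes' prefixes with 1X and the other DC's
    spokes' prefixes with 2X prepending, so the DC edge prefers the right hub."""
    adverts = []
    for p in primary_prefixes:
        adverts.append({"prefix": p, "as_path": prepended_path(times=1), "via": hub_name})
    for p in secondary_prefixes:
        adverts.append({"prefix": p, "as_path": prepended_path(times=2), "via": hub_name})
    return adverts


def best_paths(adverts):
    """Simplified BGP decision on the DC edge: shortest AS path wins per prefix.
    Assumption: no local-pref/MED differences; ties keep the first advert seen."""
    best = {}
    for a in adverts:
        cur = best.get(a["prefix"])
        if cur is None or len(a["as_path"]) < len(cur["as_path"]):
            best[a["prefix"]] = a
    return {p: a["via"] for p, a in best.items()}


def aspath_acl_accepts(as_path, local_as=AUTO_VPN_AS):
    """AS-path access list on the hub: refuse any route from the DC whose path
    already contains the Auto VPN AS, i.e. an Auto VPN route leaking back in."""
    return local_as not in as_path


def within_route_limit(routes, max_routes):
    """Max-limit guard: stop importing when the DC side sends too many prefixes."""
    return len(routes) <= max_routes


BRANCH_A = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
BRANCH_C = ["192.168.5.0/24", "192.168.6.0/24", "192.168.7.0/24", "192.168.8.0/24"]
HUB1 = hub_advertisements("Hub 1", BRANCH_A, BRANCH_C)
HUB2 = hub_advertisements("Hub 2", BRANCH_C, BRANCH_A)


if __name__ == "__main__":
    print(best_paths(HUB1 + HUB2))   # Branch A via Hub 1, Branch C via Hub 2
    print(best_paths(HUB2))          # Hub 1 down: everything via Hub 2
    print(aspath_acl_accepts([65001, 65000]), aspath_acl_accepts([65001]))  # False True
```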
Lesson 4 review
• Can you explain Meraki’s implementation of dynamic routing protocols across the various product platforms?
• Can you describe the best practices when it comes to implementing routing on L3 capable Meraki MS switches?
• Are you able to configure OSPF on your MX appliance as a method of automatically advertising VPN routes to downstream L3 OSPF neighbors?
• Be able to increase VPN scalability and integrations with data centers through the use of the MX’s implementations of MPLS and BGP
LAB
Self-paced lab period (30 mins)
Next lesson will start at:
Objective
Complete all lesson 4 labs and review the verification section of each lab.
Directions
1. Read the student lab guide carefully and complete the directions in each step.
2. At each verification section, attempt to answer the questions and seek out the solution. Check the lab solution guide to verify your answers.
3. Stop when you have completed the last lab for this lesson. Do not go ahead.
http://cs.co/ecms2-lab
http://cs.co/ecms2-lab-solution
Class instructors are lab proctors. They are only available for lab guide clarification or to assist with lab gear issues.
Lesson 4 Knowledge Check
Which of the following statements about OSPF support on Meraki MX security appliances is FALSE?
A. MX appliances in Routed mode must be configured with VLANs disabled
B. MX appliances can be configured in Passthrough mode
C. MX appliances only support OSPF with an Advanced Security license
D. MX appliances leverage OSPF to advertise remote VPN subnets to neighboring L3 devices
E. All MX appliance models support OSPFv2
Which TWO of the following statements about the OSPF support for Meraki MS switches are FALSE? (select 2)
Traffic classification
(Table residue: examples such as E-Commerce → Transactional and VoIP/SIP/Skinny, with Best-effort (delivery not guaranteed) as a class; full table not reproduced.)
QoS design principles
True or false? (quiz slide; statements not reproduced)
(Diagram: QoS across MR (WMM), MS and MX (DiffServ); WMM classes shown include Voice, Background and Fast Lane; not reproduced.)
Wireless QoS – 802.11e
Queuing with Enhanced Distributed Channel Access (EDCA)
After the channel goes idle a station waits SIFS, then an arbitration wait of n slots (AIFSN), then a minimum random backoff before transmitting. SIFS, slots and timers vary based on protocol (802.11 a,b,g,n).
Assumptions: WME default parameters; backoff values shown are for the initial attempt.
• Voice: wait 3 slots, minimum random backoff 0 – 3 slots
• Background: wait 7 slots, minimum random backoff 0 – 15 slots
Wireless QoS – upstream
Mapping wireless (WMM) to wired (DiffServ)
(Table: IEEE 802.11 frame* (802.11e WMM-AC) mapped to 802.3 802.1p CoS and DSCP (decimal), RFC 4594-based model; values not reproduced.)
CoS: 0 (default), 1, 2, 3, 4, 5
Weight: 1, 2, 4, 8, 16, 32
* Note: an actual frame/packet contains other important fields, omitted in this graphic for simplicity.
CoS bandwidth calculations
Suppose we have a switched environment with the following…
(Diagram with four numbered switches/links; not reproduced.)
Network MOS
The mean opinion score measures the network’s impact on the listening quality of the VoIP
conversation
• MOS should be at least 3.5 or higher
Interarrival jitter
A measure of the quality and variation in arrival times (in ms) of packets (for real-time voice
applications)
• Jitter should be 10-30 ms or less
Wireless voice
Voice call quality without best practices
Wireless voice
Voice call quality following best practices
TOPIC
Traffic shaping & prioritizing with the MX
MX traffic shaping & prioritization
(Diagram: LAN traffic → Step 1 → Step 2 → Step 3 → High (4x), Normal (2x), Low (1x) queues → traffic mux → WAN1 (10 Mbps) / WAN2.)
• Step 1: classify traffic and forward based on app (L7)
• Step 2: selection based on L3/4 classifiers. Unclassified traffic is distributed based on the WAN1 / WAN2 ratio
• Step 3: L7 classifiers. The default priority is Normal
• The 4x, 2x, 1x packets are consumed respectively from each queue (High 4x, Normal 2x, Low 1x)
• Traffic distribution is proportional to the path bandwidth ratio. In the example above, WAN1 gets 2x as many packets as WAN2
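The weighted scheduling described here (High 4x, Normal 2x, Low 1x queue service and the WAN1/WAN2 bandwidth ratio) and the wired CoS weights 1, 2, 4, 8, 16, 32 from the upstream QoS section share one mechanism, so one added example covers both; it is not code from the slides or from Meraki. The 1 Gbps port and the 300-packet batch are constructed inputs; the work-conserving behaviour (idle queues give their share to busy ones) is an assumption.

```python
from fractions import Fraction

# Weights from the slides: wired CoS queues 0-5 and the MX priority queues.
COS_WEIGHTS = {0: 1, 1: 2, 2: 4, 3: 8, 4: 16, 5: 32}
MX_QUEUE_WEIGHTS = {"High": 4, "Normal": 2, "Low": 1}


def weighted_share(weights, capacity_mbps, active=None):
    """Work-conserving weighted round robin: the link is divided among the
    queues that currently have traffic, in proportion to their weights.
    Idle queues get nothing and do not dilute the others' share."""
    active = set(weights) if active is None else set(active)
    total = sum(w for q, w in weights.items() if q in active)
    return {q: Fraction(w, total) * capacity_mbps if q in active else Fraction(0)
            for q, w in weights.items()}


def uplink_split(packets, wan1_mbps, wan2_mbps):
    """Unclassified traffic is spread across WAN1/WAN2 in proportion to their
    bandwidth ratio; returns (packets on WAN1, packets on WAN2)."""
    wan1 = round(packets * wan1_mbps / (wan1_mbps + wan2_mbps))
    return wan1, packets - wan1


if __name__ == "__main__":
    # All six CoS queues busy on a constructed 1 Gbps port: CoS 5 gets 32/63.
    print(weighted_share(COS_WEIGHTS, 1000))
    # Only CoS 0 and CoS 5 busy: CoS 5 now gets 32/33 of the port.
    print(weighted_share(COS_WEIGHTS, 1000, active={0, 5}))
    # MX queues on the slide's 10 Mbps WAN1: High 40/7, Normal 20/7, Low 10/7 Mbps.
    print(weighted_share(MX_QUEUE_WEIGHTS, 10))
    print(uplink_split(300, 10, 5))  # (200, 100): WAN1 carries 2x the packets of WAN2
```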
Shaping and prioritization
To optimize your network, you can create shaping policies to apply per-user controls on a per-application
basis. Traffic priority is a way of ensuring that specific applications or subnets are guaranteed a certain
amount of the uplink bandwidth at all times.
Valid uplink states
Uplinks: WAN 1: 10 Mbps (ISP 1, primary); WAN 2: 5 Mbps (ISP 2, secondary); Cellular: 1 Mbps (ISP 3, backup)
States: Active, Standby, Down
Policy-based routing
• Critical business apps: WAN 1, priority High
• Non-critical business apps: WAN 1, priority Low
• Guest subnet: WAN 2
Traffic shaping
• YouTube: 1 Mbps
• Online backups: 2 Mbps
• WebEx: Unlimited
Lesson 5 review
• Understand and deploy Meraki’s recommended wireless voice best practices through Dashboard
• Are you able to configure and optimize traffic patterns with policy-based routing and packet prioritization through granular traffic shaping rules?
LAB
Self-paced lab period (30 mins)
Next lesson will start at:
Objective
Complete all lesson 5 labs and review the verification section of each lab.
Directions
1. Read the student lab guide carefully and complete the directions in each step.
2. At each verification section, attempt to answer the questions and seek out the solution. Check the lab solution guide to verify your answers.
3. Stop when you have completed the last lab for this lesson. Do not go ahead.
http://cs.co/ecms2-lab
http://cs.co/ecms2-lab-solution
Class instructors are lab proctors. They are only available for lab guide clarification or to assist with lab gear issues.
Lesson 5 Knowledge Check
Which TWO of the following features/options can be configured on MS switches? (select 2)
A. Traffic prioritization
B. 6 different COS queues
C. Load balancing across uplink ports
D. Layer 3 and layer 7 traffic shaping
E. Adding, modifying, and trusting DSCP tags
On the SD-WAN & traffic shaping page, which TWO of the following areas need to be configured to properly enforce load balancing across multiple links? (select 2)
A. Uplink speed
B. Load balancing
C. Flow preferences
D. Custom performance classes
E. Traffic shaping rules
LESSON 6
Architecting VPN & WAN topologies
MX VPN operation modes | VPN design & topologies |
Auto VPN 101 | Designing a scalable VPN topology |
Integrating vMX into your Auto VPN architecture |
SD-WAN fundamentals & design
TOPIC
MX VPN operation modes
NAT mode concentrator (routed mode)
Deployments
Very commonly implemented in branch or campus networks
Public IP address
Internet port is most often given a public IP address
Public IP assignment
Can be configured (ideally statically assigned) with either a publicly routable IP address or be deployed behind another NAT device within the datacenter
(Diagram: LAN switch, L3 core router, datacenter topology, Internet edge; not reproduced.)
TOPIC
VPN design & topologies
VPN topologies
Full mesh
Pros:
• Reliable
• Redundant
Cons:
• Expensive
• Harder to scale
VPN topologies
Exit hubs in a full mesh
(Diagram: full mesh with an exit hub providing Internet access; not reproduced.)
VPN topologies
Hub-and-spoke
Pros:
• More scalable
• Cost effective
Cons:
• Harder to achieve redundancy
VPN topologies
Adding redundancy to hub-and-spoke
(Diagram not reproduced.)
• Hub-and-spoke: a strategy that enables a large retail chain to connect multiple stores to a central data center where internal resources reside.
• Full mesh: (description not legible on the slide)
• Split tunnel: a strategy for offices with high internet traffic usage through local ISP broadband connections with occasional access to HQ
• Full tunnel: a strategy that ensures all internet traffic from remote offices traverses back to a central site in order to comply with their internet access and security policy.
TOPIC
Auto VPN 101
Connection monitor
Three tests to validate WAN connectivity (run per uplink, WAN1 and WAN2):
0. Physical
1. ARP
2. DNS
3. Internet (ping, HTTP get)
Cloud orchestration of VPN
VPN registry entries (example):
Site & Uplink | Interface IP | Public IP | Source Port
Site A – WAN 1 | 5.5.5.5 | 5.5.5.5 | 35000
Site A – WAN 2 | 192.168.0.10 | 4.4.4.4 | 44000
Destination port: UDP 9350; source port: UDP 32768 - 61000
(Diagrams: sites A, B, C and D reaching each other over Internet and MPLS links, with UDP hole punching for peers behind NAT; not reproduced.)
TOPIC
Designing a scalable VPN topology
Design complexity
Number of tunnels
(Diagram: Hub A and Hub B, each with uplinks W1 (ISP 1) and W2 (ISP 2).)
2 hubs = 4 tunnels/hub:
• Hub A ISP 1 to Hub B ISP 1
• Hub A ISP 1 to Hub B ISP 2
• Hub A ISP 2 to Hub B ISP 1
• Hub A ISP 2 to Hub B ISP 2
4 hubs + 100 spokes = ? tunnels per hub/spoke
Tunnel count formulas
H = number of hubs, S = number of spokes, L = number of uplinks per appliance (2 in the examples)
Full mesh, tunnels per hub: (H − 1) × L² = (20 − 1) × 2² = 76
Hub and spoke, tunnels per hub: (H − 1) × L² + S × L × L = (2 − 1) × 2² + 5 × 2 × 2 = 24
Overhead required:
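The tunnel-count formulas above as functions, reproducing the slide's 4, 76 and 24 and applying the same arithmetic to its open "4 hubs + 100 spokes" question and to the whole-domain total. This is an added example, not code from the slides; it assumes every hub and spoke has two uplinks and that spokes build tunnels to hubs only.

```python
def full_mesh_tunnels_per_hub(hubs, uplinks=2):
    """Full mesh: each hub builds uplinks x uplinks tunnels to every other hub."""
    return (hubs - 1) * uplinks ** 2


def hub_spoke_tunnels_per_hub(hubs, spokes, hub_uplinks=2, spoke_uplinks=2):
    """Hub and spoke: hub-to-hub tunnels plus one tunnel per uplink pair to every spoke."""
    return (hubs - 1) * hub_uplinks ** 2 + spokes * hub_uplinks * spoke_uplinks


def hub_spoke_tunnels_per_spoke(hubs, hub_uplinks=2, spoke_uplinks=2):
    """A spoke peers with every hub only (no spoke-to-spoke tunnels)."""
    return hubs * hub_uplinks * spoke_uplinks


def hub_spoke_total_tunnels(hubs, spokes, hub_uplinks=2, spoke_uplinks=2):
    """Whole-domain count: every hub pair counted once, plus every hub-spoke pair."""
    hub_pairs = hubs * (hubs - 1) // 2
    return hub_pairs * hub_uplinks ** 2 + hubs * spokes * hub_uplinks * spoke_uplinks


if __name__ == "__main__":
    print(full_mesh_tunnels_per_hub(2))        # 4, the 2-hub slide example
    print(full_mesh_tunnels_per_hub(20))       # 76
    print(hub_spoke_tunnels_per_hub(2, 5))     # 24
    # the slide's open question: 4 hubs + 100 spokes, all dual-uplink
    print(hub_spoke_tunnels_per_hub(4, 100), hub_spoke_tunnels_per_spoke(4))
    print(hub_spoke_total_tunnels(4, 100))
```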
vMX
AWS / Azure, Auto VPN
SD-WAN use cases (diagrams of HQ / DC to branch links not reproduced)
1. Augmented MPLS
• Increase the capacity of an existing MPLS network
• Supplement an existing MPLS network with broadband for increased bandwidth
2. Reducing cost
• Offload critical traffic from MPLS to broadband with policy based routing / dynamic path selection
3. Broadband – broadband
• Dual high speed broadband connections
• Load balance business critical traffic based on policy or link performance
• Dual-active path
Data
Based on L3 – L7 categorization, this data normally travels out WAN1 (PbR) but MX detects optimal path is WAN2 based on latency / loss on WAN 1
Benefits of SD-WAN
• Dual active VPN: increased bandwidth and improved reliability (branch MX with WAN link 1 and WAN link 2)
• Media independence: supported over any Internet or MPLS link
• Improved reliability: automatic failover and high availability (business critical vs. non critical traffic)
• Enhanced visibility: live and historical tools for monitoring
SD-WAN algorithm
(Flowchart reconstructed as a list:)
1. Dual path availability: can I establish VPN on both interfaces? If NO, there is no path to choose between.
2. Policy based flow match? If YES, what is the policy for this flow? Use the uplink it names (e.g. use WAN 2, or W1).
3. Performance based flow match? If YES, which links satisfy the performance criteria? Use a satisfying link (e.g. only WAN 1 → W1; otherwise W2).
4. Otherwise the flow is unchecked (no SD-WAN rule applies).
Design scenario
(Diagram: HQ, Branch 1, Branch 2, Branch 3, remote users, a private DC and public cloud; not reproduced.)
• SQL database: AWS deployment in the public cloud; users at HQ only
• Cisco collaboration system (remote)
• Client VPN concentrator at DC
• Tunnels: hub-to-hub and hub-to-spoke
Proposed WAN topology and SD-WAN
Dual WAN: each location has dual broadband connections from different Internet Service Providers
Two custom performance classes
• Voice: 100 ms delay, 2ms jitter, 2% loss
• SQL: 50ms delay, 10ms jitter, 2% loss
Implementation locations: SD-WAN rules implemented at HQ and branch locations (private DC, public cloud, remote)
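The SD-WAN algorithm (dual path check, then policy-based match, then performance-based match) applied to the two custom performance classes above. This is an added example, not code from the slides or the MX; the uplink metrics, application names and rules are constructed, and the behaviour when no link meets the class or when several do (keep the first listed, fall through to the default) is an assumption.

```python
# Performance classes from the slide.
PERFORMANCE_CLASSES = {
    "Voice": {"max_delay_ms": 100, "max_jitter_ms": 2, "max_loss_pct": 2},
    "SQL":   {"max_delay_ms": 50,  "max_jitter_ms": 10, "max_loss_pct": 2},
}


def meets_class(metrics, class_name):
    """True when the uplink's measured delay, jitter and loss are all within the class."""
    c = PERFORMANCE_CLASSES[class_name]
    return (metrics["delay_ms"] <= c["max_delay_ms"]
            and metrics["jitter_ms"] <= c["max_jitter_ms"]
            and metrics["loss_pct"] <= c["max_loss_pct"])


def select_uplink(flow, uplinks, policy_rules, performance_rules, default="WAN1"):
    """Decision order from the slide's flowchart:
       1. dual path available (VPN up on both interfaces)? if not, no choice to make
       2. policy-based flow match -> use the uplink the policy names
       3. performance-based flow match -> use a link that satisfies the class
       4. otherwise the flow is unchecked and takes the default (assumption)."""
    vpn_up = [name for name, m in uplinks.items() if m["vpn_up"]]
    if len(vpn_up) < 2:
        return vpn_up[0] if vpn_up else None
    for rule in policy_rules:
        if rule["app"] == flow["app"]:
            return rule["uplink"]
    for rule in performance_rules:
        if rule["app"] == flow["app"]:
            good = [name for name in vpn_up if meets_class(uplinks[name], rule["class"])]
            # assumption: with several qualifying links keep the first listed one;
            # with none, fall through to the default rather than drop the flow
            return good[0] if good else default
    return default


# Constructed sample: WAN1 has more delay, WAN2 has more jitter.
SAMPLE_UPLINKS = {
    "WAN1": {"vpn_up": True, "delay_ms": 60, "jitter_ms": 1, "loss_pct": 0.0},
    "WAN2": {"vpn_up": True, "delay_ms": 30, "jitter_ms": 3, "loss_pct": 0.5},
}
SAMPLE_POLICY = [{"app": "guest", "uplink": "WAN2"}]
SAMPLE_PERF = [{"app": "voip", "class": "Voice"}, {"app": "sql", "class": "SQL"}]


def decide(app, uplinks=SAMPLE_UPLINKS):
    return select_uplink({"app": app}, uplinks, SAMPLE_POLICY, SAMPLE_PERF)


if __name__ == "__main__":
    for app in ("guest", "voip", "sql", "web"):
        print(app, "->", decide(app))  # guest->WAN2, voip->WAN1, sql->WAN2, web->WAN1
```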
Lesson 6 review
• Can you differentiate between different MX VPN operation modes, VPN topologies, as well as their pros/cons/use cases?
• Can you explain the mechanism behind Auto VPN?
• Be able to design a scalable Auto VPN architecture that utilizes appropriately-sized Meraki MX appliances
BREAK PERIOD
Next up: Lesson 7
Securing the network with Advanced Security features
Lesson 6 Knowledge Check
Which of the following information is stored in the Meraki cloud VPN registry?
A. An administrator-defined PSK for each Auto VPN tunnel
B. Interface MAC address
C. Public IP address
D. TCP hole punching logs
E. Randomly chosen well-known UDP ports (0-1023)
What are TWO design requirements for proper, functional SD-WAN deployment? (select 2)
Advanced Security features: Layer 3 firewall, Layer 7 rules, Geo-based firewall, Dynamic content filtering, Advanced Malware Protection (AMP) & Threat Grid, Intrusion Detection & Prevention
Business goals:
Prevent breaches automatically to keep the business moving
& automate operations to save time and reduce complexity
Threat intelligence from Cisco Talos
Did you know? Cisco Talos is the world’s largest non-government threat intelligence organization.
NAT mode MX
(Diagram: LAN and WAN sides of the MX with the labels DENY INBOUND, ALLOW OUTBOUND, VPN and ALLOW ICMP; not reproduced.)
Rules processing order
• Rules are processed in a top down fashion, with Layer 3 rules being processed first, followed by Layer 7 rules.
• Unless traffic is explicitly blocked by at least one rule, it will be allowed through by a default allow all rule.
Walk-through (the slide steps a flow through the chain L3 firewall rule → L3 default firewall rule → L7 firewall rule → L7 firewall rule):
L3 rule: Policy Allow, Protocol Any, Source Any, Src port Any, Destination Any, Dst port Any → match
L7 rule: Policy Deny, Application: Gaming (All Gaming) → match; the flow is denied
Second flow: L3 rule (Allow Any) → match; L7 rule Deny Gaming → no match; L7 rule Deny HTTP hostname bbc.co.uk → no match; the flow is allowed by the default allow rule
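The processing order above as an evaluator: L3 rules top-down with an implicit default allow, then L7 deny rules, and allow unless something blocked. This is an added example, not code from the slides or the MX; the telnet deny rule and the sample flows are constructed, and treating a hostname rule as also covering its subdomains is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class L3Rule:
    policy: str            # "allow" or "deny"
    protocol: str = "any"  # "any", "tcp", "udp", "icmp"
    src: str = "any"       # CIDR or "any"
    src_port: object = "any"
    dst: str = "any"
    dst_port: object = "any"


@dataclass
class L7Rule:
    kind: str     # "application" or "hostname"; L7 rules on the slide are deny rules
    value: str    # e.g. "Gaming" or "bbc.co.uk"


L3_DEFAULT_ALLOW = L3Rule("allow")   # the implicit last L3 rule on the slide


def _ip_ok(pattern, addr):
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


def _port_ok(pattern, port):
    return pattern == "any" or pattern == port


def l3_match(rule, flow):
    return (rule.protocol in ("any", flow["protocol"])
            and _ip_ok(rule.src, flow["src"]) and _ip_ok(rule.dst, flow["dst"])
            and _port_ok(rule.src_port, flow["src_port"])
            and _port_ok(rule.dst_port, flow["dst_port"]))


def l7_match(rule, flow):
    if rule.kind == "application":
        return flow.get("app") == rule.value
    host = flow.get("hostname") or ""
    # assumption: a hostname rule also covers subdomains of the listed host
    return host == rule.value or host.endswith("." + rule.value)


def evaluate(flow, l3_rules, l7_rules):
    """Slide order: L3 rules top-down (first match wins, default allow), then
    L7 deny rules top-down; anything not explicitly blocked is allowed."""
    for rule in list(l3_rules) + [L3_DEFAULT_ALLOW]:
        if l3_match(rule, flow):
            if rule.policy == "deny":
                return "deny", f"L3 {rule}"
            break
    for rule in l7_rules:
        if l7_match(rule, flow):
            return "deny", f"L7 {rule.kind}={rule.value}"
    return "allow", "default allow"


# Rules from the slide plus one constructed L3 deny (telnet to the server VLAN).
L3_RULES = [L3Rule("deny", "tcp", "any", "any", "10.0.20.0/24", 23),
            L3Rule("allow")]
L7_RULES = [L7Rule("application", "Gaming"), L7Rule("hostname", "bbc.co.uk")]


def make_flow(dst, dst_port, protocol="tcp", app=None, hostname=None, src="192.168.1.50"):
    """Constructed flow record as the evaluator expects it."""
    return {"protocol": protocol, "src": src, "src_port": 51000,
            "dst": dst, "dst_port": dst_port, "app": app, "hostname": hostname}


def check(flow):
    return evaluate(flow, L3_RULES, L7_RULES)[0]


if __name__ == "__main__":
    print(check(make_flow("203.0.113.10", 443, app="Gaming")))          # deny (L7 app)
    print(check(make_flow("203.0.113.10", 80, hostname="www.bbc.co.uk")))  # deny (L7 host)
    print(check(make_flow("203.0.113.10", 443, app="Email")))           # allow
    print(check(make_flow("10.0.20.7", 23)))                            # deny (L3)
```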
TOPIC
Advanced security services
Advanced security services: Cisco AMP
Industry leading anti-malware technology that blocks HTTP-based file downloads, based on disposition
Diagram: a file downloaded from the WAN toward the LAN whose disposition is malicious → ALERT; a retrospective disposition (the disposition changing after the download) can alert later.
Advanced security services: Cisco AMP + Threat Grid
Threat Grid combines advanced sandboxing with threat intelligence into one unified solution
Diagram: a file downloaded from the WAN toward the LAN whose disposition is clean → ALLOW; Threat Grid reports a threat score and behavioral indicators for the file (slide example: threat score 72, 15 behavioral indicators).
Advanced security services: other considerations
• Sandbox platforms: Windows 7 64 bit (English, Korean, Japanese) & Windows 10 (slide shows an XLSX file as the example submission)
• Unlimited AMP cloud lookups; the number of file submissions is determined by the file analysis pack.
• E-mail alerts can be configured for malware events (including retrospective) in the Network-wide > Alerts page.
• The MX currently supports integration with Threat Grid cloud only (no integration with an on-prem Threat Grid appliance).
Advanced security services: IDS/IPS (Snort)
Snort is an intrusion detection and prevention engine that performs real-time traffic analysis
Diagram: a URL request from the LAN toward the WAN is inspected by Snort; a signature match with CVSS at or above the ruleset threshold ([8|9|10]) → DENY (✕), a match with CVSS below the threshold → ALLOW.
Rulesets:
• Connectivity – CVSS = 10
• Balanced – CVSS = 9, 10 (default)
• Security – CVSS = 8, 9, 10
TOPIC
Content filtering
Content filtering
Uses URL patterns and pre-defined categorizations for determining what types of traffic are let through
Diagram: a URL request from the LAN toward the WAN is checked in order:
1. URL in allowlist? → ALLOW
2. URL in blocklist? → BLOCK
3. URL in a blocked category? → BLOCK (✕), and the categorization is added to the MX local database; if the request is HTTPS, the website times out instead of showing a block page
MR + Umbrella integration*
Applying pre-defined policies to SSIDs or clients to block content or security threats at the DNS layer
Diagram: the client's DNS query leaves the LAN carrying its Umbrella identifier; Umbrella decides whether the domain is allowed:
• ALLOWED → encrypted DNS response with the appropriate IP; the client is directed to the desired domain name
• BLOCKED → encrypted DNS response pointing to the block page IP; the client is redirected to the Umbrella block page
*The organization where the MR + Umbrella integration will be used must have the per-device licensing (PDL) model enabled.
Applying an Umbrella policy to an SSID
Step 1: Select the desired SSID
Step 2: Enable DNS layer protection
Step 3: Select the desired Umbrella policy from the dropdown list
Dashboard Location: Wireless > Firewall and Traffic Shaping
Lesson 7 review
• Can you identify and explain the embedded security features on the Meraki MX appliance?
• Be able to protect your network from malware with Cisco AMP
• Be able to protect your network from cyber internet threats with Cisco Snort
• Understand content filtering capabilities with the Meraki platform and utilize it effectively to refine network traffic
LAB
Self-paced lab period (30 mins)
Objective
Complete all lesson 7 labs and review the verification section of each lab.
Directions
1. Read the student lab guide carefully and complete the directions in each step.
2. At each verification section, attempt to answer the questions and seek out the solution. Check the lab solution guide to verify your answers.
3. Stop when you have completed the last lab for this lesson. Do not go ahead.
Lab guide: http://cs.co/ecms2-lab
Lab solution guide: http://cs.co/ecms2-lab-solution
Class instructors are lab proctors. They are only available for lab guide clarification or to assist with lab gear issues.
Lesson 7 Knowledge Check
What are the ruleset types that can be configured when enabling Intrusion Detection and Prevention on an
MX security appliance?
A. Critical, uptime, and passive
B. Balanced, connectivity, and security
C. Top list and full list
D. Blocklist and allowlist
Which of the following accurately describes the firewall rules processing order of an MX security appliance?
A. L3 allow/deny > L3 implicit deny > L7 deny
B. L3 allow/deny > L3 implicit allow > L7 deny
C. L3 allow/deny > L7 deny > L3 default deny
D. L7 deny > L3 allow/deny > L3 implicit allow
LESSON 8
Switched network
concepts and practices
Access policies using Meraki Authentication |
Cloning switch settings | Switch templates & profiles |
LAN/WLAN guest access best practices
TOPIC
Access policies using Meraki Authentication
Access policies
802.1X (port-based network access control)
Diagram: the client (supplicant) exchanges EAPOL frames with the MS switch port (authenticator), which relays the authentication to the RADIUS server using RADIUS.
Cloning MS switch configurations: which settings?
Diagram: settings are cloned from the switches in Branch A (MS 1, MS 2) to the corresponding switches in Branch B.
Slide callouts: switch-level identity (switch name, management IP); port-level settings (interface type, voice VLAN – access ports only).
Notes:
• If cloning a non-PoE switch to a PoE switch, the PoE state of 'disabled' will be applied to the clone destination
• If the switch receiving the cloned settings exists in a different network, then access policies will only be copied
if that different network does not already have any access policies.
TOPIC
Switch templates and profiles
Built-in automation with templates
Diagram: templates DEF and XYZ; Switch 1 and Switch 2 in Branch A and in Branch B inherit the configuration of the template (DEF) their network is bound to.
Switch templates, profiles and settings
Diagram: a template holds one profile per switch model (an 8-port profile and a 24-port PoE profile); Branch A and Branch B each bind their 8-port and 24-port PoE switches to the matching profile.
Guest access focal areas (slide): Admission Control; Guest Management Access; User Permissions
Admission control
Controlling access: wireless, shared, or wired? (checkbox matrix with columns Wireless / Shared / Wired; the marks did not survive extraction)
• Guest self-registration
• Creation of temporary guest credentials through a web interface
• 802.1x authentication
• MAC address allowlisting/blocklisting
• Username and password
• Pre-shared keys (PSK)
• RADIUS integration with an on-prem Active Directory or LDAP server
• Splash page login with splash page customization
User permissions
What they access: wireless, shared, or wired? (matrix with columns Wireless / Shared / Wired; marks not preserved)
• PSK
• Username/Password
• Allowlist/Blocklist
• Splash
Also shown: CoA, 802.1x
Lesson 8 review
• Be able to secure network access via 802.1X through leveraging Meraki authentication
• Can you identify the key focal areas when it comes to guest access design?
Objective
Complete all lesson 8 labs and review the verification section of each lab.
Directions: as for the lesson 7 lab (lab guide http://cs.co/ecms2-lab, solutions http://cs.co/ecms2-lab-solution).
Lesson 8 Knowledge Check
Select the correct statement concerning templates.
Which of the below options is NOT an available access policy type that can be enabled on an MS switchport?
RF Profiles
Helps to automate the deployment of pre-determined radio settings to groups of access points
Minimum bitrate
Disabling lower bitrates in order to reduce the overhead on the wireless network – improves
roaming performance (clients must use the lowest selected rate or a faster one)
Channel width
Controls how broad the signal is for transferring data – a wider channel results in faster speeds
Profile types
Pre-defined profiles
A. Conference room – medium number of devices in an open office environment
B. Auditorium – large number of devices in a small/medium controlled space
C. Outdoors – low number of devices in an outdoor deployment
Per-profile values from the slide table (column headings were lost in extraction; two ranges and a number are followed by five qualitative ratings):
• A. Conference room: 8 – 14 | 11 – 17 | 12 | Medium | Medium | Medium | Medium | Medium
• B. Auditorium: 5 – 11 | 8 – 14 | 24 | Low | Low | High | Large | Small
• C. Outdoors: 17 – 23 | 17 – 23 | 6 | High | High | Low | Low | Large
TOPIC
Wireless encryption & authentication
Wireless encryption and authentication
802.11 association process
1. Probe Request
2. Probe Response
3. Authentication Request
4. Authentication Response
5. Association Request
6. Association Response
Wi-Fi Protected Access version 3 (WPA3)
SAE (Personal)
1. Probe Request
2. Probe Response
(3.–6. the SAE authentication exchange; these steps were not preserved in extraction)
7. Association Request
8. Association Response
WPA3 Personal has two scenarios: A.) WPA3 SAE only and B.) WPA3 SAE transition mode (WPA2 + WPA3)
Association requirements and splash page options
Combinations:
• Open
• Pre-shared key
• MAC-based
• Enterprise: Meraki Cloud Auth, RADIUS, Local Auth
• Identity PSK
Local authentication
Connecting to 802.1X-protected SSIDs without relying on the reachability of a RADIUS server
Typical EAP framework: wireless client (supplicant) ⟷ EAP exchange ⟷ MR ⟷ RADIUS exchange ⟷ RADIUS server ⟷ LDAP exchange ⟷ LDAP server; if the RADIUS server is unreachable (✕), authentication fails.
Meraki Local Auth (handled internally): wireless client (supplicant) ⟷ EAP exchange ⟷ MR (authenticator + RADIUS server) ⟷ LDAP exchange ⟷ LDAP server (e.g. Active Directory); the separate RADIUS hop is removed.
Requirements: access points running firmware MR 27.X
IPSK authentication without RADIUS
Typical enterprise WLAN: multiple SSIDs, a single PSK each
  Name: SSID 1 | PSK: (RADIUS) | Use: employees
IPSK without RADIUS: reduced number of SSIDs, multiple PSKs, each mapped to a group policy
  Name: SSID 4 | PSK: XYZ | Use: digital displays
Requirements: access points running firmware MR 27.X
Layer 3 roaming (diagram): the client associates to its anchor AP (192.168.1.2) and receives IP address 192.168.1.50/24. When it layer 2 roams to a host AP in another subnet (192.168.2.2/24), the host AP asks "Is VLAN 1 available?" – if not (✕), the client's traffic is tunneled back to the anchor ("Client's anchor AP is: 192.168.1.2"); if it is (✔), the client is served directly by the new AP.
MX as concentrator (diagram): client traffic from the APs is tunneled to the MX concentrator (VLAN 5), which connects to the Internet and corporate resources.
TOPIC
Bluetooth low energy
BLE beacons
Rogue access points: what does it look like? (diagram) An unauthorized wireless AP connected to the corporate LAN lets an unauthorized user gain access to corporate LAN resources.
Containment: the process by which clients will be unable to connect and any currently associated clients will lose their connection to the rogue AP
Rogue AP containment
802.11 packets sent by a Meraki MR with Air Marshal:
1. Broadcast deauthentication – source = rogue AP, destination = broadcast
2. Deauthentication messages – source = rogue AP, destination MAC = wireless client
Lesson 9 review
• Do you understand the importance and proper utilization of maps, floor plans, and RF profiles in Dashboard?
• Be able to choose and deploy the proper combination of wireless authentication, encryption, splash page, SSID mode of client IP addressing, and SSID availability
Objective
Complete all lesson 9 labs and review the verification section of each lab.
Directions: as for the lesson 7 lab (lab guide http://cs.co/ecms2-lab, solutions http://cs.co/ecms2-lab-solution).
Lesson 9 Knowledge Check
Which of the following features should be used if an administrator was tasked with automating the
deployment of pre-determined radio settings of hundreds of access points?
Which of the following SSID client IP addressing modes gives clients DHCP leases from the access point
itself on the 10.0.0.0/8 subnet?
A. Bridge mode
B. NAT mode
C. Layer 3 roaming
D. Layer 3 roaming with a concentrator
LESSON 10
Endpoint management
concepts and practices
Platform overview | Deployment methodologies |
Deploying applications and containerization profiles |
Implementing security policies |
Securing the network with SM Sentry |
Agent-less onboarding with Trusted Access
TOPIC
Platform overview
Systems manager overview
Enrollment methods:
• Manual
• Automated
Enrollment through Apple DEP (diagram): 2. Apple sees the device serial number is owned by an MDM, and the enrollment is forwarded
Containerization profiles (slide):
• Built into their core operating systems, it clearly separates work from personal data
• No need for proprietary SDKs or APIs when managing apps
Agent-less onboarding with Trusted Access (diagram; the decision shown is "Allowed access?", and step 2's label was not preserved):
1. Amber (employee) needs access to company resources using their personal mobile device
3. Amber visits the Self-service Portal and downloads a certificate
4. Amber's device gains secure access to network resources
Security and accessibility in 4 easy steps
Step 1:
Enable Trusted Access on an SSID
(association requirements must first be configured
as WPA2-Enterprise with Meraki authentication)
Dashboard Location:
Wireless > Access Control
Security and accessibility in 4 easy steps
Step 2:
Create end-user profile(s) in the
Systems Manager network
Dashboard Location:
Systems Manager > Owners
Step 3:
Select end-user’s network access
privileges and tie it to the Trusted
Access enabled SSID
Dashboard Location:
Systems Manager > Owners
Security and accessibility in 4 easy steps
Step 4:
Send the Self Service Portal link to
the end-user
(to download the trusted certificate)
Dashboard Location:
Systems Manager > General
Lesson 10 review
• Do you understand the device security posturing capabilities of Systems Manager when paired with security policies?
• Be able to enhance the security of your Meraki network through leveraging Systems Manager to assign dynamic access
LAB
Self-paced lab period (30 mins)
Objective
Complete all lesson 10 labs and review the verification section of each lab.
Directions: as for the lesson 7 lab (lab guide http://cs.co/ecms2-lab, solutions http://cs.co/ecms2-lab-solution).
Lesson 10 Knowledge Check
Which of the following is a valid Systems Manager Sentry integration with Cisco Meraki hardware?
A. Sentry Authentication (Systems Manager + MS switches)
B. Sentry Enrollment (Systems Manager + MR access points)
C. Sentry Gateway (Systems Manager + MG cellular gateway)
D. Sentry Vision (Systems Manager + MV smart cameras)
E. Sentry Healthcare (Systems Manager + MR PCI reporting)
Which feature allows client devices to access secured networks through MR wireless access points without
enrolling in Systems Manager?
A. Meraki Trusted Access
B. Systems Manager Sentry
C. Apple Device Enrollment Program (DEP)
D. Windows Agent Installation
LESSON 11
Physical security concepts and practices
MV architecture | Flexible camera deployments with wireless |
MV portfolio | Business intelligence
TOPIC
MV architecture
A traditional security camera deployment
• Hybrid video processing: video is analyzed on camera, motion indexed in the cloud
HTTP Live Streaming (HLS)
Video delivery mechanism developed by Apple: the viewer fetches a playlist (.m3u8) over HTTPS, then the video segments (.ts) the playlist lists.
Video transport
• Local (direct stream)
• Remote (cloud proxy)
Local or remote access? Identify the connectivity method: local (direct stream) or remote (cloud proxy).
MV portfolio (feature table; the model columns were lost in extraction):
• Power / data
• Camera lens type: Fixed, Fixed, Varifocal, Varifocal, Fixed, Varifocal, Varifocal
• Advanced analytics
• Wireless-enabled
• Audio recording (coming soon)
• IP code and IK rating (IP67 & IK10+ listed for two models)
• Storage (in GB): 0 GB, 128 to 256 GB, 256 GB, 512 GB, 256 GB, 256 GB, 512 GB
TOPIC
Business intelligence
Advanced analytics
Doing more with the traditional security camera (diagram):
INPUT: lots & lots of video data → MV COMPUTER VISION / MACHINE LEARNING ALGORITHM → outputs consumed by THIRD PARTY APPLICATIONS:
• CURRENT SNAPSHOT REQUEST: "How many people are here now?"
• REALTIME FEED SUBSCRIBE: sub-second feed of people and location
Lesson 11 review
• Can you explain the difference between traditional physical security camera architecture versus that of Meraki MV camera architecture?
• Be able to choose and implement the proper retention and storage options including Cloud Archive
• Be able to configure MV cameras to be deployed over the WLAN
• Do you understand how Motion Search, visual heat maps, and the person detection capabilities of the MV cameras help to provide business intelligence?
LAB
Self-paced lab period (30 mins)
Objective
Complete all lesson 11 labs and review the verification section of each lab.
Directions: as for the lesson 7 lab (lab guide http://cs.co/ecms2-lab, solutions http://cs.co/ecms2-lab-solution).
Lesson 11 Knowledge Check
Which of the following is a part of the process when deploying MV cameras across the WLAN?
A. Adjusting upstream firewall settings to allow for potential camera proxy streaming
B. Creating a backup Dashboard network admin with camera-only permissions
C. Disabling a camera's local status page to reduce WLAN security risks
D. Purchasing an add-on license to enable wireless connectivity
• Anna performs diagnostics but doesn't believe that they are the cause of the problem.
• Anna thinks the Cloud Services provider must be the issue. She manages to get to Adam, a Cloud Service Customer Representative.
• Adam performs his analysis but also doesn't believe the root cause is with their platform.
(Diagram: Anna – ISP Customer Representative; Adam – Cloud Services Representative)
• Result: Jenna is back at square 1 and needs to continue troubleshooting the problem without conclusive evidence and has wasted a lot of valuable time.
Meraki Insight troubleshooting
• Jenna, an IT administrator with a Meraki Dashboard enabled with Meraki Insight.
Diagram: client (end user) → LAN → MX with MI enabled → Internet / WAN (ISP) → web apps & cloud services; the MX reports to the Meraki Cloud (with Insight engine).
Performance metrics and indicators
Network:
• Performance Score
• Total Network Usage
• Latency
WAN:
• Available Goodput (WAN-limited)
• HTTP response time
• WAN loss / WAN latency
• Total network usage
Performance indicator (per application, with LAN, WAN and server breakdown): thresholds shown at < 80% and ≥ 80%
Licensing scenario (diagram): MI licenses are sized to the MX model (MX6x – Small, up to 450 Mbps; MX100; MX450; MX600) and applied per network (Network A, Network B, Network C / Branch A, Branch B, Branch C)
Auto-adjusting thresholds: per app, per network – reduced false positive alerts
Lesson 12 review
• Do you understand the purpose of Meraki Insight and applicable scenarios?
• Can you explain how Meraki Insight gathers data and the various metrics it uses to analyze the performance scores produced in Dashboard?
• Be able to choose and accurately size out the appropriate license options
• Be able to navigate the Dashboard to find and interpret the metrics produced by Meraki Insight and WAN Health
Next lesson will start at:
BREAK PERIOD
Next up: Lesson 13
Preparing monitoring, logging, and alerting services
Lesson 12 Knowledge Check
Which TWO of the following statements about Meraki Insight WAN Health are typical use cases? (select 2)
At what percentage will Meraki Insight's Web App Health display a red performance indicator symbol for
underperforming LAN, WAN, or servers?
Both stored in Dashboard, not on Meraki devices, and have advanced filtering capabilities
• Native analytics
• Email*
• SMS
• Webhooks
*All network alerts will be sourced from the same email address. To ensure that alerts are not being lost to a spam filter, please
be sure to add alerts-noreply@meraki.com as a trusted email source.
Logging vs. monitoring vs. alerting
Device status
Configuration change
Rogue AP detection
Summary reports
Traffic analytics
API
Lesson 13 review
• Are you familiar with the various monitoring tools and interfaces that Dashboard provides?
• Understand how to leverage APIs to export and gain additional insights from historical data that Dashboard has logged
LAB
Self-paced lab period (30 mins)
Objective
Complete all lesson 13 labs and review the verification section of each lab.
Directions: as for the lesson 7 lab (lab guide http://cs.co/ecms2-lab, solutions http://cs.co/ecms2-lab-solution).
Lesson 13 Knowledge Check
What is an appropriate use case for leveraging the Scanning API?
Which of the following is a true statement about Meraki device and network alerts?
A. E-mailed network alerts will arrive from the source address: alerts-noreply@meraki.com
B. SMS, webhooks, and automated phone calls are all supported alert types
C. Default recipients for network alerts will include all organizational administrators
D. Individual device alerts can also be configured through the Local Status Page
LESSON 14
Setting up Dashboard’s reporting
and auditing capabilities
Reporting in Cisco Meraki |
Managing firmware through Dashboard |
Running a PCI audit
TOPIC
Reporting in Cisco Meraki
Summary reports
Dashboard Location:
Organization > Summary report
Staged firmware upgrades (diagram):
1. Upgrade scheduled
2. Group 1 is identified and created by Dashboard
3. Group 1 performs the firmware upgrade; clients associated to Group 1 roam
4. Group 1 completes the upgrade; Group 2 performs the firmware upgrade
5. Clients associated to Group 2 roam
6. Group 2 completes the upgrade
Industries covered by PCI DSS:
• Retail
• Hospitality
• Transportation
• Healthcare
• Food services
• Telecom
• Media/Entertainment
• Construction
• Finance
• Energy
…if you take digital payments, you need to be compliant!
PCI audit process
1. Online registration
2. Gap analysis
3. Scans and penetration tests
4. Remediation plan
5. Remediation support
6. Offsite audit
Lesson 14 review
• Be able to compare, schedule, and plan for staged firmware upgrades across networks in Dashboard
• Leverage Dashboard's PCI reporting tool to recommend proper actions to meet PCI DSS compliance
LAB
Self-paced lab period (20 mins)
Objective
Complete all lesson 14 labs and review the verification section of each lab.
Directions: as for the lesson 7 lab (lab guide http://cs.co/ecms2-lab, solutions http://cs.co/ecms2-lab-solution).
Lesson 14 Knowledge Check
Which of the following is a feature available on the Firmware Upgrades page?
A. Managing Dashboard account privileges to control and schedule firmware changes
B. Release notes for stable, release candidate, and beta firmware
C. Opting-in to Meraki-managed beta firmware upgrade cycles
D. Firmware trial option with automatic rollback after 24 hours
Which of the following is a true statement about the firmware rollback option?
A. Rollback always requires the authorization of Meraki Support before it can be performed
B. Rollback allows admins to return from a beta or RC to a stable firmware release
C. Rollback can be performed up to three months after an upgrade has completed
D. Rollback can be performed by network administrators
LESSON 15
Gaining visibility and resolving
issues using Meraki tools
Troubleshoot methods | Native logging capabilities |
Wireless troubleshooting | Troubleshooting cloud applications performance
| Troubleshooting Meraki auto VPN | Local status page
TOPIC
Troubleshooting methods
Troubleshooting: not an exact science
Business goals:
reduced time-to-fix & incident prevention
Common troubleshooting tools (slide marks each with "-" or "$"):
• Protocol analyzer (-)
• SNMP ($)
• Netflow ($)
Retrospective detections
TOPIC
Wireless troubleshooting
An IT admin’s inbox…
1 new message
“Hi, this is Todd from the marketing department on level 6. I am connecting to access point AP-
6B with my Windows 10 laptop, I successfully authenticate via 802.1X but I am not obtaining an
IP address although I can see my laptop is sending out DHCP discoveries. Could you help me?”
Stages of a wireless client connection:
1. Associate with an AP
2. Authenticate to the network
3. Obtain an IP address
4. Resolve hostnames
Being proactive
• Can users access the wireless network successfully?
• Are connected users having a good experience?
• Are any APs overloaded or in need of optimization?
Slow data rates? Check the signal-to-noise ratio (SNR)
SNR: the difference in decibels between the received signal and the background noise level (noise floor).
Recommendation: 20 dB or more for data networks; 25 dB or more for voice applications.
Symptoms: slow network performance; network timeouts; troubles connecting to the network; dropped network packets; "missing" SSIDs
Fixes: channel planning; raise the minimum bitrate; adjust cell size (lower power); keep SSIDs to a minimum; check for rogue APs; check traffic analytics for unnecessary traffic
* All Meraki APs (except for MR20 and MR70) have a dedicated dual-band radio for this purpose.
Track security threats with Air Marshal
Ordering exercise (slide): the messages of each connection stage, in order
1. Association
2. Authentication
   1. EAP-Request
   2. RADIUS Access-Request
   3. RADIUS Access-Challenge
   4. EAP-Response
   5. RADIUS Access-Accept/Reject
   6. EAP-Success
3. DHCP
   1. DHCP Discovery
   2. DHCP Offer
   3. DHCP Request
   4. DHCP ACK
4. DNS
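Todd's report above (802.1X succeeds, DHCP discoveries go unanswered) is the kind of case the four-stage order resolves mechanically. The following is an added example, not a Meraki tool: it groups constructed log lines in a made-up "time MAC message" format and names the first stage whose expected message never appears, using the message names from the exercise.

```python
"""Find the stage at which a wireless client's connection stalls, using the
four stages from the slides: associate -> authenticate (802.1X) -> obtain an
IP address (DHCP) -> resolve hostnames (DNS). Added illustration, not a
Meraki tool; the log lines are constructed samples in a made-up
"<time> <client MAC> <message>" format, with message names taken from the
slide's ordering exercise.
"""
from collections import Counter

# Expected messages per stage, in the order the slide exercise lists them.
STAGES = [
    ("association", ["Association"]),
    ("authentication", ["EAP-Request", "RADIUS Access-Request",
                        "RADIUS Access-Challenge", "EAP-Response",
                        "RADIUS Access-Accept", "EAP-Success"]),
    ("dhcp", ["DHCP Discovery", "DHCP Offer", "DHCP Request", "DHCP ACK"]),
    ("dns", ["DNS Query", "DNS Response"]),
]

# Messages that end a stage with an explicit failure rather than silence.
FAILURES = {"RADIUS Access-Reject": "authentication", "DHCP NAK": "dhcp"}


def parse(lines):
    """Group log lines by client MAC into a Counter of message names."""
    per_client = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _time, mac, message = line.split(" ", 2)
        per_client.setdefault(mac, Counter())[message] += 1
    return per_client


def diagnose(counts):
    """Return (stage, detail) for the first stage that did not complete.

    Walks the stages in order; the first expected message that never
    appears marks where the client is stuck, and the count of the last
    message seen shows whether the client is retrying (repeated DHCP
    Discovery with no Offer points at the DHCP server or VLAN, not at 802.1X).
    """
    for message, stage in FAILURES.items():
        if counts[message]:
            return stage, f"explicit failure: {message}"
    last_seen = None
    for stage, steps in STAGES:
        for step in steps:
            if counts[step] == 0:
                seen = (f"after {counts[last_seen]}x '{last_seen}'"
                        if last_seen else "nothing seen")
                return stage, f"missing '{step}' {seen}"
            last_seen = step
    return "complete", "all four stages seen"


# Constructed sample: client ...01 is Todd's case (802.1X succeeds, DHCP
# Discovery repeats, no Offer); client ...02 is rejected by RADIUS.
SAMPLE_LOG = """\
10:01:02 aa:bb:cc:dd:ee:01 Association
10:01:02 aa:bb:cc:dd:ee:01 EAP-Request
10:01:02 aa:bb:cc:dd:ee:01 RADIUS Access-Request
10:01:03 aa:bb:cc:dd:ee:01 RADIUS Access-Challenge
10:01:03 aa:bb:cc:dd:ee:01 EAP-Response
10:01:03 aa:bb:cc:dd:ee:01 RADIUS Access-Accept
10:01:03 aa:bb:cc:dd:ee:01 EAP-Success
10:01:04 aa:bb:cc:dd:ee:01 DHCP Discovery
10:01:08 aa:bb:cc:dd:ee:01 DHCP Discovery
10:01:16 aa:bb:cc:dd:ee:01 DHCP Discovery
10:01:05 aa:bb:cc:dd:ee:02 Association
10:01:05 aa:bb:cc:dd:ee:02 EAP-Request
10:01:05 aa:bb:cc:dd:ee:02 RADIUS Access-Request
10:01:06 aa:bb:cc:dd:ee:02 RADIUS Access-Reject
"""


def report(text=SAMPLE_LOG):
    """Diagnose every client in a log dump."""
    return {mac: diagnose(counts) for mac, counts in parse(text.splitlines()).items()}


if __name__ == "__main__":
    for mac, (stage, detail) in report().items():
        print(f"{mac}: stuck at {stage} - {detail}")
```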
TOPIC
Troubleshooting cloud
applications performance
Troubleshooting application performance with Meraki Insight
Diagram: a user on the LAN sends an HTTP/S request through the MX to the web app server on the WAN and receives the HTTP/S response; the MX sends TLS-encrypted syslog over TCP 6514 to the Insight engine in the Meraki cloud.
Meraki Insight monitors HTTPS traffic on TCP port 443; for HTTP, any port can be specified.
No synthetic probes required. Ensure TCP 6514 is open on any firewall upstream.
VoIP Health
An active tool within Meraki Insight that measures network links for the performance of the uplink for cloud-managed VoIP services.
1. Utilize the built-in traceroute tool to find the root cause
2. The tool probes each hop along the path between the MX and the VoIP server
Hop number | Status | IP address | Domain | MOS | Loss | Latency | Jitter
1 | ● | 10.20.30.1 | gw-276meraki-dhcp.static.monkeybrains.net | 4.0 | 5.00% | 75 ms | 6.4 ms
2 | ● | 38.88.216.117 | be2681.ccr21.sfo01.stlas.cogentco.com | 4.1 | 2.00% | 78 ms | 3.5 ms
Auto VPN: registration phase
HQ (public IP 1.1.1.1, subnets A, B, C) and Branch (public IP 2.2.2.2, subnet Y) each register with the VPN registry across the Internet on UDP 9350.
Auto VPN: connection phase
Each peer then sends directly to the other's registered public socket: HQ S: 50000 → D: 60000; Branch S: 60000 → D: 50000. Result: a direct tunnel between peers (P2P) established by UDP hole punching.
Auto VPN: what can go wrong?
• Registry entries (diagram table): HQ 1.1.1.1 port 54321 subnets A, B, C "?"; Branch 2.2.2.2 port 60000 subnet Y. The port the registry holds for HQ (54321) does not match the one used in the connection phase (50000), so the Branch's packets do not reach the tunnel.
• Further diagram variants (HQ ⟷ Internet ⟷ Branch) whose labels were not preserved in extraction.
• Subnet Y at the Branch is not enabled for VPN ("Use VPN: Subnet Y – VPN OFF"), so HQ traffic destined to subnet Y (D: subnet Y ?) is not sent over the tunnel.
Auto VPN: what can go wrong and resolutions
NAT translating the same LAN socket to different public ports per destination (diagram): the MX sends from 192.168.1.5:44019 to both registry servers, but the NAT maps this to 192.51.100.23:56125 -> 203.0.113.57:9350 and 192.51.100.23:56126 -> 203.0.113.194:9350. The two registrations disagree on the public port (✕ ✕), so the peer cannot learn a port it can punch through.
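A small model of the registration, connection and failure cases above, written as an added example (not Meraki code and not the Auto VPN protocol itself): the registry is a plain dict with constructed peer names and CIDRs, and the NAT observations reuse the socket pairs from the slide. It reproduces the connection-phase packet pair, flags the inconsistent NAT mapping, and explains why a subnet with VPN off is unreachable.

```python
"""Auto VPN troubleshooting helpers modelled on the slides' registration and
connection phases. Added illustration, not Meraki code or protocol details:
the registry is a plain dict, peer names and subnets are constructed, and the
NAT observations reuse the socket pairs shown on the slide.
"""
import ipaddress

REGISTRY_PORT = 9350  # UDP port the slides show for VPN registry traffic

# Constructed registry contents: the public socket each peer registered and
# which local subnets it advertises into Auto VPN (False = "VPN OFF").
SAMPLE_REGISTRY = {
    "HQ": {"public": ("1.1.1.1", 50000),
           "subnets": {"10.10.1.0/24": True, "10.10.2.0/24": True,
                       "10.10.3.0/24": True}},          # subnets A, B, C
    "Branch": {"public": ("2.2.2.2", 60000),
               "subnets": {"10.20.1.0/24": False}},     # subnet Y, VPN off
}


def connection_phase(registry, a, b):
    """Packets each peer sends in the connection phase: from its own
    registered public socket to the other peer's registered socket."""
    socket_a, socket_b = registry[a]["public"], registry[b]["public"]
    return [(a, socket_a, socket_b), (b, socket_b, socket_a)]


def nat_consistency(observations):
    """observations: (private socket, registry server IP, public socket that
    registry saw). A NAT mapping one private socket to a different public
    port per destination defeats hole punching, because the port a peer
    learns from the registry is not the port the NAT will use toward it."""
    seen = {}
    for private, _registry_ip, public in observations:
        seen.setdefault(private, set()).add(public)
    return {private: ("consistent" if len(publics) == 1 else "inconsistent")
            for private, publics in seen.items()}


def route_check(registry, destination_ip):
    """Explain whether a destination is reachable over Auto VPN and why not."""
    address = ipaddress.ip_address(destination_ip)
    for peer, entry in registry.items():
        for cidr, enabled in entry["subnets"].items():
            if address in ipaddress.ip_network(cidr):
                if enabled:
                    return f"reachable via {peer} ({cidr})"
                return f"{cidr} is local to {peer} but not enabled for VPN"
    return "no peer advertises a subnet containing this address"


# NAT observations from the slide: one LAN socket, two registry servers,
# two different public ports.
SLIDE_OBSERVATIONS = [
    (("192.168.1.5", 44019), "203.0.113.57", ("192.51.100.23", 56125)),
    (("192.168.1.5", 44019), "203.0.113.194", ("192.51.100.23", 56126)),
]


if __name__ == "__main__":
    for peer, src, dst in connection_phase(SAMPLE_REGISTRY, "HQ", "Branch"):
        print(f"{peer}: S {src[0]}:{src[1]} -> D {dst[0]}:{dst[1]}")
    print(nat_consistency(SLIDE_OBSERVATIONS))
    print(route_check(SAMPLE_REGISTRY, "10.20.1.7"))
```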
TOPIC
Local status page
Local status page
Make local configuration changes, monitor device status/utilization, and perform local troubleshooting
Diagram: a client behind the MX / MS / MR reaches the device's local status page by name (my.meraki.com; switch.meraki.com is also shown); an Internet connection is NOT required.
Note: my.meraki.com or setup.meraki.com will work for any Cisco Meraki device (MX, MS, MR) but will only access the first device in the path
Local status page: alternative access
If access via DNS doesn't work, there are other ways
Diagram: browse directly to the device's IP address (1.1.1.100 shown for the MX); an Internet connection is NOT required.
Note: alternate access requires the local client/workstation to be manually configured with an IP in the same range (/24)
Troubleshooting the local status page
What can go wrong when browsing to my.meraki.com?
• Local status page disabled
• DNS traffic not through the MX
• MX in Passthrough Mode
Lesson 15 review
• Understand various troubleshooting methods (on the Meraki platform)
• Are you able to assess wireless intrusions, failures, and network issues through the tools available in the Dashboard?
• Do you know how to monitor threats via the Security Center and take protective actions?
• Understand the various forms of troubleshooting with respect to Auto VPN and the VPN Status page in Dashboard
• Do you know how to access and fully utilize the Local Status Page?
LAB
Self-paced lab period (45 mins)
Objective
Complete all lesson 15 labs and review the verification section of each lab.
Directions: as for the lesson 7 lab (lab guide http://cs.co/ecms2-lab, solutions http://cs.co/ecms2-lab-solution).
Lesson 15 Knowledge Check
Which of the following is a supported method for accessing Dashboard's packet capture tool?
Which of the following is NOT one of main benefits or uses of the Local Status page?