Mini-Lab Student Guide

1
Introduction
You have recently been hired to manage the IT systems for a local doctor’s office
group in San Francisco.
Nightingale Medical Associates has managed to survive with a consumer ISP-provided
gateway for many years, but recent Electronic Medical Records (EMR) mandates,
HIPAA compliance, more patients, new offices opening up, and the demand for guest
Internet access has them excited about an enterprise-class solution.
As their new IT admin, you suggest that Nightingale Medical Associates deploy Cisco
Meraki as their solution. This will not only meet their needs now, but can scale with
them as they grow their main location and open new offices, as well as provide them
with a simple, intuitive management interface and rich application visibility, reporting
and analytics.
In order to get started, you’ve decided to equip them with a stack of Meraki gear, and
today you’ll be configuring that gear for one of the offices.

How to perform lab work

1. Navigate to http://meraki.com/merakilab and fill out the form using the Session Code provided.
2. Navigate to http://dashboard.meraki.com and login with the username and password provided
by the instructor. It is recommended to use Google Chrome. IMPORTANT: Be sure you are
selecting the correct Organization for your Minilab session after logging into the portal. Your
instructor will provide the correct session number if needed. If necessary, be sure to choose
your correct lab station number (from your Topology Sheet) from the network dropdown box in
the upper left of Dashboard.
3. Feel free to use the Cisco Meraki knowledge base articles and documentation to assist with the
lab.
They can be found at: http://documentation.meraki.com
You can also use the Dashboard search box for assistance, which is very helpful.
4. Time for “exploring” Dashboard and for finding/using help has been worked into the suggested
times for each lab section.

Reference materials:
Meraki Main Page – meraki.cisco.com
Cloud Architecture Overview – meraki.com/trust
Datasheets/Whitepapers Library – meraki.cisco.com/library
Meraki Product Documentation – documentation.meraki.com
Meraki Webinars & Training – meraki.cisco.com/webinars
Meraki YouTube Channel – www.youtube.com/user/milesmeraki/videos

2
How to Read the Lab Guide
Throughout the lab guide you will see various notations that serve to call out different
types of information. These are classified into the following categories:

Important: These are high priority, critical bits of instructions that you must read carefully and pay
close attention to performing correctly or they could have an adverse effect on your lab station.

Note: These are typically warnings that usually serve as reminders as they are sometimes easily
overlooked or missed.

Hint: These are useful pieces of advice that could help point you in the right direction or help draw
your attention to hard-to-find or confusing configurations.

Information: These serve as additional footnotes and reference materials sourced from the official
Meraki documentation portal (located at: https://documentation.meraki.com) for various topics or
technologies.

3
As you log into Dashboard, you should pay close attention to ensure that you are
working within the right lab network. For example, if you have been assigned to Lab
Station #7 within POD 4, then you should see very clearly at the top that you are
signed in using the right user account and working in the right lab station network.
Your instructor should let you know what POD you’re working in today.

Verification for Lab Station #7, POD 4

Hint: The Cisco Meraki Dashboard is compatible with the most recent version of Firefox, Internet
Explorer, and Chrome web browsers. However, the most recommended browser is Chrome as it
provides the best and most consistent user interface experience. It should also be noted that MV
security camera streaming is not supported on Windows 7 + Internet Explorer 11.

4
1. Lab Station References (IP Addressing)
Throughout the lab exercises, you will occasionally see instructions that reference
your lab station number. These references appear as a green “n” or “X” whereby it
should be immediately replaced by your lab station number:

Example Instruction: Rename the MX’s name as “MX [n]”

• Lab Station 7’s results: MX 7
• Lab Station 18’s results: MX 18

A similar but slightly different instruction may tell you to add your lab station number –
again referenced as “n” – to an existing value. This should be treated as a simple add
(+) operation, as illustrated in the following example:

Example Instruction: Use the following as the subnet: 10.0. [ 10 + n ] .0/24

• Lab Station 7’s correct results: 10.0.17.0/24 (10 + 7 = 17)
• Lab Station 18’s correct results: 10.0.28.0/24 (10 + 18 = 28)

Important: It would be incorrect if a concatenation were to be used, such as 10.0.107.0/24 for Lab
Station 7 or 10.0.1018.0/24 for Lab Station 18 – these are incorrect and possibly invalid IP addressing
values.

This type of replacement applies not just to subnets but also to IP addressing and
VLAN instructions in the lab guide. Here are some more examples:

Example Instruction: Use the following as the IP address: 10.0. [ 150 + n ] .1

• Lab Station 7’s correct results: 10.0.157.1 (150 + 7 = 157)
• Lab Station 18’s correct results: 10.0.168.1 (150 + 18 = 168)

Example Instruction: Configure the access port to be in VLAN [ 600 + n ].

• Lab Station 7 would configure the port to be in VLAN 607 (600 + 7 = 607)
• Lab Station 18 would configure the port to be in VLAN 618 (600 + 18 = 618)

5
 Your Station’s Network Topology Overview
“n” is your lab station number

Security Appliance
Configuration:
(Step 1.1.1)

VLAN 10 (Corp)
Subnet: 10.0.10+n.0/24
Interface: 10.0.10+n.1

VLAN 30 (Voice)
Subnet: 10.0.30+n.0/24
Interface: 10.0.30+n.1

VLAN 100 (Guest)

Subnet: 10.0.100+n.0/24
Interface: 10.0.100+n.1

Switch Configuration:
(Lab 2, Step 2.1.1)

VLAN 10 (Corp)
Subnet: 10.0.10+n.0/24
Interface: 10.0.10+n.201
Default gateway: 10.0.10+n.1

VLAN 150 (Legacy)

Subnet: 10.0.150+n.0/24
Interface: 10.0.150+n.1

VLAN 600 (OSPF)

Subnet: 192.168.0.0./24
Interface: 192.168.0.n

6
Exercise 1 | Small / Medium Site (90-120 minutes)
To get started, let’s set up your first three pieces of Meraki gear. Meraki Support has
already set up a Dashboard account and added the MX, MS and MR equipment to a
network. In this exercise, you will create an initial configuration for a doctor’s office,
create a baseline security policy, configure a guest wireless network, and interconnect
all of the remote branches over a secure VPN.

Important: Make sure you are in the CORRECT POD and the CORRECT NETWORK that corresponds
to your Lab Number

1.1.1 Initial MX Setup (20-30 minutes)

Hint: If you need help to find where commands are located use the search function in the upper left
corner, right of the POD number, or Cisco Meraki logo. It says “Search Dashboard”

1. Verify that your MX is operational noting that it’s green in Dashboard and the WAN uplinks
are healthy.
2. Edit the name of your MX such as “Lab <n> MX” and assign a city/address (refer to your
topology sheet), and use the live tools to ping the appliance, maybe run a traceroute to
google.com.
Check the status of your WAN1 and WAN2 uplinks using the “Uplinks” tab.
3. VLAN configuration
a. On the “Addressing and VLANs” page, first Enable VLANs and then create VLANs 10
(Corp), 30 (Voice) and 100 (Guest) as per your topology diagram.
See additional notes b/c/d below.
b. Do not remove/modify VLAN 1 (default/untagged VLAN) which is there by default.
c. Use the “Add a Local VLAN” link to configure VLANs 10, 30 and 100.
d. All non-tagged traffic will be part of VLAN1 (default vlan).
4. On VLAN 10 (Corp) reserve IP addresses .150 through .250 under DHCP Settings.

Note: This addressing section is required before moving onto any further labs.

1.1.2 Setting a Security Policy (20-30 minutes)

1. Apply the following global default policies [Hint: This first part does not use group policies.]
a. Completely block peer-to-peer BitTorrent traffic.
b. Set a maximum bandwidth of 5Mbps per client.

7
 c. For Netflix and Pandora, shape traffic to 1M down, 500K up and ensure they are low
priority.
d. For all voice and video conferencing, remove all bandwidth restrictions and ensure
they are high priority.
e. Apply content filtering to block adult and gambling websites, but allow 777.com.
2. Enable Advanced Malware Protection (AMP) and Intrusion detection with Balanced Ruleset.
3. Enable network alerts if the MX goes offline for more than 10 minutes or a DHCP pool is
exhausted.
4. Create a group-policy called “Guest” to ensure that guest users will conform to below
restrictions
a. Guests will be restricted to 2M per client.
b. Guest group policies will only be turned on during working hours 8am–5pm Mon-Fri.
c. No traffic can communicate to/from North Korea or Syria.
d. Add another L7 firewall rule to block all gaming applications.
e. Append the default content filter to add all sports web sites.
f. Now that all sports sites are blocked, allow [Hint: Append to Whitelist]
sports.yahoo.com.

5. Apply the “Guest” group policy to the “Guest” VLAN. (Hint: Addressing & VLANs page)

1.1.3 - Interconnect All Sites via Full-Mesh Auto VPN (20 minutes)
1. Configure a full-mesh VPN between all sites, and enable VPN for the Corp and Voice VLANs,
but not the default or guest VLANs.

Hint: Navigate to Site-to-site VPN and configure your site as a hub (and do not configure an exit hub)

Verify connectivity by pinging the data center core switch (10.0.250.1) from the Live tools on
the Appliance status screen. What is your latency to the data center?

2. Navigate to VPN Status to verify connectivity to other branches. Note: If you don’t see site-to-
site peers listed, try clicking the “View old version” link on the right-hand side and you can then
verify connectivity to other branches.
3. Examine the MX’s routing table.
Do you see your local VLANs and VPN peer networks?
Can you ping any of the VPN peers? (Check with your neighbors if they have also reached
this step.)

1.2.1 Initial Switch Configuration (20-30 minutes)

1. Verify that your MS switch is operational (green status, passing traffic)

8
 2. Edit the name of your switch and apply the tag(s) and city/location from your topology
handout.
3. Customize your flex table view under Switch > Switches to include local IP, Tags and S/N.
4. Configure ports 4 – 7 for VoIP phone access
a. Tag these 4 ports with the “voip” tag.
b. Make them access ports on VLAN 1 with voice VLAN 30.
c. Create a QoS rule for the network to mark all traffic in voice VLAN 30 as DSCP 46 (EF)
for voice.
5. Create an energy-saving port schedule to turn off ports (power down phones) during off
hours.
a. First confirm (or set) the appropriate time zone for your network. (Network-Wide à
General)
b. Apply the port schedule to ports 4 – 7 simultaneously (try searching for “voip”).
6. Cable test and packet capture
a. Go to the Switch monitoring page and click on port 2.
b. In the Troubleshooting section, run a cable test on port 2 by clicking on the arrow next
to it.
c. Run a packet capture on port 1 of your switch for 30 seconds. View the output in
Dashboard, or download to a .pcap file if you have Wireshark installed on your device.
7. Extra Credit: Server ports
a. Configure ports 23 and 24 to be access ports on VLAN 1.
b. Give them a name of “File Server” and a “Server” tag.
c. Set up an email alert if any switch port with a tag of “Server” goes down for > 5 minutes

1.3.1 – Configuring Guest and Corporate Wireless (30-60 minutes)

1. Begin by first verifying that your MR access point is online and operational (i.e. MR is in good
health status, firmware & configuration are up to date, etc.) – you should see only one AP
listed on the Monitor > Access points page.

2. By default, the MR’s name will appear as its MAC address - look for and click on the pencil
icon which will allow you to change/edit the name. Proceed to rename the MR’s name as “MR
[n]” where n is your station number. You can also edit the address here to place the AP. (More
detailed placement is available at Wireless > Map & Floor Plans)

3. Navigate to the “Tools” tab to ping the Access Point from Dashboard to confirm it’s online.
You should also be able to ping your station’s MX at 10.0.10+n.1 or even other stations MR’s
across the VPN.

4. Navigate to Configure > SSIDs and proceed to enable as well as rename two SSIDs. Rename
the first SSID as “Corp n” and the other as “Guest n” (where n is your station number.) – be
sure to save your changes before leaving the page.

Hint: You should rename/repurpose the default SSID (usually named “LabX – Wireless WiFi”) as one
of the two SSIDs you are creating.

9
 5. To configure settings for these SSIDs, go Configure > Access control where you must first
make sure that the “Corp” SSID has been selected from the SSID drop-down menu at the top.
This SSID needs to have the following settings:
• Association Requirements: PreShared Key with WPA2, password: ‘meraki123’
• Client IP Assignment: Bridge mode
• VLAN tagging: enabled, VLAN ID: 10

6. Switch to the “Guest” SSID by using the drop-down menu at the top, and give this SSID the
following settings:
• Splash page: Click-through
• Client IP Assignment: Bridge mode
• VLAN tagging: enabled, VLAN ID: 100

7. Because we are using a click-through splash page for our guest wireless network, we will
want to have them re-authenticate every 30 minutes. Navigate to Configure > Splash page
and change the frequency to every half hour.

8. We want to ensure that our wireless guest users have no way of accessing any of the internal
local network resources while also restricting their usage. Go to Configure > Firewall & traffic
shaping and make the following configurations on the “Guest” SSID:
• Edit the default Layer 3 firewall by adjusting the policy to deny access to the Local LAN for
all wireless clients that might try to access the LAN
• Add three Layer 7 firewall rules to block P2P, File sharing, and Gaming services
• Limit the per-client bandwidth to 1 Mbps
• Make the Guest SSID unavailable on weekends.
9. Let’s implement some best & common practices for the RF settings.
a. For the Corporate SSID, make it dual-band operation, but use band steering to get more
users onto the cleaner 5GHz radio.
b. For all SSIDs, disallow very old legacy 802.11b devices.
c. Ensure automatic power reduction so the AP isn’t always running at 100% Tx power.
d. Ensure a default 5GHz channel width of 80MHz.
e. Ensure the AP is choosing its channel assignment automatically.

Hint: These items are on different pages, as some controls are per-SSID, and some are for the AP as
whole. Be sure to check out both Access Control and Radio Settings pages. On Radio Settings, you
can also hover over the current settings on each AP to see available options.

10. Let’s check on the RF utilization of the 2.4Ghz band since we powered on the AP. It’s in a
very busy place, so we want to see how badly overutilized that band has been. Back on the
AP’s status page, use the RF tab on the far right.

10
11. Extra Credit – Systems Manager: Create a 3rd SSID called BYOD to be used for mobile device
onboarding, force iOS and Android clients to have Meraki Systems Manager installed to join
the SSID and get network access, Windows or Mac laptops will just see a splash page –
Mobile clients will download System Manager upon joining the BYOD SSID, the firewall blocks
everything else.
[Hint: This is under access control]

11
Exercise 2 | Large Site / Campus
Since deploying their enterprise network, Nightingale Medical Associates has
continued to grow. They’ve just acquired another medical group that has a legacy
private network interconnecting all of their sites. In order to increase collaboration
during the acquisition, Nightingale Medical Associates has rolled out the private
network to all sites. Also, to protect their new Electronic Medical Records (EMR)
system, Nightingale Medical Associates wishes to increase the security of their wired
and wireless network.

2.1.1 - Layer 3 Routing on the Switch (30-60 minutes)

1. Navigate to the Switch -> Routing and DHCP screen and create the interfaces below
a. Name: Corp, Subnet: 10.0.10+x.0/24, Interface: 10.0.10+x.201, VLAN: 10, Default
gateway: 10.0.10+x.1, Disable DHCP
b. Name: Legacy, Subnet: 10.0.150+x.0/24, Interface: 10.0.150+x.1, VLAN: 150, DHCP
Enabled
c. Name: OSPF, Subnet: 192.168.0.0/24, Interface IP: 192.168.0.x, VLAN: 600, Disable
DHCP
2. Go to the MX Appliance and create a static route to the “Legacy” subnet using the IP address
on your L3 switch SVI in the “Corp” VLAN as next hop. Reference the topology sheet for
supplemental information. [Hint: The Legacy network now lives on the MS only so we need to tell the MX
where this network is now. The answers can be found in 1.a and 1.b above]
a. “In VPN” option should be “Yes”
3. On the switch, configure OSPF with following settings:
a. First configure switch port 13 to be access VLAN 600
b. Enable OSPF with default Area 0
c. Edit Legacy and OSPF interfaces to use the default Area 0 and Cost 1
d. Edit the default static route to be preferred over OSPF routes

NOTE: Let the instructor know you reached this point and ask them to enable the private network for
exercise 2.

4. Navigate to the switch monitoring page

a. Verify that port #13 is now operational
b. Verify that your switch is using 192.168.0.x as the Router ID. If not, change it.
c. Verify the OSPF neighbors and routes using the live tools
i. Do you see the other lab stations as OSPF neighbors?
ii. Do you see the data center switch as an OSPF neighbor (192.168.0.254)?
5. Start a ping to the data center switch (192.168.0.254) from the Legacy Source interface
(10.0.150+x.1).
a. Ping 10.0.250.1 again with port 13 disabled. Wait about 30 seconds after disabling the
port.
b. What path is the switch now taking to get to 10.0.250.1?
12
 c. Does the switch still have OSPF neighbors?
d. See the diagram at the end of this document to better understand the logical data flow
/ topology.
6. Re-enable port 13.

2.1.2 Wired 802.1X and DHCP protection (20 minutes)

1. Create an Access policy (Switch > Configure > Access Policies)
a. Give it a name of “Test Policy 1” or something similar.
b. Use Radius host IP 10.0.250.100. Port 1812. Secret = “meraki123”
c. Place clients into VLAN 100 if they are unable to participate in 802.1x via a guest VLAN.
[Hint: MS switches support hybrid auth, so they’ll try 802.1X 1st and fall back to MAB 2nd.]
d. Allow phones (Voice VLAN Clients) to bypass authentication.
2. Navigate to Switch > Switch Ports
a. Apply the access policy to ports 4 – 7 simultaneously.
Note you can type “voip” or “4-7” in the search box, then select all 4 ports at once.
b. On the switch ports page, update the flex table to include the “Access Policy” column.
3. Navigate to Switch -> DHCP Servers
a. In order to improve the security of the LAN, change the default DHCP server policy to
block DHCP servers.
b. Allow any existing DHCP servers detected within the last day (If there are some you
simply click the “allow” link in the policy column)

2.2.1 Wireless IPS and 802.1X Authentication (20-30 minutes)

1. On your “Corp” SSID, use WPA2-Enterprise for authentication and add a RADIUS server with
IP address 10.0.250.100, port 1812 and shared key “meraki123”.
2. Configure the AP to act as a dynamic authorization server by responding to Change-of-
Authorization messages coming from the RADIUS server. [Hint: This is below the RADIUS server
configuration section in the same general location]
3. All of your devices should be newer corporate-issued devices. Let’s ensure maximum security
and performance on this SSID by:
a. Allowing Apple devices to use FastLane automatically (hint: It’s also known as adaptive
802.11r)
b. Turning on protected management frames (802.11w)
c. Blocking all Windows Phone and Blackberry devices from connecting. (Hint: Group
policies by device type, still on the Access Control page)
4. Navigate to the Air Marshal screen and configure the Access Points to block users from
connecting to Rogues seen on the LAN.
5. Configure the access point to automatically contain any SSIDs [Hint: SSID Blacklist] being
broadcast with “Nightingale” in the name of the SSID. This should automatically contain any
other local SSIDs with “Nightingale” in the SSID name.
6. Navigate to “Other SSID’s” and find your neighbor’s Corp SSID. Whitelist it so it doesn’t ever
get contained.

13
2.2.2 Advanced Wireless RF Design (20-30 minutes)
1. Navigate to RF Spectrum, and identify top interfering AP’s on your AP’s current 2.4Ghz
channel.
2. Nightingale corporate IT has identified that as the site grows, we will need to have a more
advanced RF Profile applied to very dense offices. Navigate to Radio Settings, and create a
new RF Profile for future AP’s at this location, called “Nightingale High Density” from scratch:
a. Ensure the 5Ghz band is the only one used, and ignore 2.4Ghz.
b. Ensure a narrower channel width of 20Mhz.
c. Ensure Client Load balancing is enabled.
d. Leave the full range of power settings for Auto Power.
e. Set the minimum bitrate to 24Mbit, for the entire AP (not per SSID)
f. Set the RX-SOP (Minimum received power) to ignore any clients weaker than -80dBm.
3. Navigate back to Wireless > Radio Settings, and select your AP, and apply the High Density
profile to it. (Accept any overrides) [Hint: Check out the Edit Settings button]
4. We need to prioritize new wireless VoIP phones on the network, from the AP itself. Navigate
to Wireless > Firewall & Traffic Shaping.
a. Turn on traffic shaping for your Corp SSID.
b. Prioritize All Voice & Video applications.
c. Ignore any bandwidth restrictions for this rule.
d. Place this traffic in PCP 6 (a priority queue), and tag it with DSCP “EF” (46) so other
network devices will prioritize the traffic upstream.

14
Exercise 3 | Distributed Enterprise (60-120 minutes)
Nightingale Medical Associates has been using their Meraki network for an entire year
now. Their Cloud Managed Network has helped them roll out electronic medical
records, ensure HIPAA compliance, and has accommodated the demand for guest
Internet. To keep up with the growing number of doctor’s offices joining the group and
increase the level of performance and reliability required by a growing distributed
network, they will need to add centralized Data Center services, increase redundancy,
and ensure that their business-critical applications are always preferring the best
performing WAN path.

3.1.1 VPN Topology & Redundancy (30-60 minutes)

1. Evolve the lab VPN design to a more scalable model using the Hub-and-Spoke topology.
a. Configure your site as a spoke and add both “Data Center 1” and “Data Center 2” as
hubs.
b. Prioritize “Data Center 2”.
c. Configure a full tunnel VPN by configuring both hubs with a default route.
d. Enable VPN for only Corp and Voice networks.
2. Verify that you can still ping each other’s lab MX LAN IP’s just as you did earlier with the full
mesh configuration.
3. Verify connectivity to all 3 Data Center subnets.
Hint: Use MX ping tool as well as check the Route Table on your MX.
a. 10.0.250.0/24 (Shared)
b. 10.0.251.0/24 (DC1)
c. 10.0.252.0/24 (DC2)

NOTE: Let the instructor know that you have reached this point and ask them to initiate a failure at
Data Center 2 by disabling its uplink for your lab pod.

4. Perform the following verification tasks.

a. Verify that Data Center 2 in unreachable by pinging the default gateway of its unique
subnet (10.0.252.2).
b. Verify that the DC shared subnet is still reachable by pinging its default gateway
(10.0.250.1).
c. Verify connectivity to your neighbors despite the data center failure by pinging their
MX.

3.1.2 Software Defined WAN (SD-WAN) (30-60 minutes)

1. Navigate to Security appliance > Configure > Traffic shaping.
a. Configure uplink bandwidths: WAN 1 = 10Mbps, WAN 2 = 5Mbps.

15
 b. Enable load balancing.
c. Configure a flow preference for “Guest” internet traffic to prefer WAN2. Hint: any traffic
with a source IP of 10.0.100+x.0/24 should prefer WAN2.
2. Create a custom performance class named “Acceptable Delay” with a setting of 200ms of
latency.
3. Under VPN traffic, configure the following rules:
a. Any traffic destined to 8.8.8.8/32 should prefer WAN 2 unless performance is worse
than “Acceptable Delay”.
b. Any traffic from the “Corp” subnet should load balance on uplinks that meet
“Acceptable Delay”.
c. Any traffic from the “Voice” subnet should use the best uplink for VoIP.
4. Verify path selection by navigating to the Uplink Decision section of the VPN status page.
a. Which uplink is used for traffic destined for 8.8.8.8?
i. WAN2 is cycling between 50ms and 400ms of latency every 20 seconds
resulting is the uplink cycling between WAN1 and WAN2.
b. Click one of the links in the uplink decision column.
i. What is the average latency and MOS score between your branch and Data
Center 2 for both of your branch’s WAN links?
5. (Optional) Feel free to adjust the “Acceptable Delay” latency setting and see how the uplink
cycling between WAN1 and WAN2 changes.

16
Final Logical Data Flow / Topology

17
Congratulations!
Thanks to you, Nightingale Medical Associates has been able to adopt an
enterprise solution that has scaled with the group’s growth. You’ve expanded
their small original location to a larger enterprise deployment, supporting a
multi-site architecture that meets all of their security and reliability requirements.
You have saved them a lot of time and money given the single-pane-of-glass
management across their full stack of infrastructure, zero-touch deployment
model, simple troubleshooting and reporting, and great visibility and analytics to
improve business practices.

18