Meraki Cloud Networking Workshop

Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1
Cloud Networking Lab
Jay Bradford and Mike Makkaoui
Cloud Networking Systems Engineers
May 2016

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Housekeeping notes
Thank you for attending Cisco ConnectToronto 2016,here are a few housekeeping notes
to ensure we all enjoy the sessiontoday.
• Please ensureyourcellphones/ laptops are set on silent to ensure no one is disturbed
during the session
• SSID: CiscoLabs Password:CiscoLabs

20 min Welcome and Introduction
35 min Dashboard Demo
20 min Local MX, MS and MR configuration
60 min MX | SecurityAppliances Lab
30 min MS | Access Switches Lab
30 min MR | WirelessAccess Points Lab
25 min SM | System Manager Demo
10 min Q&A and Wrap-Up
Agenda

Cisco Confidential 4© 2015 Cisco and/or its affiliates. All rights reserved.
About Cisco Meraki

Cisco Meraki:a complete cloud-managed networking solution
- Wireless, switching, security, MDM and telephony, centrally managed over the web
- Built from the ground up for cloud management
- Integrated hardware, software, and cloud services
Cloud Networking Leader:
- Cisco’s fastest-growing acquisition ever: over 100% annual growth
- 600,000+ customer networks in 147 countries
- Tens of millions of devices connected worldwide
Recognized for innovation
- Gartner Magic Quadrant
- InfoWorld Technology of the Year
- TechWorld Mobility product of the year
- CRN Coolest Technologies
About Cisco cloud-managed networking

Cloud Managed WiFi Cloud Managed Network Cloud Managed IT
Meraki MR
Wireless LAN
Meraki MS
EthernetSwitches
Meraki MX
Security Appliances
Meraki SM
MDM
Meraki MC
Telephony
Bringing the cloud to enterprise networks

Meraki cloud architecture

Scalable
Unlimited throughput, no bottlenecks
Add devices or sites in minutes
Reliable
Highly available cloud with multiple datacenters
Network functions even if connection to cloud is interrupted
99.99% uptime SLA
Secure
No user traffic passes through cloud
Fully HIPAA / PCI compliant (level 1 certified)
3rd party security audits, daily penetration testing
Automatic firmware and security updates (user-scheduled)
Reliability and security information atmeraki.cisco.com/trust
Management
data (1 kb/s)
WAN
Out-of-band management in every product

Cloud Licensing Model is Simple
9
Simple Cloud Licensing model
No per-feature or per-user licenses
Licensing options: 1 Year, 3 Year, 5 Year, 7 Year & 10 Year
Cloud License price is all inclusive
Cloud Management UI
24 x 7 phone support
Automated software updates
Advanced hardware replacement
All features built on the platform
All new features

Dashboard Demo

Hands-on Labs
Visit
meraki.com/merakilab
Session Code: #142NA
* Limit of 3 free APs per customer and includes previous promotional offers

Your individual lab
lives at our SF office!

Go to dashboard.meraki.com
Username: torontoX@meraki.com.test
Password: meraki123
X (number) as assigned
Lab slides: http://cs.co/CCT2016_lab_slides
Lab manual: http://cs.co/CCT2016_lab_manual

Network Topology
Firewall Configuration:
VLAN 1 (Corp)
Subnet: 10.0.x.0/24
Interface:10.0.x.1
VLAN 30 (Voice)
Subnet: 10.0.[30+x].0/24
Interface:10.0.[30+x].1
VLAN 100 (Guest)
Subnet: 10.0.[100+x].0/24
“x” is your lab station number
Switch Configuration:
VLAN 1 (Corp)
Subnet: 10.0.x.0/24
Interface:10.0.x.201
Default gateway:10.0.x.1
VLAN 150 (Legacy)
Subnet: 10.0.[150+x].0/24
VLAN 600 (OSPF)
Subnet: 192.168.0.0./24
Interface:192.168.0.x

MX | Security Appliance Lab

A Complete Unified Thread Management Solution
Application Control
Client Fingerprinting, Traffic
Shaping, Content Filtering,
Security
NG Firewall, Client VPN,
Site to Site VPN, IDS/IPS,
Anti-Malware, Geo-Firewall
Networking
NAT/DHCP, 3G/4G Cellular,
Link Balancing, IWAN

MX65 / MX65W – (small) Branch in a box
• 802.11ac with doublethe MX64 power
• 802.1x port authentication
• 2 WAN ports
• 8 LAN ports
• 2 LAN PoE+ ports (60W total)
• Ready for IWAN
• Ideal for smallbranchesor
telecommuters
Same throughput as MX64/64W
with increased interface count

Automated site-to-site VPN
Site-to-site IPsec VPN in just two
clicks in the Dashboard
Simple Creates L3 site-to-site VPN tunnels with just 2 clicks in the dashboard
Automatic Comparable to Cisco DMVPN, it creates a mesh or hub-and-spoke VPN
tunnel between all peers and adjusts to IP changes
Resilient Automatic failover over to secondary WAN link or 3G/4G USB modem

Meraki Intelligent WAN
WAN 1
Secure VPN tunnel (active)
Latency / loss > threshold
WAN 2
Secure VPN tunnel (active)
Latency / loss < threshold
Data
Based on L3 / L4 categorization, this data
normally travels out WAN 1 (PbR), but MX
detects optimal path is WAN 2 based on
latency / loss on WAN 1 (PfR).
Dual-active path:
Active-active VPN
Policy-based routing (PbR):
Allows uplinks to be intelligentlyassigned based
on traffic protocol, subnet, source, destination,
etc.
Dynamic Path Selection
Ensures the best uplink is used based on
latency and loss metrics
Reference Meraki Architecture
The architecture diagram displaysthe Meraki
full-stack alongside iWAN.

Choosing the right MX for your environment
MX64/64W
MX65/65W
MX84
MX100
MX400
MX600
Z1
Small branch
(~50 users)
Where FW Throughput
250 Mbps
Campus / VPN
concentration
(~10,000 users)
Large branch /
campus (~2,000
users)
Mid-size branch
(~200 users)
Mid-size branch /
small campus
(~500 users)
Notable Features
802.11ac wireless
(MX64W/MX65W)
Power redundancy
Modular interface
SFP or SFP+ (with modules)
500 MbpsSFP Ports
750 MbpsSFP Ports
1 Gbps
2 Gbps
Power redundancy
Modular interface
SFP or SFP+ (with modules)
For teleworkers
(1-5 users)
Dual-radio wireless
FW throughput:50 Mbps
All devices support3G/4G

MX Base Configuration
• Enable VLANs and create VLANs 1 (Corp), 30 (Voice) and 100 (Guest) per the Network Topology diagram.
• Ensure that non-tagged traffic will be part of VLAN 1 (native vlan)
• VLAN 1 (Corp) Reserve IP addresses .150 through .250 under DHCP Settings
• When done go to Switch/Switches and under live tools reboot your switch
• Apply the following global default policies (Hint: Below section does not use grouppolicies)
• Completely block BitTorrent
• For Netflix and Pandora, shape traffic to 100K down, 50 K up. Ensure they are low priority and are marked appropriately.
• Apply content filtering for adult websites
• Enable site-to-site VPN with following settings
• Type: Spoke
• Full Tunnel (Hint: Default Route)
• Hubs: Data Center 1 and Data Center 2 (Prioritize Data Center 2)
• Include VLAN 1 and VLAN 30 in VPN and exclude VLAN 100
• Check the Route Table and VPN Status under Monitoring
• You should be able to ‘ping’ your neighbor’s networks and the Data Center networks
• (Hint: “10.0.lab#.1”, 10.0.250.1, 10.0.251.1, 10.0.252.1)

MX IWAN Configuration
• Security appliance > Configure > Traffic shaping
• Uplink configuration
• Uplink bandwidth WAN 1 = 10Mb, WAN 2 = 5Mb
• Global preferences
• Load balancing enabled
• Flow preferences
• Internet traffic
• “Guest” subnet prefers WAN 2
• Custom performance classes
• Create “Acceptable Delay” with a setting of 250ms
• VPN Traffic
• Any Protocol with Destination 8.8.8.8/32 prefer WAN 2 unless performanceexceeds for
“Acceptable Delay”
• “Corp” subnet Load balance on uplinks that are suitable for “Acceptable Delay”
• “Voice” Preferred uplink: Best for VoIP
• Verify VPN path selection by initiating ping from switch (Hint: Check Security Appliance/VPN Status)
• In a new browser tab Ping 8.8.8.8 and 8.8.4.4 from your Security Appliances “live tools”
• Review and note the results on the VPN status page
• Wait for instructor to createISP level disruption

MS | Switch Lab

Complete Campus Switching Portfolio
22 modelsscaling from access to campus aggregation
Enterprise-classperformance and reliabilityincluding non-blocking Gigabit
performance,802.3af/at PoE/PoE+on all ports, 10GbE uplinks,and voice and video QoS
Voice and video QoS
Dynamic Routing
Layer 7 app visibility
Virtual stacking
Enterprise security, ACLs
Remote packet capture, cable testing
Feature highlights

Mission Critical Features
OSPF
Dynamic routing with intuitive, browser-based configuration
IPv6 visibility and tracking
Usage statistics for IPv6 address now in Dashboard
DHCP server
Integrated DHCP service to help prevent single points of network failure
IPv4 Access Control Lists (ACLs)
Granular security boundaries configurable by subnet, protocol, port range, or host.
Virtual Router Redundancy Protocol (VRRP) with DHCP Failover support
High availability via a warm spare with automaticfailover and DHCP failover support
Addressingevolvingcustomerneedsaroundredundancy,campusconnectivity,and
reducing complexity

Meraki stacking: Virtual and physical
San Francisco
London
Sydney
Apply Access Policy
on ports 1-10
San Francisco
Benefits of virtual stacking apply equally to standalone or physically stacked switches
Step 1: Select ports to edit
Step 2: Configure multiple ports as desired
Step 3: Save, you’re done!
Standalone
switches
Stacked
switches

MR52 and MR53
Highest Performance 802.11acIntroducing MS350-24X
Stackable Multigigabit L3 access switch
Gigabit
(1G)
Multigigabit
(1/2.5/5/10G)
• New 24-port addition to the MS350
Family
• 8 Multigigabit (1/2.5/5/10G) ports
• UPoE (60W) capable
• Designed to work with the new
Multigigabit-capable MR53
Launching & shipping 17 May
$7,495

MR52 and MR53
Highest Performance 802.11acIntroducing MS425
Next Gen 10G aggregation
• 16 & 32 port 10G fiber aggregation
• 40G QSFP+ uplinks
• Flexible stacking
• MS420 refresh with additional price
points & unified design
• Ships with 1 PSU and all fans
(redundant PSU is optional)
10 Gigabit
(SFP+)
40 Gigabit
(QSFP+)
Launching & shipping 17 May
MS425-16 $14,000
MS425-32 $22,000

Access Aggregation
MS220 MS320 MS350 MS410 MS420 MS425
Features
• 8, 24, 48 port models
• Layer 2
• Gigabit SFP uplinks
• 24, 48 port models
• Layer 3
• 10Gb SFP+ uplinks
• Hot-swappable,
redundant power
supplies
• Physical stacking
(160Gbps)
• High performance
Layer 3
• 1Gb & Multigigabit
• Hot-swappable fans
and power supplies
• Management port
• Physical stacking
(160Gbps)
Layer 3
• 1Gb SFP interfaces
and power supplies
• Management port
• Front-port stacking
Layer 3
• 10Gb SFP+
• Hot-swappable,
redundant fans and
power supplies
• Management port
• Front-port stacking
Layer 3
• 10G SFP+
• 40Gb QSFP+ uplinks
and power supplies
• Management port
Positioning
• Branch access
switching (L2)
• Branch and Campus
access switching (L3)
• Stackable Branch and
Campus access
switching (L3)
• Stackable Branch and
Campus aggregation
switching (L3)
• Stackable Campus
aggregation switching
(L3)
• Stackable Campus
aggregation switching
(L3)
Meraki MS switching product families

MS Base Configuration
• Verify that your switch is operational under Monitoring page (green status, passing traffic)
• Click on “Initialize layer 3 features” link to add following SVIs:
• Name: Corp
Subnet: 10.0.x.0/24
Interface: 10.0.x.201
VLAN: 1
Default gateway: 10.0.x.1
Disable DHCP
• Name: Legacy, Subnet: 10.0.[150+x].0/24, Interface: 10.0.[150+x].1, VLAN: 150, DHCP Enabled
• Name: OSPF, Subnet: 192.168.0.0/24, Interface IP: 192.168.0.x, VLAN: 600, Disable DHCP
• Go to the MX Appliance and create a static route for the “Legacy” subnet with gateway IP address to your
L3 switch SVI in the “Corp” VLAN - 10.0.x.201.
• “In VPN” option shouldbe “Yes”.

MS OSPF Configuration
• On the switch, configure OSPF with following settings:
• First configure switch port 25 to be access VLAN 600
• Enable OSPF with default Area 0
• Edit Legacy and OSPF interfaces to use the default Area 0 and Cost 1
• Make sure static routes override the OSPF routes
• Verify the OSPF neighbors and routes on the switch Monitoring page. Start a ping to 10.0.252.1 from the
Legacy Source interface and try again with port 25 on your switch disabled
• (Hint 10.0.[150+x].1. wait about 30 sec and restart ping if necessary).

So what is going on?
DC2 MX
10.0.252.2
DC2 MS
10.0.252.1
Note your VLAN30 Voice subnet is being learned
through the DC2 VPN – how would you fix this?

MR | Access Point Lab

MR wireless access points
8 modelsincluding indoor / outdoor,high performance and value-priced
Enterprise-classsilicon including RF optimization,PoE, voice / video support
Lifetime warranty on indoor APs
BYOD policies
Application traffic shaping
Guest access
Enterprise security
Location analytics
WIPS – 3rd
Security Radio
Feature highlights

4-stream 4x4 802.11ac Wave 2
160 MHz channels & MU-MIMO
Quad-radio architecture
Dedicated scanning radio & BLE
Dual 1-gigabit Ethernet interfaces
Full operation on 802.3at PoE+ power
17 May: available in US/CAN/EU/ANZ/JP
US$ 1,399 list price
Introducing MR52
Highest performance 802.11ac
1-gigabit 1-gigabit

4-stream 4x4 802.11ac Wave 2
160 MHz channels & MU-MIMO
Quad-radio architecture
Dedicated scanning radio & BLE
Multigigabit + 1-gigabit Ethernet
Full operation on 802.3at PoE+ power
17 May: available in US/CAN/EU/ANZ/JP
US$ 1,699 list price
Introducing MR53
Future-proof802.11ac
100/1000/2.5G 1-gigabit

Indoor Capabilities
MR53 / MR52 Highest-performance & future-proof MR42 General purpose Quad-radio architecture
- 2.4 GHz client radio
- 5 GHz client radio
- Scanning/security radio*
- Bluetooth LE beacon**
Enterprise wireless
- Band steering & Auto RF
- Traffic shaping& QoS
- Secure login
Advanced features
- Deep packet inspection
- Location analytics
- Splash page logins
Enterprise license
- 24x7 support
- Advance replacement
PoE & DC power options
*except MR66, MR62
**except MR18, MR66, MR62
Wave 2 802.11ac
4-stream4x4
4ssMU-MIMO
160 MHz channels
Multigigabit (MR53)
Wave 2 802.11ac
3-stream3x3
2ssMU-MIMO
80 MHz channels
MR32 Entry-level 11ac MR18 Entry-level 11n
802.11ac
2-stream2x2
SU-MIMO
802.11n
2-stream2x2
Outdoor / rugged
MR72 High-performance MR66 General-purpose MR62 Entry-level
802.11ac
quad-radio
2-stream2x2
802.11n
dual-radio
2-stream2x2
802.11n
single-radio
2-stream2x2
Meraki MR wireless portfolio

Bluetooth and Beacons
Bluetooth & BLE integrated in many
consumer devices already
Beacons use BLE for location services like
asset tracking, mobile commerce, and nav
-iBeacon is Apple’s BLE trademark
Gaining traction as an opt-in alternative to
WiFi-based location services
Integrated Bluetooth to drive location trends

Use Case: Location Engagement with Beacons
Seamless site-wide
deployment by integrating
Beacons into the AP
Better consumer
experience with opt-in
mobile app integration
Increased customer
visibility with both WiFi
and Bluetooth analytics
built-in

Use Case: Asset Tracking with Bluetooth
Seamless site-wide
deployment with Bluetooth
integrated into the AP
Track Beacon-tagged
assets with Bluetooth
scanning and location
estimation
Increased administrative
visibility with both WiFi
and Bluetooth inventory
built-in

MR Configuration (APs have been turned off)
• Rename existing SSID under Configuration to “Corp” and enable an additional SSID for “Guest”
• On your “Corp” SSID, use WPA2-Enterprise for authentication and add a RADIUS server with IP address
10.0.250.100, port 1812 and shared key “meraki123”. Change client IP assignment to “Bridge Mode” and
VLAN tagging to 1
• On the “Guest” SSID, ensure the users sign on with a simple click-through splash page that refreshes
every half hour (hint: customize it under Configure / Splash Page). Change client IP assignment to “Bridge
Mode” and VLAN tagging to 100
• Under Configure / Firewall & Traffic Shaping, select the “Guest” SSID and create L7 firewall rules to block
P2P File Sharing and Gaming on this SSID. Also, limit the per-client bandwidth to 1 Mbps
• Block access to the Local LAN from clients connected to the “Guest” SSID

Systems Manager Enterprise

Cisco’s Enterprise Mobility Solution: Systems Manager
Meraki Systems Manager
Cloud Managed Mobility Management
Provision, monitor, and secure mobile devices
Flexible, easy
provisioning
Centrally scale 100,000s
devices worldwide
Auto-tagging, dynamic
security compliance
Integrate seamlessly with the
rest of your Cisco network

Risk of Mobile Devices in the Enterprise?
• Insider Misuse = Significant Cause of Breaches
>20% of breaches come directly from insiders with malicious intent.
In most breaches, attackers havefoothold within internal networks &
spread / steal data through privilege abuse / credential misuse.
• Mobile Devices = Increasingly Used to Harvest Data
Adware grew 136% to 410,000 apps between 2013 and first three
quarters of 2014, givingattackers accesstopersonal information
such as contacts, whichcansubsequently be used to launch
phishing attacks
• Mobile Device Management = Critical in Preventing Breaches
22% of breaches reported by network security decisionmakers
involvelost / stolendevices
Are the devices on your network secure?

SM Dashboard Demo

Meraki Cloud Networking Workshop

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Meraki Cloud Networking Workshop

Similaire à Meraki Cloud Networking Workshop (20)

Plus de Cisco Canada

Plus de Cisco Canada (20)

Dernier

Dernier (20)

Meraki Cloud Networking Workshop