
Last update: 23 January 2018

Training Manual
Certified Meraki Networking Associate Program
Introduction

You are the senior network administrator for a rapidly expanding San
Francisco-based coffee and sandwich chain.  Mission Sandwiches has
decided to support their new growth initiatives with a Cisco Meraki
network at its many retail locations and the corporate office in San
Francisco. The executive team still needs to be bought into the idea of
using a cloud-based architecture and you have decided to run a pilot
to demonstrate how a Cisco Meraki deployment can help the business
grow and scale while still providing many different avenues for a return
on the investment.

Mission Sandwiches is in the process of opening its flagship location in
your city and you are on location overseeing the technical aspects of
the build.  You have chosen this store for the pilot deployment and will
be configuring the store equipment on-site and the campus pilot
remotely.  This configuration will serve as a template for other Mission
Sandwiches network administrators to follow for the larger roll-out.

Let’s get started…

! 2 CMNA Technical Training !


Branch Site (These are the devices on your desk)
1 x MX65 - Security Appliance

1 x MR42 4-Radio 802.11ac Wave 2 Wireless Access Point

1 x Apple iPad Tablet

2 x CAT5e 3’ Ethernet Patch Cable

Campus Site (These devices are located in a remote location)

1 x MX84 Security Appliance

2 x MS225-24P 24 Port Gigabit Stackable Switch (with 4 10Gb SFP+ Ports)

1 x MR42 4-Radio 802.11ac Wave 2 Wireless Access Point

1 x MC74 VoIP Phone

1 x MV21 Security Camera

Dashboard Access
Your Dashboard login credentials (where n is your lab station number):

Site: dashboard.meraki.com

Username: labn@meraki.com.test

Password: meraki123

Apple ID Information
The iPad may ask you to login with Apple ID credentials when installing apps:

Username: partner.training@meraki.com

Password: Meraki2017

Important note: Be sure you are selecting the correct Organization for your CMNA
session. Your instructor will provide the correct session ID.



CMNA Lab Topology

[Topology diagram: ISP Stack (MX84); Campus Stack (MX84, MS225 Switch 1,
MS225 Switch 2, MR42, MV21, MC74; labelled links WAN 1, LAN port 3, port 24,
port 1, port 6, port 11, port 21); Branch Stack (MX65, MR42, iPad; labelled
links WAN 1, WAN 2); caption "Your Lab Station n".]

Note that this is the overall topology of your assigned lab station.

The branch stack displayed in the above topology represents the Meraki
hardware in front of you.

The campus stack is a Meraki full-stack deployment set up remotely; you
will gain access to those devices from Dashboard.

The ISP stack is the Meraki hardware set up in front of the room to
aggregate and provide Internet connectivity to all branch lab stations.



Network Color Guide
Once you sign in to Dashboard to access your assigned lab station, you
will see the navigation panel on the left-hand side of the page, as shown
below.

From the Network list, you will find three separate networks:

1. Branch LAB [n] - contains the devices in front of you.
2. Campus LAB [n] - contains the remote devices at the campus.
3. Phones - contains the phone devices.

The headings of each exercise are color-coded to represent the network
(branch, campus or phones) that you will be configuring, as depicted in
the above figure.



LAB A | Branch

You have just arrived on-site at the branch Mission Sandwiches flagship
location. The branch equipment listed above has already been delivered
to the site and is ready for configuration.  

To get started, let’s set up your stack of Meraki gear and a Point-of-Sale
iPad. Meraki Support has already set up a Dashboard account and added
the gear to a network.

Also, some of the gear has already been powered up for you.

Product manuals are available at: https://documentation.meraki.com



Exercise 1 – Branch MX65 Security Appliance Setup
The first step is to get the branch MX65 configured to establish Internet connectivity at
the site.

1. Make sure you are connected to the CMNA wireless network (DO NOT connect
your computer to the MX via Ethernet yet). Disable any client VPN software running
on your computer.

2. Sign in to dashboard.meraki.com using the credentials provided. Select the
appropriate Session ID. The session ID is displayed on the label of the Meraki
devices in front of you. From the network drop-down at the top-left corner of the
page, choose your “Branch Lab [n]” network.

3. Under Security Appliance > Monitor > Appliance status, edit the configuration to
change the name of your MX security appliance to “Lab [n] Branch Security
Appliance” and update the street address to your current city.

4. Enable VLANs under the Security Appliance > Configure > Addressing & VLANs
page and update the default addressing space to match the table below:

Local LAN Subnet
VLAN ID: 1
Name: Branch
Subnet: 10.0.[n].0/24
Gateway (MX IP): 10.0.[n].1

Note: Make sure VLAN is enabled before proceeding to the next step.

5. Ensure that all LAN ports on the MX65 are set to trunk ports with native VLAN 1
allowing all VLANs.

6. Verify that DHCP is running on your Local LAN and reserve DHCP addresses .1 - .20
for internal use on VLAN 1.

Note: Be sure you disable your wireless card before testing the step below.

7. Plug your laptop into LAN port #3 on the MX65 and confirm that you get a DHCP
lease in the IP space of VLAN 1 configured previously. You can do this by navigating
to wired.meraki.com, the local status page hosted on the MX.

Note: Disconnect your laptop from the LAN port of the MX65 and connect back to
the CMNA wireless network.



Exercise 2 – Initial MR Wireless Access Point Setup
1. Under the Wireless > Monitor > Access points page, rename your access point to
“Lab [n] Branch AP” (where n is your lab station number) and update the street
address to your current city.
2. Connect your wireless access point to port 11 (the first PoE port) on your MX65 and
verify its connection to Dashboard.
Note: It will take a few minutes for the access point to boot and register with the
Dashboard.
3. It’s sometimes difficult to find an access point on the ceiling among many
others. Blink the LEDs on your access point to verify you are configuring the correct
access point.
Hint: This can be found under the tools tab.

Exercise 3 – Guest WiFi Setup


Guest WiFi has become ubiquitous in cafes and fast-casual restaurants. This new
flagship will be no different and will provide state-of-the-art 802.11ac Wave 2 WiFi for
guests while they are visiting the store.
1. On the Wireless > SSIDs page, rename the only enabled SSID to “Lab [n] Guest”.
2. Secure the SSID with a WPA2-PSK password – “California”.
3. Create a click-through splash page so that guests have to acknowledge your terms
and conditions before they are allowed on the network.
4. The AP should handle DHCP for this SSID, so ensure NAT mode is enabled.
5. On the Wireless > Firewall and traffic shaping page, apply a bandwidth limit of
500 Kbps per device to prevent guests from hogging all of the bandwidth.
6. Guests shouldn’t have any access to internal resources, so Deny all traffic to the
Local LAN with a layer 3 firewall rule.
7. On the SSID availability page, enable Scheduled availability for business hours
only (8:00 - 19:00 (7 pm) Monday through Friday).
Note: Be sure the correct local time zone is set on the branch network for your
current location.

8. Connect your iPad to your new guest SSID.
9. Confirm the bandwidth limit you set in Step 5 is functioning using a site like
speedof.me and check your IP information.
10. Once you have verified your throughput, connect your iPad to the CMNA SSID and
continue working.

Exercise 4 – Creating a Group Policy


In preparation for the iPad connecting to the network as your point-of-sale device,
navigate to the Network-wide > Configure > Group policies page in your Branch
network and add a group policy with the following attributes:

1. Name the policy “Cashier iPads” and set up a Custom firewall and shaping rule to
block all Social web and Gaming websites with L7 firewall rules.

2. Additionally, you don’t want the cashier to be shopping on the payment terminal so
in the ‘security appliance only’ section append ‘shopping’ to the blocked website
categories.

Note: Blocking this traffic through the use of a group policy allows us to dynamically
assign this policy to multiple devices based on posture, rather than statically on the
MX or MR. We will not apply this group policy until later in the lab.

Exercise 5 – Systems Manager Enrollment


In order to better track sales and make transactions more efficient, the company has
expressed interest in utilizing an iPad as a point-of-sale system.  You will enroll the iPad
to Meraki Systems Manager to test the viability of the solution. Systems Manager is an
enterprise mobility management system that will allow you to manage mobile devices in
the Meraki Dashboard.

Note:  You will need to navigate to your Campus network from the network drop-
down on the left side of the page.

1. Initiate the enrollment process by navigating to your campus network (Campus
Lab [n]) Systems manager > MDM > Add Devices and selecting the iOS device
type.

2. The Dashboard should present your SM “network ID” and instruct you to open an
internet browser (Safari) on your iPad to complete the setup process.
Hint: Make sure to accept all pop-ups on your iPad during enrollment to trust and
accept the MDM policy.

3. Verify that you can see your iPad client on Systems Manager’s client list page
(Systems manager > Monitor > Clients). Click on your device and check the
available battery and storage space.

4. Verify that the Meraki SM app has also been properly installed on your iPad.

Hint: You may be prompted by the iPad for the iTunes password during the Meraki
SM app installation - if so, use:

Username:  partner.training@meraki.com

Password:  Meraki2017



LAB B | Campus

Now that you have successfully brought the branch store online, it’s
time to configure the campus infrastructure pilot.  As previously stated,
you will do this deployment remotely from the branch store using gear
that another network administrator has connected in the San
Francisco office at your request.

Have a technical question or having issues? The Cisco Meraki
Knowledge Base is available at: https://documentation.meraki.com



Exercise 1 – Campus MX84 Security Appliance Setup
1. If you haven’t already, select your ‘Campus LAB [n]’ network on the left side of
Dashboard in the network drop-down menu.  Under Security Appliance > Monitor
> Appliance status, edit the configuration to change the name of your MX84
security appliance to “Lab [n] Campus Security Appliance” and update the street
address to the corporate headquarters:

500 Terry A Francois Blvd
San Francisco, CA 94158, USA

2. Navigate to Security Appliance > Configure > Addressing & VLANs and verify
your MX is configured in NAT mode and is tracking clients by MAC address.

3. Enable VLANs and modify your existing default VLAN with a name of “Infrastructure”
and set the subnet information to the configuration below:

Infrastructure VLAN
VLAN ID: 1
Name: Infrastructure
Subnet: 10.[n].1.0/24
Gateway (MX IP): 10.[n].1.1
Where n is your lab station number

4. Add separate VLANs for corporate user data, cameras, voice and a static route for
active directory traffic:

Corporate, Cameras and Voice VLANs
VLAN ID: 100
Name: Corporate
Subnet: 10.[n].100.0/24
Gateway (MX IP): 10.[n].100.1
Group Policy: None

VLAN ID: 150
Name: Cameras
Subnet: 10.[n].150.0/24
Gateway (MX IP): 10.[n].150.1
Group Policy: None



VLAN ID: 200
Name: Voice
Subnet: 10.[n].200.0/24
Gateway (MX IP): 10.[n].200.1
Group Policy: None
Where n is your lab station number

Active Directory Static Route
Enabled: Yes
Static Route Name: Active Directory
Subnet: 192.168.50.0/24
Next hop IP: 10.[n].1.254
Active: While next hop responds to ping
Where n is your lab station number

5. Verify all LAN ports are configured with the following:

Configure MX LAN Ports
Enabled: Enabled
Type: Trunk
Native VLAN: VLAN 1 (Infrastructure)
Allowed VLANs: All VLANs

6. Under Security Appliance > Configure > DHCP, verify DHCP is running for all of the
configured VLANs and not the static route.

Exercise 2 – Configuring Advanced Security Features


With the ever-growing threat of malware, spyware, and network intrusions, Mission
Sandwiches wants to increase network security to mitigate security incidents. Using the
advanced security features on the MX, you are able to take advantage of Cisco’s
industry-leading expertise in intrusion detection and prevention, advanced malware
protection, and a host of other security benefits built right into the platform.

1. Many basic security threats can be taken care of simply by blocking access to risky
websites. Navigate to Security appliance > Configure > Content filtering and
create content filtering rules to block the following categories: Bot Nets, Confirmed
SPAM Sources, Spyware & Adware, and Malware sites.



2. Peer-to-peer traffic on the network presents a security threat and can also hog
valuable bandwidth on the network. Navigate to Security appliance > Configure >
Firewall and create a Layer 7 firewall rule on your MX to block all Peer-to-peer and
Web file sharing traffic. Additionally, block all traffic to/from North Korea.
3. After navigating to Security appliance > Configure > Threat protection, enable
Cisco AMP Malware protection and Intrusion Detection and Prevention (IDS/IPS) to
detect and block threats that may arrive via malicious methods. For now, a Balanced
approach to preventing threats should be sufficient.

Exercise 3 – Switch Stack Configuration


In order to provide connection resiliency and simplified network administration, you've
decided on the Meraki MS Switching platform for your campus deployment. This choice
also adds an improved backplane capacity through the built-in switch stacking
technology.

1. Navigate to Switch > Monitor > Switch stacks and you may notice that Dashboard
has already identified your two switches as a potential stack. Rather than provision
the stack manually let's have Dashboard do it for us. Select ‘Provision this stack’
under the Detected potential stacks section. If you do not see this option simply
select the ‘add one’ link on the page above and select both available switches.

2. Name the new stack “Lab [n] Campus Stack” and select Create.

3. Once the stack has been created, select it and verify both switches are configured
as Members in the stack under the ‘Overview’ tab.

4. From your switch stack, select the uplink port (this is denoted as an arrow in the
port). This should be port 24. This will bring you to the switch status page. Name
the switch “Lab [n] Campus Switch 1” and update the street address to the Campus
location:

500 Terry A Francois Blvd
San Francisco, CA 94158, USA

Note:  It may take a few minutes for the stacking configuration alert on your
switches to go away.  Feel free to continue with the lab and check back to see if it
has cleared.



5. Use the navigation arrows above the switch name to move to the next switch status
page and repeat the process naming the switch “Lab [n] Campus Switch 2” and
updating the street address.

Exercise 4 – Switch Routing and Port Configuration


Now that you have configured your switch stack, you will create switched virtual
interfaces (SVI) for local infrastructure and Active Directory subnets. You’ll also finish
your switch port configuration in Meraki’s Virtual Stacking interface, allowing you to
configure the entire switch fabric easily from one interface.

1. Navigate to Switch > Configure > Routing and DHCP page to create the layer-3
interfaces or SVIs on the switch stack with the following configuration (leave DHCP
and multicast support disabled):

Infrastructure Subnet
Switch or Stack: Lab [n] Campus Stack
Name: Infrastructure
Subnet: 10.[n].1.0/24
Interface IP: 10.[n].1.254
VLAN: 1
Default Gateway: 10.[n].1.1

Active Directory Subnet
Switch or Stack: Lab [n] Campus Stack
Name: Active Directory
Subnet: 192.168.50.0/24
Interface IP: 192.168.50.1
VLAN: 50
Where n is your lab station number
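The MX static route from Exercise 1 (next hop 10.[n].1.254) only works if the switch stack really owns that address on an SVI in the same VLAN and knows how to reach 192.168.50.0/24 itself, and return traffic only comes back if the stack's default gateway is the MX. The following Python script is an added example, not part of this manual and not Meraki code: it encodes the Exercise 1 MX84 VLAN and static-route plan together with the Exercise 4 stack SVI plan for a given station number n and checks those dependencies before anything is pushed to Dashboard. The addresses are the manual's; the dataclass names, the validation functions and the findings format are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    name: str
    subnet: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address  # "MX IP" on the MX, "Interface IP" on the stack


@dataclass(frozen=True)
class StaticRoute:
    name: str
    subnet: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address


@dataclass
class CampusPlan:
    mx_vlans: list = field(default_factory=list)
    static_routes: list = field(default_factory=list)
    svis: list = field(default_factory=list)
    svi_default_gateway: dict = field(default_factory=dict)  # SVI name -> gateway (MX IP)


def build_campus_plan(n: int) -> CampusPlan:
    """Lab B Exercise 1 (MX84 VLANs + static route) and Exercise 4 (stack SVIs) for station n."""
    if not 1 <= n <= 254:
        raise ValueError("lab station number must fit in the second octet of 10.[n].x.0")

    def net(third):
        return ipaddress.ip_network(f"10.{n}.{third}.0/24")

    def ip(third, host):
        return ipaddress.ip_address(f"10.{n}.{third}.{host}")

    ad_subnet = ipaddress.ip_network("192.168.50.0/24")
    plan = CampusPlan()
    plan.mx_vlans = [
        Vlan(1, "Infrastructure", net(1), ip(1, 1)),
        Vlan(100, "Corporate", net(100), ip(100, 1)),
        Vlan(150, "Cameras", net(150), ip(150, 1)),
        Vlan(200, "Voice", net(200), ip(200, 1)),
    ]
    plan.static_routes = [StaticRoute("Active Directory", ad_subnet, ip(1, 254))]
    plan.svis = [
        Vlan(1, "Infrastructure", net(1), ip(1, 254)),
        Vlan(50, "Active Directory", ad_subnet, ipaddress.ip_address("192.168.50.1")),
    ]
    plan.svi_default_gateway = {"Infrastructure": ip(1, 1)}
    return plan


def validate_plan(plan: CampusPlan) -> list:
    """Return a list of findings (strings); an empty list means the plan is consistent."""
    findings = []
    # 1. Every gateway / interface IP must live inside its own subnet.
    for v in plan.mx_vlans + plan.svis:
        if v.gateway not in v.subnet:
            findings.append(f"{v.name}: gateway {v.gateway} is outside {v.subnet}")
    # 2. No two prefixes the MX knows about may overlap (VLANs and static routes alike).
    prefixes = [(v.name, v.subnet) for v in plan.mx_vlans]
    prefixes += [(r.name, r.subnet) for r in plan.static_routes]
    for i, (name_a, a) in enumerate(prefixes):
        for name_b, b in prefixes[i + 1:]:
            if a.overlaps(b):
                findings.append(f"overlap: {name_a} {a} and {name_b} {b}")
    # 3. A static route's next hop must be directly connected to the MX, must be an SVI
    #    on the stack in that same VLAN, and the stack must itself have an SVI for the
    #    destination, otherwise the route points into a dead end.
    for r in plan.static_routes:
        connected = [v for v in plan.mx_vlans if r.next_hop in v.subnet]
        if not connected:
            findings.append(f"{r.name}: next hop {r.next_hop} is not on any MX VLAN")
            continue
        svi = next((s for s in plan.svis if s.gateway == r.next_hop), None)
        if svi is None:
            findings.append(f"{r.name}: no stack SVI owns next hop {r.next_hop}")
        elif svi.vlan_id != connected[0].vlan_id:
            findings.append(f"{r.name}: next hop is VLAN {svi.vlan_id} on the stack "
                            f"but VLAN {connected[0].vlan_id} on the MX")
        if not any(s.subnet == r.subnet for s in plan.svis):
            findings.append(f"{r.name}: stack has no SVI for {r.subnet}")
    # 4. The stack's default gateway must be an MX VLAN IP, or return traffic has no way back.
    for gw in plan.svi_default_gateway.values():
        if not any(v.gateway == gw for v in plan.mx_vlans):
            findings.append(f"stack default gateway {gw} is not an MX VLAN IP")
    return findings


if __name__ == "__main__":
    plan = build_campus_plan(7)  # station 7, an arbitrary example value
    print(validate_plan(plan) or "plan is consistent")
```

Run it with your own station number; a non-empty result tells you which of the two exercises disagrees with the other before you go looking at VPN status or ping results.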

2. Navigate back to Switch > Monitor > Switches and select your Switch 1. Click on
the ‘L3 Routing’ tab and scroll to the bottom of the page to verify that the interfaces
you added appear in the routing table.



3. Now select the ‘Ports’ tab on the status page. You should see a link to ‘Configure
ports on this switch.’ Select this link and you will be taken to the Virtual Stacking
page to configure ports specific to Switch 1.

4. Clear the search bar to view all ports from both switches.

5. Configure the following port parameters on both switches using the search
functionality on the Virtual Stacking page.

Switch Port Configuration (Switch 1 & 2)
Ports: 1-5
Name: Wireless
Type: Trunk
Native VLAN: 1
Allowed VLANs: ALL

Ports: 6-10
Name: Camera
Type: Access
VLAN: 150

Ports: 11-20
Name: Workstation
Type: Access
VLAN: 100
Voice VLAN: 200

Switch Port Configuration (Switch 2 ONLY)
Port: 21
Name: Active Directory
Type: Access
VLAN: 50

6. Using the large + icon in the top-right corner of the Virtual Stacking (Switch ports)
page, add the ‘CDP/LLDP’ Details option to the table and then drag the column to
the left so it is next to the Switch/Port column. Using the search bar, find port 1 on
Switch 1 and select the Cisco Meraki MR42 AP from the CDP/LLDP field. This will
take you to the access point status page, and now you’re ready to move on to the
next exercise.



Exercise 5 – Configuring Corporate WiFi
1. In order to get started, let’s first rename the AP to “Campus AP [n]” and update the
street address to the Campus location:

500 Terry A Francois Blvd
San Francisco, CA 94158, USA

2. Navigate to Wireless > Configure > SSIDs, rename the first SSID “Lab [n]
CORP” (where n is your lab station number) and save it before moving on to edit the
settings.

3. Under the Access control page, configure an association requirement of
WPA2-Enterprise with a corporate RADIUS server already in deployment. Scroll down to
configure the RADIUS server with the following information and then test using the
supplied credentials:

RADIUS Server
Host: 192.168.50.10
Port: 1812
Secret: meraki123

RADIUS Test Credentials
Username: lab[n]@meraki.com.test
Password: meraki123
Where n is your lab station number

4. This network needs access to your internal resources, so put it in Bridge mode
under client IP assignment.

5. Use VLAN tagging and assign all APs to VLAN 100 for the Corp SSID.

6. Ensure all LAN access is permitted in the wireless firewall & traffic shaping settings.

7. Restrict the per-client bandwidth to 2 Mbps.

8. Set up Wireless firewall & traffic shaping rules to set a 500 Kbps limit on software
updates to limit unnecessary background resource utilization and throttle YouTube
traffic to 20 Kbps up/down.

9. Take it one step further by creating layer 7 firewall rules.  Deny applications: iTunes
and Peer-to-peer.  Finally, deny the HTTP hostname of “espn.com”.




Exercise 6 – Network Security with Systems Manager
One of the major security risks for any network comes from mobile devices.  In many
cases, these devices have access to sensitive internal documents or enterprise apps,
yet they can be easily lost or stolen.  Now that your iPad is enrolled in your Systems
Manager network, create a policy to make sure it’s secured with a passcode.
1. Navigate to Systems manager > MDM > Settings and create a new Meraki
managed profile by selecting the large + icon in the top right corner of the page.
2. Name the profile “Cashier iPads” and define the scope to apply the profile to
devices with “any of the following tags.”
3. In the Device tags section, create a “cashier” tag and Save Changes at the bottom
of the page.
Hint: To create the tag, you will need to select the ‘add option’ link after typing in
the desired tag string.
4. From your newly created profile, click on + Add settings to add a passcode policy
that requires a simple value, alphanumeric passcode with a minimum length of 6
characters, and at least 1 complex character on the device.
5. The iPad will only be used for transactions so make sure that the camera is disabled
and that screenshots are not allowed by enforcing the appropriate restrictions.
6. Apply the “cashier” tag to the iPad you enrolled previously to push the profile to the
device under Systems manager > Monitor > Clients.
7. Navigate to the home screen on the physical iPad.  When prompted, set the
passcode to ‘abc123!’ without the quotes.  Make sure you cannot take a screenshot
on the iPad.

Exercise 7 – Pushing Apps with Systems Manager


Remember, the iPad is going to be used as a point-of-sale device.  In preparation for
being shipped out to one of the new locations, the iPad needs to have the Square Point
of Sale app installed.
1. In the Systems manager network, push the Square Point of Sale app to any device
with the “cashier” tag.  This can be accomplished under Systems manager > MDM
> Apps.



Exercise 8 – Campus Physical Security Cameras
1. Navigate to the Cameras page and select your camera.

2. You can view the live feed under the ‘Video’ tab.  You may notice a grey cloud in the
lower left corner indicating the camera is cloud streaming to your PC, eliminating the
need for a VPN to view remote video footage.

3. Rename the security camera to “Campus Security Camera [n]” by clicking on the
pencil icon next to the default name of the camera, which is the MAC address.

4. Corporate policy dictates that camera footage need not be archived in a continuous
format and only footage with motion should be stored.  Enable the camera to always
record at the highest quality but delete footage with no motion.

Exercise 9 – Campus Phone Setup


1. Navigate to Switch > Monitor > Switches and select your ‘Switch 2’.  Port 11 should
be green with a lightning bolt indicating PoE is being delivered.

2. For remote troubleshooting, the Meraki switches are equipped with a cable testing
feature. Click on port 11 and run a cable test. You can also reboot any PoE devices
connected to the switch by cycling the port. In this case, cycle port 11.

3. Scroll down to the CDP/LLDP section and select the MC74 link which will take you to
the device details page for your phone.

Note:  If you do not see any CDP/LLDP information you can alternatively copy the
MAC address of the active client on the port, navigate to your ‘Phones’ network in
the network drop-down on the left side of the page and go to Phones > Monitor >
Phones and use the search bar with your MAC address to identify your phone.

4. Rename the phone “Lab [n] Campus Phone”.

Note:  You may notice you are in a phones-only network in the network pane on the
left side of Dashboard.  Meraki phones work best in their own network within the
Organization when making extension to extension calls or using services like IVRs
and Call Groups.

5. On the Phones > Configure > Directory page, create a new contact named “Lab [n]
Campus Phone” (title is optional) and save it.



6. Go back to the phone details page and assign the newly created “Lab [n] Campus
Phone” contact to this phone, as well as a four-digit extension of 4000 + [n]. This
means that lab station 5 would use an extension of “4005” whereas lab station 15
would be extension “4015”.

Exercise 10 – Setting up IVRs and Conference Rooms


With the influx of calls, you want to direct everyone to the right departments easily.  You
also want to have a persistent conference room setup to facilitate internal meetings
across different store locations.

1. Navigate to Phones > Configure > Conference rooms and add a persistent
conference room with a name of “Lab [n] Conference” and designate an internal
extension of 5000 + [n].  Similar to the phone extension format, lab station 5 would
use an extension of “5005” whereas lab station 15 would be extension “5015”.  We
also want to secure the conference room, so specify a security pin of 1234.

2. Navigate to Phones > Configure > IVR menus and create a new IVR menu with a
name of “Lab [n] Welcome Menu” with an extension of 6000 +[n] and it should be
active always.

3. Download the following file and set it as the main greeting:
http://cs.co/missiongreeting

4. Download the following file and set it as menu option 1 to play this recording:
http://cs.co/missionhours

Note: Be sure to use a recommended web browser such as Chrome or Firefox if
you’re unable to set the audio file as an option on the IVR menu.

5. Set menu option 2 to transfer calls to your MC contact created earlier.

6. Set menu option 3 to transfer to your conference room.

7. Verify that you have set up your phone network correctly by placing a call from the
MC74 VoIP phone at the front of the training room to the three numbers (your
individual phone extension, IVR, and conference room) you configured.

Note: When joining the conference room you will not get an audio indication that
you have joined.



Exercise 11 – Configure a Port Schedule for your VoIP Ports
You want to save power and secure your environment after hours.  Use the port
schedule feature to configure this functionality.

1. Navigate back to your campus network and go to Switch > Configure > Port
Schedules.

Note:  Be sure the correct local time zone is set on the network.

2. Create a new schedule named “VoIP Power Saving” to turn on ports only during
business hours (assume a work schedule of 8:00-19:00 Monday through Friday).

3. Apply the port schedule to ports 11-20 on both switches (your VoIP ports).  You
should use the virtual stacking interface to bulk configure these ports across
switches. Do not apply to your switch’s uplink ports.

Exercise 12 – Running a Packet Capture


In traditional troubleshooting scenarios, running packet captures often required
engineers to be present on location to physically connect to equipment and create port
mirrors.  Meraki switches simplify this task and allow network engineers to pull packet
captures from geographically dispersed equipment, anywhere in the world.

1. Navigate to Network-wide > Monitor > Packet capture and stream a high verbosity
packet capture on port 11 of Switch 2 to Dashboard with a filter expression of:

ether proto 0x88cc

2. Validate that you successfully configured your VoIP ports with a voice VLAN of 200.

Hint: The filter expression will filter for LLDP advertisements that show the switch is
advertising the Voice VLAN for the applicable ports.  Once the capture is complete,
search the page for the Application Type field under the Network Policy Subtype. If
nothing appears, try the capture again. If you still don’t see anything, verify your
port configuration with your instructor.
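To see what the capture filter actually selects and what the hint is asking you to look for, the following Python script is an added example (not part of this manual and not Meraki code). It builds a constructed LLDP frame of the kind an MS switch port would send to an attached phone, then decodes its TLVs and pulls out the LLDP-MED Network Policy TLV, whose Application Type and VLAN fields are the ones Dashboard's capture viewer shows. Frame layout follows IEEE 802.1AB (LLDP) and ANSI/TIA-1057 (LLDP-MED); the source MAC, system name, TTL, priority and DSCP values in the sample are made up for the example, and the function names are this example's own.

```python
import struct

LLDP_ETHERTYPE = 0x88CC          # the ethertype that "ether proto 0x88cc" matches
LLDP_MULTICAST = b"\x01\x80\xc2\x00\x00\x0e"
TIA_OUI = b"\x00\x12\xbb"        # LLDP-MED organizationally specific TLVs
MED_NETWORK_POLICY = 2           # LLDP-MED subtype: Network Policy
APP_TYPE_NAMES = {1: "Voice", 2: "Voice Signaling", 3: "Guest Voice",
                  4: "Guest Voice Signaling", 5: "Softphone Voice",
                  6: "Video Conferencing", 7: "Streaming Video", 8: "Video Signaling"}


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """LLDP TLV header: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_frame(voice_vlan=200, src_mac=b"\x00\x18\x0a\x01\x02\x03") -> bytes:
    """Constructed LLDP advertisement (not a real capture) from a switch port."""
    tlvs = _tlv(1, b"\x04" + src_mac)                 # Chassis ID, subtype 4 = MAC address
    tlvs += _tlv(2, b"\x05" + b"11")                  # Port ID, subtype 5 = interface name
    tlvs += _tlv(3, struct.pack("!H", 120))           # TTL in seconds
    tlvs += _tlv(5, b"Lab n Campus Switch 2")         # System Name (made-up value)
    if voice_vlan is not None:
        # Network Policy body: app type (8 bits), U, T, X, VLAN ID (12), L2 priority (3), DSCP (6)
        bits = (0 << 23) | (1 << 22) | (0 << 21) | (voice_vlan << 9) | (5 << 6) | 46
        policy = bytes([1]) + bits.to_bytes(3, "big")  # application type 1 = Voice
        tlvs += _tlv(127, TIA_OUI + bytes([MED_NETWORK_POLICY]) + policy)
    tlvs += _tlv(0, b"")                              # End of LLDPDU
    return LLDP_MULTICAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + tlvs


def parse_lldp(frame: bytes) -> dict:
    """Decode the TLVs of one LLDP frame; raise ValueError if it is not LLDP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame (ethertype != 0x88cc)")
    info = {"chassis_id": None, "port_id": None, "system_name": None, "network_policies": []}
    offset = 14
    while offset + 2 <= len(frame):
        (header,) = struct.unpack("!H", frame[offset:offset + 2])
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        offset += 2 + length
        if tlv_type == 0:
            break
        if tlv_type == 1:
            info["chassis_id"] = value[1:].hex(":") if value[0] == 4 else value[1:]
        elif tlv_type == 2:
            info["port_id"] = value[1:].decode("ascii", "replace")
        elif tlv_type == 5:
            info["system_name"] = value.decode("ascii", "replace")
        elif (tlv_type == 127 and len(value) == 8
              and value[:3] == TIA_OUI and value[3] == MED_NETWORK_POLICY):
            app_type = value[4]
            bits = int.from_bytes(value[5:8], "big")
            info["network_policies"].append({
                "application": APP_TYPE_NAMES.get(app_type, f"unknown({app_type})"),
                "unknown_policy": bool((bits >> 23) & 1),
                "tagged": bool((bits >> 22) & 1),
                "vlan": (bits >> 9) & 0xFFF,
                "l2_priority": (bits >> 6) & 0x7,
                "dscp": bits & 0x3F,
            })
    return info


def advertised_voice_vlan(frame: bytes):
    """Voice VLAN the switch advertises, or None if no usable Voice policy is present."""
    for pol in parse_lldp(frame)["network_policies"]:
        if pol["application"] == "Voice" and not pol["unknown_policy"]:
            return pol["vlan"]
    return None


if __name__ == "__main__":
    sample = build_sample_frame()
    print(parse_lldp(sample))
    print("advertised voice VLAN:", advertised_voice_vlan(sample))
```

If a capture contains LLDP frames but `advertised_voice_vlan` returns None, the port is sending LLDP without a Voice network policy, which is exactly the "nothing appears" case the hint describes: check the port's Voice VLAN setting rather than the capture.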



LAB C | Distributed Enterprise
With both campus and branch deployments properly configured and
online, it is time to bridge them together in order to provide internal
resources (such as AD/RADIUS authentication, file servers, etc.) to the
branch locations. We will also utilize our secondary uplink connection to
take advantage of SD-WAN capabilities in this deployment.

Looking for datasheets, whitepapers or solution guides? Check out the
Meraki Library at: http://meraki.cisco.com/library/



Exercise 1 – AutoVPN Configuration
Your branch will connect via AutoVPN back to the corporate campus and also leverage
services such as RADIUS that have been set up over the VPN connection. Let’s get this
branch connected back to HQ via a site-to-site VPN tunnel.

1. Navigate to your campus security appliance’s site-to-site VPN configuration under
Security Appliance > Configure > Site-to-site VPN.

2. Configure a site-to-site VPN with your campus MX as a hub and advertise all local
subnets over the VPN except the infrastructure subnet. Also advertise the Active
Directory static route over the VPN.

3. Move back to your branch network via the network drop-down on the left side of
Dashboard.

4. Configure your branch network as a split-tunnel site-to-site VPN with your branch
MX as a spoke pointing to your campus MX as the hub. Be sure to advertise the
branch’s single local subnet under VPN settings (flip from “no” to “yes”).

Note: You may be able to see other Campus Hub MXs. These are other concurrent
deployments; select only the Hub MX that you configured previously.

5. Once you have saved your configuration and refreshed your page, navigate to
Security Appliance > Monitor > VPN status to verify your VPN connection is
running properly.  You should be able to verify if you connected to your hub MX.

Hint:  If you do not see any information try selecting the ‘view old version’ link in the
top right corner of the page.

Exercise 2 – SD-WAN Configuration


Mission Sandwiches wants secure, transport independent connectivity between their
branch locations and the campus. You have decided to deploy Cisco Meraki’s SD-WAN
solution to provide MPLS-like reliability through multiple low-cost Internet links with load
balancing capabilities, intelligent path control, and automatic failover.

1. From the branch MX65, verify under Security Appliance > Monitor > Appliance
status that the uplink for the second Internet port is up and that you are getting an
IP address.



2. Navigate to the Security Appliance > Configure > Traffic shaping page and enable
SD-WAN functionality by making the following configurations:

a. Under “Flow preferences”, add a VPN traffic preference that matches any
traffic destined for 10.[n].200.0/24 and send matched traffic over its preferred
uplink WAN 2 while ensuring that the link will fail over if there is poor
performance for VoIP devices.

Note: Be sure not to leave any of the source, destination, or port fields blank -
the word "Any" can be applied as a wildcard.

b. Add a second VPN traffic flow preference to forward any traffic destined for
192.168.50.10 over WAN2 as long as it is up.

3. Disable the wireless adapter from your laptop and connect it to LAN port #3 on the
branch MX65 and run a continuous ping to the Corp server 192.168.50.10. Verify that
connectivity is successful.

4. Verify that traffic destined for 192.168.50.10 is forwarded over the WAN2 uplink.
Navigate to Security appliance > Monitor > VPN status and take a look at the
‘Uplink decisions’ section of the page.

5. To test out the resiliency of the solution by simulating an uplink failure, manually
unplug the second uplink cable from WAN2 of the MX65. Monitor the ping test from
your laptop.

Note: Plug the WAN cable back to WAN2 when you’re done testing.

Exercise 3 – Extending the Corporate Network to the Branch


1. Navigate to the Security appliance > Configure > Addressing & VLANs page and
configure ports 3-9 as access ports in VLAN 1 with a Hybrid access policy. Add the
RADIUS server with the following information:

RADIUS Server
Host: 192.168.50.10
Port: 1812
Secret: meraki123



2. Disconnect from the WiFi and connect your laptop to port 3 on the MX65. You
should be prompted for login credentials to authenticate to the corporate RADIUS
server. Use the following credentials to login:

RADIUS Login Credentials
Username: lab[n]@meraki.com.test
Password: meraki123
(where n is your lab station number)

Note: If you are a Windows user and you’re not getting the login prompt, it is likely
that 802.1X is disabled on your Ethernet adapter. You can enable 802.1X per this KB
article. If a corporate policy on your laptop prevents wired 802.1X connections,
connect to port 10 instead to bypass the login.

Exercise 4 – Group Policies with Systems Manager Sentry


Now that a number of iPads will be out in the field to process credit card transactions, it
is time to enroll your iPad in the “Cashier iPads” group policy you created in Lab A.
Systems Manager Sentry policies allow you to enroll devices in network group
policies based on device tags, so you will leverage the fact that you’ve already tagged
the iPad with “cashier” in Lab B.

1. Under the Network-wide tab of the branch network, navigate to the Sentry policies
page.

2. Add a new group policy MDM scope for your “Campus Lab [n] Systems Manager”
network.

3. Elect to have the “Cashier iPads” group policy you created in Lab A applied to any
device with the “cashier” Systems Manager tag.  This setting will associate the
“Cashier iPads” group policy to your device because it is tagged with the “cashier”
tag.

4. Navigate back to the network client listing in Network-wide > Monitor > Clients.

5. Verify that the “Cashier iPads” group policy was applied to the iPad correctly.

Hint: You may need to select 'all clients with a policy' to be able to see the iPad.
The iPad appears in the general clients list only when it is actually connected
to the Branch network.


Exercise 5 – Preventing Stolen iPads
In order to be notified in the event of theft, you need to configure a Geofence that
alerts you if the iPad is removed from the branch location.

Note: You will need to navigate back to your Campus network for the following
step.

1. Navigate to Systems manager > Configure > Geofencing and select ‘Add new,’
located at the right side of the page.

2. Name the Geofence “Lab_n_Geofence” (where n is the lab station number).

3. Apply the Geofence to devices with the ‘cashier’ tag and add a new area to
this Geofence that encompasses your current location.

4. After you save the configuration, navigate to Systems manager > Configure >
Alerts and configure Dashboard to alert you if a device violates a Geofence policy.

Exercise 6 – Performing a Motion Search


The security cameras you provisioned have been mounted with a fixed view over
regions of interest at the Campus.  Staff at HQ have requested footage identifying
specific moments (motion events) that the camera has detected.  Identified motion
events help expedite the retrieval of video and incident reporting.

1. Navigate to the Video tab of the MV’s details page and you should now notice a
green check mark in the lower left corner indicating a local connection to the
camera.  Click the Motion Search button.

2. A light grid system should overlay the video stream.  Using your cursor, highlight
the area within the video stream in which you would like to perform a motion
search.

Hint:  To increase the number of results, you may want to select a larger search
window by using the zooming options (Zoom in, Zoom out icons to the right of the
playback time slider).

3. All detected events will be displayed in a table directly below the video feed and
the search timeline.  You can click on each row (event) to bring up the recorded
footage.  Verify that the camera did in fact detect a change in your region of interest
for the returned motion search event(s).

Note: The MV camera for your lab station is set up inside a rack. The motion search
feature might not find any motion events due to the lack of motion recorded by the
camera inside the rack.

Exercise 7 – Summary Reports


As part of managing many more locations, reporting is more important than ever.  You
will need to test network summary reporting from Dashboard.  For this deployment you
just want to see information about switch port utilization.

1. Navigate to Network-wide > Monitor > Summary report.

Note: This can be done from either the Branch or Campus locations.

2. Set a search parameter in the drop-down at the top of the page for Campus LAB [n]
- Switch with All devices. You also want to see information for the last week.

Note: You may not see any information when the report is generated given the
small amount of time your network has been online.

3. You also want these reports to be emailed on a scheduled basis, one week at a time,
to the CEO of the company at ceo@missionsandwiches.com.

Exercise 8 – Dealing with Stolen Devices


Your branch pilot has been running smoothly for the last few weeks. Everything seems
to be working fine and management of the new company is satisfied with the solution.

Today, however, one of the cashier iPads was stolen by a disgruntled employee. You’ve
received an alert that it has violated the geofence, but the employee is long gone. You
decide to wipe the iPad to remove any sensitive information and access.

1. Navigate to your Systems Manager network and locate the Clients page.

2. Select the iPad.

3. Completely erase the iPad so that it is set back to factory default settings by using
the live tools on the iPad details page.

Note: Be sure to have your trainers check your lab station before resetting the iPad.

Be sure your trainer has signed off on your lab before leaving for the day!

CMNA Lab Reset


Congratulations!  Thanks to your hard work the Mission Sandwiches branch store has
been a success and people are loving the experience. The company is now ready to
deploy Cisco Meraki across the organization in the months to come.  There are just a
couple final steps on your way to CMNA certification!

1. Reset the lab station to the way it was when you arrived (bundled cables, neat and
tidy, disconnect your AP).

2. Confirm that you properly wiped your iPad in the final step of the Systems Manager
exercises and plug the iPad into the charger and have your lab checked by your
trainer before leaving.
