Meraki Cloud Networking Workshop


Page 1: Meraki Cloud Networking Workshop

Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1

Cloud Networking Lab
Jay Bradford and Mike Makkaoui, Cloud Networking Systems Engineers

May 2016

Page 2: Meraki Cloud Networking Workshop


Housekeeping notes

Thank you for attending Cisco Connect Toronto 2016, here are a few housekeeping notes to ensure we all enjoy the session today.

• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session

• SSID: CiscoLabs Password: CiscoLabs

Page 3: Meraki Cloud Networking Workshop


Agenda

20 min  Welcome and Introduction
35 min  Dashboard Demo
20 min  Local MX, MS and MR configuration
60 min  MX | Security Appliances Lab
30 min  MS | Access Switches Lab
30 min  MR | Wireless Access Points Lab
25 min  SM | Systems Manager Demo
10 min  Q&A and Wrap-Up

Page 4: Meraki Cloud Networking Workshop


About Cisco Meraki

Page 5: Meraki Cloud Networking Workshop


About Cisco cloud-managed networking

Cisco Meraki: a complete cloud-managed networking solution
• Wireless, switching, security, MDM and telephony, centrally managed over the web
• Built from the ground up for cloud management
• Integrated hardware, software, and cloud services

Cloud networking leader
• Cisco's fastest-growing acquisition ever: over 100% annual growth
• 600,000+ customer networks in 147 countries
• Tens of millions of devices connected worldwide

Recognized for innovation
• Gartner Magic Quadrant
• InfoWorld Technology of the Year
• TechWorld Mobility product of the year
• CRN Coolest Technologies

Page 6: Meraki Cloud Networking Workshop


Bringing the cloud to enterprise networks

Cloud Managed WiFi / Cloud Managed Network / Cloud Managed IT
• Meraki MR Wireless LAN
• Meraki MS Ethernet Switches
• Meraki MX Security Appliances
• Meraki SM MDM
• Meraki MC Telephony

Page 7: Meraki Cloud Networking Workshop


Meraki cloud architecture

Page 8: Meraki Cloud Networking Workshop


Scalable
• Unlimited throughput, no bottlenecks
• Add devices or sites in minutes

Reliable
• Highly available cloud with multiple datacenters
• Network functions even if the connection to the cloud is interrupted
• 99.99% uptime SLA

Secure
• No user traffic passes through the cloud
• HIPAA / PCI compliant (PCI level 1 certified)
• 3rd party security audits, daily penetration testing
• Automatic firmware and security updates (user-scheduled)

Reliability and security information at meraki.cisco.com/trust

(Diagram: only management data, about 1 kb/s, crosses the WAN to the cloud)

Out-of-band management in every product

Page 9: Meraki Cloud Networking Workshop


Cloud Licensing Model is Simple

Simple cloud licensing model
• No per-feature or per-user licenses
• Licensing options: 1, 3, 5, 7 and 10 year

Cloud license price is all-inclusive
• Cloud management UI
• 24 x 7 phone support
• Automated software updates
• Advanced hardware replacement
• All features built on the platform, and all new features

Page 10: Meraki Cloud Networking Workshop


Dashboard Demo

Page 11: Meraki Cloud Networking Workshop


Hands-on Labs
Visit meraki.com/merakilab

Session Code: #142NA

* Limit of 3 free APs per customer and includes previous promotional offers

Page 12: Meraki Cloud Networking Workshop


Your individual lab lives at our SF office!

Page 13: Meraki Cloud Networking Workshop


Go to dashboard.meraki.com

Username: [email protected]
Password: meraki123

X (number) as assigned: replace X with your lab station number

Lab slides: http://cs.co/CCT2016_lab_slides
Lab manual: http://cs.co/CCT2016_lab_manual

Page 14: Meraki Cloud Networking Workshop


Network Topology

"x" is your lab station number.

Firewall (MX) configuration:

  VLAN 1 (Corp)      Subnet: 10.0.x.0/24         Interface: 10.0.x.1
  VLAN 30 (Voice)    Subnet: 10.0.[30+x].0/24    Interface: 10.0.[30+x].1
  VLAN 100 (Guest)   Subnet: 10.0.[100+x].0/24   Interface: 10.0.[100+x].1

Switch (MS) configuration:

  VLAN 1 (Corp)      Subnet: 10.0.x.0/24         Interface: 10.0.x.201      Default gateway: 10.0.x.1
  VLAN 150 (Legacy)  Subnet: 10.0.[150+x].0/24   Interface: 10.0.[150+x].1
  VLAN 600 (OSPF)    Subnet: 192.168.0.0/24      Interface: 192.168.0.x

Page 15: Meraki Cloud Networking Workshop


MX | Security Appliance Lab

Page 16: Meraki Cloud Networking Workshop


A complete Unified Threat Management solution

Application control: client fingerprinting, traffic shaping, content filtering
Security: NG firewall, client VPN, site-to-site VPN, IDS/IPS, anti-malware, geo-firewall
Networking: NAT/DHCP, 3G/4G cellular, link balancing, IWAN

Page 17: Meraki Cloud Networking Workshop


MX65 / MX65W: (small) branch in a box

• 802.11ac with double the power of the MX64
• 802.1X port authentication
• 2 WAN ports
• 8 LAN ports
• 2 LAN PoE+ ports (60 W total)
• Ready for IWAN
• Ideal for small branches or telecommuters

Same throughput as the MX64/64W with an increased interface count

Page 18: Meraki Cloud Networking Workshop


Automated site-to-site VPN

Site-to-site IPsec VPN in just two clicks in the Dashboard

Simple: creates L3 site-to-site VPN tunnels with just 2 clicks in the dashboard
Automatic: comparable to Cisco DMVPN, it creates mesh or hub-and-spoke VPN tunnels between all peers and adjusts to IP changes
Resilient: automatic failover to a secondary WAN link or 3G/4G USB modem

Page 19: Meraki Cloud Networking Workshop


Meraki Intelligent WAN

(Diagram: WAN 1, secure VPN tunnel (active), latency / loss above threshold; WAN 2, secure VPN tunnel (active), latency / loss below threshold. Data: based on L3 / L4 categorization this traffic normally leaves via WAN 1 (PbR), but the MX detects that the optimal path is WAN 2 because of the latency / loss on WAN 1 (PfR).)

Dual-active path: active-active VPN
Policy-based routing (PbR): allows uplinks to be intelligently assigned based on traffic protocol, subnet, source, destination, etc.
Dynamic path selection: ensures the best uplink is used based on latency and loss metrics

Reference Meraki architecture: the architecture diagram displays the Meraki full stack alongside IWAN.

Page 20: Meraki Cloud Networking Workshop


Choosing the right MX for your environment

  Model               Where                                         FW throughput   Notable features
  Z1                  Teleworkers (1-5 users)                       50 Mbps         Dual-radio wireless
  MX64/64W, MX65/65W  Small branch (~50 users)                      250 Mbps        802.11ac wireless (MX64W/MX65W)
  MX84                Mid-size branch (~200 users)                  500 Mbps        SFP ports
  MX100               Mid-size branch / small campus (~500 users)   750 Mbps        SFP ports
  MX400               Large branch / campus (~2,000 users)          1 Gbps          Power redundancy, modular interfaces, SFP or SFP+ (with modules)
  MX600               Campus / VPN concentration (~10,000 users)    2 Gbps          Power redundancy, modular interfaces, SFP or SFP+ (with modules)

All models support 3G/4G.

Page 21: Meraki Cloud Networking Workshop


MX Base Configuration

• Enable VLANs and create VLANs 1 (Corp), 30 (Voice) and 100 (Guest) per the Network Topology diagram.
• Ensure that untagged traffic is part of VLAN 1 (native VLAN).
• VLAN 1 (Corp): reserve IP addresses .150 through .250 under DHCP Settings.
• When done, go to Switch / Switches and, under Live tools, reboot your switch.

• Apply the following global default policies (hint: this section does not use group policies):
  • Completely block BitTorrent.
  • For Netflix and Pandora, shape traffic to 100 Kbps down, 50 Kbps up. Ensure they are low priority and are marked appropriately.
  • Apply content filtering for adult websites.

• Enable site-to-site VPN with the following settings:
  • Type: Spoke
  • Full tunnel (hint: default route)
  • Hubs: Data Center 1 and Data Center 2 (prioritize Data Center 2)
  • Include VLAN 1 and VLAN 30 in the VPN and exclude VLAN 100
  • Check the Route Table and VPN Status under Monitoring
  • You should be able to ping your neighbors' networks and the Data Center networks
    (hint: 10.0.lab#.1, 10.0.250.1, 10.0.251.1, 10.0.252.1)
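Added example, not from the workshop material: a Python script that derives the station addressing plan from the Network Topology slide, checks it for overlaps, and builds the request bodies this MX base configuration corresponds to in the Meraki Dashboard API v1 (PUT /networks/{networkId}/appliance/vlans/{vlanId} for the DHCP reservation, PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn for the spoke VPN). The hub network IDs are placeholders, the /24 masks on the data-center networks are inferred from the ping hints, and the script only builds and prints the bodies; sending them needs an API key and the station's network ID, which the lab does not expose.

```python
"""Lab addressing plan and MX AutoVPN spoke payload for one lab station (added example)."""
import ipaddress

# Third-octet offsets from the Network Topology slide: VLAN v of station x is 10.0.(offset+x).0/24
MX_VLANS = {"Corp": (1, 0), "Voice": (30, 30), "Guest": (100, 100)}   # name -> (VLAN id, offset)
MS_VLANS = {"Legacy": (150, 150)}                                      # routed on the MS, not the MX
OSPF_NET = ipaddress.ip_network("192.168.0.0/24")                      # VLAN 600, shared by all stations
# Data-center networks behind the hubs; /24 masks are an assumption from the ping hints
DC_NETS = {n: ipaddress.ip_network(n + "/24") for n in ("10.0.250.0", "10.0.251.0", "10.0.252.0")}
VPN_INCLUDED = {"Corp", "Voice"}          # the lab keeps Guest out of AutoVPN
MAX_STATION = 255 - 150                   # 150 + x must still fit in one octet


def station_subnets(x):
    """Map VLAN name -> IPv4Network for lab station x (MX and MS VLANs)."""
    if not 1 <= x <= MAX_STATION:
        raise ValueError(f"station {x} outside 1..{MAX_STATION}")
    return {name: ipaddress.ip_network(f"10.0.{off + x}.0/24")
            for name, (_vid, off) in {**MX_VLANS, **MS_VLANS}.items()}


def plan_conflicts(n):
    """Overlapping subnet pairs once stations 1..n share one AutoVPN with the data centers."""
    owned = [("shared", "OSPF", OSPF_NET)] + [("DC", str(net), net) for net in DC_NETS.values()]
    for x in range(1, n + 1):
        owned += [(f"station {x}", name, net) for name, net in station_subnets(x).items()]
    return [(oa, na, ob, nb)
            for i, (oa, na, a) in enumerate(owned)
            for ob, nb, b in owned[i + 1:]
            if a.overlaps(b)]


def max_stations():
    """Largest n for which stations 1..n have pairwise-disjoint address space."""
    n = 0
    while n < MAX_STATION and not plan_conflicts(n + 1):
        n += 1
    return n


def corp_vlan_payload(x):
    """Body for PUT /networks/{networkId}/appliance/vlans/1: reserve .150-.250 from DHCP."""
    net = station_subnets(x)["Corp"]
    base = net.network_address
    return {"name": "Corp", "subnet": str(net), "applianceIp": str(base + 1),
            "reservedIpRanges": [{"start": str(base + 150), "end": str(base + 250),
                                  "comment": "Lab reservation"}]}


def vpn_spoke_payload(x, hub_ids=("DC1_NETWORK_ID", "DC2_NETWORK_ID")):
    """Body for PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn (hub IDs are placeholders).

    Hubs are tried in list order, so the prioritized DC2 is listed first; useDefaultRoute on
    both hubs makes this a full tunnel. Guest is listed but excluded from the VPN.
    """
    dc1, dc2 = hub_ids
    subnets = station_subnets(x)
    return {"mode": "spoke",
            "hubs": [{"hubId": dc2, "useDefaultRoute": True},
                     {"hubId": dc1, "useDefaultRoute": True}],
            "subnets": [{"localSubnet": str(subnets[name]), "useVpn": name in VPN_INCLUDED}
                        for name in MX_VLANS]}


if __name__ == "__main__":
    import json
    x = 5
    print(f"stations that can coexist without overlap: {max_stations()}")
    print(json.dumps(corp_vlan_payload(x), indent=2))
    print(json.dumps(vpn_spoke_payload(x), indent=2))
```

The overlap check is the part worth running before scaling the plan: because station x's Voice subnet is 10.0.[30+x].0/24 and every station's Corp and Voice VLANs are advertised into the same AutoVPN, station 1's Voice subnet is the same prefix as station 31's Corp subnet, so the plan as drawn holds for at most 30 stations.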

Page 22: Meraki Cloud Networking Workshop


MX IWAN Configuration

Security appliance > Configure > Traffic shaping

• Uplink configuration
  • Uplink bandwidth: WAN 1 = 10 Mb, WAN 2 = 5 Mb
• Global preferences
  • Load balancing enabled
• Flow preferences
  • Internet traffic
    • "Guest" subnet prefers WAN 2
  • Custom performance classes
    • Create "Acceptable Delay" with a setting of 250 ms
  • VPN traffic
    • Any protocol with destination 8.8.8.8/32: prefer WAN 2 unless performance exceeds "Acceptable Delay"
    • "Corp" subnet: load balance on uplinks that are suitable for "Acceptable Delay"
    • "Voice" subnet: preferred uplink "Best for VoIP"

• Verify VPN path selection by initiating a ping from the switch (hint: check Security appliance / VPN status)
• In a new browser tab, ping 8.8.8.8 and 8.8.4.4 from your security appliance's Live tools
• Review and note the results on the VPN status page
• Wait for the instructor to create an ISP-level disruption
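Added example, not Meraki's implementation: a small Python model of the three kinds of flow preference this lab configures, evaluated against constructed uplink measurements, to show which uplink each lab flow takes before and after an uplink degrades. The performance-class semantics follow the slide (a preferred uplink fails over only when it violates the class; load balancing is restricted to uplinks that currently meet it); the "Best for VoIP" score and the hash used to spread load-balanced flows are simplifications, and the measurements are constructed rather than captured from an MX.

```python
"""Simulated MX uplink selection for the IWAN lab rules (added example, not Meraki code)."""
import ipaddress
import zlib

UPLINKS = ("WAN 1", "WAN 2")
ACCEPTABLE_DELAY = {"latency": 250}      # ms; the lab's custom performance class


def meets(cls, stats):
    """True when every metric named by the class (latency/loss/jitter) is within its limit."""
    return all(stats[metric] <= limit for metric, limit in cls.items())


def suitable(uplinks, cls):
    """Uplinks whose current measurements satisfy the class, in WAN 1, WAN 2 order."""
    return [u for u in UPLINKS if meets(cls, uplinks[u])]


def pick_preferred(uplinks, preferred, cls=None):
    """Use the preferred uplink unless it violates the class; then fail over to one that meets it."""
    if cls is None or meets(cls, uplinks[preferred]):
        return preferred
    ok = suitable(uplinks, cls)
    return ok[0] if ok else preferred     # nothing qualifies: stay on the preferred path


def pick_load_balanced(uplinks, flow, cls=None):
    """Hash the flow onto the uplinks that currently satisfy the class (all uplinks if none does)."""
    candidates = suitable(uplinks, cls) if cls else list(UPLINKS)
    if not candidates:
        candidates = list(UPLINKS)
    key = f"{flow['src']}>{flow['dst']}:{flow['dport']}".encode()
    return candidates[zlib.crc32(key) % len(candidates)]   # same flow always maps to the same uplink


def pick_best_for_voip(uplinks):
    """Simplified VoIP score: loss% x 10 + latency + jitter x 2, lowest wins."""
    return min(UPLINKS, key=lambda u: uplinks[u]["loss"] * 10 + uplinks[u]["latency"] + uplinks[u]["jitter"] * 2)


def select_uplink(flow, uplinks, rules):
    """First matching rule decides; unmatched flows take WAN 1 (the primary)."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for r in rules:
        if r.get("src") is not None and src not in r["src"]:
            continue
        if r.get("dst") is not None and dst not in r["dst"]:
            continue
        if r["action"] == "preferred":
            return pick_preferred(uplinks, r["uplink"], r.get("cls"))
        if r["action"] == "load_balance":
            return pick_load_balanced(uplinks, flow, r.get("cls"))
        if r["action"] == "voip":
            return pick_best_for_voip(uplinks)
    return "WAN 1"


def lab_rules(x):
    """The slide's flow preferences for station x, in evaluation order."""
    def net(third):
        return ipaddress.ip_network(f"10.0.{third}.0/24")
    return [
        {"dst": ipaddress.ip_network("8.8.8.8/32"), "action": "preferred", "uplink": "WAN 2",
         "cls": ACCEPTABLE_DELAY},                                              # VPN traffic to 8.8.8.8
        {"src": net(100 + x), "action": "preferred", "uplink": "WAN 2"},        # Guest internet traffic
        {"src": net(x), "action": "load_balance", "cls": ACCEPTABLE_DELAY},      # Corp
        {"src": net(30 + x), "action": "voip"},                                 # Voice
    ]


# Constructed measurements (ms / percent), not captured from a live MX.
DEGRADED_WAN1 = {"WAN 1": {"latency": 320, "loss": 0.0, "jitter": 5},
                 "WAN 2": {"latency": 90, "loss": 0.0, "jitter": 8}}
HEALTHY = {"WAN 1": {"latency": 40, "loss": 0.0, "jitter": 3},
           "WAN 2": {"latency": 60, "loss": 0.0, "jitter": 4}}

if __name__ == "__main__":
    rules = lab_rules(5)
    for flow in ({"src": "10.0.5.20", "dst": "8.8.8.8", "dport": 53},
                 {"src": "10.0.5.20", "dst": "10.0.252.1", "dport": 443},
                 {"src": "10.0.35.7", "dst": "10.0.250.10", "dport": 5060},
                 {"src": "10.0.105.9", "dst": "203.0.113.10", "dport": 443}):
        print(flow["src"], "->", flow["dst"], "via", select_uplink(flow, DEGRADED_WAN1, rules))
```

With WAN 1 at 320 ms the Corp load-balance rule has only one suitable uplink left, so every Corp flow lands on WAN 2 until WAN 1 recovers; the instructor's ISP disruption exercises exactly this transition, which is what the VPN status page should show.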

Page 23: Meraki Cloud Networking Workshop


MS | Switch Lab

Page 24: Meraki Cloud Networking Workshop


Complete Campus Switching Portfolio

22 models scaling from access to campus aggregation

Enterprise-class performance and reliability, including non-blocking Gigabit performance, 802.3af/at PoE/PoE+ on all ports, 10GbE uplinks, and voice and video QoS

Feature highlights
• Voice and video QoS
• Dynamic routing
• Layer 7 app visibility
• Virtual stacking
• Enterprise security, ACLs
• Remote packet capture, cable testing

Page 25: Meraki Cloud Networking Workshop


Mission Critical Features

OSPF: dynamic routing with intuitive, browser-based configuration
IPv6 visibility and tracking: usage statistics for IPv6 addresses now in Dashboard
DHCP server: integrated DHCP service to help prevent single points of network failure
IPv4 Access Control Lists (ACLs): granular security boundaries configurable by subnet, protocol, port range, or host
Virtual Router Redundancy Protocol (VRRP) with DHCP failover support: high availability via a warm spare with automatic failover and DHCP failover support

Addressing evolving customer needs around redundancy, campus connectivity, and reducing complexity

Page 26: Meraki Cloud Networking Workshop


Meraki stacking: virtual and physical

(Diagram: standalone switches in San Francisco, London and Sydney and a physical stack in San Francisco, all receiving "Apply access policy on ports 1-10" in one operation)

Benefits of virtual stacking apply equally to standalone or physically stacked switches

Step 1: Select ports to edit
Step 2: Configure multiple ports as desired
Step 3: Save, you're done!

Page 27: Meraki Cloud Networking Workshop


Introducing MS350-24X

Stackable Multigigabit L3 access switch

• New 24-port addition to the MS350 family
• 8 Multigigabit (1/2.5/5/10G) ports
• UPoE (60W) capable
• Designed to work with the new Multigigabit-capable MR53

(Diagram labels: Gigabit (1G), Multigigabit (1/2.5/5/10G))

Launching & shipping 17 May
$7,495

Page 28: Meraki Cloud Networking Workshop


Introducing MS425

Next-gen 10G aggregation

• 16 & 32 port 10G fiber aggregation
• 40G QSFP+ uplinks
• Flexible stacking
• MS420 refresh with additional price points & unified design
• Ships with 1 PSU and all fans (redundant PSU is optional)

(Diagram labels: 10 Gigabit (SFP+), 40 Gigabit (QSFP+))

Launching & shipping 17 May
MS425-16 $14,000
MS425-32 $22,000

Page 29: Meraki Cloud Networking Workshop


Meraki MS switching product families

Access

MS220
• 8, 24, 48 port models
• Layer 2
• Gigabit SFP uplinks
• Positioning: branch access switching (L2)

MS320
• 24, 48 port models
• Layer 3
• 10Gb SFP+ uplinks
• Hot-swappable, redundant power supplies
• Positioning: branch and campus access switching (L3)

MS350
• 24, 48 port models
• Physical stacking (160Gbps)
• High-performance Layer 3
• 1Gb & Multigigabit
• 10Gb SFP+ uplinks
• Hot-swappable fans and power supplies
• Management port
• Positioning: stackable branch and campus access switching (L3)

Aggregation

MS410
• 16, 32 port models
• Physical stacking (160Gbps)
• High-performance Layer 3
• 1Gb SFP interfaces
• 10Gb SFP+ uplinks
• Hot-swappable fans and power supplies
• Management port
• Positioning: stackable branch and campus aggregation switching (L3)

MS420
• 24, 48 port models
• Front-port stacking
• High-performance Layer 3
• 10Gb SFP+
• Hot-swappable, redundant fans and power supplies
• Management port
• Positioning: stackable campus aggregation switching (L3)

MS425
• 16, 32 port models
• Front-port stacking
• High-performance Layer 3
• 10G SFP+
• 40Gb QSFP+ uplinks
• Hot-swappable fans and power supplies
• Management port
• Positioning: stackable campus aggregation switching (L3)

Page 30: Meraki Cloud Networking Workshop


MS Base Configuration

• Verify that your switch is operational under the Monitoring page (green status, passing traffic)
• Click on the "Initialize layer 3 features" link to add the following SVIs:
  • Name: Corp, Subnet: 10.0.x.0/24, Interface: 10.0.x.201, VLAN: 1, Default gateway: 10.0.x.1, DHCP disabled
  • Name: Legacy, Subnet: 10.0.[150+x].0/24, Interface: 10.0.[150+x].1, VLAN: 150, DHCP enabled
  • Name: OSPF, Subnet: 192.168.0.0/24, Interface IP: 192.168.0.x, VLAN: 600, DHCP disabled
• Go to the MX appliance and create a static route for the "Legacy" subnet with the gateway IP address set to your L3 switch's SVI in the "Corp" VLAN, 10.0.x.201.
• The "In VPN" option should be "Yes".

Page 31: Meraki Cloud Networking Workshop


MS OSPF Configuration

• On the switch, configure OSPF with the following settings:
  • First configure switch port 25 as an access port in VLAN 600
  • Enable OSPF with the default Area 0
  • Edit the Legacy and OSPF interfaces to use the default Area 0 and Cost 1
  • Make sure static routes override the OSPF routes
• Verify the OSPF neighbors and routes on the switch Monitoring page. Start a ping to 10.0.252.1 from the Legacy source interface (hint: 10.0.[150+x].1), then try again with port 25 on your switch disabled (wait about 30 seconds and restart the ping if necessary).
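Added example, generic route-selection logic rather than Meraki code: a Python model of the switch's routing table at this point in the lab. It shows why the ping to 10.0.252.1 takes the OSPF route over VLAN 600 while port 25 is up, falls back to the static default toward the MX (and from there into the AutoVPN) when the adjacency drops, and why "static routes override OSPF routes" only matters when both sources offer the same prefix. The DC2 switch's VLAN 600 address (192.168.0.254) and the neighbouring station's routes are assumptions.

```python
"""Route lookup on the lab MS switch: longest prefix match, then administrative distance (added example)."""
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network
AD = {"connected": 0, "static": 1, "ospf": 110}    # administrative distance: lower wins on equal prefixes


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # "direct" for connected routes
    source: str            # "connected" | "static" | "ospf"
    cost: int = 0          # OSPF path cost; unused for static/connected


def lookup(table, dst):
    """Longest prefix wins; among equal prefixes the lowest AD, then the lowest cost."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -AD[r.source], -r.cost))


def station_table(x, ospf_up=True, neighbour=None):
    """Routing table of station x's MS per the base and OSPF configuration slides.

    With the OSPF adjacency up, routes from the DC2 switch (and from a neighbouring
    station, if given) are present. The DC2 switch's VLAN 600 address is assumed to
    be 192.168.0.254; a neighbouring station y sits at 192.168.0.y per the topology.
    """
    table = [
        Route(net(f"10.0.{x}.0/24"), "direct", "connected"),          # Corp SVI, VLAN 1
        Route(net(f"10.0.{150 + x}.0/24"), "direct", "connected"),    # Legacy SVI, VLAN 150
        Route(net("192.168.0.0/24"), "direct", "connected"),          # OSPF SVI, VLAN 600
        Route(net("0.0.0.0/0"), f"10.0.{x}.1", "static"),             # default gateway: the MX
    ]
    if ospf_up:
        table.append(Route(net("10.0.252.0/24"), "192.168.0.254", "ospf", cost=1))
        if neighbour:
            table.append(Route(net(f"10.0.{150 + neighbour}.0/24"),
                               f"192.168.0.{neighbour}", "ospf", cost=1))
    return table


def trace(x, dst, ospf_up=True):
    """Human-readable decision for the lab's ping test."""
    r = lookup(station_table(x, ospf_up), dst)
    return f"{dst}: {r.prefix} via {r.next_hop} ({r.source})" if r else f"{dst}: no route"


if __name__ == "__main__":
    x = 5
    print(trace(x, "10.0.252.1"))                    # port 25 up: OSPF route over VLAN 600
    print(trace(x, "10.0.252.1", ospf_up=False))     # port 25 down: static default to the MX
```

The second case is why the ping keeps working with port 25 disabled: the switch no longer has a /24 for the DC2 network, so the default route hands the packet to the MX, which has the same destination in its AutoVPN route table. The static-over-OSPF setting would only change the outcome if DC2 also advertised a default route via OSPF, which the last assertion in the test below models.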

Page 32: Meraki Cloud Networking Workshop


So what is going on?

(Diagram: DC2 MX 10.0.252.2, DC2 MS 10.0.252.1)

Note your VLAN 30 Voice subnet is being learned through the DC2 VPN. How would you fix this?

Page 33: Meraki Cloud Networking Workshop


MR | Access Point Lab

Page 34: Meraki Cloud Networking Workshop


MR wireless access points

8 models including indoor / outdoor, high-performance and value-priced
Enterprise-class silicon including RF optimization, PoE, voice / video support
Lifetime warranty on indoor APs

Feature highlights
• BYOD policies
• Application traffic shaping
• Guest access
• Enterprise security
• Location analytics
• WIPS with 3rd security radio

Page 35: Meraki Cloud Networking Workshop


Introducing MR52: highest performance 802.11ac

• 4-stream 4x4 802.11ac Wave 2, 160 MHz channels & MU-MIMO
• Quad-radio architecture: dedicated scanning radio & BLE
• Dual 1-gigabit Ethernet interfaces
• Full operation on 802.3at PoE+ power

17 May: available in US/CAN/EU/ANZ/JP
US$ 1,399 list price

Page 36: Meraki Cloud Networking Workshop


Introducing MR53: future-proof 802.11ac

• 4-stream 4x4 802.11ac Wave 2, 160 MHz channels & MU-MIMO
• Quad-radio architecture: dedicated scanning radio & BLE
• Multigigabit (100/1000/2.5G) + 1-gigabit Ethernet interfaces
• Full operation on 802.3at PoE+ power

17 May: available in US/CAN/EU/ANZ/JP
US$ 1,699 list price

Page 37: Meraki Cloud Networking Workshop


Meraki MR wireless portfolio

Indoor
• MR53 / MR52: highest-performance & future-proof. Wave 2 802.11ac, 4-stream 4x4, 4ss MU-MIMO, 160 MHz channels, Multigigabit (MR53)
• MR42: general purpose. Wave 2 802.11ac, 3-stream 3x3, 2ss MU-MIMO, 80 MHz channels
• MR32: entry-level 11ac. 802.11ac, 2-stream 2x2, SU-MIMO
• MR18: entry-level 11n. 802.11n, 2-stream 2x2

Outdoor / rugged
• MR72: high-performance. 802.11ac, quad-radio, 2-stream 2x2
• MR66: general-purpose. 802.11n, dual-radio, 2-stream 2x2
• MR62: entry-level. 802.11n, single-radio, 2-stream 2x2

Capabilities across the portfolio
• Quad-radio architecture: 2.4 GHz client radio, 5 GHz client radio, scanning/security radio*, Bluetooth LE beacon**
• Enterprise wireless: band steering & Auto RF, traffic shaping & QoS, secure login
• Advanced features: deep packet inspection, location analytics, splash page logins
• Enterprise license: 24x7 support, advance replacement
• PoE & DC power options

* except MR66, MR62
** except MR18, MR66, MR62

Page 38: Meraki Cloud Networking Workshop


Bluetooth and Beacons

Bluetooth & BLE integrated in many consumer devices already

Beacons use BLE for location services like asset tracking, mobile commerce, and navigation; iBeacon is Apple's BLE trademark

Gaining traction as an opt-in alternative to WiFi-based location services

Integrated Bluetooth to drive location trends

Page 39: Meraki Cloud Networking Workshop


Use Case: Location Engagement with Beacons

• Seamless site-wide deployment by integrating beacons into the AP
• Better consumer experience with opt-in mobile app integration
• Increased customer visibility with both WiFi and Bluetooth analytics built in

Page 40: Meraki Cloud Networking Workshop


Use Case: Asset Tracking with Bluetooth

• Seamless site-wide deployment with Bluetooth integrated into the AP
• Track beacon-tagged assets with Bluetooth scanning and location estimation
• Increased administrative visibility with both WiFi and Bluetooth inventory built in

Page 41: Meraki Cloud Networking Workshop


MR Configuration (APs have been turned off)

• Rename existing SSID under Configuration to “Corp” and enable an additional SSID for “Guest”

• On your “Corp” SSID, use WPA2-Enterprise for authentication and add a RADIUS server with IP address 10.0.250.100, port 1812 and shared key “meraki123”. Change client IP assignment to “Bridge Mode” and VLAN tagging to 1

• On the “Guest” SSID, ensure the users sign on with a simple click-through splash page that refreshes every half hour (hint: customize it under Configure / Splash Page). Change client IP assignment to “Bridge Mode” and VLAN tagging to 100

• Under Configure / Firewall & Traffic Shaping, select the “Guest” SSID and create L7 firewall rules to block P2P File Sharing and Gaming on this SSID. Also, limit the per-client bandwidth to 1 Mbps

• Block access to the Local LAN from clients connected to the “Guest” SSID
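Added example, not Meraki's code: a Python audit of the two SSIDs as the lab asks for them, run over a constructed sample shaped like the Dashboard API v1 GET /networks/{networkId}/wireless/ssids objects, with the per-SSID L3 firewall flag (allowLanAccess, which the API serves from .../firewall/l3FirewallRules) and the L7 rules folded into each object for convenience. The L7 category names stand in for the category IDs the API actually uses, and the weak-secret list is an assumption; the lab's shared key "meraki123" is deliberately left in the sample so the check is seen firing.

```python
"""Audit wireless SSID settings against the lab's intent (added example, not Meraki code)."""

WEAK_SECRETS = {"meraki123", "password", "secret", "radius", "changeme"}   # lab/default values to flag
GUEST_VLAN, CORP_VLAN, RADIUS_PORT = 100, 1, 1812


def audit_ssid(ssid, role):
    """Findings for one SSID given its intended role ("enterprise" or "guest"); [] means it passes."""
    name, findings = ssid["name"], []
    if not ssid.get("enabled", False):
        return findings                                  # a disabled SSID carries no exposure
    bridged = ssid.get("ipAssignmentMode") == "Bridge mode"
    if bridged and not ssid.get("useVlanTagging"):
        findings.append(f"{name}: bridged without VLAN tagging, clients land on the native VLAN")
    if role == "enterprise":
        if ssid.get("authMode") != "8021x-radius":
            findings.append(f"{name}: expected WPA2-Enterprise (8021x-radius), got {ssid.get('authMode')}")
        for srv in ssid.get("radiusServers", []):
            if srv.get("secret") in WEAK_SECRETS or len(srv.get("secret", "")) < 16:
                findings.append(f"{name}: weak RADIUS shared secret for {srv.get('host')}")
            if srv.get("port") != RADIUS_PORT:
                findings.append(f"{name}: RADIUS port {srv.get('port')} is not {RADIUS_PORT}")
        if bridged and ssid.get("defaultVlanId") != CORP_VLAN:
            findings.append(f"{name}: bridged to VLAN {ssid.get('defaultVlanId')}, expected {CORP_VLAN}")
    elif role == "guest":
        if ssid.get("authMode") == "open" and ssid.get("splashPage", "None") == "None":
            findings.append(f"{name}: open SSID with no splash page")
        if bridged and ssid.get("defaultVlanId") != GUEST_VLAN:
            findings.append(f"{name}: bridged to VLAN {ssid.get('defaultVlanId')}, expected {GUEST_VLAN}")
        if ssid.get("l3Firewall", {}).get("allowLanAccess", True):
            findings.append(f"{name}: guest clients can reach the local LAN")
        if not ssid.get("perClientBandwidthLimitDown"):
            findings.append(f"{name}: no per-client bandwidth limit")
        denied = {r["value"]["name"] for r in ssid.get("l7Rules", []) if r["policy"] == "deny"}
        for cat in ("Peer-to-peer (P2P)", "Gaming"):         # category names are placeholders for API IDs
            if cat not in denied:
                findings.append(f"{name}: L7 rule missing: block {cat}")
    return findings


def audit(ssids, roles):
    """Findings across all SSIDs; roles maps SSID name -> intended role. Unlisted SSIDs are skipped."""
    return [f for s in ssids if s["name"] in roles for f in audit_ssid(s, roles[s["name"]])]


# Constructed sample (not captured): Corp as the lab builds it, Guest before the L3/L7 steps are done.
LAB_SSIDS = [
    {"name": "Corp", "number": 0, "enabled": True, "authMode": "8021x-radius",
     "radiusServers": [{"host": "10.0.250.100", "port": 1812, "secret": "meraki123"}],
     "ipAssignmentMode": "Bridge mode", "useVlanTagging": True, "defaultVlanId": 1},
    {"name": "Guest", "number": 1, "enabled": True, "authMode": "open", "splashPage": "Click-through",
     "ipAssignmentMode": "Bridge mode", "useVlanTagging": False, "defaultVlanId": 1,
     "perClientBandwidthLimitDown": 1000, "perClientBandwidthLimitUp": 1000,
     "l3Firewall": {"allowLanAccess": True},
     "l7Rules": [{"policy": "deny", "type": "applicationCategory", "value": {"name": "Peer-to-peer (P2P)"}}]},
]
ROLES = {"Corp": "enterprise", "Guest": "guest"}


def hardened_guest(ssid):
    """The Guest SSID as the lab asks for it: tagged to VLAN 100, LAN blocked, P2P and gaming denied."""
    fixed = dict(ssid, useVlanTagging=True, defaultVlanId=GUEST_VLAN, l3Firewall={"allowLanAccess": False})
    fixed["l7Rules"] = ssid["l7Rules"] + [{"policy": "deny", "type": "applicationCategory",
                                           "value": {"name": "Gaming"}}]
    return fixed


if __name__ == "__main__":
    for f in audit(LAB_SSIDS, ROLES):
        print("FAIL", f)
    print("after hardening:", audit([LAB_SSIDS[0], hardened_guest(LAB_SSIDS[1])], ROLES))
```

The untagged-bridge check matters in this lab specifically: the MX was configured so that untagged traffic belongs to VLAN 1 (Corp), so a Guest SSID in bridge mode without VLAN tagging puts guest clients on the corporate subnet even if every other guest control is in place.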

Page 42: Meraki Cloud Networking Workshop


Systems Manager Enterprise

Page 43: Meraki Cloud Networking Workshop


Cisco’s Enterprise Mobility Solution: Systems Manager

Meraki Systems ManagerCloud Managed Mobility Management

Provision, monitor, and secure mobile devices

Flexible, easy provisioning

Centrally scale 100,000s devices worldwide

Auto-tagging, dynamic security compliance

Integrate seamlessly with the rest of your Cisco network

Page 44: Meraki Cloud Networking Workshop


Risk of Mobile Devices in the Enterprise?

• Insider misuse = significant cause of breaches: >20% of breaches come directly from insiders with malicious intent. In most breaches, attackers have a foothold within internal networks and spread / steal data through privilege abuse / credential misuse.
• Mobile devices = increasingly used to harvest data: adware grew 136% to 410,000 apps between 2013 and the first three quarters of 2014, giving attackers access to personal information such as contacts, which can subsequently be used to launch phishing attacks.
• Mobile device management = critical in preventing breaches: 22% of breaches reported by network security decision makers involve lost / stolen devices.

Are the devices on your network secure?

Page 45: Meraki Cloud Networking Workshop


SM Dashboard Demo

Page 46: Meraki Cloud Networking Workshop
Page 47: Meraki Cloud Networking Workshop

Thank you.