meraki cloud networking workshop
TRANSCRIPT
Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1
Cloud Networking Lab
Jay Bradford and Mike Makkaoui, Cloud Networking Systems Engineers
May 2016
Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016. Here are a few housekeeping notes to ensure we all enjoy the session today.
• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session
• SSID: CiscoLabs Password: CiscoLabs
Agenda
20 min Welcome and Introduction
35 min Dashboard Demo
20 min Local MX, MS and MR configuration
60 min MX | Security Appliances Lab
30 min MS | Access Switches Lab
30 min MR | Wireless Access Points Lab
25 min SM | System Manager Demo
10 min Q&A and Wrap-Up
About Cisco Meraki
Cisco Meraki: a complete cloud-managed networking solution
- Wireless, switching, security, MDM and telephony, centrally managed over the web
- Built from the ground up for cloud management
- Integrated hardware, software, and cloud services
Cloud Networking Leader:
- Cisco’s fastest-growing acquisition ever: over 100% annual growth
- 600,000+ customer networks in 147 countries
- Tens of millions of devices connected worldwide
Recognized for innovation:
- Gartner Magic Quadrant
- InfoWorld Technology of the Year
- TechWorld Mobility product of the year
- CRN Coolest Technologies
About Cisco cloud-managed networking
Bringing the cloud to enterprise networks
Cloud Managed WiFi: Meraki MR Wireless LAN
Cloud Managed Network: Meraki MS Ethernet Switches, Meraki MX Security Appliances
Cloud Managed IT: Meraki SM MDM, Meraki MC Telephony
Meraki cloud architecture
Scalable: unlimited throughput, no bottlenecks; add devices or sites in minutes
Reliable: highly available cloud with multiple datacenters; the network functions even if the connection to the cloud is interrupted; 99.99% uptime SLA
Secure: no user traffic passes through the cloud; fully HIPAA / PCI compliant (level 1 certified); 3rd party security audits, daily penetration testing; automatic firmware and security updates (user-scheduled)
Reliability and security information at meraki.cisco.com/trust
[Diagram: only management data (1 kb/s) crosses the WAN to the cloud]
Out-of-band management in every product
Cloud Licensing Model is Simple
Simple Cloud Licensing model
- No per-feature or per-user licenses
- Licensing options: 1 Year, 3 Year, 5 Year, 7 Year & 10 Year
Cloud License price is all inclusive
- Cloud Management UI
- 24 x 7 phone support
- Automated software updates
- Advanced hardware replacement
- All features built on the platform
- All new features
Dashboard Demo
Hands-on Labs: visit meraki.com/merakilab
Session Code: #142NA
* Limit of 3 free APs per customer and includes previous promotional offers
Your individual lab lives at our SF office!
Go to dashboard.meraki.com
Username: [email protected]: meraki123
X (number) as assigned
Lab slides: http://cs.co/CCT2016_lab_slides
Lab manual: http://cs.co/CCT2016_lab_manual
Network Topology
Firewall Configuration:
- VLAN 1 (Corp): Subnet 10.0.x.0/24, Interface 10.0.x.1
- VLAN 30 (Voice): Subnet 10.0.[30+x].0/24, Interface 10.0.[30+x].1
- VLAN 100 (Guest): Subnet 10.0.[100+x].0/24, Interface 10.0.[100+x].1
“x” is your lab station number
Switch Configuration:
- VLAN 1 (Corp): Subnet 10.0.x.0/24, Interface 10.0.x.201, Default gateway 10.0.x.1
- VLAN 150 (Legacy): Subnet 10.0.[150+x].0/24, Interface 10.0.[150+x].1
- VLAN 600 (OSPF): Subnet 192.168.0.0/24, Interface 192.168.0.x
MX | Security Appliance Lab
A Complete Unified Threat Management Solution
Application Control: Client Fingerprinting, Traffic Shaping, Content Filtering
Security: NG Firewall, Client VPN, Site to Site VPN, IDS/IPS, Anti-Malware, Geo-Firewall
Networking: NAT/DHCP, 3G/4G Cellular, Link Balancing, IWAN
MX65 / MX65W – (small) Branch in a box
• 802.11ac with double the MX64 power
• 802.1x port authentication
• 2 WAN ports
• 8 LAN ports
• 2 LAN PoE+ ports (60W total)
• Ready for IWAN
• Ideal for small branches or telecommuters
Same throughput as MX64/64W with increased interface count
Automated site-to-site VPN
Site-to-site IPsec VPN in just two clicks in the Dashboard
Simple: creates L3 site-to-site VPN tunnels with just 2 clicks in the dashboard
Automatic: comparable to Cisco DMVPN, it creates a mesh or hub-and-spoke VPN tunnel between all peers and adjusts to IP changes
Resilient: automatic failover to a secondary WAN link or 3G/4G USB modem
Meraki Intelligent WAN
[Diagram: WAN 1, secure VPN tunnel (active), latency / loss > threshold; WAN 2, secure VPN tunnel (active), latency / loss < threshold]
Data: based on L3 / L4 categorization, this data normally travels out WAN 1 (PbR), but the MX detects that the optimal path is WAN 2 based on latency / loss on WAN 1 (PfR).
Dual-active path: active-active VPN
Policy-based routing (PbR): allows uplinks to be intelligently assigned based on traffic protocol, subnet, source, destination, etc.
Dynamic Path Selection: ensures the best uplink is used based on latency and loss metrics
Reference Meraki Architecture: the architecture diagram displays the Meraki full stack alongside iWAN.
Choosing the right MX for your environment
Model              | Positioning                                  | FW throughput | Notable features
Z1                 | For teleworkers (1-5 users)                  | 50 Mbps       | Dual-radio wireless
MX64/64W, MX65/65W | Small branch (~50 users)                     | 250 Mbps      | 802.11ac wireless (MX64W/MX65W)
MX84               | Mid-size branch (~200 users)                 | 500 Mbps      | SFP ports
MX100              | Mid-size branch / small campus (~500 users)  | 750 Mbps      | SFP ports
MX400              | Large branch / campus (~2,000 users)         | 1 Gbps        | Power redundancy, modular interface, SFP or SFP+ (with modules)
MX600              | Campus / VPN concentration (~10,000 users)   | 2 Gbps        | Power redundancy, modular interface, SFP or SFP+ (with modules)
All devices support 3G/4G
MX Base Configuration
• Enable VLANs and create VLANs 1 (Corp), 30 (Voice) and 100 (Guest) per the Network Topology diagram.
• Ensure that non-tagged traffic will be part of VLAN 1 (native VLAN)
• VLAN 1 (Corp): reserve IP addresses .150 through .250 under DHCP Settings
• When done, go to Switch / Switches and under Live tools reboot your switch
• Apply the following global default policies (Hint: this section does not use group policies)
  • Completely block BitTorrent
  • For Netflix and Pandora, shape traffic to 100K down, 50K up. Ensure they are low priority and are marked appropriately.
  • Apply content filtering for adult websites
• Enable site-to-site VPN with the following settings
  • Type: Spoke
  • Full Tunnel (Hint: Default Route)
  • Hubs: Data Center 1 and Data Center 2 (prioritize Data Center 2)
  • Include VLAN 1 and VLAN 30 in the VPN and exclude VLAN 100
• Check the Route Table and VPN Status under Monitoring
• You should be able to ‘ping’ your neighbor’s networks and the Data Center networks (Hint: “10.0.lab#.1”, 10.0.250.1, 10.0.251.1, 10.0.252.1)
MX IWAN Configuration (Security appliance > Configure > Traffic shaping)
• Uplink configuration
  • Uplink bandwidth: WAN 1 = 10Mb, WAN 2 = 5Mb
• Global preferences
  • Load balancing enabled
• Flow preferences
  • Internet traffic: “Guest” subnet prefers WAN 2
  • Custom performance classes: create “Acceptable Delay” with a setting of 250ms
  • VPN traffic:
    • Any protocol with destination 8.8.8.8/32: prefer WAN 2 unless performance exceeds “Acceptable Delay”
    • “Corp” subnet: load balance on uplinks that are suitable for “Acceptable Delay”
    • “Voice”: preferred uplink “Best for VoIP”
• Verify VPN path selection by initiating a ping from the switch (Hint: check Security Appliance / VPN Status)
• In a new browser tab, ping 8.8.8.8 and 8.8.4.4 from your Security Appliance’s “live tools”
• Review and note the results on the VPN status page
• Wait for the instructor to create an ISP-level disruption
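A simplified model of the path-selection logic the lab configures above (Guest to WAN 2; 8.8.8.8 to WAN 2 unless “Acceptable Delay” is exceeded; Corp load-balanced across compliant uplinks; Voice on the best VoIP path), showing how policy-based routing and a performance class interact. This is an added illustration in Python, not Meraki’s code; the “Best for VoIP” thresholds, the round-robin balancing and the first-match rule order are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Uplink:
    name: str
    latency_ms: float
    loss_pct: float

@dataclass
class Flow:
    dst: str    # destination IP of the flow
    vlan: str   # source VLAN name: "Corp", "Voice" or "Guest"

# Performance classes as (max latency ms, max loss %). "Acceptable Delay" is
# the lab's custom class; the "Best for VoIP" bounds are assumed for illustration.
PERF = {"Acceptable Delay": (250.0, 100.0), "Best for VoIP": (150.0, 1.0)}

# Flow-preference rules in the order the lab configures them; first match wins.
#   prefer  -> use the named uplink unless it fails the class, then the other
#   balance -> round-robin across uplinks that meet the class
#   best    -> lowest-latency uplink that meets the class
RULES = [
    ("Guest to WAN 2", lambda f: f.vlan == "Guest", "prefer", "WAN 2", None),
    ("8.8.8.8 to WAN 2", lambda f: ip_address(f.dst) in ip_network("8.8.8.8/32"),
     "prefer", "WAN 2", "Acceptable Delay"),
    ("Corp balanced", lambda f: f.vlan == "Corp", "balance", None, "Acceptable Delay"),
    ("Voice best", lambda f: f.vlan == "Voice", "best", None, "Best for VoIP"),
]

def meets(uplink, cls):
    """True when the uplink's current stats satisfy the performance class."""
    max_lat, max_loss = PERF[cls]
    return uplink.latency_ms <= max_lat and uplink.loss_pct <= max_loss

class PathSelector:
    def __init__(self, uplinks):
        self.uplinks = list(uplinks)   # WAN 1 first: it is the default path
        self._turn = 0                 # round-robin position for "balance"

    def select(self, flow):
        """Return (uplink name, rule name) chosen for a new flow."""
        for name, match, mode, preferred, cls in RULES:
            if not match(flow):
                continue
            # Uplinks that currently satisfy the class; if none do, keep every
            # uplink as a candidate rather than blackholing the flow.
            ok = [u for u in self.uplinks if cls is None or meets(u, cls)] or self.uplinks
            if mode == "prefer":
                pref = next(u for u in self.uplinks if u.name == preferred)
                return (pref.name if pref in ok else ok[0].name), name
            if mode == "balance":
                chosen = ok[self._turn % len(ok)]
                self._turn += 1
                return chosen.name, name
            return min(ok, key=lambda u: u.latency_ms).name, name
        return self.uplinks[0].name, "default (WAN 1)"
```

Degrading an uplink’s stats between calls (as the instructor’s ISP disruption does in the lab) shows the 8.8.8.8 and Voice flows moving to the other WAN while Guest traffic stays pinned to WAN 2.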
MS | Switch Lab
Complete Campus Switching Portfolio
22 models scaling from access to campus aggregation
Enterprise-class performance and reliability including non-blocking Gigabit performance, 802.3af/at PoE/PoE+ on all ports, 10GbE uplinks, and voice and video QoS
Feature highlights
- Voice and video QoS
- Dynamic Routing
- Layer 7 app visibility
- Virtual stacking
- Enterprise security, ACLs
- Remote packet capture, cable testing
Mission Critical Features
OSPF: dynamic routing with intuitive, browser-based configuration
IPv6 visibility and tracking: usage statistics for IPv6 addresses now in Dashboard
DHCP server: integrated DHCP service to help prevent single points of network failure
IPv4 Access Control Lists (ACLs): granular security boundaries configurable by subnet, protocol, port range, or host
Virtual Router Redundancy Protocol (VRRP) with DHCP Failover support: high availability via a warm spare with automatic failover and DHCP failover support
Addressing evolving customer needs around redundancy, campus connectivity, and reducing complexity
Meraki stacking: Virtual and physical
[Diagram: standalone switches in San Francisco, London and Sydney and stacked switches in San Francisco; “Apply Access Policy on ports 1-10” applied to all of them at once]
Benefits of virtual stacking apply equally to standalone or physically stacked switches
Step 1: Select ports to edit
Step 2: Configure multiple ports as desired
Step 3: Save, you’re done!
Introducing MS350-24X
Stackable Multigigabit L3 access switch
Port types: Gigabit (1G) and Multigigabit (1/2.5/5/10G)
• New 24-port addition to the MS350 Family
• 8 Multigigabit (1/2.5/5/10G) ports
• UPoE (60W) capable
• Designed to work with the new Multigigabit-capable MR53
Launching & shipping 17 May
$7,495
Introducing MS425
Next Gen 10G aggregation
• 16 & 32 port 10G fiber aggregation
• 40G QSFP+ uplinks
• Flexible stacking
• MS420 refresh with additional price points & unified design
• Ships with 1 PSU and all fans (redundant PSU is optional)
Port types: 10 Gigabit (SFP+) and 40 Gigabit (QSFP+)
Launching & shipping 17 May
MS425-16 $14,000
MS425-32 $22,000
Meraki MS switching product families
Access: MS220, MS320, MS350. Aggregation: MS410, MS420, MS425.
MS220
  Features: 8, 24, 48 port models; Layer 2; Gigabit SFP uplinks
  Positioning: Branch access switching (L2)
MS320
  Features: 24, 48 port models; Layer 3; 10Gb SFP+ uplinks; hot-swappable, redundant power supplies
  Positioning: Branch and Campus access switching (L3)
MS350
  Features: 24, 48 port models; physical stacking (160Gbps); high performance Layer 3; 1Gb & Multigigabit; 10Gb SFP+ uplinks; hot-swappable fans and power supplies; management port
  Positioning: Stackable Branch and Campus access switching (L3)
MS410
  Features: 16, 32 port models; physical stacking (160Gbps); high performance Layer 3; 1Gb SFP interfaces; 10Gb SFP+ uplinks; hot-swappable fans and power supplies; management port
  Positioning: Stackable Branch and Campus aggregation switching (L3)
MS420
  Features: 24, 48 port models; front-port stacking; high performance Layer 3; 10Gb SFP+; hot-swappable, redundant fans and power supplies; management port
  Positioning: Stackable Campus aggregation switching (L3)
MS425
  Features: 16, 32 port models; front-port stacking; high performance Layer 3; 10G SFP+; 40Gb QSFP+ uplinks; hot-swappable fans and power supplies; management port
  Positioning: Stackable Campus aggregation switching (L3)
MS Base Configuration
• Verify that your switch is operational under the Monitoring page (green status, passing traffic)
• Click on the “Initialize layer 3 features” link to add the following SVIs:
  • Name: Corp, Subnet: 10.0.x.0/24, Interface: 10.0.x.201, VLAN: 1, Default gateway: 10.0.x.1, Disable DHCP
  • Name: Legacy, Subnet: 10.0.[150+x].0/24, Interface: 10.0.[150+x].1, VLAN: 150, DHCP Enabled
  • Name: OSPF, Subnet: 192.168.0.0/24, Interface IP: 192.168.0.x, VLAN: 600, Disable DHCP
• Go to the MX Appliance and create a static route for the “Legacy” subnet with the gateway IP address set to your L3 switch SVI in the “Corp” VLAN: 10.0.x.201.
• The “In VPN” option should be “Yes”.
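The Network Topology slide and the MS base configuration above define one addressing plan per station; the check below derives that plan for a station number x and lints it (the MX “Legacy” static route must point at the switch’s Corp SVI inside the Corp VLAN, and no two stations’ /24s may collide). This is an added example, not lab or Meraki code; the data center /24s are assumed from the ping hint’s .1 addresses.

```python
from ipaddress import ip_address, ip_network

# Assumed data center subnets (the lab only gives the .1 gateways to ping).
DC_NETWORKS = [ip_network("10.0.250.0/24"), ip_network("10.0.251.0/24"),
               ip_network("10.0.252.0/24")]

def station_plan(x):
    """MX VLANs, switch SVIs and the MX static route for lab station x."""
    net = lambda third: ip_network(f"10.0.{third}.0/24")
    mx_vlans = {"Corp": (net(x), ip_address(f"10.0.{x}.1")),
                "Voice": (net(30 + x), ip_address(f"10.0.{30 + x}.1")),
                "Guest": (net(100 + x), ip_address(f"10.0.{100 + x}.1"))}
    ms_svis = {"Corp": (net(x), ip_address(f"10.0.{x}.201")),
               "Legacy": (net(150 + x), ip_address(f"10.0.{150 + x}.1")),
               "OSPF": (ip_network("192.168.0.0/24"), ip_address(f"192.168.0.{x}"))}
    # MX static route: Legacy subnet via the switch's Corp SVI, included in VPN.
    route = {"subnet": ms_svis["Legacy"][0], "next_hop": ms_svis["Corp"][1], "in_vpn": True}
    return mx_vlans, ms_svis, route

def station_networks(x):
    """Every /24 a station carves out of 10.0.0.0/16 (MX VLANs plus Legacy)."""
    mx_vlans, ms_svis, _ = station_plan(x)
    return [n for n, _ in mx_vlans.values()] + [ms_svis["Legacy"][0]]

def check_station(x):
    """Problems with station x's plan; an empty list means it is consistent."""
    mx_vlans, ms_svis, route = station_plan(x)
    corp_net, corp_gw = mx_vlans["Corp"]
    problems = []
    if route["next_hop"] not in corp_net:
        problems.append("Legacy route next hop is not inside the Corp VLAN")
    if route["next_hop"] == corp_gw:
        problems.append("Legacy route next hop is the MX itself")
    if ms_svis["Corp"][0] != corp_net:
        problems.append("switch Corp SVI subnet differs from the MX Corp VLAN")
    if any(a.overlaps(b) for a in station_networks(x) for b in DC_NETWORKS):
        problems.append("a station subnet overlaps a data center subnet")
    return problems

def overlapping_stations(stations):
    """Pairs of station numbers whose /24s collide under this plan."""
    stations = list(stations)
    nets = {x: station_networks(x) for x in stations}
    return sorted((a, b) for a in stations for b in stations
                  if a < b and any(n.overlaps(m) for n in nets[a] for m in nets[b]))
```

The plan is collision-free only while the third octets x, 30+x, 100+x and 150+x stay distinct across stations, which is why station numbers 30 apart (or 100 and above) would clash.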
MS OSPF Configuration
• On the switch, configure OSPF with the following settings:
  • First configure switch port 25 to be access VLAN 600
  • Enable OSPF with default Area 0
  • Edit the Legacy and OSPF interfaces to use the default Area 0 and Cost 1
  • Make sure static routes override the OSPF routes
• Verify the OSPF neighbors and routes on the switch Monitoring page. Start a ping to 10.0.252.1 from the Legacy source interface and try again with port 25 on your switch disabled (Hint: 10.0.[150+x].1; wait about 30 sec and restart the ping if necessary).
So what is going on?
[Diagram: DC2 MX 10.0.252.2; DC2 MS 10.0.252.1]
Note your VLAN30 Voice subnet is being learned through the DC2 VPN – how would you fix this?
MR | Access Point Lab
MR wireless access points
8 models including indoor / outdoor, high performance and value-priced
Enterprise-class silicon including RF optimization, PoE, voice / video support
Lifetime warranty on indoor APs
Feature highlights
- BYOD policies
- Application traffic shaping
- Guest access
- Enterprise security
- Location analytics
- WIPS – 3rd Security Radio
Introducing MR52: Highest performance 802.11ac
- 4-stream 4x4 802.11ac Wave 2; 160 MHz channels & MU-MIMO
- Quad-radio architecture; dedicated scanning radio & BLE
- Dual 1-gigabit Ethernet interfaces (1-gigabit, 1-gigabit)
- Full operation on 802.3at PoE+ power
- 17 May: available in US/CAN/EU/ANZ/JP
- US$ 1,399 list price
Introducing MR53: Future-proof 802.11ac
- 4-stream 4x4 802.11ac Wave 2; 160 MHz channels & MU-MIMO
- Quad-radio architecture; dedicated scanning radio & BLE
- Multigigabit + 1-gigabit Ethernet (100/1000/2.5G, 1-gigabit)
- Full operation on 802.3at PoE+ power
- 17 May: available in US/CAN/EU/ANZ/JP
- US$ 1,699 list price
Meraki MR wireless portfolio
Indoor
- MR53 / MR52 (highest-performance & future-proof): Wave 2 802.11ac, 4-stream 4x4, 4ss MU-MIMO, 160 MHz channels, Multigigabit (MR53)
- MR42 (general purpose): Wave 2 802.11ac, 3-stream 3x3, 2ss MU-MIMO, 80 MHz channels
- MR32 (entry-level 11ac): 802.11ac, 2-stream 2x2, SU-MIMO
- MR18 (entry-level 11n): 802.11n, 2-stream 2x2
Capabilities common to the indoor models
- Quad-radio architecture: 2.4 GHz client radio, 5 GHz client radio, scanning/security radio*, Bluetooth LE beacon**
- Enterprise wireless: band steering & Auto RF, traffic shaping & QoS, secure login
- Advanced features: deep packet inspection, location analytics, splash page logins
- Enterprise license: 24x7 support, advance replacement
- PoE & DC power options
*except MR66, MR62; **except MR18, MR66, MR62
Outdoor / rugged
- MR72 (high-performance): 802.11ac, quad-radio, 2-stream 2x2
- MR66 (general-purpose): 802.11n, dual-radio, 2-stream 2x2
- MR62 (entry-level): 802.11n, single-radio, 2-stream 2x2
Bluetooth and Beacons
Bluetooth & BLE integrated in many consumer devices already
Beacons use BLE for location services like asset tracking, mobile commerce, and navigation; iBeacon is Apple’s BLE trademark
Gaining traction as an opt-in alternative to WiFi-based location services
Integrated Bluetooth to drive location trends
Use Case: Location Engagement with Beacons
Seamless site-wide deployment by integrating Beacons into the AP
Better consumer experience with opt-in mobile app integration
Increased customer visibility with both WiFi and Bluetooth analytics built-in
Use Case: Asset Tracking with Bluetooth
Seamless site-wide deployment with Bluetooth integrated into the AP
Track Beacon-tagged assets with Bluetooth scanning and location estimation
Increased administrative visibility with both WiFi and Bluetooth inventory built-in
MR Configuration (APs have been turned off)
• Rename existing SSID under Configuration to “Corp” and enable an additional SSID for “Guest”
• On your “Corp” SSID, use WPA2-Enterprise for authentication and add a RADIUS server with IP address 10.0.250.100, port 1812 and shared key “meraki123”. Change client IP assignment to “Bridge Mode” and VLAN tagging to 1
• On the “Guest” SSID, ensure the users sign on with a simple click-through splash page that refreshes every half hour (hint: customize it under Configure / Splash Page). Change client IP assignment to “Bridge Mode” and VLAN tagging to 100
• Under Configure / Firewall & Traffic Shaping, select the “Guest” SSID and create L7 firewall rules to block P2P File Sharing and Gaming on this SSID. Also, limit the per-client bandwidth to 1 Mbps
• Block access to the Local LAN from clients connected to the “Guest” SSID
Systems Manager Enterprise
Cisco’s Enterprise Mobility Solution: Systems Manager
Meraki Systems Manager: Cloud Managed Mobility Management
Provision, monitor, and secure mobile devices
Flexible, easy provisioning
Centrally scale 100,000s devices worldwide
Auto-tagging, dynamic security compliance
Integrate seamlessly with the rest of your Cisco network
Risk of Mobile Devices in the Enterprise?
• Insider misuse is a significant cause of breaches: >20% of breaches come directly from insiders with malicious intent. In most breaches, attackers have a foothold within internal networks and spread / steal data through privilege abuse / credential misuse.
• Mobile devices are increasingly used to harvest data: adware grew 136% to 410,000 apps between 2013 and the first three quarters of 2014, giving attackers access to personal information such as contacts, which can subsequently be used to launch phishing attacks.
• Mobile device management is critical in preventing breaches: 22% of breaches reported by network security decision makers involve lost / stolen devices.
Are the devices on your network secure?
SM Dashboard Demo
Thank you.