This document provides an agenda and instructions for a Cisco Cloud Networking Workshop. The agenda includes demonstrations of the Cisco Meraki dashboard, MX security appliances, MS switches, MR wireless access points, and SM device management. Attendees are given instructions to log into the Meraki dashboard for a hands-on lab exploring configuration of MX firewalls, MS switches, wireless SSIDs on MR access points, and network policies. The document also provides overviews of Cisco Meraki's cloud-managed networking portfolio and features for network security, management, and device mobility.
House Keeping Notes
Thank you for attending Cisco Connect Toronto 2015, here are a few housekeeping notes to ensure we all enjoy the session today.
§ Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session
§ A power bar is available under each desk in case you need to charge your laptop (Labs only)
dCloud
Customers now get full dCloud experience!
§ Cisco dCloud is a self-service platform that can be accessed via a browser, a high-speed Internet connection, and a cisco.com account
§ Customers will have direct access to a subset of dCloud demos and labs
§ Restricted content must be brokered by an authorized user (Cisco or Partner) and then shared with the customers (cisco.com user).
§ Go to dcloud.cisco.com, select the location closest to you, and log in with your cisco.com credentials
§ Review the getting started videos and try Cisco dCloud today: https://dcloud-cms.cisco.com/help
Agenda
20 min Welcome and Introduction
30 min Dashboard Demo
5 min Local MX, MS and MR configuration
30 min MX | Security Appliances Lab
45 min MS | Access Switches Lab
30 min MR | Wireless Access Points Lab
15 min SM | System Manager Demo
5 min Q&A and Wrap-Up
About Cisco cloud-managed networking
Complete cloud-managed networking solution
• Wireless, switching, security, WAN optimization, and MDM, centrally managed over the web
• Built from the ground up for cloud management
• Integrated hardware, software, and cloud services
Cloud Networking Leader
• Cisco’s fastest-growing acquisition ever: over 100% annual growth
• 300,000+ customer networks in 147 countries
• Tens of millions of devices connected worldwide
Recognized for innovation
• Gartner Magic Quadrant
• InfoWorld Technology of the Year
• TechWorld Mobility product of the year
• CRN Coolest Technologies
Bringing the cloud to enterprise networks
• Meraki MS: Ethernet Switches
• Meraki SM: Mobile Device Management
• Meraki MR: Wireless LAN
• Meraki MX: Security Appliances
Scalable
• Unlimited throughput, no bottlenecks
• Add devices or sites in minutes
Reliable
• Highly available cloud with multiple datacenters
• Network functions even if connection to cloud is interrupted
• 99.99% uptime SLA
Secure
• No user traffic passes through cloud
• Fully HIPAA / PCI DSS 3.0 compliant (level 1 certified)
• 3rd party security audits, daily penetration testing
• Automatic firmware and security updates (user-scheduled)
Reliability and security information at meraki.cisco.com/trust
Out-of-band management in every product: only management data (1 kb/s) crosses the WAN to the cloud
Cloud Licensing Model is Simple
Simple Cloud Licensing model
• No per-feature or per-user licenses
• Licensing options: 1 Year, 3 Year, 5 Year, 7 Year & 10 Year
Cloud License price is all inclusive
• Cloud Management UI
• 24 x 7 phone support
• Automated software updates
• Advanced hardware replacement
• All features built on the platform
• All new features
Go to dashboard.meraki.com and login with:
username: ciscolabX@ikarem.215332.com
password: meraki123
X is your station ID
Please select your network # on the top pull-down menu
A Complete Unified Threat Management Solution
• Application Control: WAN Optimization, Traffic Shaping, Content Filtering
• Security: NG Firewall, Client VPN, Site to Site VPN, IDS/IPS, Anti-Malware, Geo-Firewall
• Networking: NAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing
Choosing the right MX for your environment
Model      Where                                 FW throughput
Z1         For teleworkers (1-5 users)           50 Mbps
MX64/64W   Small branches (~50 users)            200 Mbps
MX80       Mid-size branches (~100 users)        250 Mbps
MX100      Mid-size branches (~500 users)        750 Mbps
MX400      Large branch/campus (~2,000 users)    1 Gbps
MX600      Large branch/campus (~10,000 users)   2 Gbps
Unique features: 802.11ac wireless (MX64W); dual-radio wireless (Z1); 5 x GbE Gigabit uplinks (up to 2 WAN); 8 x GbE Gigabit uplinks (up to 2 WAN) plus 2 x GbE (SFP); 8 x GbE (SFP) and 4 x 10GbE (SFP+) with built-in redundancy (MX400, MX600)
All devices support 3G/4G
Automated site-to-site VPN
Site-to-site IPsec VPN in just two clicks in the Dashboard
• Simple: Creates L3 site-to-site VPN tunnels with just 2 clicks in the dashboard
• Automatic: Comparable to Cisco DMVPN, it creates a mesh or hub-and-spoke VPN tunnel between all peers and adjusts to IP changes
• Resilient: Automatic failover to secondary WAN link or 3G/4G USB modem
Ironclad security
• Best IPS: SOURCEfire IDS / IPS, updated every day
• Content Filtering: 4+ billion URLs, updated in real-time
• Geo-based security: Block attackers from rogue countries
• AV / anti-phishing: Kaspersky AV, updated every hour
• PCI compliance: PCI L1 certified cloud-based management
MX Configuration
• Enable VLANs under Configure / Addressing and change the address per the diagram.
• Ensure that non-tagged traffic will be part of VLAN1 (native VLAN)
• Reserve IP addresses .1 through .10 under DHCP Settings
• Enable site-to-site VPN with the following settings: mesh site-to-site VPN, check VPN health & status
  Split tunnel mode
  Hub-and-spoke topology (the “SEVT – Security Appliance” as the Hub)
  Advertise the default subnet to your neighbors
• Check the Route Table and VPN Status under Monitoring
• Apply the following global default policies (Hint: the section below does not use group policies)
  Completely block BitTorrent
  For Netflix and Pandora, shape traffic to 100K down, 50K up. Ensure they are low priority and are marked appropriately.
  For all voice and video conferencing, remove all bandwidth restrictions and apply priority/marking as needed.
  Apply content filtering for adult websites
  Restrict traffic to and from North Korea (hint: this is a L7 firewall policy)
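An added Python sketch (not from the workshop or from Meraki) of the two VPN settings in this lab: which tunnels the automated site-to-site VPN builds for a mesh versus a hub-and-spoke topology, and where a peer forwards a packet given the subnets its peers advertise (the default subnet plus the Student/Staff static routes marked “In VPN” in the switch lab) and split tunnel mode. The peer names, the hub's 192.168.221.0/24 subnet and the spoke-to-spoke relay through the hub are constructed assumptions for stations X=1 and X=2.

```python
import ipaddress

def vpn_tunnels(peers, topology, hub=None):
    """Tunnels built for the topology: every pair for mesh, spoke<->hub otherwise."""
    names = sorted(peers)
    if topology == "mesh":
        return {frozenset((a, b)) for i, a in enumerate(names) for b in names[i + 1:]}
    if topology == "hub-and-spoke":
        return {frozenset((hub, s)) for s in names if s != hub}
    raise ValueError(f"unknown topology {topology!r}")

def advertising_peer(peers, dst_ip):
    """Peer whose advertised subnet contains dst_ip (longest prefix), or None."""
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for name, subnets in peers.items():
        for s in subnets:
            net = ipaddress.ip_network(s)
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def vpn_next_hop(peers, tunnels, src, dst_ip, hub=None, split_tunnel=True):
    """How peer `src` forwards dst_ip: ('vpn', peer) into a tunnel, 'local', or None."""
    owner = advertising_peer(peers, dst_ip)
    if owner == src:
        return "local"                       # destination is on src's own LAN
    if owner is None:                        # not advertised by any VPN peer
        if split_tunnel:
            return "local"                   # split tunnel: Internet-bound traffic exits locally
        owner = hub                          # full tunnel: default route goes to the hub
    if frozenset((src, owner)) in tunnels:
        return ("vpn", owner)                # direct tunnel to the advertising peer
    if hub and frozenset((src, hub)) in tunnels and frozenset((hub, owner)) in tunnels:
        return ("vpn", hub)                  # spoke-to-spoke traffic relayed by the hub (assumption)
    return None

# Constructed lab: the SEVT hub plus two student MXs (X=1, X=2). Each student MX
# advertises its default subnet and the Student/Staff static routes marked "In VPN".
LAB_PEERS = {
    "SEVT - Security Appliance": ["192.168.221.0/24"],
    "LAB 1": ["192.168.201.0/24", "10.0.101.0/24", "10.0.201.0/24"],
    "LAB 2": ["192.168.202.0/24", "10.0.102.0/24", "10.0.202.0/24"],
}
HUB = "SEVT - Security Appliance"
```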
Complete Campus Switching Portfolio
• 14 models scaling from access to campus aggregation
• Enterprise-class performance and reliability including non-blocking Gigabit performance, 802.3af/at PoE/PoE+ on all ports, 10GbE uplinks, and voice and video QoS
Feature highlights: Voice and video QoS, Dynamic Routing, Layer 7 app visibility, Virtual stacking, Enterprise security, ACLs, Remote packet capture, cable testing
MS Switching: Models
MS220
• Features: 8, 24, 48 port models; Layer 2; Gigabit SFP uplinks; Supports rack-mounted RPS 2300¹; Integrated fans
• Ideal scenarios: Access switching at branch sites; Deep visibility into clients, applications; Energy savings (PoE/PoE+ models)
MS320
• Features: 24, 48 port models; Layer 3; 10Gb SFP+ uplinks; Hot-swappable, redundant PSU (with integrated fans)
• Ideal scenarios: Mission critical access switching; Fast uplink requirements; High availability environments; Next-generation 802.11ac wireless (MR34); Deep visibility into clients, applications; Energy savings (PoE/PoE+ models)
MS420
• Features: 24, 48 port models; Layer 3; 10Gb SFP+ interfaces; Hot-swappable, redundant PSUs; Field-replacement fans; Management port
• Ideal scenarios: Campus aggregation switching; Unified management from access to aggregation layer; Space-constrained locations
¹ except 8-port models
2014 Release – Mission critical features
• OSPF: Dynamic routing with intuitive, browser-based configuration
• IPv6 visibility and tracking: Usage statistics for IPv6 addresses now in Dashboard
• DHCP server: Integrated DHCP service to help prevent single points of network failure
• IPv4 Access Control Lists (ACLs): Granular security boundaries configurable by subnet, protocol, port range, or host
• Virtual Router Redundancy Protocol (VRRP) with DHCP Failover support: High availability via a warm spare with automatic failover and DHCP failover support
Addressing evolving customer needs around redundancy, campus connectivity, and reducing complexity
MS Configuration Part 1
• Verify that your switch is operational under the Monitoring page (green status, passing traffic)
• Click on the “Initialize layer 3 features” link to add the following SVIs:
  Name: Route to MX, Subnet: 192.168.(200+X).0/24, Interface IP: 192.168.(200+X).2, Gateway: 192.168.(200+X).1
  Name: Student, Subnet: 10.0.(100+X).0/24, Interface IP: 10.0.(100+X).1, VLAN: 100
  Name: Staff, Subnet: 10.0.(200+X).0/24, Interface IP: 10.0.(200+X).1, VLAN: 200
  Name: OSPF, Subnet: 192.168.0.0/24, Interface IP: 192.168.0.X, VLAN: 600
• Enable DHCP Server for the Student and Staff subnets
• Go back to the MX Appliance and create static routes for the Student and Staff subnets with the gateway IP address set to your L3 switch SVI. Also check the “In VPN” option.
• Configure OSPF with the following settings:
  First configure switch port 25 to be access VLAN 600
  Enable OSPF with default Area 0
  Edit the Student, Staff and OSPF interfaces to use the default Area 0
  Below, make sure that statically assigned routes override OSPF
• Verify the OSPF neighbors and routes on the switch Monitoring page
• Start a ping to 192.168.221.1 and try again with port 25 disabled (wait about 30 sec).
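To see what the last step exercises, here is an added Python model (not from the workshop or from Meraki) of the switch's route selection for station X=1: longest prefix first, then static preferred over OSPF as the lab asks, with every route over a downed SVI withdrawn when port 25 (the only port in VLAN 600) is disabled. The preference numbers, the OSPF neighbour 192.168.0.254, the prefixes learned from it and the extra 10.0.250.0/24 prefix are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Route preference, lower wins; static below OSPF because the lab asks that
# statically assigned routes override OSPF (numbers are an assumption, not Meraki's).
PREFERENCE = {"connected": 0, "static": 1, "ospf": 110}

@dataclass
class Route:
    prefix: str     # destination network
    source: str     # "connected", "static" or "ospf"
    next_hop: str   # gateway, or "-" for a directly connected subnet
    interface: str  # SVI the route is reached through

class L3Switch:
    def __init__(self, routes):
        self.routes, self.down = list(routes), set()

    def set_interface(self, interface, up):
        # Disabling port 25 takes VLAN 600 down: the SVI's connected route and the
        # routes learned from the OSPF neighbour on that VLAN are withdrawn.
        self.down.discard(interface) if up else self.down.add(interface)

    def lookup(self, dst):
        """Longest prefix wins; on a tie the lower-preference source wins."""
        addr, best = ipaddress.ip_address(dst), None
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if r.interface in self.down or addr not in net:
                continue
            key = (net.prefixlen, -PREFERENCE[r.source])
            if best is None or key > best[0]:
                best = (key, r)
        return best[1] if best else None

def lab_switch(x=1):
    """Station X's switch from MS Configuration Part 1. The OSPF-learned prefixes,
    the neighbour 192.168.0.254 and the 10.0.250.0/24 prefix are constructed."""
    mx = f"192.168.{200 + x}.1"                    # gateway of the Route to MX SVI
    return L3Switch([
        Route(f"192.168.{200 + x}.0/24", "connected", "-", "route-to-mx"),
        Route(f"10.0.{100 + x}.0/24", "connected", "-", "vlan100"),
        Route(f"10.0.{200 + x}.0/24", "connected", "-", "vlan200"),
        Route("192.168.0.0/24", "connected", "-", "vlan600"),
        Route("0.0.0.0/0", "static", mx, "route-to-mx"),
        Route("192.168.221.0/24", "ospf", "192.168.0.254", "vlan600"),
        Route("10.0.250.0/24", "ospf", "192.168.0.254", "vlan600"),
        Route("10.0.250.0/24", "static", mx, "route-to-mx"),  # static overrides OSPF
    ])
```

With VLAN 600 down, 192.168.221.1 no longer matches the OSPF route and falls back to the static default via the MX at 192.168.201.1.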
MS Configuration Part 2
Configure VoIP:
• Under Configure / Switch Ports, select ports 5-10 and hit Edit on top
• Update the tag field with the word “Phone”
• Change the type to Access and update the VLANs to 100 and 600 for data and voice respectively
• Save the changes
Create a new port schedule:
• Name it “energy-saving”
• Select the “8 to 5 on weekdays only” template
• Save the changes
• Go back to port configuration and apply the port schedule to all the ports with the tag “phone”
(Optional) Cable test and packet capture:
• Go to the Switch monitoring page and click on port 1
• Run a cable test by clicking on the little arrow next to it
• When that’s successful, click on the “run a packet capture on this port” link
• Change the output to “Stream to CloudShark” and the duration to 10 sec
• Wait for the link to CloudShark to appear under the capture button and click on it to view
Wireless Access Points
• 7 models including indoor / outdoor, high performance and value-priced
• Enterprise-class silicon including RF optimization, PoE, voice / video support
• Lifetime warranty on indoor APs
Feature highlights: BYOD policies, Application traffic shaping, Guest access, Enterprise security, Location analytics, WIPS – 3rd Security Radio
Third radio tames hostile RF environments
• Radio dedicated to scanning and protecting the RF environment
• Instantly detects and mitigates interference, vulnerabilities, and attacks on all channels
• Third radio enables full-time scanning with full-performance client access on 2.4 GHz and 5 GHz radios
• Deeply integrated with cloud-based software solutions: Air Marshal (security), Auto RF (performance)
No added cost or complexity
• Typical deployments: radio operates in background (zero-config)
• Power users: rich tools available for security and RF management
• No added cost: no extra hardware, software, or licenses
Bluetooth and Beacons
• Bluetooth & BLE integrated in many consumer devices already
• Beacons use BLE for location services like asset tracking, mobile commerce, and nav
• iBeacon is Apple’s BLE trademark
• Gaining traction as an opt-in alternative to WiFi-based location services
MR32, MR72: Integrated Bluetooth to drive location trends
Use Case: Location Engagement with Beacons
• Seamless site-wide deployment by integrating Beacons into the AP
• Better consumer experience with opt-in mobile app integration
• Increased customer visibility with both WiFi and Bluetooth analytics built-in
Use Case: Asset Tracking with Bluetooth
• Seamless site-wide deployment with Bluetooth integrated into the AP
• Track Beacon-tagged assets with Bluetooth scanning and location estimation
• Increased administrative visibility with both WiFi and Bluetooth inventory built-in
MR Configuration (APs have been turned off)
• Verify that your AP is operational under the Monitoring page (green status, passing traffic)
• Rename the existing SSID under Configuration to “LAB X - Student” and enable two additional SSIDs for Staff and Guest
• On your Staff SSID, use WPA2-Enterprise for authentication and add a RADIUS server with IP address 192.168.221.1, port 1812 and shared key “meraki123”. Change client IP assignment to “Bridge Mode” and VLAN tagging to 200
• On your Student SSID, leave association Open but change the splash page to “Sign on with my AD server” and add the same IP address as above with any admin credentials. Change client IP assignment to “Bridge Mode” and VLAN tagging to 100
• On the Guest SSID, ensure the users sign on with a simple click-through splash page that refreshes every half hour (hint: customize it under Configure / Splash Page). Select NAT Mode for client IP assignment to use the Meraki AP as DHCP server.
• Under Configure / Firewall & Traffic Shaping, select the Guest SSID and create L7 firewall rules to block P2P File Sharing and Gaming on this SSID. Also, limit the per-client bandwidth to 1 Mbps
Cloud-managed Device Mobility
• Flexible, easy provisioning
• Centrally scale 100,000s of devices worldwide
• Auto-tagging, dynamic security compliance
• Integrate seamlessly with the rest of your Cisco Meraki network
Deployment & Rollout
One-step Enrollment
• Browser: m.meraki.com with NetworkID
• SM app: NetworkID or QR code
• Email/SMS: enrollment link
Automatic Enrollment
• Meraki integrates directly with Apple’s DEP portal
• Supervise devices, disable profile removal, skip setup
Secure Enrollment by user/group
• Authenticate device enrollment
• Automatically inventory devices
• Automatically license and push apps
• Automatically configure email, network access
Software & App Management
• Grant and revoke VPP licenses directly from the Meraki Dashboard
• Remotely install and inventory MSI and PKG files across devices
• Auto push and remove apps by department/student/class/school using AD groups and bulk tagging
• Blacklist/monitor for inappropriate apps and automatically restrict/lock-down
Bonus Lab Demonstration
• Onboarding: Clients will download System Manager upon joining. Firewall blocks everything else.
• More Security with MDM: Only allow clients with SM installed on this SSID. Use MR as DHCP server.
• Just for Fun: Try wishing for “konami code”