CMNADoc.pdf

May 20, 2019 | Author: zanrax | Category: Network Switch, Radius, Computer Network, Ip Address, Malware

Last update: 30 August 2016

Training Manual: Certified Meraki Networking Associate program

Introduction

You have recently been hired to manage the IT systems for a local, family-owned coffee and sandwich shop in San Francisco. Mission Sandwiches has managed to survive with a consumer ISP-provided gateway for many years, but the recent rise in online orders, increased sales, and the demand for guest Internet access has them excited about an enterprise solution. As their new IT admin, you suggest that Mission Sandwiches try Cisco Meraki as a solution that will not only fit their needs now, but can also scale with them as they grow their existing location or expand to multiple locations. In order to get started, you’ve decided to equip them with some Meraki gear.

Your Site

1 x MX80 - Security Gateway
1 x MS220-24P - 24 port Gigabit PoE Switch (with 4 SFP ports)
1 x MR32 (or MR26) - triple-radio 802.11ac (or 802.11n) wireless access point
4 x CAT5e Cable - 3’ Ethernet patch cable
1 x iPad - Apple iPad tablet

Dashboard Access

Your Dashboard login credentials (where n is your lab station number):
Site: dashboard.meraki.com
Username: [email protected]
Password: meraki123

Apple ID Information

The iPad may ask you to log in with Apple ID credentials when installing apps:
Username: [email protected]
Password: Meraki2016

Important note: Be sure you are selecting the correct Organization for your CMNA session. Your instructor will provide the correct session number.

Please take note of how your lab station is arranged and keep all the components to your lab station as you will be asked to reset it to exactly the way you found it.

CMNA technical training

Network Diagram

Network Configuration Information

Subnet Information (Parts 1 & 2)

VLAN 1 - Name: Native, Subnet: 10.0.[n].0/24, Gateway (MX IP): 10.0.[n].1
VLAN 100 - Name: Corporate, Subnet: 10.0.[100 + n].0/24, Gateway (MX IP): 10.0.[100 + n].1
VLAN 200 - Name: Voice, Subnet: 10.0.[200 + n].0/24, Gateway (MX IP): 10.0.[200 + n].1

Where n is your lab station number.

LAB A | Small / Medium Site

To get started, let’s set up your first three pieces of Meraki gear and a Point-of-sale iPad. Meraki Support has already set up a Dashboard account and added the gear to a network. Also, the gear has already been powered up for you.

Have a setup question? Product manuals are available at: http://docs.meraki.com

Exercise 1 - Initial MX Security Appliance Setup (15 mins)

1. Make sure you are connected to the CMNA wireless network (DO NOT connect your computer to MX via Ethernet yet). Disable any client VPN software running on your laptop.
2. Sign in to dashboard.meraki.com using the credentials provided. Select the appropriate Session number. If you do not know your Session number, ask your trainer. From the network drop-down at the top of the page, choose your “Lab [n]” network.
3. Under the Security Appliance > Monitor > Appliance status tab, edit the configuration to change the name of your MX security appliance to “Lab [n] Security Appliance” and update the physical address to your current city.
4. Blink the LEDs of the MX to make sure you’re configuring the correct stack.
5. Since this network is pretty basic, you don’t need to segment it into VLANs. However, you will need to update the default addressing space to match the table below:

   Local LAN Subnet
   Local LAN (Default) - Subnet: 10.0.[n].0/24, Gateway (MX IP): 10.0.[n].1
   Where n is your lab station number.

6. Verify that DHCP is running on your Local LAN.
   Note: Make sure you disable your wireless card before testing the step below.
7. Plug your computer into LAN port 4 on the MX and confirm that you get a DHCP lease in the IP space you configured previously. You can do this by navigating to wired.meraki.com, the local status page hosted on the MX.

Exercise 2 - Initial MS Switch Setup (5 mins)

Note: The Access switch you are setting up is the bottom switch in your stack.

1. Navigate to the Switch > Switches page. Select your switch and rename it “ACCESS” and update the physical address to your current city.
2. On the Switch ports page, rename port 1 “WIRELESS” and port 24 “UPLINK”.
3. Using one of your patch cables, connect port 24 on your switch to port 2 on the MX Security Appliance.

Exercise 3 - Initial MR Wireless Access Point Setup (10 mins)

1. Connect your wireless access point to port 1 on your connected switch.
2. Rename the access point “Lab [n] AP” and update the physical location to your current city.
3. On the AP details page, you should be able to see how the AP is connected back into the network. Confirm the AP is plugged into port 1, and click the port. This should bring you to the details page for port 1 on your switch.
4. Ensure that your AP is connected at 1 Gbps to a trunk port with native VLAN 1, all VLANs allowed.

Exercise 4 - Guest WiFi Setup (15 mins)

One of the most common requests the owner hears from their customers is for Guest WiFi access when they’re in the shop.

1. On the Wireless > SSIDs tab, rename the only enabled SSID to “Lab [n] GUEST”.
2. Secure the SSID with a WPA2-PSK password – “California”.
3. Create a click-through splash page so that guests have to acknowledge your terms and conditions before they are allowed on the network.
4. The AP itself should handle DHCP for this SSID, so ensure NAT mode is enabled.
5. On the Wireless > Firewall and traffic shaping page, apply a bandwidth limit of 500 Kbps per device to prevent guests from hogging all of the bandwidth.
6. Guests shouldn’t have any access to internal resources, so Deny all traffic to the Local LAN.

The owners don’t want guests to be able to access the SSID outside business hours, so you decide to take advantage of the SSID availability feature.
Note: Make sure to set & verify your local network time zone.

7. On the SSID availability page, enable Scheduled availability for business hours only (8:00 - 19:00 (7 pm)).
8. Disconnect the Ethernet cable from your laptop. Connect to your new guest SSID.
9. Confirm the bandwidth limit you set in Step 5 is functioning using a site like speedtest.net and check your IP information.
   Note: After testing, make sure you connect back to the CMNA SSID so your laptop isn’t subject to the 500 Kbps limit for the rest of the lab.

In order to better track sales and make transactions more efficient, the owners have expressed interest in utilizing an iPad as a Point-of-Sale system. You will enroll the iPad and set up a group policy to test the viability of this solution. Cisco Meraki’s Systems Manager mobile device management (MDM) platform is an enterprise-grade solution that will allow you to manage the iPad from the same Dashboard you use to manage the rest of your Meraki networking gear.

Exercise 4 - Systems Manager Enrollment (5 mins)

Select the Systems Manager network from the list of networks on the left side of the Dashboard.

1. On your iPad, make sure you are connected to the CMNA SSID. Open the Safari browser. Navigate to m.meraki.com, and enter your network ID from Dashboard.
   Hint: Your Network ID can be found by clicking the blue “Add devices” button in the clients section.
2. Follow the instructions on the iPad to complete the setup.
3. Verify that you can see your iPad client in Dashboard under Monitor > Clients. Click on your device and check the available battery and storage space.
4. When prompted to install the Meraki SM app on your iPad, click Install.

Exercise 5 - Creating a Group Policy (10 mins)

In preparation for the iPad connecting to the network as your point-of-sale device, navigate to the Network-wide > Group policies page and create a group policy with the following attributes:

1. Name the policy “Cashier iPads”.
2. Set up a Custom firewall and shaping rule to block all Social web and Gaming websites.
3. Additionally, you don’t want the cashier to be shopping on the payment terminal, so in the ‘security appliance only’ section append shopping to the blocked website categories.

We won’t apply the group policy to a client yet. That will come in a later section.

Great Job! You’ve completed the setup for your small, single location and have a full Meraki network up and running. The cash register and credit card machine can get secure access via their wired connections, and guests have isolated, Internet-only access. Feel free to move onto the next section prior to the product overview section or feel free to complete the following bonus exercise:

Bonus Exercise - MAC Whitelisting on Access Ports (5 min)

Only authorized devices should be connected at the store to the access switch. Create a MAC whitelist rule so that the only device that can pass traffic on a particular port is their company workstation.

1. Create a MAC Whitelist entry on ports 2-10 on the access switch using a MAC address of aa:bb:cc:aa:bb:cc. Test it by plugging your laptop into one of those switch ports. Your laptop shouldn’t get an IP address or be able to pass any traffic.

LAB B | Large Site / Campus

Since deploying their enterprise network, Mission Sandwiches is beginning to achieve national brand recognition! They’ve just secured their first round of financing and are preparing to franchise out the brand to multiple stores around the country. In preparation for expansion, the company has acquired the upper floors of their building for space to house the business development, marketing, and finance departments of the quickly growing company.

Have a technical question or having issues? The Cisco Meraki Knowledge Base is available at: http://documentation.meraki.com

Exercise 1 - Logically Segment the Corporate Network (10 mins)

In order to segment the network for better control and security, you decide to use VLANs to separate internal Corporate and Voice traffic from network control traffic on the native VLAN.
Note: To connect back to Dashboard, connect your laptop back to port 4 on the MX.

1. Enable VLANs on the Security Appliance. Create two new VLANs: Corporate and Voice, based on the subnet information below:

   Corporate & Voice VLAN Subnets
   VLAN 100 - Name: Corporate, Subnet: 10.0.[100 + n].0/24, Gateway (MX IP): 10.0.[100 + n].1
   VLAN 200 - Name: Voice, Subnet: 10.0.[200 + n].0/24, Gateway (MX IP): 10.0.[200 + n].1
   Where n is your lab station number.

2. Verify that all ports in the per-port VLAN configuration on the MX are enabled and set as trunks for the native VLAN and all VLANs are allowed.
3. On the DHCP page, verify that DHCP is running for each of the new VLANs you set up.
4. You’ll want to make sure you save some IP addresses for your internal use. Reserve DHCP addresses .1-.20 on the native VLAN for that use.

Exercise 2 - Network Security with Systems Manager (10 mins)

One of the major security risks for any network comes from mobile devices. In many cases, these devices have access to sensitive internal documents or enterprise apps, yet they can be easily lost or stolen. Now that your iPad is enrolled in your Systems Manager network, create a policy to make sure it’s secured with a passcode.

1. Navigate to settings in your Systems Manager network found on the left side of Dashboard in the network listing.
2. On the Settings tab, click the large + icon to create a New Meraki managed profile.
3. Name the profile “Cashier iPads” and define the Scope to apply the profile to devices with “any of the following tags.”
4. In the Device tags section, create a “cashier” tag and Save Changes at the bottom of the page.
   Hint: To create the tag, you will need to select the ‘add option’ link after typing in the desired tag string.
5. Navigate to Systems Manager > Settings and add a simple value, alphanumeric passcode with a minimum length of 6 characters, and at least 1 complex character on the device.
6. Since the iPad will only be used for transactions, make sure that the camera is disabled and that screenshots are not allowed.
7. Apply the “cashier” tag to the iPad you enrolled previously to push the profile to the device.
8. Navigate to the home screen. When prompted, set the passcode to ‘abc123!’ without the quotes. Make sure you cannot take a screenshot on the iPad.

Exercise 3 - Add a New Core Switch (5 mins)

Given that Mission Sandwiches has grown significantly, there has been contention for port density and bandwidth on the network. You need to deploy a second switch to meet the new requirements. Luckily, Meraki has shipped an additional MS220 to the site. Now, you must add it to the company Organization within Dashboard.
Note: The Core switch you are setting up is the top switch in your gear stack.

1. On the Switch > Switches page, click the “Add Switches” button on the top right, above the list of available switches.
2. Now on the Inventory page, claim your Core switch into the Organization using the serial number on the front or back of the device. This option can be found at the right of the page.
3. Select your switch and add it to your Lab station switching network.
4. Rename your new switch “CORE” and update the physical address to your current city.

Exercise 4 - Connect the Core Switch (10 mins)

1. On the Monitor > Switch ports page, rename port 24 on your Core switch “to MX80”. This is the port you’ll use to uplink your new core switch directly to the MX Security Appliance.
   Hint: Use the search bar to easily find the ports for your newly-named Core switch.
2. You also want increased throughput from your Access switch to the Core. Aggregate ports 20 and 21 on your Core switch and rename the aggregate port “to Access”.
   Hint: You can use the ‘help’ link next to the search box on the Switch ports page to learn the syntax necessary to search only for ports 20 and 21.
3. Using the same search string, aggregate ports 20 and 21 on the Access switch. Rename the aggregate port “to Core”.
4. Physically connect ports 20/21 on both switches, and disconnect the uplink from the MX to your Access switch. Going forward, traffic from the access layer should flow through the Core before getting to the Security Appliance, so connect port 24 on your Core switch to port 3 on the MX.
5. On the port status page in Dashboard, verify that you’re getting 2Gb/s between your switches rather than the standard 1Gb/s.

Exercise 5 - Switch Port Configuration (5 min)

1. In the same manner that you searched for ports using virtual stacking in Exercise 4, select ports 2-5 on your Access switch and configure these selected ports as access ports on VLAN 100. Name each port “DATA”.
2. Now, select ports 6-10 on your Access switch and configure them as access ports on VLAN 200, with each port named as “VoIP”.
   Note: We are not using the “Voice VLAN” field yet. We will use that in a later exercise.
3. Select only the access ports labeled DATA and VoIP (ports 2-10) and enable BPDU Guard to protect against non-authorized switches. Be sure that you do not enable this on your trunk ports or on your uplink ports as it will break the connection between your switches.
   Hint: You can search for “is:access” to find all of your access ports.

Exercise 6 - Configure STP / RSTP for Your Switch (5 min)

1. Verify that RSTP is enabled for your switch. For more information on RSTP, refer to the Meraki RSTP Documentation.
2. Update the Core switch bridge priority to ensure that it will always remain the root switch in the network.
3. Verify that Core was indeed elected as the root switch for your campus.

Exercise 7 - Voice VLAN & Packet Capture (10 mins)

Mission Sandwiches recently purchased a top notch Cisco VoIP solution. Normally, employees plug their laptops into the secondary Ethernet port of their phone. It is your job to re-configure and test interoperability with the VoIP solution and your PoE switch.

1. Configure ports 11-15 on the Access switch as access ports to VLAN 100 with a Voice VLAN configured as VLAN 200 and name them “Workstation” as these ports will be used for desks using both a computer and a phone.
2. Once configured, plug your laptop into port 11 on the Access switch to bring the port up.
3. Go to switch.meraki.com and verify that you have an IP address on VLAN 100.
4. Use the live packet capture tool to stream a high verbosity packet capture on port 11 to Dashboard with a filter expression of:

   ether proto 0x88cc

   This capture should contain evidence that your voice VLAN is working properly.
   Hint: The filter expression will filter for LLDP advertisements that show the switch is advertising the Voice VLAN for the applicable ports. Once the capture is complete, search the page for the Application Type field under the Network Policy subtype. If nothing appears, try the capture again. If you still don’t see anything, verify your port configuration with your instructor.
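The Application Type field that the hint in step 4 asks you to look for sits in the LLDP-MED Network Policy TLV; the following parser is an added example, not part of the original manual, showing where that field and the advertised voice VLAN ID live in the frame. The sample frame is constructed (not a real capture), its MAC address, priority and DSCP values are made up, and all function names are hypothetical.

```python
import struct

LLDP_ETHERTYPE = 0x88CC             # what "ether proto 0x88cc" matches
TIA_OUI = bytes.fromhex("0012bb")   # OUI carried by LLDP-MED TLVs
NETWORK_POLICY = 2                  # LLDP-MED subtype "Network Policy"
APP_TYPES = {1: "Voice", 2: "Voice Signaling", 3: "Guest Voice",
             4: "Guest Voice Signaling", 5: "Softphone Voice",
             6: "Video Conferencing", 7: "Streaming Video",
             8: "Video Signaling"}


def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_frame(voice_vlan=None):
    """Constructed LLDP frame (not a real capture) from a switch port."""
    mac = bytes.fromhex("020000000b0b")               # made-up source MAC
    frame = bytes.fromhex("0180c200000e") + mac       # LLDP multicast dst
    frame += struct.pack("!H", LLDP_ETHERTYPE)
    frame += tlv(1, b"\x04" + mac)                    # Chassis ID (MAC)
    frame += tlv(2, b"\x07" + b"11")                  # Port ID (local name)
    frame += tlv(3, struct.pack("!H", 120))           # TTL in seconds
    if voice_vlan is not None:
        # Application type 1 (Voice), tagged, VLAN ID, priority 5, DSCP 46.
        bits = (1 << 24) | (1 << 22) | (voice_vlan << 9) | (5 << 6) | 46
        policy = TIA_OUI + bytes([NETWORK_POLICY]) + struct.pack("!I", bits)
        frame += tlv(127, policy)                     # organizationally specific
    return frame + tlv(0, b"")                        # End of LLDPDU


def iter_tlvs(payload):
    """Yield (type, value) pairs, rejecting TLVs that overrun the frame."""
    offset = 0
    while offset + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(payload):
            raise ValueError("truncated TLV")
        if tlv_type == 0:                             # End of LLDPDU
            return
        yield tlv_type, payload[offset:offset + length]
        offset += length


def network_policies(frame):
    """Return the LLDP-MED Network Policy entries advertised in one frame."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        raise ValueError("not an untagged LLDP frame")
    found = []
    for tlv_type, value in iter_tlvs(frame[14:]):
        if tlv_type != 127 or len(value) < 8:
            continue
        if value[:3] != TIA_OUI or value[3] != NETWORK_POLICY:
            continue
        (bits,) = struct.unpack("!I", value[4:8])
        app = bits >> 24
        found.append({
            "application_type": APP_TYPES.get(app, f"Reserved ({app})"),
            "unknown_policy": bool(bits >> 23 & 1),
            "tagged": bool(bits >> 22 & 1),
            "vlan_id": bits >> 9 & 0xFFF,
            "l2_priority": bits >> 6 & 0x7,
            "dscp": bits & 0x3F,
        })
    return found


def voice_vlan_advertised(frame, expected_vlan):
    """True when the frame advertises a Voice policy on the expected VLAN."""
    return any(p["application_type"] == "Voice" and p["vlan_id"] == expected_vlan
               for p in network_policies(frame))


if __name__ == "__main__":
    print(network_policies(build_sample_frame(200)))
```

A port with no Voice VLAN configured yields an empty list, which is the "nothing appears" case the hint describes.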

Exercise 8 - Configure a Port Schedule for your VoIP Ports (5 min)

You want to save power and secure your environment after hours. Use the port schedule feature to configure this functionality.

1. Navigate to Configure > Port Schedules.
   Note: Be sure the correct local time zone is set on the network.
2. Create a new schedule named “Power Saving” to turn off ports during nonbusiness hours (assume a work schedule of 8:00 - 19:00 (7 pm)).
3. Apply the port schedule to ports 6-10 on your Access switch (your VoIP ports). Do not apply to your switch’s uplink ports.

Exercise 9 - Corporate WiFi Setup (15 min)

Set up a Corporate SSID on your wireless network. Rename it “Lab [n] CORP” (where n is your station number), enable the SSID, then navigate to Wireless > Access Control and configure the following settings:

1. Use a WPA2-PSK of ikarem123.
2. Enable a splash page with the “Meraki Authentication” option.
3. This network needs access to your internal resources, so put it in Bridge mode under client IP assignment.
4. Use VLAN tagging and assign all APs to VLAN 100 for the Corp SSID.
5. Disable bit rates below 12 Mbps (legacy bitrates).
6. Ensure all LAN access is permitted in the wireless firewall settings.
7. Restrict the per-client bandwidth to 2 Mbps.
8. Use Cisco Meraki’s traffic shaping rules to set a 500 Kbps limit on software updates to limit unnecessary background resource utilization and throttle YouTube traffic to 20 Kbps up/down.
9. Take it one step further and show management Cisco Meraki’s layer 7 firewall rules. Deny applications: iTunes and Peer-to-Peer. Finally, deny HTTP hostname of “espn.com”.
10. Navigate to Network-wide > Users. The credentials you used to log into Dashboard will be automatically populated. Authorize your lab [n] account to grant it the ability to be used to log in on the configured splash page.
11. Connect to your new Corporate SSID and confirm that the YouTube site is very slow to load.

Exercise 10 - Traffic Prioritization and Bandwidth Control (5 mins)

Now that so many more devices are on the network, you want to make sure certain types of traffic, like the VoIP and video conferencing solutions you are leveraging within your environment, take priority over other types of traffic.

1. Navigate to the traffic shaping section for the MX security appliance.
2. Create a new traffic shaping rule to give VoIP and video traffic unlimited bandwidth and High priority on the network.
   Note: The goal of this is not to limit VoIP traffic but rather to prioritize it. For more information on how the priority is calculated, refer to the Traffic Priorities KB article.

Exercise 11 - Pushing Apps with Systems Manager (5 mins)

Remember, the iPad is going to be used as a point-of-sale device. In preparation for being shipped out to one of the new locations, the iPad needs to have the Square Register app installed.

1. In Systems Manager, push the Square Register app to any device with the “cashier” tag.

Exercise 12 - Increasing Network Security with the MX (15 mins)

1. Many basic security threats can be taken care of simply by blocking access to risky websites. Create content filtering rules to block the following categories: Bot Nets, Confirmed Spam, Malware Sites, Spyware & Adware.
2. Additionally, some of the content on the site “thehackerblog.com” might inspire malicious behavior. Create a Blocked URL pattern to block the site. Save the changes and move on for now.
3. Peer-to-peer traffic on the network presents a security threat and can also hog valuable bandwidth on the network. Create a Layer 7 firewall rule on your MX to block all Peer-to-peer and Web file sharing traffic.
4. In order to cover threats that may be arriving via malicious methods, enable Malware detection and Intrusion Detection and Prevention (IDS/IPS). For now, a Balanced approach to blocking threats should be sufficient.
5. Now open a web browser and attempt to browse to “thehackerblog.com” to test your blocked URL pattern.

Nice Work! In that short amount of time you connected a core switch, set up link aggregation for higher switch capacity and density in the corporate environment and configured RSTP for your switch fabric to reduce unnecessary broadcast overhead on the network. You also created a port schedule and configured port security for better power and port management. Furthermore, you created a Corporate SSID to support the ever-growing needs of wireless devices on the network. Feel free to move on to the next lab if you are finished prior to the Distributed Enterprise presentation, or you can add additional security to the network in the following bonus exercises:

Bonus Exercise 1 - Prepare Switches for RADIUS Authentication (10 min)

In order to leverage the new RADIUS server that will be handling authentication at the campus, we will need to configure a static IP address on both of the Access and Core switches for this branch. The static IP address information is below:

Core: 10.0.[n].2/24
Access: 10.0.[n].3/24

1. Set the static IP addresses on the Access switch first and then the Core switch and verify both still have connectivity to the cloud.
2. Test connectivity to the RADIUS servers by pinging them at 10.0.60.10 and 10.0.70.10 from your computer.

Bonus Exercise 2 - Configure Switch Access Policies (15 min)

1. Corporate policy now favors 802.1X port authentication in place of local MAC whitelisting. We now need to configure an 802.1X access policy and place that on the ports that originally had MAC whitelisting in place.
2. Navigate to Switch > Access policies and add an Access policy.
3. Name the access policy “Lab [n] RADIUS” where n is your lab station number.
4. Configure an access policy with two RADIUS servers using the information below. The access policy should have the following attributes:

   Host (1): 10.0.60.10
   Host (2): 10.0.70.10
   Port (1 & 2): 1812
   Secret (1 & 2): meraki123
   Access Policy Type: 802.1X
   Guest VLAN: Disabled

5. Upon successful configuration, apply this access policy to the ports configured for MAC whitelisting if you did the last bonus; if not, configure this on your DATA ports.
   Note: You can find all ports with a MAC whitelist applied by using the omnibox to search for the term: mac_whitelist:*

LAB C | Distributed Enterprise

So far, we’ve seen the Meraki solution scale nicely alongside Mission Sandwiches. The company is now ready to franchise out their business to many different locations. As part of this move, upper management wants you to set up a branch pilot. You will utilize your stack of gear as the stack for the branch pilot; the campus will be represented in the HQ stack.

Looking for datasheets, whitepapers or solution guides? Check out the Meraki Library at: http://meraki.cisco.com/library/

Exercise 1 - Site-to-Site VPN Configuration (10 min)

To make the pilot easier, you’ve taken some gear from the campus for this deployment which already has minimal configuration on it for Internet connectivity. Your branch will connect via VPN back to the corporate campus and also leverage services such as RADIUS that have been set up over the VPN connection. Let’s get this branch connected back to HQ via a site-to-site VPN tunnel.

1. Connect your laptop to an MX port and verify you get a DHCP address and still have an internet connection.
2. Configure a hub-and-spoke, split-tunnel VPN with your branch MX as a spoke and the HQ MX as the hub.
3. Make sure your Default (Native) and Corporate VLANs are the only subnets being advertised in the VPN.
4. Determine if other branch pilot labs are online using the Security Appliance > Monitor > VPN Status Page.
   Note: The VPN status page will not populate until you have configured your site-to-site VPN. If you don’t see this option, try refreshing your browser page.
5. Verify that you can ping the internal address of your neighbor’s MX. This address should be 10.0.[n].1 where n is their lab station number.

Exercise 2 - Group Policies with Systems Manager Sentry (25 min)

Now that a number of iPads will be out in the field to process credit card transactions, it’s time to enroll your iPad in the “Cashier iPads” group policy you created in Part A of the lab. Systems Manager Sentry policies allow you to enroll devices in network group policies based on device tags, so you’ll leverage the fact that you’ve already tagged the iPad with “cashier” in Part B.

1. Under Network-wide, navigate to the Sentry policies page.
2. Add a new group policy MDM scope and select your Systems Manager network from the Dashboard network listing on the left side of the page.
3. Elect to have the “Cashier iPads” group policy you created in Part A applied to any device with the “cashier” Systems Manager tag. This setting will associate the “Cashier iPads” group policy to your device because it is tagged with the “cashier” tag.
4. Navigate back to the network client listing.
5. Verify that the ‘cashier iPads’ group policy applied to the iPad correctly.

Exercise 3 - Securing the Switch Fabric (10 minutes)

Now that we are connected via VPN to the HQ network, new policies need to be put into place to deny certain types of traffic across the switch fabric. In particular, corporate IP traffic from the remote branch should not be able to access the human resources file server. Configure an IPv4 ACL to block this traffic.

1. Move your laptop connection from the MX to an access port on the access switch and verify you get an IP address in the Corporate VLAN & internet access.
2. Navigate to Switch > IPv4 ACL and add a rule.
3. Configure a rule to deny any traffic from the Corporate IP subnet to the human resources file server at 10.0.50.100. Be sure that the protocol drop down is set to ‘any’ so that all traffic will be blocked to the file server.
4. Attempt to ping the HR file server from your computer; this should fail.
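To see why step 3 insists on protocol ‘any’ and what the rule does and does not cover, here is a small first-match model of that ACL, added as an example and not taken from the original manual or from Meraki's implementation. The function names are hypothetical, the host addresses are constructed, and the fall-through to "allow" for unmatched traffic is an assumption of the model.

```python
import ipaddress

HR_FILE_SERVER = "10.0.50.100"   # from step 3 of the exercise
RADIUS_SERVER = "10.0.60.10"     # from the lab's RADIUS server table


def lab_subnets(n):
    """Lab addressing plan for station n: third octet n, 100 + n, 200 + n."""
    if not 0 <= n <= 55:
        # Derived limit: 200 + n has to fit in a single IPv4 octet.
        raise ValueError("station number must be between 0 and 55")
    return {
        "Native": ipaddress.ip_network(f"10.0.{n}.0/24"),
        "Corporate": ipaddress.ip_network(f"10.0.{100 + n}.0/24"),
        "Voice": ipaddress.ip_network(f"10.0.{200 + n}.0/24"),
    }


def hr_deny_rule(n, protocol="any"):
    """The rule from step 3: deny Corporate subnet -> HR file server."""
    return {
        "action": "deny",
        "protocol": protocol,
        "src": lab_subnets(n)["Corporate"],
        "dst": ipaddress.ip_network(f"{HR_FILE_SERVER}/32"),
    }


def evaluate(rules, src, dst, protocol):
    """Return the action of the first matching rule.

    Assumption of this model: traffic that matches no rule is allowed.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["protocol"] not in ("any", protocol):
            continue
        if src_ip in rule["src"] and dst_ip in rule["dst"]:
            return rule["action"]
    return "allow"


if __name__ == "__main__":
    station = 7                              # constructed station number
    laptop = "10.0.107.25"                   # constructed Corporate VLAN host
    rules = [hr_deny_rule(station)]
    for proto in ("icmp", "tcp", "udp"):
        print(proto, evaluate(rules, laptop, HR_FILE_SERVER, proto))
    # A rule limited to TCP would leave the ping in step 4 working.
    print(evaluate([hr_deny_rule(station, "tcp")], laptop, HR_FILE_SERVER, "icmp"))
    # RADIUS over the VPN and hosts in other VLANs are outside the rule.
    print(evaluate(rules, laptop, RADIUS_SERVER, "udp"))
    print(evaluate(rules, "10.0.207.25", HR_FILE_SERVER, "tcp"))
```

The last line shows the rule's scope: a host in the Voice VLAN is not matched, so only the Corporate subnet named in the exercise is cut off from the file server.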

Exercise 4 - Securing Corporate Wireless (10 min)

Recent security concerns necessitate enabling WPA2-Enterprise for the corporate SSID to bring an added layer of security to the network. You will need to configure the Corporate SSID to authenticate against the Corporate RADIUS server over the VPN.

1. Navigate to the ‘Access control’ settings for the Corporate SSID.
2. The Corporate SSID is currently set to have users associate with a pre-shared key and sign into a splash page using Meraki authentication. Change this so that users associate with WPA2-Enterprise & a RADIUS server and disable the sign on splash page.
3. Configure the RADIUS server using the same information you used for port authentication on the switch:

   Host (1): 10.0.60.10
   Host (2): 10.0.70.10
   Port (1 & 2): 1812
   Secret (1 & 2): meraki123

4. Test authentication to the RADIUS server again with the following credentials:

   User: lab[n]@meraki.com.test
   Password: meraki123

5. If the test was successful, connect to the Corporate SSID again and this time you should be prompted to log in. Use the above credentials to associate.

Exercise 5 - Preventing Stolen iPads (10 min)

In order to be notified in the event of theft, you need to configure a Geofence that will alert you in the event the iPad is removed from the branch location.

1. Navigate to Systems Manager > Geofencing and select ‘Add new,’ located at the right side of the page.
2. Name the Geofencing policy Lab_n_Geofence (where n is the lab station number).
3. This Geofence should apply to devices with the ‘cashier’ tag and should encompass the area around your current location.
4. After you save the configuration, navigate to Systems Manager > Alerts and configure Dashboard to alert you if a device violates a Geofence policy.

Exercise 6 - Summary Reports (10 min)

As part of managing many more locations, reporting is more important than ever. You will need to test network summary reporting from Dashboard. For this pilot you just want to see information about switch port utilization.

1. Navigate to Network-wide > Summary report.
2. Set a search parameter in the dropdown at the top of the page for Lab[n] Switch with All devices. You also want to see information for the last week.
   Note: You may not see any information when the report is generated given the small amount of time your network has been online.
3. You also want these reports to be emailed on a scheduled basis, a week at a time, to the CEO of the company at [email protected].

Exercise 7 - Dealing with Stolen Devices (10 min)

Your branch pilot has been running smoothly for the last few weeks. Everything seems to be working fine and management of the new company is satisfied with the solution.

Today, however, one of the cashier iPads was stolen by a disgruntled employee. You’ve received an alert that it has violated the geofence, but the employee is long gone. You decide to wipe the iPad to remove any sensitive information and access.

1. Navigate to your Systems Manager network and locate the Clients page.
2. Select the iPad.
3. Completely erase the iPad so that it is set back to factory default settings.

Congratulations!  Thanks to you, Mission Sandwiches has been able to adopt an enterprise solution that has scaled with the company’s growth. You’ve expanded their small original location to a large enterprise and even helped the company support a multi-site architecture. Before you leave, there’s just one last task to complete...

Be sure your trainer has signed off on your lab before leaving for the day!

Branch Pilot Reset

1. Reset the lab station to the way it was when you found it (bundled cables, neat and tidy, power off your APs). Your station should look exactly the way it was when you found it.
2. Confirm that you properly wiped your iPad in the final step of the Systems Manager exercises, plug the iPad into a charger, and have your lab checked by your trainer before leaving.
