
Last update: 30 August 2016

Training Manual

Certified Meraki Networking Associate program

Introduction
You have recently been hired to manage the IT systems for a local,
family-owned coffee and sandwich shop in San Francisco. Mission
Sandwiches has managed to survive with a consumer ISP-provided
gateway for many years, but the recent rise in online orders, increased
sales, and the demand for guest Internet access has them excited
about an enterprise solution.
As their new IT admin, you suggest that Mission Sandwiches try Cisco
Meraki as a solution that will not only fit their needs now, but can
also scale with them as they grow their existing location or expand to
multiple locations.
In order to get started, you've decided to equip them with some
Meraki gear.

Your Site
1 x MX80 - Security Gateway
1 x MS220-24P - 24 port Gigabit PoE Switch (with 4 SFP ports)
1 x MR32 (or MR26) - triple-radio 802.11ac (or 802.11n) wireless access point
4 x CAT5e Cable - 3 Ethernet patch cable
1 x iPad - Apple iPad tablet

Dashboard Access
Your Dashboard login credentials (where n is your lab station number):
Site: dashboard.meraki.com
Username: labn@meraki.com.test
Password: meraki123

Apple ID Information
The iPad may ask you to login with Apple ID credentials when installing apps:
Username: partner.training@meraki.com
Password: Meraki2016
Important note: Be sure you are selecting the correct Organization for your CMNA session.
Your instructor will provide the correct session number.

Please take note of how your lab station is arranged and keep all the components to your lab station as you will be asked to reset it to exactly the way you
found it.

CMNA technical training

Network Diagram


Network Configuration Information


Subnet Information
(Parts 1 & 2)

VLAN 1
Name: Native
Subnet: 10.0.[n].0/24
Gateway (MX IP): 10.0.[n].1
VLAN 100
Name: Corporate
Subnet: 10.0.[100 + n].0/24
Gateway (MX IP): 10.0.[100 + n].1
VLAN 200
Name: Voice
Subnet: 10.0.[200 + n].0/24
Gateway (MX IP): 10.0.[200 + n].1
Where n is your lab station number


LAB A | Small / Medium Site


To get started, let's set up your first three pieces of Meraki gear and
a Point-of-sale iPad. Meraki Support has already set up a Dashboard
account and added the gear to a network.
Also, the gear has already been powered up for you.
Have a setup question? Product manuals are available at: http://docs.meraki.com

Exercise 1 - Initial MX Security Appliance Setup (15 mins)


1. Make sure you are connected to the CMNA wireless network (DO NOT connect
your computer to MX via Ethernet yet). Disable any client VPN software running
on your laptop.

2. Sign in to dashboard.meraki.com using the credentials provided. Select the
appropriate Session number. If you do not know your Session number, ask
your trainer. From the network drop-down at the top of the page, choose your
Lab [n] network.

3. Under the Security Appliance > Monitor > Appliance status tab, edit the
configuration to change the name of your MX security appliance to Lab [n]
Security Appliance and update the physical address to your current city.

4. Blink the LEDs of the MX to make sure you're configuring the correct stack.

5. Since this network is pretty basic, you don't need to segment it into VLANs.
However, you will need to update the default addressing space to match the
table below:

Local LAN Subnet

Local LAN (Default)
Subnet: 10.0.[n].0/24
Gateway (MX IP): 10.0.[n].1
Where n is your lab station number

6. Verify that DHCP is running on your Local LAN.

Note: Make sure you disable your wireless card before testing the step below.

7. Plug your computer into LAN port 4 on the MX and confirm that you get a DHCP
lease in the IP space you configured previously. You can do this by navigating to
wired.meraki.com, the local status page hosted on the MX.


Exercise 2 - Initial MS Switch Setup (5 mins)


Note: The Access switch you are setting up is the bottom switch in your stack.

1. Navigate to the Switch > Switches page. Select your switch and rename it
ACCESS and update the physical address to your current city.

2. On the Switch ports page, rename port 1 WIRELESS and port 24 UPLINK.

3. Using one of your patch cables, connect port 24 on your switch to port 2 on the
MX Security Appliance.

Exercise 3 - Initial MR Wireless Access Point Setup (10 mins)


1. Connect your wireless access point to port 1 on your connected switch.

2. Rename the access point Lab [n] AP and update the physical location to your
current city.

3. On the AP details page, you should be able to see how the AP is connected back
into the network. Confirm the AP is plugged into port 1, and click the port. This
should bring you to the details page for port 1 on your switch.

4. Ensure that your AP is connected at 1 Gbps to a trunk port with native VLAN 1,
all VLANs allowed.

Exercise 4 - Guest WiFi Setup (15 mins)


One of the most common requests the owner hears from their customers is for Guest
WiFi access when they're in the shop.

1. On the Wireless > SSIDs tab, rename the only enabled SSID to Lab [n] GUEST.

2. Secure the SSID with a WPA2-PSK password California.

3. Create a click-through splash page so that guests have to acknowledge your
terms and conditions before they are allowed on the network.

4. The AP itself should handle DHCP for this SSID, so ensure NAT mode is enabled.

5. On the Wireless > Firewall and traffic shaping page, apply a bandwidth limit of
500 Kbps per device to prevent guests from hogging all of the bandwidth.

6. Guests shouldn't have any access to internal resources, so Deny all traffic to the
Local LAN.

The owners don't want guests to be able to access the SSID outside business hours, so
you decide to take advantage of the SSID availability feature.

Note: Make sure to set & verify your local network time zone.

7. On the SSID availability page, enable Scheduled availability for business hours
only (8:00 - 19:00 (7 pm)).

8. Disconnect the Ethernet cable from your laptop. Connect to your new guest
SSID.

9. Confirm the bandwidth limit you set in Step 5 is functioning using a site like
speedtest.net and check your IP information.

Note: After testing, make sure you connect back to the CMNA SSID so your laptop
isn't subject to the 500 Kbps limit for the rest of the lab.

In order to better track sales and make transactions more efficient, the owners have
expressed interest in utilizing an iPad as a Point-of-Sale system. You will enroll the
iPad and set up a group policy to test the viability of this solution.
Cisco Meraki's Systems Manager mobile device management (MDM) platform is
an enterprise-grade solution that will allow you to manage the iPad from the same
Dashboard you use to manage the rest of your Meraki networking gear.

Exercise 4 - Systems Manager Enrollment (5 mins)


Select the Systems Manager network from the list of networks on the left side of the
Dashboard.
1. On your iPad, make sure you are connected to the CMNA SSID. Open the
Safari browser. Navigate to m.meraki.com, and enter your network ID from
Dashboard.

Hint: Your Network ID can be found by clicking the blue Add devices button in the
clients section.

2. Follow the instructions on the iPad to complete the setup.

3. Verify that you can see your iPad client in Dashboard under Monitor > Clients.
Click on your device and check the available battery and storage space.

4. When prompted to install the Meraki SM app on your iPad, click Install.

Exercise 5 - Creating a Group Policy (10 mins)


In preparation for the iPad connecting to the network as your point-of-sale device,
navigate to the Network-wide > Group policies page and create a group policy with
the following attributes:
1. Name the policy Cashier iPads.

2. Set up a Custom firewall and shaping rule to block all Social web and Gaming
websites.

3. Additionally, you don't want the cashier to be shopping on the payment
terminal so in the security appliance only section append shopping to the
blocked website categories.

We won't apply the group policy to a client yet. That will come in a later section.

Great Job!
You've completed the setup for your small, single location and have a full Meraki
network up and running. The cash register and credit card machine can get secure
access via their wired connections, and guests have isolated, Internet-only access.
Feel free to move onto the next section prior to the product overview section or
feel free to complete the following bonus exercise:

Bonus Exercise - MAC Whitelisting on Access Ports (5 min)


Only authorized devices should be connected at the store to the access switch.
Create a MAC whitelist rule so that the only device that can pass traffic on a
particular port is their company workstation.
1. Create a MAC Whitelist entry on ports 2-10 on the access switch using a MAC
address of aa:bb:cc:aa:bb:cc. Test it by plugging your laptop into one of those
switch ports. Your laptop shouldn't get an IP address or be able to pass any
traffic.

LAB B | Large Site / Campus


Since deploying their enterprise network, Mission Sandwiches is
beginning to achieve national brand recognition! They've just secured
their first round of financing and are preparing to franchise out the
brand to multiple stores around the country.
In preparation for expansion, the company has acquired the upper
floors of their building for space to house the business development,
marketing, and finance departments of the quickly growing company.
Have a technical question or having issues? The Cisco Meraki Knowledge Base
is available at: http://documentation.meraki.com

Exercise 1 - Logically Segment the Corporate Network (10 mins)


In order to segment the network for better control and security, you decide to use
VLANs to separate internal Corporate and Voice traffic from network control traffic on
the native VLAN.

Note: To connect back to Dashboard connect your laptop back to port 4 on the MX.

1. Enable VLANs on the Security Appliance. Create two new VLANs: Corporate and
Voice, based on the subnet information below:

Corporate & Voice VLAN Subnets

VLAN 100
Name: Corporate
Subnet: 10.0.[100 + n].0/24
Gateway (MX IP): 10.0.[100 + n].1
VLAN 200
Name: Voice
Subnet: 10.0.[200 + n].0/24
Gateway (MX IP): 10.0.[200 + n].1
Where n is your lab station number

2. Verify that all ports in the per-port VLAN configuration on the MX are enabled
and set as trunks for the native VLAN and all VLANs are allowed.

3. On the DHCP page, verify that DHCP is running for each of the new VLANs you
set up.

4. You'll want to make sure you save some IP addresses for your internal use.
Reserve DHCP addresses .1-.20 on the native VLAN for that use.


Exercise 2 - Network Security with Systems Manager (10 mins)


One of the major security risks for any network comes from mobile devices. In many
cases, these devices have access to sensitive internal documents or enterprise apps,
yet they can be easily lost or stolen. Now that your iPad is enrolled in your Systems
Manager network, create a policy to make sure it's secured with a passcode.

1. Navigate to settings in your Systems Manager network found on the left side of
Dashboard in the network listing.

2. On the Settings tab, click the large + icon to create a New Meraki managed
profile.

3. Name the profile Cashier iPads and define the Scope to apply the profile to
devices with any of the following tags.

4. In the Device tags section, create a cashier tag and Save Changes at the bottom
of the page.

Hint: To create the tag, you will need to select the add option link after typing in the
desired tag string.

5. Navigate to Systems Manager > Settings and add a simple value, alphanumeric
passcode with a minimum length of 6 characters, and at least 1
complex character on the device.

6. Since the iPad will only be used for transactions, make sure that the camera is
disabled and that screenshots are not allowed.

7. Apply the cashier tag to the iPad you enrolled previously to push the profile to
the device.

8. Navigate to the home screen. When prompted, set the passcode to "abc123!"
without the quotes. Make sure you cannot take a screenshot on the iPad.

Exercise 3 - Add a New Core Switch (5 mins)


Given that Mission Sandwiches has grown significantly, there has been contention for
port density and bandwidth on the network. You need to deploy a second switch to
meet the new requirements. Luckily, Meraki has shipped an additional MS220 to the
site. Now, you must add it to the company Organization within Dashboard.

Note: The Core switch you are setting up is the top switch in your gear stack.

1. On the Switch > Switches page, click the Add Switches button on the top right,
above the list of available switches.

2. Now on the Inventory page, claim your Core switch into the Organization using
the serial number on the front or back of the device. This option can be found at
the right of the page.

3. Select your switch and add it to your Lab station switching network.

4. Rename your new switch CORE and update the physical address to your
current city.

Exercise 4 - Connect the Core Switch (10 mins)


1. On the Monitor > Switch ports page, rename port 24 on your Core switch to
MX80. This is the port you'll use to uplink your new core switch directly to the
MX Security Appliance.

Hint: Use the search bar to easily find the ports for your newly-named Core switch.

2. You also want increased throughput from your Access switch to the Core.
Aggregate ports 20 and 21 on your Core switch and rename the aggregate port
to Access.

Hint: You can use the help link next to the search box on the Switch ports page to
learn the syntax necessary to search only for ports 20 and 21.

3. Using the same search string, aggregate ports 20 and 21 on the Access switch.
Rename the aggregate port to Core.

4. Physically connect ports 20/21 on both switches, and disconnect the uplink from
the MX to your Access switch. Going forward, traffic from the access layer should
flow through the Core before getting to the Security Appliance, so connect port
24 on your Core switch to port 3 on the MX.

5. On the port status page in Dashboard, verify that you're getting 2Gb/s between
your switches rather than the standard 1Gb/s.


Exercise 5 - Switch Port Configuration (5 min)


1. In the same manner that you searched for ports using virtual stacking in Exercise
4, select ports 2-5 on your Access switch and configure these selected ports as
access ports on VLAN 100. Name each port DATA.

2. Now, select ports 6-10 on your Access switch and configure them as access ports
on VLAN 200, with each port named as VoIP.

Note: We are not using the Voice VLAN field yet. We will use that in a later exercise.

3. Select only the access ports labeled DATA and VoIP (ports 2-10) and enable
BPDU Guard to protect against non-authorized switches. Be sure that you do
not enable this on your trunk ports or on your uplink ports as it will break the
connection between your switches.

Hint: You can search for is:access to find all of your access ports.

Exercise 6 - Configure STP / RSTP for Your Switch (5 min)


1. Verify that RSTP is enabled for your switch. For more information on RSTP, refer
to the Meraki RSTP Documentation.

2. Update the Core switch bridge priority to ensure that it will always remain the
root switch in the network.

3. Verify that Core was indeed elected as the root switch for your campus.

Exercise 7 - Voice VLAN & Packet Capture (10 mins)


Mission Sandwiches recently purchased a top notch Cisco VoIP solution. Normally,
employees plug their laptops into the secondary Ethernet port of their phone. It is
your job to re-configure and test interoperability with the VoIP solution and your PoE
switch.
1. Configure ports 11-15 on the Access switch as access ports to VLAN 100 with
a Voice VLAN configured as VLAN 200 and name them Workstation as these
ports will be used for desks using both a computer and a phone.

2. Once configured, plug your laptop into port 11 on the Access switch to bring the
port up.

3. Go to switch.meraki.com and verify that you have an IP address on VLAN 100.

4. Use the live packet capture tool to stream a high verbosity packet capture on
port 11 to Dashboard with a filter expression of:

ether proto 0x88cc

This capture should contain evidence that your voice VLAN is working properly.

Hint: The filter expression will filter for LLDP advertisements that show the switch is
advertising the Voice VLAN for the applicable ports. Once the capture is complete,
search the page for the Application Type field under the Network Policy subtype. If
nothing appears, try the capture again. If you still don't see anything, verify your port
configuration with your instructor.
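
The fields the hint asks you to look for can be decoded by hand. The following is an added example, not part of the original manual or of any Meraki tool: it parses the LLDP-MED Network Policy TLV from a raw Ethernet frame and reports the Application Type and VLAN ID. The sample frame, its source MAC, and the priority and DSCP values are constructed for illustration; only VLAN 200 and port 11 come from this exercise.

```python
import struct

LLDP_ETHERTYPE = 0x88CC              # matched by the filter "ether proto 0x88cc"
TIA_OUI = bytes.fromhex("0012bb")    # OUI that marks LLDP-MED organizational TLVs
MED_NETWORK_POLICY = 2               # LLDP-MED subtype "Network Policy"
APP_TYPES = {
    1: "Voice", 2: "Voice Signaling", 3: "Guest Voice",
    4: "Guest Voice Signaling", 5: "Softphone Voice",
    6: "Video Conferencing", 7: "Streaming Video", 8: "Video Signaling",
}


def tlv(tlv_type, value):
    """Build one LLDP TLV: 7-bit type and 9-bit length packed into two bytes."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(payload):
    """Yield (type, value) for each TLV in an LLDPDU, stopping at End of LLDPDU."""
    offset = 0
    while offset + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(payload):
            raise ValueError("truncated TLV")
        yield tlv_type, payload[offset:offset + length]
        offset += length
        if tlv_type == 0:
            return


def network_policies(frame):
    """Decode every LLDP-MED Network Policy TLV in an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != LLDP_ETHERTYPE:
        return []                     # not LLDP, the capture filter would drop it
    policies = []
    for tlv_type, value in iter_tlvs(frame[14:]):
        if tlv_type != 127 or len(value) != 8:
            continue                  # only organizationally specific TLVs of the right size
        if value[:3] != TIA_OUI or value[3] != MED_NETWORK_POLICY:
            continue
        app = value[4]
        bits = int.from_bytes(value[5:8], "big")   # U, T, X, VLAN(12), prio(3), DSCP(6)
        policies.append({
            "application_type": APP_TYPES.get(app, f"Reserved ({app})"),
            "unknown_policy": bool((bits >> 23) & 1),
            "tagged": bool((bits >> 22) & 1),
            "vlan_id": (bits >> 9) & 0xFFF,
            "l2_priority": (bits >> 6) & 0x7,
            "dscp": bits & 0x3F,
        })
    return policies


def build_sample_frame(voice_vlan):
    """Constructed LLDP frame advertising a tagged Voice policy (sample data only)."""
    dst = bytes.fromhex("0180c200000e")   # LLDP multicast destination
    src = bytes.fromhex("020000000001")   # constructed, locally administered MAC
    policy_bits = (1 << 22) | (voice_vlan << 9) | (5 << 6) | 46  # tagged, prio 5, DSCP 46
    med = TIA_OUI + bytes([MED_NETWORK_POLICY, 1]) + policy_bits.to_bytes(3, "big")
    lldpdu = (
        tlv(1, b"\x04" + src)             # Chassis ID, subtype 4 = MAC address
        + tlv(2, b"\x07" + b"11")         # Port ID, subtype 7 = locally assigned
        + tlv(3, struct.pack("!H", 120))  # Time To Live in seconds
        + tlv(127, med)                   # LLDP-MED Network Policy
        + tlv(0, b"")                     # End of LLDPDU
    )
    return dst + src + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


if __name__ == "__main__":
    for policy in network_policies(build_sample_frame(200)):
        print(policy)
```

If the port is missing its Voice VLAN setting, no Network Policy TLV with Application Type Voice and VLAN 200 appears in the capture, which is the condition the hint tells you to check for.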

Exercise 8 - Configure a Port Schedule for your VoIP Ports (5 min)


You want to save power and secure your environment after hours. Use the port
schedule feature to configure this functionality.
1. Navigate to Configure > Port Schedules.

2. Create a new schedule named Power Saving to turn off ports during
non-business hours (assume a work schedule of 8:00 - 19:00 (7 pm)).

3. Apply the port schedule to ports 6-10 on your Access switch (your VoIP ports).
Do not apply to your switch's uplink ports.

Note: Be sure the correct local time zone is set on the network.

Exercise 9 - Corporate WiFi Setup (15 min)


Set up a Corporate SSID on your wireless network. Rename it Lab [n] CORP (where n
is your station number), enable the SSID, then navigate to Wireless > Access Control
and configure the following settings:
1. Use a WPA2-PSK of ikarem123.

2. Enable a splash page with the Meraki Authentication option.

3. This network needs access to your internal resources, so put it in Bridge mode
under client IP assignment.

4. Use VLAN tagging and assign all APs to VLAN 100 for the Corp SSID.

5. Disable bit rates below 12 Mbps (legacy bitrates).

6. Ensure all LAN access is permitted in the wireless firewall settings.

7. Restrict the per-client bandwidth to 2 Mbps.

8. Use Cisco Meraki's traffic shaping rules to set a 500 Kbps limit on software
updates to limit unnecessary background resource utilization and throttle
YouTube traffic to 20 Kbps up/down.

9. Take it one step further and show management Cisco Meraki's layer 7 firewall
rules. Deny applications: iTunes and Peer-to-Peer. Finally, deny HTTP hostname
of espn.com.

10. Navigate to Network-wide > Users. The credentials you used to log into
Dashboard will be automatically populated. Authorize your lab [n] account to
grant it the ability to be used to login on the configured splash page.

11. Connect to your new Corporate SSID and confirm that the YouTube site is very
slow to load.

Exercise 10 - Traffic Prioritization and Bandwidth Control (5 mins)


Now that so many more devices are on the network you want to make sure certain
types of traffic, like the VoIP and video conferencing solutions you are leveraging
within your environment, take priority over other types of traffic.
1. Navigate to the traffic shaping section for the MX security appliance.

2. Create a new traffic shaping rule to give VoIP and video traffic unlimited
bandwidth and High priority on the network.

Note: The goal of this is not to limit VoIP traffic but rather to prioritize it. For more
information on how the priority is calculated, refer to the Traffic Priorities KB article.

Exercise 11 - Pushing Apps with Systems Manager (5 mins)


Remember, the iPad is going to be used as a point-of-sale device. In preparation for
being shipped out to one of the new locations, the iPad needs to have the Square
Register app installed.

1. In Systems Manager, push the Square Register app to any device with the
cashier tag.

Exercise 12 - Increasing Network Security with the MX (15 mins)


1. Many basic security threats can be taken care of simply by blocking access to
risky websites. Create content filtering rules to block the following categories:
Bot Nets, Confirmed Spam, Malware Sites, Spyware & Adware.

2. Additionally, some of the content on the site thehackerblog.com might inspire
malicious behavior. Create a Blocked URL pattern to block the site. Save the
changes and move on for now.

3. Peer-to-peer traffic on the network presents a security threat and can also hog
valuable bandwidth on the network. Create a Layer 7 firewall rule on your MX to
block all Peer-to-peer and Web file sharing traffic.

4. In order to cover threats that may be arriving via malicious methods, enable
Malware detection and Intrusion Detection and Prevention (IDS/IPS). For now, a
Balanced approach to blocking threats should be sufficient.

5. Now open a web browser and attempt to browse to thehackerblog.com to test
your blocked URL pattern.

Nice Work!
In that short amount of time you connected a core switch, set up link aggregation for
higher switch capacity and density in the corporate environment and configured
RSTP for your switch fabric to reduce unnecessary broadcast overhead on the
network. You also created a port schedule and configured port security for better
power and port management.
Furthermore, you created a Corporate SSID to support the ever growing needs of
wireless devices on the network.
Feel free to move onto the next lab if you are finished prior to the Distributed
Enterprise presentation or you can add additional security to the network in the
following bonus exercises:

Bonus Exercise 1 - Prepare Switches for RADIUS Authentication (10 min)

In order to leverage the new RADIUS server that will be handling authentication at
the campus, we will need to configure a static IP address on both of the Access and
Core switches for this branch. The static IP address information is below:

Core: 10.0.[n].2/24
Access: 10.0.[n].3/24

1. Set the static IP addresses on the Access switch first and then the Core switch
and verify both still have connectivity to the cloud.

2. Test connectivity to the RADIUS servers by pinging them at 10.0.60.10 and
10.0.70.10 from your computer.

Bonus Exercise 2 - Configure Switch Access Policies (15 min)


1. Corporate policy now favors 802.1X port authentication in place of local MAC
whitelisting. We now need to configure an 802.1X access policy and place
that on the ports that originally had MAC whitelisting in place.

2. Navigate to Switch > Access policies and add an Access policy.

3. Name the access policy Lab [n] RADIUS where n is your lab station number.

4. Configure an access policy with two RADIUS servers using the information
below. The access policy should have the following attributes:

Host (1): 10.0.60.10
Host (2): 10.0.70.10
Port (1 & 2): 1812
Secret (1 & 2): meraki123
Access Policy Type: 802.1X
Guest VLAN: Disabled

5. Upon successful configuration, apply this access policy to the ports configured for
MAC whitelisting if you did the last bonus; if not, configure this on your DATA
ports.

Note: You can find all ports with a MAC whitelist applied by using the omnibox to
search for the term: mac_whitelist:*

LAB C | Distributed Enterprise


So far, we've seen the Meraki solution scale nicely alongside Mission
Sandwiches. The company is now ready to franchise out their business
to many different locations. As part of this move, upper management
wants you to set up a branch pilot.
You will utilize your stack of gear as the stack for the branch pilot; the
campus will be represented in the HQ stack.
Looking for datasheets, whitepapers or solution guides?
Check out the Meraki Library at: http://meraki.cisco.com/library/

Exercise 1 - Site-to-Site VPN Configuration (10 min)


To make the pilot easier you've taken some gear from the campus for this deployment
which already has minimal configuration on it for Internet connectivity.
Your branch will connect via VPN back to the corporate campus and also leverage
services such as RADIUS that have been set up over the VPN connection. Let's get this
branch connected back to HQ via a site-to-site VPN tunnel.

1. Connect your laptop to an MX port and verify you get a DHCP address and still
have an internet connection.

2. Configure a hub-and-spoke, split-tunnel VPN with your branch MX as a spoke
and the HQ MX as the hub.

3. Make sure your Default (Native) and Corporate VLANs are the only subnets
being advertised in the VPN.

4. Determine if other branch pilot labs are online using the Security Appliance >
Monitor > VPN Status Page.

Note: The VPN status page will not populate until you have configured your
site-to-site VPN. If you do not see this option, try refreshing your browser page.

5. Verify that you can ping the internal address of your neighbor's MX. This address
should be 10.0.[n].1 where n is their lab station number.

Exercise 2 - Group Policies with Systems Manager Sentry (25 min)


Now that a number of iPads will be out in the field to process credit card transactions,
it's time to enroll your iPad in the Cashier iPads group policy you created in Part A
of the lab. Systems Manager Sentry policies allow you to enroll devices in network
group policies based on device tags, so you'll leverage the fact that you've already
tagged the iPad with cashier in Part B.

1. Under Network-wide, navigate to the Sentry policies page.

2. Add a new group policy MDM scope and select your Systems Manager network
from the Dashboard network listing on the left side of the page.

3. Elect to have the Cashier iPads group policy you created in Part A applied to
any device with the cashier Systems Manager tag. This setting will associate
the Cashier iPads group policy to your device because it is tagged with the
cashier tag.

4. Navigate back to the network client listing.

5. Verify that the cashier iPads group policy applied to the iPad correctly.

Exercise 3 - Securing the Switch Fabric (10 minutes)


Now that we are connected via VPN to the HQ network, new policies need to be
put into place to deny certain types of traffic across the switch fabric. In particular
corporate IP traffic from the remote branch should not be able to access the human
resources file server. Configure an IPv4 ACL to block this traffic.
1. Move your laptop connection from the MX to an access port on the access
switch and verify you get an IP address in the Corporate VLAN & internet access.

2. Navigate to Switch > IPv4 ACL and add a rule.

3. Configure a rule to deny any traffic from the Corporate IP subnet to the human
resources file server at 10.0.50.100. Be sure that the protocol drop down is
set to any so that all traffic will be blocked to the file server.

4. Attempt to ping the HR file server from your computer; this should fail.
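
The reason step 3 insists on protocol any shows up in the ping test of step 4. The following is an added example, not part of the original manual and not Meraki code: a small model of ACL matching that compares the rule from step 3 with a TCP-only variant. First-match evaluation with a trailing allow is an assumption of this model, and the station number and client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

HR_FILE_SERVER = "10.0.50.100"   # address given in step 3


@dataclass(frozen=True)
class AclRule:
    action: str        # "deny" or "allow"
    protocol: str      # "any", "tcp", "udp" or "icmp"
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"


def _net(cidr):
    """Turn "any" or a CIDR string into a network object."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def corporate_subnet(station):
    """Corporate VLAN 100 subnet from the lab addressing table: 10.0.[100 + n].0/24."""
    if not 1 <= station <= 55:
        raise ValueError("station number must keep 200 + n within one octet")
    return f"10.0.{100 + station}.0/24"


def hr_block_rule(station, protocol="any"):
    """The rule from step 3; pass protocol="tcp" to model the misconfiguration."""
    return AclRule("deny", protocol, corporate_subnet(station), HR_FILE_SERVER + "/32")


def evaluate(rules, protocol, src, dst):
    """Return the action of the first matching rule (model assumption: first match wins)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.protocol != "any" and rule.protocol != protocol:
            continue
        if src_ip in _net(rule.source) and dst_ip in _net(rule.destination):
            return rule.action
    return "allow"   # model assumption: traffic that matches no rule is allowed


def ping_is_blocked(rules, station):
    """Model the step 4 test: ICMP from a constructed Corporate client to the HR server."""
    client = f"10.0.{100 + station}.25"   # constructed client address
    return evaluate(rules, "icmp", client, HR_FILE_SERVER) == "deny"


if __name__ == "__main__":
    station = 7   # constructed lab station number
    print("protocol any :", ping_is_blocked([hr_block_rule(station)], station))
    print("protocol tcp :", ping_is_blocked([hr_block_rule(station, "tcp")], station))
```

With the TCP-only rule the ping in step 4 still succeeds, so a failing ping is what confirms the protocol field was set to any.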

Exercise 4 - Securing Corporate Wireless (10 min)


Recent security concerns necessitate enabling WPA2-Enterprise for the corporate
SSID to bring an added layer of security to the network. You will need to configure
the Corporate SSID to authenticate against the Corporate RADIUS server over the
VPN.
1. Navigate to the Access control settings for the Corporate SSID.

2. The Corporate SSID is currently set to have users associate with a pre-shared key
and sign into a splash page using Meraki authentication. Change this so that
users associate with WPA2-Enterprise & a RADIUS server and disable the sign on
splash page.

3. Configure the RADIUS server using the same information you used for port
authentication on the switch:

Host (1): 10.0.60.10
Host (2): 10.0.70.10
Port (1 & 2): 1812
Secret (1 & 2): meraki123

4. Test authentication to the RADIUS server again with the following credentials:

User: lab[n]@meraki.com.test
Password: meraki123

5. If the test was successful, connect to the Corporate SSID again and this time
you should be prompted to login. Use the above credentials to associate.

Exercise 5 - Preventing Stolen iPads (10 min)


In order to be notified in the event of theft you need to configure a Geofence that
will alert you in the event the iPad is removed from the branch location.
1. Navigate to Systems Manager > Geofencing and select Add new, located at
the right side of the page.

2. Name the Geofencing policy Lab_n_Geofence (where n is the lab station
number).

3. This Geofence should apply to devices with the cashier tag and should
encompass the area around your current location.

4. After you save the configuration, navigate to Systems Manager > Alerts and
configure Dashboard to alert you if a device violates a Geofence policy.

Exercise 6 - Summary Reports (10 min)


As part of managing many more locations, reporting is more important than ever.
You will need to test network summary reporting from Dashboard. For this pilot
you just want to see information about switch port utilization.
1. Navigate to Network-wide > Summary report.

2. Set a search parameter in the dropdown at the top of the page for Lab[n] Switch with All devices. You also want to see information for the last week.

Note: You may not see any information when the report is generated given the
small amount of time your network has been online.

3. You also want these reports to be emailed on a scheduled basis, a week at a time
to the CEO of the company at ceo@missionsandwiches.com.

Exercise 7 - Dealing with Stolen Devices (10 min)


Your branch pilot has been running smoothly for the last few weeks. Everything
seems to be working fine and management of the new company is satisfied with the
solution.
Today, however, one of the cashier iPads was stolen by a disgruntled employee.
You've received an alert that it has violated the geofence, but the employee is long
gone. You decide to wipe the iPad to remove any sensitive information and access.

1. Navigate to your Systems Manager network and locate the Clients page.

2. Select the iPad.

3. Completely erase the iPad so that it is set back to factory default settings.

Congratulations!
Thanks to you, Mission Sandwiches has been able to adopt an enterprise solution
that has scaled with the company's growth. You've expanded their small original
location to a large enterprise and even helped the company support a multi-site
architecture.
Before you leave, there's just one last task to complete...

Be sure your trainer has signed off on your lab before leaving for the day!

Branch Pilot Reset


1. Reset the lab station to the way it was when you found it (bundled cables, neat
and tidy, power off your APs). Your station should look exactly the way it was
when you found it.

2. Confirm that you properly wiped your iPad in the final step of the Systems
Manager exercises, plug the iPad into a charger, and have your lab checked
by your trainer before leaving.
