
Page 1: Cisco Cloud Networking Workshop

Cisco Cloud Networking Workshop Presenter: Jay Bradford CNG SE

Page 2: Cisco Cloud Networking Workshop

Housekeeping Notes May 13, 2015

Page 3: Cisco Cloud Networking Workshop

Thank you for attending Cisco Connect Toronto 2015. Here are a few housekeeping notes to ensure we all enjoy the session today.

•  Please ensure your cellphones / laptops are set on silent so that no one is disturbed during the session

•  A power bar is available under each desk in case you need to charge your laptop (Labs only)

Housekeeping Notes

Page 4: Cisco Cloud Networking Workshop

•  Cisco dCloud is a self-service platform that can be accessed via a browser, a high-speed Internet connection, and a cisco.com account

•  Customers will have direct access to a subset of dCloud demos and labs

•  Restricted content must be brokered by an authorized user (Cisco or Partner) and then shared with the customers (cisco.com user)

•  Go to dcloud.cisco.com, select the location closest to you, and log in with your cisco.com credentials

•  Review the getting started videos and try Cisco dCloud today: https://dcloud-cms.cisco.com/help

dCloud

Customers now get full dCloud experience!

Page 5: Cisco Cloud Networking Workshop

20 min Welcome and Introduction

30 min Dashboard Demo

5 min Local MX, MS and MR configuration

30 min MX | Security Appliances Lab

45 min MS | Access Switches Lab

30 min MR | Wireless Access Points Lab

15 min SM | System Manager Demo

5 min Q&A and Wrap-Up

Agenda

Page 6: Cisco Cloud Networking Workshop

Complete cloud-managed networking solution
•  Wireless, switching, security, WAN optimization, and MDM, centrally managed over the web
•  Built from the ground up for cloud management
•  Integrated hardware, software, and cloud services

Cloud Networking Leader
•  Cisco’s fastest-growing acquisition ever: over 100% annual growth
•  300,000+ customer networks in 147 countries
•  Tens of millions of devices connected worldwide

Recognized for innovation
•  Gartner Magic Quadrant
•  InfoWorld Technology of the Year
•  TechWorld Mobility product of the year
•  CRN Coolest Technologies

About Cisco cloud-managed networking

Page 7: Cisco Cloud Networking Workshop

Bringing the cloud to enterprise networks

Meraki MS Ethernet Switches

Meraki SM Mobile Device Management

Meraki MR Wireless LAN

Meraki MX Security Appliances

Page 8: Cisco Cloud Networking Workshop

Scalable
•  Unlimited throughput, no bottlenecks
•  Add devices or sites in minutes

Reliable
•  Highly available cloud with multiple datacenters
•  Network functions even if connection to cloud is interrupted
•  99.99% uptime SLA

Secure
•  No user traffic passes through cloud
•  Fully HIPAA / PCI DSS 3.0 compliant (level 1 certified)
•  3rd party security audits, daily penetration testing
•  Automatic firmware and security updates (user-scheduled)

Reliability and security information at meraki.cisco.com/trust

(Diagram: management data, 1 kb/s, carried over the WAN)

Out-of-band management in every product

Page 9: Cisco Cloud Networking Workshop

Cloud Licensing Model is Simple

Simple Cloud Licensing model
•  No per-feature or per-user licenses
•  Licensing options: 1 Year, 3 Year, 5 Year, 7 Year & 10 Year

Cloud License price is all inclusive
•  Cloud Management UI
•  24 x 7 phone support
•  Automated software updates
•  Advanced hardware replacement
•  All features built on the platform
•  All new features

Page 10: Cisco Cloud Networking Workshop

Dashboard Demo

Page 11: Cisco Cloud Networking Workshop

Hands-on Labs

Page 12: Cisco Cloud Networking Workshop

Go to dashboard.meraki.com and log in with:
•  username: [email protected]
•  password: meraki123

X is your station ID. Please select your network # on the top pull-down menu.

Page 13: Cisco Cloud Networking Workshop

Your lab gear lives in our SF office

Page 14: Cisco Cloud Networking Workshop

Network Topology (“X” is your lab station number)

Firewall Configuration:
•  VLAN1 (Default): Subnet 192.168.(200+X).0/24, Interface 192.168.(200+X).1

Switch Configuration:
•  VLAN1 (Route to MX): Subnet 192.168.(200+X).0/24, Interface 192.168.(200+X).2
•  VLAN100 (Student): Subnet 10.0.(100+X).0/24, Interface 10.0.(100+X).1
•  VLAN200 (Staff): Subnet 10.0.(200+X).0/24, Interface 10.0.(200+X).1
•  VLAN600 (OSPF): Subnet 192.168.0.0/24, Interface 192.168.0.X

Firewall

L3 Switch

MR18

Page 15: Cisco Cloud Networking Workshop

MX Security Appliance

Page 16: Cisco Cloud Networking Workshop

A Complete Unified Threat Management Solution

Application Control WAN Optimization, Traffic Shaping, Content Filtering

Security NG Firewall, Client VPN, Site to Site VPN, IDS/IPS, Anti-Malware, Geo-Firewall

Networking NAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing

Page 17: Cisco Cloud Networking Workshop

Choosing the right MX for your environment

•  Z1: for teleworkers (1-5 users); dual-radio wireless; FW throughput: 50 Mbps
•  MX64/64W: small branches (~50 users); FW throughput: 200 Mbps; unique feature: 802.11ac wireless (MX64W)
•  MX80: mid-size branches (~100 users); FW throughput: 250 Mbps; 5 x GbE Gigabit uplinks (up to 2 WAN)
•  MX100: mid-size branches (~500 users); FW throughput: 750 Mbps; 8 x GbE Gigabit uplinks (up to 2 WAN), 2 x GbE (SFP)
•  MX400: large branch/campus (~2,000 users); FW throughput: 1 Gbps; 8 x GbE Gigabit uplinks (up to 2 WAN), 8 x GbE (SFP), 4 x 10GbE (SFP+), built-in redundancy
•  MX600: large branch/campus (~10,000 users); FW throughput: 2 Gbps; 8 x GbE Gigabit uplinks (up to 2 WAN), 8 x GbE (SFP), 4 x 10GbE (SFP+), built-in redundancy

All devices support 3G/4G

Page 18: Cisco Cloud Networking Workshop

Automated site-to-site VPN

Site-to-site IPsec VPN in just two clicks in the Dashboard

•  Simple: creates L3 site-to-site VPN tunnels with just 2 clicks in the dashboard
•  Automatic: comparable to Cisco DMVPN, it creates a mesh or hub-and-spoke VPN tunnel between all peers and adjusts to IP changes
•  Resilient: automatic failover to a secondary WAN link or 3G/4G USB modem

Page 19: Cisco Cloud Networking Workshop

Ironclad security

•  Best IPS: Sourcefire IDS / IPS, updated every day
•  Content filtering: 4+ billion URLs, updated in real time
•  Geo-based security: block attackers from rogue countries
•  AV / anti-phishing: Kaspersky AV, updated every hour
•  PCI compliance: PCI L1 certified cloud-based management

Page 20: Cisco Cloud Networking Workshop

MX Configuration

•  Enable VLANs under Configure / Addressing and change the address per the diagram.
•  Ensure that non-tagged traffic will be part of VLAN1 (native VLAN).
•  Reserve IP addresses .1 through .10 under DHCP Settings.
•  Enable site-to-site VPN with the following settings:
   •  Mesh site-to-site VPN; check VPN health & status.
   •  Split tunnel mode, hub-and-spoke topology (the “SEVT – Security Appliance” as the Hub); advertise the default subnet to your neighbors; check the Route Table and VPN Status under Monitoring.
•  Apply the following global default policies (hint: this section does not use group policies):
   •  Completely block BitTorrent.
   •  For Netflix and Pandora, shape traffic to 100K down, 50K up. Ensure they are low priority and are marked appropriately.
   •  For all voice and video conferencing, remove all bandwidth restrictions and apply priority/marking as needed.
   •  Apply content filtering for adult websites.
   •  Restrict traffic to and from North Korea (hint: this is a L7 firewall policy).

Page 21: Cisco Cloud Networking Workshop

Complete Campus Switching Portfolio

•  14 models scaling from access to campus aggregation

•  Enterprise-class performance and reliability including non-blocking Gigabit performance, 802.3af/at PoE/PoE+ on all ports, 10GbE uplinks, and voice and video QoS

Voice and video QoS

Dynamic Routing

Layer 7 app visibility

Virtual stacking

Enterprise security, ACLs

Remote packet capture, cable testing

Feature highlights

Page 22: Cisco Cloud Networking Workshop

MS Switching: Models

MS220
Features:
•  8, 24, 48 port models
•  Layer 2
•  Gigabit SFP uplinks
•  Supports rack-mounted RPS 2300 (except 8-port models)
•  Integrated fans
Ideal scenarios:
•  Access switching at branch sites
•  Deep visibility into clients, applications
•  Energy savings (PoE/PoE+ models)

MS320
Features:
•  24, 48 port models
•  Layer 3
•  10Gb SFP+ uplinks
•  Hot-swappable, redundant PSU (with integrated fans)
Ideal scenarios:
•  Mission critical access switching
•  Fast uplink requirements
•  High availability environments
•  Next-generation 802.11ac wireless (MR34)
•  Deep visibility into clients, applications
•  Energy savings (PoE/PoE+ models)

MS420
Features:
•  24, 48 port models
•  Layer 3
•  10Gb SFP+ interfaces
•  Hot-swappable, redundant PSUs
•  Field-replacement fans
•  Management port
Ideal scenarios:
•  Campus aggregation switching
•  Unified management from access to aggregation layer
•  Space-constrained locations

Page 23: Cisco Cloud Networking Workshop

2014 Release – Mission critical features

•  OSPF: dynamic routing with intuitive, browser-based configuration
•  IPv6 visibility and tracking: usage statistics for IPv6 addresses now in Dashboard
•  DHCP server: integrated DHCP service to help prevent single points of network failure
•  IPv4 Access Control Lists (ACLs): granular security boundaries configurable by subnet, protocol, port range, or host
•  Virtual Router Redundancy Protocol (VRRP) with DHCP failover support: high availability via a warm spare with automatic failover and DHCP failover support

Addressing evolving customer needs around redundancy, campus connectivity, and reducing complexity

Page 24: Cisco Cloud Networking Workshop

MS Configuration Part 1

•  Verify that your switch is operational under the Monitoring page (green status, passing traffic).
•  Click on the “Initialize layer 3 features” link to add the following SVIs:
   •  Name: Route to MX, Subnet: 192.168.(200+X).0/24, Interface IP: 192.168.(200+X).2, Gateway: 192.168.(200+X).1
   •  Name: Student, Subnet: 10.0.(100+X).0/24, Interface IP: 10.0.(100+X).1, VLAN: 100
   •  Name: Staff, Subnet: 10.0.(200+X).0/24, Interface IP: 10.0.(200+X).1, VLAN: 200
   •  Name: OSPF, Subnet: 192.168.0.0/24, Interface IP: 192.168.0.X, VLAN: 600
•  Enable DHCP Server for the Student and Staff subnets.
•  Go back to the MX Appliance and create static routes for the Student and Staff subnets with the gateway IP address set to your L3 switch SVI. Also check the “In VPN” option.
•  Configure OSPF with the following settings:
   •  First configure switch port 25 to be access VLAN 600.
   •  Enable OSPF with default Area 0.
   •  Edit the Student, Staff and OSPF interfaces to use the default Area 0.
   •  Below that, make sure that statically assigned routes override OSPF.
•  Verify the OSPF neighbors and routes on the switch Monitoring page.
•  Start a ping to 192.168.221.1 and try again with port 25 disabled (wait about 30 sec).
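As an added example (not part of the workshop material), the following Python derives the per-station addressing plan from the topology slide and checks it for the mistakes that most often break the MX and MS labs: an interface that is not a usable host in its subnet, subnets of different VLANs overlapping, a static-route next hop the MX cannot reach, and a station number that pushes an octet past 255 or puts the OSPF interface on the network address. It also produces the MX static routes toward the switch SVI and the .1 to .10 DHCP reservation range from the MX step. The Vlan class, the function names and the sample station number 7 are assumptions of this example; only the address formulas come from the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example: derives and sanity-checks the per-station lab addressing
# from the topology slide. Station number X is the workshop's variable; the
# Vlan class, function names and the sample station used in main are
# assumptions made for this example, not part of the workshop material.


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    name: str
    device: str                      # which box owns the interface: "MX" or "MS"
    subnet: ipaddress.IPv4Network
    interface: ipaddress.IPv4Address


def lab_plan(x: int) -> List[Vlan]:
    """Derive the addressing plan for lab station X.

    The slide writes octets as (200+X) and 192.168.0.X, so X is only valid
    for 1 <= X <= 55: X=0 would put the OSPF interface on the network
    address, and X>55 pushes 200+X past 255.
    """
    if not 1 <= x <= 55:
        raise ValueError(f"station {x} is outside the 1..55 range the octet math allows")
    net, addr = ipaddress.IPv4Network, ipaddress.IPv4Address
    return [
        Vlan(1, "Default (MX)", "MX", net(f"192.168.{200 + x}.0/24"), addr(f"192.168.{200 + x}.1")),
        Vlan(1, "Route to MX (MS)", "MS", net(f"192.168.{200 + x}.0/24"), addr(f"192.168.{200 + x}.2")),
        Vlan(100, "Student", "MS", net(f"10.0.{100 + x}.0/24"), addr(f"10.0.{100 + x}.1")),
        Vlan(200, "Staff", "MS", net(f"10.0.{200 + x}.0/24"), addr(f"10.0.{200 + x}.1")),
        Vlan(600, "OSPF", "MS", net("192.168.0.0/24"), addr(f"192.168.0.{x}")),
    ]


def validate_plan(plan: List[Vlan]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent.

    Checks: every interface is a usable host inside its own subnet, and
    subnets belonging to different VLAN IDs do not overlap.
    """
    problems = []
    for v in plan:
        usable = v.interface in v.subnet and v.interface not in (
            v.subnet.network_address, v.subnet.broadcast_address)
        if not usable:
            problems.append(f"{v.name}: {v.interface} is not a usable host in {v.subnet}")
    for i, a in enumerate(plan):
        for b in plan[i + 1:]:
            if a.vlan_id != b.vlan_id and a.subnet.overlaps(b.subnet):
                problems.append(f"VLAN {a.vlan_id} and VLAN {b.vlan_id} overlap: {a.subnet} / {b.subnet}")
    return problems


def dhcp_reserved_range(subnet: ipaddress.IPv4Network) -> Tuple[str, str]:
    """The MX lab reserves .1 through .10 in each subnet for infrastructure."""
    return str(subnet.network_address + 1), str(subnet.network_address + 10)


def mx_static_routes(plan: List[Vlan]) -> List[Tuple[str, str]]:
    """Static routes the MX needs for the switch-owned user subnets.

    Next hop is the switch's 'Route to MX' SVI. It must be directly connected
    to the MX, i.e. inside the MX's own VLAN 1 subnet, or the route can never
    be installed; this check catches a mistyped gateway address.
    """
    mx_vlan1 = next(v for v in plan if v.device == "MX" and v.vlan_id == 1)
    switch_svi = next(v for v in plan if v.device == "MS" and v.vlan_id == 1)
    if switch_svi.interface not in mx_vlan1.subnet:
        raise ValueError(f"next hop {switch_svi.interface} is not on the MX-facing segment {mx_vlan1.subnet}")
    return [(str(v.subnet), str(switch_svi.interface))
            for v in plan if v.device == "MS" and v.vlan_id in (100, 200)]


def shared_subnets(x: int, y: int) -> List[str]:
    """Subnets two stations have in common. Only the OSPF VLAN 600 segment
    should be shared; per-station VLANs must not collide between stations."""
    nets_x = {v.subnet for v in lab_plan(x)}
    nets_y = {v.subnet for v in lab_plan(y)}
    return sorted(str(n) for n in nets_x & nets_y)


if __name__ == "__main__":
    station = 7  # constructed sample station, not a real assignment
    plan = lab_plan(station)
    for v in plan:
        print(f"VLAN {v.vlan_id:<4} {v.device} {v.name:<18} {v.subnet}  if {v.interface}")
    print("problems:", validate_plan(plan) or "none")
    print("DHCP reserved in VLAN 1:", dhcp_reserved_range(plan[0].subnet))
    print("MX static routes:", mx_static_routes(plan))
    print("shared with station 8:", shared_subnets(station, 8))
```

Running it for station 7 prints a consistent plan, two static routes (Student and Staff) with next hop 192.168.207.2, and shows that the only subnet shared with station 8 is the OSPF transit 192.168.0.0/24, which is why the switches can form OSPF neighbors over port 25 while the user VLANs stay separate.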

Page 25: Cisco Cloud Networking Workshop

So what is going on?

Page 26: Cisco Cloud Networking Workshop

MS Configuration Part 2

Configure VOIP:
•  Under Configure / Switch Ports, select ports 5-10 and hit Edit on top.
•  Update the tag field with the word “Phone”.
•  Change the type to Access and update the VLANs to 100 and 600 for data and voice respectively.
•  Save the changes.

Create a new port schedule:
•  Name it “energy-saving”.
•  Select the “8 to 5 on weekdays only” template.
•  Save the changes.
•  Go back to port configuration and apply the port schedule to all the ports with the tag “Phone”.

(Optional) Cable test and packet capture:
•  Go to the Switch monitoring page and click on port 1.
•  Run a cable test by clicking on the little arrow next to it.
•  When that’s successful, click on the “run a packet capture on this port” link.
•  Change the output to “Stream to CloudShark” and the duration to 10 sec.
•  Wait for the link to CloudShark to appear under the capture button and click on it to view.

Page 27: Cisco Cloud Networking Workshop

Wireless Access Points

•  7 models including indoor / outdoor, high performance and value-priced

•  Enterprise-class silicon including RF optimization, PoE, voice / video support

•  Lifetime warranty on indoor APs

BYOD policies

Application traffic shaping

Guest access

Enterprise security

Location analytics

WIPS – 3rd Security Radio

Feature highlights

Page 28: Cisco Cloud Networking Workshop

Making room for new MRs

Indoor APs
•  MR18: 2 Stream Triple-Radio 802.11a/b/g/n, 600 Mbit/s
•  MR26: 3 Stream Triple-Radio 802.11a/b/g/n, 900 Mbit/s
•  MR34: 3 Stream Triple-Radio 802.11ac, 1.75 Gbit/s
•  MR32 (NEW): 2 Stream Triple-Radio 802.11ac, 1.2 Gbit/s

Outdoor APs
•  MR62: Single-Radio 802.11b/g/n, 300 Mbit/s
•  MR66: Dual-Radio 802.11a/b/g/n, 600 Mbit/s
•  MR72 (NEW): 2 Stream Triple-Radio 802.11ac, 1.2 Gbit/s

Page 29: Cisco Cloud Networking Workshop

Third radio tames hostile RF environments

•  Radio dedicated to scanning and protecting the RF environment
•  Instantly detects and mitigates interference, vulnerabilities, and attacks on all channels
•  Third radio enables full-time scanning with full-performance client access on 2.4 GHz and 5 GHz radios

Deeply integrated with cloud-based software solutions: Air Marshal (security), Auto RF (performance)

No added cost or complexity
•  Typical deployments: radio operates in background (zero-config)
•  Power users: rich tools available for security and RF management
•  No added cost: no extra hardware, software, or licenses

Page 30: Cisco Cloud Networking Workshop

Bluetooth and Beacons

•  Bluetooth & BLE are integrated in many consumer devices already

•  Beacons use BLE for location services like asset tracking, mobile commerce, and navigation; iBeacon is Apple’s BLE trademark

•  Gaining traction as an opt-in alternative to WiFi-based location services

MR32, MR72: Integrated Bluetooth to drive location trends

Page 31: Cisco Cloud Networking Workshop

Use Case: Location Engagement with Beacons

•  Seamless site-wide deployment by integrating Beacons into the AP

•  Better consumer experience with opt-in mobile app integration

•  Increased customer visibility with both WiFi and Bluetooth analytics built-in

Page 32: Cisco Cloud Networking Workshop

Use Case: Asset Tracking with Bluetooth

•  Seamless site-wide deployment with Bluetooth integrated into the AP

•  Track Beacon-tagged assets with Bluetooth scanning and location estimation

•  Increased administrative visibility with both WiFi and Bluetooth inventory built-in

Page 33: Cisco Cloud Networking Workshop

MR Configuration (APs have been turned off)

•  Verify that your AP is operational under the Monitoring page (green status, passing traffic).
•  Rename the existing SSID under Configuration to “LAB X - Student” and enable two additional SSIDs for Staff and Guest.
•  On your Staff SSID, use WPA2-Enterprise for authentication and add a RADIUS server with IP address 192.168.221.1, port 1812 and shared key “meraki123”. Change client IP assignment to “Bridge Mode” and VLAN tagging to 200.
•  On your Student SSID, leave association Open but change the splash page to “Sign on with my AD server” and add the same IP address as above with any admin credentials. Change client IP assignment to “Bridge Mode” and VLAN tagging to 100.
•  On the Guest SSID, ensure the users sign on with a simple click-through splash page that refreshes every half hour (hint: customize it under Configure / Splash Page). Select NAT Mode for client IP assignment to use the Meraki AP as DHCP server.
•  Under Configure / Firewall & Traffic Shaping, select the Guest SSID and create L7 firewall rules to block P2P File Sharing and Gaming on this SSID. Also limit the per-client bandwidth to 1 Mbps.

Page 34: Cisco Cloud Networking Workshop

Cloud-managed Device Mobility

Flexible, easy provisioning

Centrally scale 100,000s devices worldwide

Auto-tagging, dynamic security compliance

Integrate seamlessly with the rest of your Cisco Meraki network

Page 35: Cisco Cloud Networking Workshop

Deployment & Rollout

One-step Enrollment
•  Browser: m.meraki.com with NetworkID
•  SM app: NetworkID or QR code
•  Email/SMS: enrollment link

Automatic Enrollment
•  Meraki integrates directly with Apple’s DEP portal
•  Supervise devices, disable profile removal, skip setup

Secure Enrollment by user/group
•  Authenticate device enrollment
•  Automatically inventory devices
•  Automatically license and push apps
•  Automatically configure email, network access

Page 36: Cisco Cloud Networking Workshop

Software & App Management

Grant and revoke VPP licenses directly from the Meraki Dashboard

Remotely install and inventory MSI and PKG files across devices

Auto push and remove apps by department/student/class/school using AD groups and bulk tagging

Blacklist/monitor for inappropriate apps and automatically restrict/lock-down

Page 37: Cisco Cloud Networking Workshop

SM Demo

Page 38: Cisco Cloud Networking Workshop

Bonus Lab Demonstration

Onboarding: clients will download System Manager upon joining. Firewall blocks everything else.

More Security with MDM: only allow clients with SM installed on this SSID. Use MR as DHCP server.

Just for Fun: try wishing for “konami code”

Page 39: Cisco Cloud Networking Workshop

Thank you.