Full Stack - Student Guide MERAKI


Full Stack

Meraki Labs Student Guide


Introduction
You have recently been hired to manage the network for a growing manufacturing company based in
San Francisco.

Nightingale’s Ultimate Widgets has managed to survive with a consumer ISP-provided gateway for
many years, but with recent company mandates, compliance requirements, more customers and new
offices opening up, the demand on the network has grown and requires an enterprise-class solution
that is also simple to configure, manage at scale, and troubleshoot.

As their new network admin, you suggest that Nightingale’s Ultimate Widgets deploy Cisco Meraki as
their solution. This will not only meet their needs now, but can scale with them as they grow their
main location and open new offices, as well as provide them with a simple, intuitive management
interface and rich application visibility, reporting and analytics, along with an API for programmatic
management at scale.

In order to get started, you’ve decided to equip them with a stack of Meraki gear, and today you’ll be
configuring that gear for one of the offices.

HOW TO PERFORM LAB WORK

1) Open the URL provided by the proctor. This will log you directly into Meraki Dashboard.
It is recommended to use Google Chrome.

2) Feel free to use the Cisco Meraki documentation articles to assist with the lab.
They can be found at: http://documentation.meraki.com

3) You can also use the Dashboard search box for assistance, which is very helpful.
Time for “exploring” Dashboard and for finding/using help has been worked into the suggested
times for each lab section.

REFERENCE MATERIALS:
Meraki Main Page – meraki.cisco.com
Cloud Architecture Overview – meraki.com/trust
Meraki Product Documentation – documentation.meraki.com
Meraki Webinars & Training – meraki.cisco.com/webinars
Meraki YouTube Channel – www.youtube.com/user/milesmeraki/videos

How to Read the Lab Guide
Throughout the lab guide you will see various notations that serve to call out different types of
information. These are classified into the following categories:

Important: These are high priority, critical bits of instructions that you must read carefully and pay
close attention to performing correctly or they could have an adverse effect on your lab station.

Note: These are typically warnings that usually serve as reminders as they are sometimes easily
overlooked or missed.

Hint: These are useful pieces of advice that could help point you in the right direction or help draw
your attention to hard-to-find or confusing configurations.

Information: These serve as additional footnotes and reference materials sourced from the official
Meraki documentation portal (https://documentation.meraki.com) for various topics or technologies.

Accessing your Lab
As you log into Dashboard, you should pay close attention to ensure that you are working within the
right lab network. For example, if you have been assigned to Lab Station 2 within POD 3, then you
should see very clearly at the top that you are signed in using the right user account and working in the
right lab station network. Your instructor should let you know what POD you’re working in today.

Example of verification for Lab Station 2, POD 3:

Hint: The Cisco Meraki Dashboard is compatible with the most recent version of Firefox, Internet
Explorer, Safari and Chrome web browsers. However, the most recommended browser is Chrome as it
provides the best and most consistent user interface experience. It should also be noted that MV
security camera streaming is not supported on Windows 7 + Internet Explorer 11.

Lab Station References (IP Addressing)
Throughout the lab exercises, you will occasionally see instructions that reference your lab station
number. These references appear as a green n, which should be replaced by your lab station number
wherever it appears:

Example Instruction: Rename the MX’s name as MX n

Lab Station 7’s results: MX 7


Lab Station 12’s results: MX 12

A similar but slightly different instruction may tell you to add your lab station number – again
referenced as n – to an existing value. This should be treated as a simple add (+) operation, as
illustrated in the following example:

Example Instruction: Use the following as the subnet: 10.0. [10 + n ] .0/24

Lab Station 7’s correct results: 10.0.17.0/24 (10 + 7 = 17)


Lab Station 12’s correct results: 10.0.22.0/24 (10 + 12 = 22)

Important: It would be incorrect if a concatenation were to be used, such as 10.0.107.0/24 for Lab
Station 7 or 10.0.1018.0/24 for Lab Station 18 – these are incorrect and possibly invalid values.

This type of replacement applies not just to subnets but also to IP addressing and VLAN instructions in
the lab guide. Here are some more examples:

Example Instruction: Use the following as the IP address: 10.0. [ 150 + n ] .1

Lab Station 7’s correct results: 10.0.157.1 (150 + 7 = 157)


Lab Station 12’s correct results: 10.0.162.1 (150 + 12 = 162)

Example Instruction: Configure the access port to be in VLAN [ 600 + n ].

Lab Station 7 would configure the port to be in VLAN 607 (600 + 7 = 607)
Lab Station 12 would configure the port to be in VLAN 612 (600 + 12 = 612)
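
The substitution rule above, worked through in Python as an added example that is not part of the original lab guide. The function names are hypothetical; the templates are the guide's own example instructions, and the standard `ipaddress` module checks each result.

```python
import ipaddress
import re

# Matches the guide's placeholder notation, e.g. "[10 + n ]" or "[ 150 + n ]".
PLACEHOLDER = re.compile(r"\[\s*(\d+)\s*\+\s*n\s*\]")


def _tidy(text):
    # The guide prints spaces around the placeholder ("10.0. [10 + n ] .0/24").
    return re.sub(r"\s*\.\s*", ".", text).strip()


def expand(template, n):
    """Replace every "[base + n]" placeholder with the integer sum base + n."""
    if n < 1:
        raise ValueError("lab station numbers start at 1")
    return _tidy(PLACEHOLDER.sub(lambda m: str(int(m.group(1)) + n), template))


def concatenated(template, n):
    """The mistake the guide warns about: pasting n after the base digits."""
    return _tidy(PLACEHOLDER.sub(lambda m: m.group(1) + str(n), template))


def station_subnet(template, n):
    """Expand a subnet template and confirm it is a real IPv4 network."""
    return ipaddress.ip_network(expand(template, n), strict=True)


def station_address(template, n):
    """Expand an address template; raises ValueError if an octet exceeds 255."""
    return ipaddress.ip_address(expand(template, n))


def station_vlan(template, n):
    """Expand a VLAN template and check the 802.1Q range."""
    vlan = int(expand(template, n))
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} is outside 1-4094")
    return vlan


def is_valid_network(text):
    """True if text parses as an IPv4 network with no host bits set."""
    try:
        ipaddress.ip_network(text, strict=True)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    subnet_t = "10.0. [10 + n ] .0/24"
    address_t = "10.0. [ 150 + n ] .1"
    vlan_t = "[ 600 + n ]"
    for n in (7, 12):
        print(n, station_subnet(subnet_t, n), station_address(address_t, n),
              station_vlan(vlan_t, n))
    # Concatenation for station 18 is not an IP network at all.
    print(concatenated(subnet_t, 18), is_valid_network(concatenated(subnet_t, 18)))
    # Concatenation for station 7 parses, but 10.0.107.0/24 is the subnet this
    # guide assigns to station 7's Guest VLAN (100 + 7), so it is still wrong.
    print(concatenated(subnet_t, 7), is_valid_network(concatenated(subnet_t, 7)))
```
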
Your Station’s Network Topology Overview

n is your lab station number

LAB 1 (Step 1.1): Security Appliance Configuration:

VLAN 10 (Corp)
Subnet: 10.0.10+n.0/24
Interface: 10.0.10+n.1

VLAN 30 (Voice)
Subnet: 10.0.30+n.0/24
Interface: 10.0.30+n.1

VLAN 100 (Guest)
Subnet: 10.0.100+n.0/24
Interface: 10.0.100+n.1

LAB 2 (Step 2.1): Switch Configuration:

VLAN 10 (Corp)
Subnet: 10.0.10+n.0/24
Interface: 10.0.10+n.201
Default gateway: 10.0.10+n.1

VLAN 150 (Legacy)
Subnet: 10.0.150+n.0/24
Interface: 10.0.150+n.1

VLAN 600 (OSPF)
Subnet: 192.168.0.0/24
Interface: 192.168.0.n

LAB 1 | Small / Medium Site (90-120 minutes)
To get started, let’s set up your first three pieces (full stack) of Meraki gear in your local branch office
of Nightingale’s Ultimate Widgets. Meraki Support has already set up a Dashboard account and added
the MX, MS and MR equipment to a network. In this exercise, you will create an initial configuration
for a branch office, create a baseline security policy, configure a guest wireless network, and
interconnect all of the remote branches over a secure VPN.

Important: Make sure you are in the CORRECT POD and the CORRECT NETWORK that corresponds to
your Lab Number. (See page 4 of this lab guide.)

1.1 Initial MX Setup (20-30 minutes)

Hint: If you need help finding where commands are located, use the search function in the upper left
corner, to the right of the POD number or Cisco Meraki logo. It says “Search Dashboard”.

1) Verify that your MX is operational and green in Dashboard and the WAN uplinks are healthy.

2) Edit the name of your MX (for example, Lab n MX), assign a city/address (refer to your topology
sheet), and use the live tools to ping the appliance and, optionally, run a traceroute to google.com.
Check the status of your WAN1 and WAN2 uplinks using the Uplinks tab.

3) VLAN configuration

a) On the Addressing and VLANs page, first Enable VLANs and then create VLANs 10 (Corp), 30
(Voice) and 100 (Guest) as per your topology diagram.
See additional notes b/c/d below.

b) Do not remove/modify VLAN 1 (default/untagged VLAN) which is there by default.

c) Use the Add a Local VLAN link to configure VLANs 10, 30 and 100.

d) All non-tagged traffic will be part of VLAN 1 (default VLAN).

4) On VLAN 10 (Corp) reserve IP addresses .150 through .250 under DHCP Settings.
Note: This addressing section is required before moving on to any further labs.

1.2 Setting a Security Policy (20-30 minutes)

1) Apply the following global default policies:

Hint: This first part does not use group policies.

a) Completely block peer-to-peer BitTorrent traffic.

b) Set a maximum bandwidth of 5Mbps per client.

c) For Netflix and Pandora, shape traffic to 1M down, 500K up and ensure they are low priority.

d) For all voice and video conferencing, remove all bandwidth restrictions and ensure they are
high priority.

e) Apply content filtering to block adult and gambling websites but allow 777.com.

2) Enable Advanced Malware Protection (AMP) and Intrusion detection with Balanced Ruleset.

3) Enable network alerts if the MX goes offline for more than 10 minutes or a DHCP pool is
exhausted.

4) Create a group policy called Guest to ensure that guest users conform to the restrictions below:

a) Guests will be restricted to 2M per client.

b) Guest group policies will only be turned on during working hours 8am–5pm Mon-Fri.

c) No traffic can communicate to/from North Korea or Syria.

d) Add another L7 firewall rule to block all gaming applications.

e) Append to the default content filter to block all sports websites.

f) Now that all sports sites are blocked, allow [Hint: Append to Allow List] sports.yahoo.com.

5) Apply the Guest group policy to the Guest VLAN. (Hint: Addressing & VLANs page)

1.3 Interconnect Sites via Full-Mesh AutoVPN (20 mins)

1) Configure a full-mesh VPN between all sites, and enable VPN for the Corp and Voice VLANs, but
not the default or guest VLANs.

Hint: Navigate to Site-to-site VPN and configure your site as a hub (and do not configure an exit hub).

2) Verify connectivity by pinging the data center core switch (10.0.250.1) from the Live tools on the
Appliance status screen. What is your latency to the data center?
Navigate to VPN Status to verify connectivity to other branches. Note: If you don’t see site-to-site
peers listed, try clicking the View old version link on the right-hand side and you can then verify
connectivity to other branches.

3) Examine the MX’s routing table.


Do you see your local VLANs and VPN peer networks?
Can you ping any of the VPN peers? (Check with your neighbors if they have also reached this
step.)

1.4 Switch Configuration (20-30 minutes)

1) Verify that your MS switch is operational (green status, passing traffic)

2) Edit the name of your switch and apply the tag(s) and city/location from your topology handout.

3) Customize your flex table view under Switch > Switches to include local IP, Tags and S/N.

4) Configure ports 4 – 7 for VoIP phone access

a) Tag these 4 ports with the voip tag.

b) Make them access ports on VLAN 1 with voice VLAN 30.

c) Create a QoS rule for the network to mark all traffic in voice VLAN 30 as DSCP 46 (EF) for voice.

5) Create an energy-saving port schedule to turn off ports (power down phones) during off hours.

a) First confirm (or set) the appropriate time zone for your network. (Network-Wide > General)

b) Apply the port schedule to ports 4 – 7 simultaneously (try searching for voip).
6) Cable test and packet capture

a) Go to the Switch monitoring page and click on port 2.

b) In the Troubleshooting section, run a cable test on port 2 by clicking on the arrow next to it.

c) Run a packet capture on port 1 of your switch for 30 seconds. View the output in Dashboard
or download to a .pcap file if you have Wireshark installed on your device.

7) Extra Credit: Server ports

a) Configure ports 23 and 24 to be access ports on VLAN 1.

b) Give them a name of File Server and a Server tag.

c) Set up an email alert if any switch port with a tag of Server goes down for > 5 minutes

1.5 Guest and Corporate Wireless (30-60 minutes)

1) Begin by first verifying that your MR access point is online and operational (i.e., MR is in good
health status, firmware & configuration are up to date, etc.) – you should see only one AP listed on
the Monitor > Access points page.

2) By default, the MR’s name will appear as its MAC address - look for and click on the pencil icon
which will allow you to change/edit the name. Proceed to rename the MR’s name as Lab n AP
where n is your station number. You can also edit the street address and the tags from your
topology sheet.

3) Navigate to the “Tools” tab to ping the Access Point from Dashboard to confirm it is online. You
should also be able to ping your station’s MX at 10.0.10+n.1 or even other stations MR’s across the
VPN. Try running a traceroute and viewing the ARP table.

Important: At this point in the wireless lab, you have two options to complete the next step. You can
complete step 4 below using the Meraki Dashboard, or you can complete it using the API. To proceed
using Dashboard, simply continue below. To do it via API, skip to the next optional Section 1.6, and
then return back here to continue with step 5 below when complete.

4) Navigate to Wireless > Configure > SSIDs and proceed to enable as well as rename two SSIDs.
Rename the first SSID as Corp-n and the other as Guest-n (where n is your station number.) – be
sure to save your changes before leaving the page.
Hint: You should rename/repurpose the default SSID (usually named “LabX – Wireless WiFi”) as one of
the two SSIDs you are creating for Corp and Guest.

5) To configure settings for these SSIDs, go to Configure > Access control, where you must first make
sure that the Corp-n SSID has been selected from the SSID drop-down menu at the top. This SSID
needs to have the following settings:

Association Requirements: PreShared Key with WPA2
Password: ‘meraki123’
Client IP Assignment: Bridge mode
VLAN tagging: enabled
VLAN ID: 10

6) Switch to the Guest SSID by using the drop-down menu, and use these settings:

Splash page: Click-through
Client IP Assignment: Bridge mode
VLAN tagging: enabled
VLAN ID: 100

7) Because we are using a click-through splash page for our guest wireless network, we will want to
have guests re-authenticate every day. Navigate to Configure > Splash page and change the
frequency to every 24 hours.

8) We want to ensure that our wireless guest users have no way of accessing any of the internal local
network resources while also restricting their usage. Go to Configure > Firewall & traffic shaping
and make the following configurations on the Guest-n SSID:

a) Edit the default Layer 3 firewall by adjusting the policy to deny access to the Local LAN for all
wireless clients that might try to access the LAN.

b) Add three Layer 7 firewall rules to block P2P, File sharing, and Gaming services.

c) Limit the per-client bandwidth to 2 Mbps and enable speedburst.

d) Also make the Guest-n SSID unavailable on weekends. (SSID Availability page)

9) Let’s implement some best & common practices for the RF settings.

a) For the Corporate SSID, make it dual-band operation, but use band steering to get more users
onto the cleaner 5GHz radio.

b) For all SSIDs, disallow very old legacy 802.11b devices.

c) Ensure the AP isn’t able to transmit all the way to 100% Tx power on each radio.

d) Ensure a default 5GHz channel width of 40MHz.

e) Ensure the AP is choosing its channel assignment automatically.

f) Let’s say we have a reason to make a change, and lock the 5GHz radio to channel 48.

g) Also force the 5GHz radio to transmit at a specific Tx power, like 3dBm.

Hint: These items might be on different pages, as some controls are per-SSID, and some are for the AP
as a whole. Be sure to check out both Access Control and Radio Settings pages.

10) Let’s check on the RF utilization of the 2.4GHz band of the AP. It’s in a very busy place, so we want
to see how badly over-utilized that band is. Check out both the RF Spectrum page and click into
the AP’s spectrogram page, and also go to the AP’s status page and click into the RF tab on the far
right.

11) Extra Credit – Systems Manager: Create a 3rd SSID called BYOD to be used for mobile device
onboarding. Force iOS and Android clients to have Meraki Systems Manager installed to join the
SSID and get network access, while Windows or Mac laptops will just see a splash page. Mobile
clients will download Systems Manager upon joining the BYOD SSID; the firewall blocks everything
else.

Hint: This is done on the access control page for the SSID.

LAB 2 | Large Site / Campus (90-110 minutes)
Since deploying their enterprise network, Nightingale’s Ultimate Widgets has grown and acquired
another company that has a legacy private network interconnecting all of their sites. In order to
increase collaboration during the acquisition, Nightingale’s Ultimate Widgets has rolled out the private
network to all sites. Also, to protect their new records and archiving systems, they need to increase
the security of their wired and wireless network.

2.1 Layer 3 Routing on the Switch (30-60 minutes)

1) Navigate to the Switch > Routing and DHCP page and create the interfaces below:

a) Name: Corp
Subnet: 10.0.10+n.0/24
Interface: 10.0.10+n.201
VLAN: 10
Default gateway: 10.0.10+n.1
Disable DHCP

b) Name: Legacy
Subnet: 10.0.150+n.0/24
Interface: 10.0.150+n.1
VLAN: 150
DHCP Enabled

c) Name: OSPF
Subnet: 192.168.0.0/24
Interface IP: 192.168.0.n
VLAN: 600
Disable DHCP

2) Go to the MX Appliance and create a static route to the Legacy subnet using the IP address on your
L3 switch SVI in the Corp VLAN as next hop. Reference the topology sheet for supplemental
information.

a) The In VPN option should be set to Yes.

Hint: The Legacy network now lives on the MS only so we need to tell the MX where this network is
now. The answers can be found in 1.a and 1.b above.

3) On the switch, configure OSPF with the following settings:

a) First configure switch port 24 on your lab station switch to be access VLAN 600

b) Enable OSPF with default Area 0

c) Edit Legacy and OSPF interfaces to use the default Area 0 and Cost 1

d) Edit the default static route to be preferred over OSPF routes

NOTE: Let the instructor know you have reached this point and ask them to enable the private network
for exercise 2 (they will enable the DC switch port 1–15 corresponding to your lab station number).
Remind them it needs to be enabled and it should be an access port in VLAN 600.

4) Navigate to the switch monitoring page

a) Verify that port 24 is now operational

b) Verify that your switch is using 192.168.0.n as the Router ID. If not, change it.

5) Start a ping to the data center switch (192.168.0.254) from the Legacy Source interface
(10.0.150+n.1).

a) Ping 10.0.250.1 again with port 24 disabled. Wait about 30 seconds after disabling the port.

b) What path is the switch now taking to get to 10.0.250.1?

c) Does the switch still have OSPF neighbors?

d) See the diagram at the end of this document to better understand the logical data flow /
topology.

6) Re-enable port 24.

2.2 Wired 802.1X and DHCP protection (20 minutes)


1) Create an Access policy (Switch > Configure > Access Policies)

a) Give it a name of Test Policy 1 or something similar.


b) Use Radius host IP 10.0.250.100. Port 1812. Secret = “meraki123”

c) Place clients into VLAN 100 if they are unable to participate in 802.1x via a guest VLAN.

d) Allow phones (Voice VLAN Clients) to bypass authentication.

Hint: MS switches support hybrid auth, so they’ll try 802.1X 1st and fall back to MAB 2nd.

2) Navigate to Switch > Switch Ports

a) Apply the access policy to ports 4 – 7 simultaneously.

b) On the switch ports page, update the flex table to include the “Access Policy” column.

Note you can type “voip” or “4-7” in the search box, then select all 4 ports at once.

3) Navigate to Switch > DHCP Servers

a) In order to improve the security of the LAN, change the default DHCP server policy to block
DHCP servers.

b) Allow any existing DHCP servers detected within the last day (If there are some you simply
click the “allow” link in the policy column)

2.3 Wireless IPS and 802.1X Authentication (20-30 minutes)

1) On your “Corp” SSID, use WPA2-Enterprise for authentication and add a RADIUS server with IP
address 10.0.250.100, port 1812 and shared key “meraki123”.

2) Configure the AP to act as a dynamic authorization server by responding to
Change-of-Authorization messages coming from the RADIUS server.

Hint: This is below the RADIUS server configuration section in the same general location.

3) All of your devices should be newer corporate-issued devices. Let’s ensure maximum security and
performance on this SSID by:
a) Allowing Apple devices to use FastLane automatically (hint: It’s also known as adaptive
802.11r)

b) Turning on protected management frames (802.11w)

c) Blocking all Windows Phone and Blackberry devices from connecting. (Hint: Group policies by
device type, still on the Access Control page)

4) Navigate to the Air Marshal screen and configure the Access Points to block users from connecting
to Rogues seen on the LAN.

5) Configure the access point to automatically contain any SSIDs [Hint: SSID Block List] being
broadcast with “Nightingale” in the name of the SSID. This should automatically contain any other
local SSIDs with “Nightingale” in the SSID name.

6) Navigate to “Other SSIDs” and find your neighbor’s Corp SSID. Add it to the SSID Allow List so it
never gets contained.

2.4 Advanced Wireless RF Design (20-30 minutes)

1) Navigate to RF Spectrum, and identify top interfering AP’s on your AP’s 2.4Ghz radio.

2) Nightingale corporate IT has identified that as the site grows, we will need to have a more
advanced RF Profile applied to very dense offices. Navigate to Radio Settings, and create a new RF
Profile for future AP’s at this location, called “Nightingale High Density” from scratch:

a) Ensure the 5Ghz band is the only one used, and ignore 2.4Ghz.

b) Ensure a narrower channel width of 20Mhz.

c) Ensure Client Load balancing is enabled.

d) Leave the full range of power settings for Auto Power.

e) Set the minimum bitrate to 24Mbit, for the entire AP (not per SSID)

f) Set the RX-SOP (Minimum received power) to ignore any clients weaker than -80dBm.

3) Navigate back to Wireless > Radio Settings, and select your AP, and apply the High Density profile
to it. (Accept any overrides) [Hint: Check out the Edit Settings button]

4) We need to prioritize new wireless VoIP phones on the network, from the AP itself. Navigate to
Wireless > Firewall & Traffic Shaping.
a) Turn on traffic shaping for your Corp SSID.

b) Prioritize All Voice & Video applications.

c) Ignore any bandwidth restrictions for this rule.

d) Place this traffic in PCP 6 (a priority queue), and tag it with DSCP “EF” (46) so other network
devices will prioritize the traffic upstream.

LAB 3 | Distributed Enterprise (60-90 minutes)
Nightingale’s Ultimate Widgets has been using their Meraki network for an entire year now. Their
Cloud Managed Network has helped them successfully roll out new back-end systems, ensure PCI and
GDPR compliance, and has accommodated the higher demand for guest Internet. To keep up with the
growing number of offices and increase the level of performance and reliability required by a growing
distributed network, they will need to add centralized Data Center services, increase redundancy, and
ensure that their business-critical applications are always preferring the best performing WAN path.

3.1 VPN Topology & Redundancy (30-45 minutes)

1) Evolve the lab VPN design to a more scalable model using the Hub-and-Spoke topology.

a) Configure your site as a spoke and add both “Data Center 1” and “Data Center 2” as hubs.

b) Prioritize “Data Center 2”.

c) Configure a full tunnel VPN by configuring both hubs with a default route.

d) Enable VPN for only Corp and Voice networks.

2) Verify that you can still ping each other’s lab MX LAN IP’s just as you did earlier with the full mesh
configuration.

3) Verify connectivity to all 3 Data Center subnets.

a) 10.0.250.0/24 (Shared)

b) 10.0.251.0/24 (DC1)

c) 10.0.252.0/24 (DC2)

Hint: Use MX ping tool as well as check the Route Table on your MX.
Note: Let the instructor know that you have reached this point and ask them to initiate a failure at
Data Center 2 by disabling its uplink for your lab pod.

4) Perform the following verification tasks.

a) Verify that Data Center 2 is unreachable by pinging the default gateway of its unique subnet
(10.0.252.2).

b) Verify that the DC shared subnet is still reachable by pinging its default gateway (10.0.250.1).

c) Verify connectivity to your neighbors despite the data center failure by pinging their MX.

3.2 Software Defined WAN (SD-WAN) (30-45 minutes)

1) Navigate to Security appliance > Configure > Traffic shaping.

a) Configure uplink bandwidths: WAN 1 = 10Mbps, WAN 2 = 5Mbps.

b) Enable load balancing.

c) Configure a flow preference for “Guest” internet traffic to prefer WAN2. Hint: any traffic with a
source IP of 10.0.100+n.0/24 should prefer WAN2.

2) Create a custom performance class named “Acceptable Delay” with a setting of 200ms of latency.

3) Under VPN traffic, configure the following rules:

a) Any traffic destined to 8.8.8.8/32 should prefer WAN 2 unless performance is worse than
“Acceptable Delay”.

b) Any traffic from the “Corp” subnet should load balance on uplinks that meet “Acceptable
Delay”.

c) Any traffic from the “Voice” subnet should use the best uplink for VoIP.

4) Verify path selection by navigating to the Uplink Decision section of the VPN status page.

a) Which uplink is used for traffic destined for 8.8.8.8?

i) WAN2 is cycling between 50ms and 400ms of latency every 20 seconds, resulting in the
uplink cycling between WAN1 and WAN2.

b) Click one of the links in the uplink decision column.

i) What is the average latency and MOS score between your branch and Data Center 2 for
both of your branch’s WAN links?

5) (Optional) Feel free to adjust the “Acceptable Delay” latency setting and see how the uplink cycling
between WAN1 and WAN2 changes.
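
A toy model of rules 3a and 3b and of the threshold experiment in step 5, added here as an example; it is not Meraki code and not part of the original lab guide. The 200 ms class and the 50/400 ms, 20-second WAN2 pattern come from the lab text; the steady WAN1 latency, the once-per-second evaluation and all function names are assumptions of this sketch.

```python
"""Simplified model of the lab's performance-based uplink rules."""

# Values stated in the lab text.
ACCEPTABLE_DELAY_MS = 200          # custom performance class from step 2
WAN2_LATENCIES_MS = (50, 400)      # WAN2 alternates between these two values
WAN2_HALF_PERIOD_S = 20            # ...switching every 20 seconds

# Assumption for this example: WAN1 latency is steady. The guide gives no figure.
WAN1_LATENCY_MS = 30


def latencies_at(t):
    """Return the modelled latency of each uplink at second t."""
    phase = (t // WAN2_HALF_PERIOD_S) % 2
    return {"WAN1": WAN1_LATENCY_MS, "WAN2": WAN2_LATENCIES_MS[phase]}


def meets_class(latency_ms, max_latency_ms):
    """An uplink meets the class when its latency is not worse than the limit."""
    return latency_ms <= max_latency_ms


def preferred_uplink(latency, preferred, fallback, max_latency_ms):
    """Rule 3a: stay on the preferred uplink unless it violates the class."""
    if meets_class(latency[preferred], max_latency_ms):
        return preferred
    return fallback


def eligible_uplinks(latency, max_latency_ms):
    """Rule 3b: load balance across every uplink that meets the class."""
    return sorted(name for name, ms in latency.items()
                  if meets_class(ms, max_latency_ms))


def simulate(max_latency_ms=ACCEPTABLE_DELAY_MS, duration_s=120):
    """Per-second uplink decision for traffic to 8.8.8.8 (prefers WAN2)."""
    return [preferred_uplink(latencies_at(t), "WAN2", "WAN1", max_latency_ms)
            for t in range(duration_s)]


def summarise(timeline):
    """Return (number of uplink changes, share of time spent on WAN2)."""
    changes = sum(1 for a, b in zip(timeline, timeline[1:]) if a != b)
    return changes, timeline.count("WAN2") / len(timeline)


if __name__ == "__main__":
    # Step 5: sweep the class limit and watch the cycling appear and disappear.
    for threshold in (40, 200, 500):
        changes, share = summarise(simulate(threshold))
        print(f"Acceptable Delay {threshold:>3} ms: {changes} changes, "
              f"{share:.0%} of the time on WAN2")
    # Rule 3b for the Corp subnet: the load-balancing set shrinks when WAN2 is slow.
    print("Corp at t=0 :", eligible_uplinks(latencies_at(0), ACCEPTABLE_DELAY_MS))
    print("Corp at t=25:", eligible_uplinks(latencies_at(25), ACCEPTABLE_DELAY_MS))
```

In this model any limit from 50 ms up to 399 ms produces the cycling described in step 4, a limit below 50 ms pins the flow to WAN1, and a limit of 400 ms or more keeps it on WAN2.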
Final Logical Data Flow

LAB 4 | Physical Security (30-45 minutes)
Nightingale Medical Associates has decided to replace their legacy CCTV systems and NVRs with
Meraki MV, and they already have a few cameras set up. In this lab, we’ll explore some of the
management aspects and configuration settings for the MV cameras and their capabilities.

4.1 Initial Configuration

1) From the Dashboard Organization drop-down, select the MV Lab network.

2) Go to Cameras > Cameras and click into one of your cameras.

3) Explore the live video window.

a) Click to an earlier time on the timeline.

b) Zoom in and out using the + and – buttons on the far right.

c) Click on the date/time box and type in “2 hours ago” or “yesterday 3pm” for example.

d) Hover over a light yellow box to see a motion recap thumbnail image. Find one of interest,
then click on that yellow box to watch that segment of video.

e) Pause the video, go forward / backward frame by frame, or 10 seconds at a time.

f) What codec is being used? (Hint: hover over the icon in the lower left corner.)

g) Experiment with the show/hide objects button.

4.2 Finding, Exporting and Sharing Video

1) Click on the Motion Search box to bring up the grid.


Search a specific area, and select something of interest from the motion recap images.
Play that video and wait for the video of interest and pause it.
Click the Share button and export a 30-second clip to your local machine.

a) Notice the “Recent Exports” at the bottom of the screen, when ready use the save link.

b) Download and watch the exported video, note the camera and timestamp watermarks.

c) Think about how we can be sure the video has not been tampered with.

2) Click on the Analytics tab to the right of the Video tab.

a) Start with a resolution of 1 day.

b) Click into the busiest day, then the busiest hour, then the busiest minute.

c) See what was going on at that moment.

3) To the left of the timeline, click the “Now” button to view live video.

a) Click on the Share button and select Share Stream Externally.

b) Input an email address and share (where you can receive a live email if possible).

c) Perhaps bring up an incognito browser window and use a personal gmail address.

d) Receive the email and click the link, confirm you get the live stream.

e) Back in the primary Dashboard window, revoke/delete the live stream access.

f) Go back to your other browser/window viewing the live stream, and refresh/reload.

g) Confirm you now see an error and the access has been removed.

4.3 Configuring Video Settings

1) Note: This is read-only access, not all settings will be exposed, such as optical zoom, privacy
windows, sensor crop, high dynamic range and aperture/focus settings.

2) Go to the camera’s settings page and then the quality and retention tab.
How many days of footage can the camera contain with the existing settings?

3) Set the resolution to 1080p and try the different video quality settings.
Take note of the video retention with each of the settings.

4) Enable motion based retention and do not enable an area of interest.


Again take note of the retention with different quality settings.
Now enable an area of interest for motion based retention.
Try different areas to see how much it might boost retention.

5) You can also set cameras to record on a schedule.


Choose “Scheduled” instead of “Always” and create a new schedule as you desire.
Note that it’s read-only, no ability to save or apply the schedule.

6) Explore the “Profile Assignment” configuration method, and explore how you can create quality
and retention templates to be able to apply to multiple cameras at once.

7) Make sure the IR illuminators are automatically turning on during automatic night mode.

4.4 Motion Based Alerts

1) Go to the Motion Alerts tab and configure the camera to always send alerts.

2) Alert on events longer than 2 seconds with a sensitivity of 100%.

a) How many alerts per day can you expect to receive?

3) Adjust the trigger duration to 8 seconds and sensitivity to 75%.

a) How many alerts per day can you expect to receive?

4) Configure an area of interest, see how much the daily alerts might improve.

5) Now alert only on “people events” and see if daily alerts improves further.

4.5 Video Wall

1) Go to the Video Wall for your network.

2) If able, perform another motion search right from the video wall.

3) If there are multiple video walls, examine the video wall rotation option.

4) If there is write/edit access, create a new video wall.

a) Make one camera larger and one smaller in the view.

b) How much bandwidth will the video wall require?

4.6 Troubleshooting

1) Modify the flex table on the Cameras > Cameras page.


a) Add some columns like bit rate, frame rate, audio recording, etc.

2) Configure alerts for motion events, and if a camera goes offline for more than 5 minutes.

Hint: Cameras > Configure > Alerts

3) Click into one of the cameras.

a) What model camera is it?

b) What switch port is the camera connected to?

(a) What kind of switch is it? (Click the link to see)

c) What is the IP address of the camera? Ping the camera using the live tool.

d) Run a traceroute from the camera to www.meraki.com.

e) Examine the connectivity timeline for the last month. Has the camera been offline at all? If so,
hover over any red portions to see when it was offline.

f) Examine the Network Wide > Event Log to see all night mode on/off transitions.

g) Go to Cameras > Monitor > Video Access Log.

(a) Do you see the export you created (and perhaps downloaded) earlier?

h) What firmware is the camera running, and is there an update available?

Hint: Organization > Firmware Upgrades

4) When was this MV network last upgraded, how long on this firmware?

Hint: Click the wrench to see which columns are available.

5) Click into the current firmware version, see release notes for this and other versions.

4.7 Mobile Access (Optional Extra Credit)

1) Download the Meraki Dashboard app to your mobile device (if you don’t have it already!)

2) Log in with your Minilab credentials and view the live video on one of your cameras.

3) Use the mobile app to ping the camera.

4) Use the mobile app to find the camera’s S/N and MAC address.

MORE ON MV
https://meraki.cisco.com/products/security-cameras/
https://meraki.cisco.com/blog/?s=MV
MV Commercial: https://youtu.be/I0eCD6kT8UY

LAB 5 | Meraki Dashboard API Labs
There are multiple API labs at your disposal, and you can complete these anytime; you do not
necessarily need to be sitting in a Minilab class with a reserved Minilab pod.

These self-guided labs are available at https://developer.cisco.com/meraki/ and these three labs
below may be of interest for getting started with the Meraki Dashboard API. There are several others.
The Meraki developer’s site is now a part of Cisco DevNet.

Also check out the Meraki app store at https://apps.meraki.io/apps/ when you can!

5.1 Introduction to the Dashboard API


Whether you are new to programming or a seasoned software engineer, knowing what’s possible is half the
battle. Postman is a popular free graphical tool for working with REST APIs. Use this tool to explore
and work with the Meraki Dashboard API quickly and easily by entering URLs and parameters into API
calls to interact with Dashboard programmatically.

https://developer.cisco.com/meraki/build/meraki-postman-collection-getting-started/

5.2 Meraki Dashboard Automation with Python


This lab will help get you familiar with using the Dashboard API with the Python programming
language. It consists of a few exercises to get you up and running quickly. It starts with getting the
prerequisites installed and configured. Then we will modify a pre-written Python script to interact
with the API. You only need a basic understanding of programming and Meraki to complete this lab.
Even if you’re a non-programmer, try it out and you’ll be surprised, it’s easy to start learning.

https://developer.cisco.com/meraki/build/automation-with-python-api-lab/

5.3 Meraki Dashboard Reports with Google Sheets Lab


Easily import Meraki Network data from your own Meraki Dashboard into Google Sheets using the
Meraki Dashboard API. This lab gives you the opportunity to build your own utility in a short time that
you can continue to use and expand upon after the Minilab event.

https://developer.cisco.com/meraki/build/meraki-dashboard-reports-with-google-sheets/#1

LAB 6 | Congratulations!
Thanks to you, Nightingale’s Ultimate Widgets has been able to adopt an enterprise solution that has
scaled with the group’s growth. You’ve expanded their original location to a larger enterprise
deployment, supporting a multi-site architecture that meets all of their security and reliability
requirements. You have saved them a lot of time and money given the single-pane-of-glass
management across their full stack of infrastructure, zero-touch deployment model, simple
troubleshooting and reporting, and great visibility and analytics to improve business practices.
