Mini-Lab - Network Topology Overview
Submitted by monto2435 • June 4, 2018 • 1,740 words (7 pages) • 385 views
...
2.1.1 Disable previous AutoVPN configuration (2 min)
- Navigate to the Security Appliance -> Configure -> AutoVPN and select “Off” in the Topology options
2.1.2 Adding a MPLS link to the network (15 minutes)
- Navigate to the Security Appliance -> Addressing and VLANs screen and create the SVI interface below:
  - Name: MPLS, Subnet: 192.168.0.0/24, Interface: 192.168.0.X (where “X” is your pod number), VLAN: 600, Default gateway: 192.168.0.254, Disable DHCP
- Create a static route for the “Legacy” subnet with gateway IP address 192.168.0.254 (next hop)
  - Destination subnet must summarize all networks behind both Data Center MXs and common LAN2LAN
    - Hint: Identify the common subnet bits for all 3 networks and calculate the appropriate mask
  - “In VPN” option should be “No”
  - In “Active” select “While next hop responds to ping”
- Save the configuration
- Let the instructor know that you have reached this point and ask them to enable the private network for your UTM
- Start the following ping tests from your MX (hint: use Live Tools):
  - 10.0.252.1
  - 10.0.251.1
  - 10.0.250.23
- Does the MX reach all destination hosts?
- What is the path used to reach 10.0.250.23? (hint: use Live Tools – Traceroute)
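The summarization hint in 2.1.2, worked as an added example that is not part of the original lab guide. It assumes the three networks to summarize are the Data Center subnets the lab lists under 3.1.1; the function names are hypothetical. It also reports which neighbouring /24s the summary route matches even though they are not Data Center networks, since traffic for those is forwarded to the MPLS next hop as well.

```python
import ipaddress

# Data Center subnets as listed in section 3.1.1 of this lab (assumed to be
# the three networks the 2.1.2 static route must summarize). IPv4 only.
DC_SUBNETS = ["10.0.250.0/24", "10.0.251.0/24", "10.0.252.0/24"]


def summarize(cidrs):
    """Return the smallest single IPv4 network containing every input network."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Bits that differ between the lowest and highest address cannot belong
    # to the shared prefix; every bit above the highest differing one can.
    host_bits = (lo ^ hi).bit_length()
    prefix = 32 - host_bits
    base = (lo >> host_bits) << host_bits  # zero out the non-shared bits
    return ipaddress.ip_network((base, prefix))


def over_coverage(summary, cidrs, new_prefix=24):
    """List subnets the summary route matches that were not in the input."""
    wanted = {ipaddress.ip_network(c) for c in cidrs}
    return [s for s in summary.subnets(new_prefix=new_prefix) if s not in wanted]


if __name__ == "__main__":
    route = summarize(DC_SUBNETS)
    print("summary route:", route, "mask", route.netmask)
    for extra in over_coverage(route, DC_SUBNETS):
        print("also sent to the MPLS next hop:", extra)
```

Before saving a summary route, confirm that none of the extra prefixes it matches are in use elsewhere in the network, for example behind another site or over the VPN.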
2.1.3 MPLS to VPN failover (10 minutes)
- Without modifying the previous routing to the MPLS network, prepare a new AutoVPN configuration to enable MPLS to fail over:
  - Navigate to Security Appliance -> Configure -> AutoVPN
  - Select “Topology” option as “Spoke”
  - Choose Data Center 1 as the primary hub and Data Center 2 as the Secondary hub
    - Hint: If DC1 is not listed as primary, drag its name to position #1 using your mouse
  - Select VLANs Corp and Voice to be published to the VPN
- Let the instructor know that you have completed the previous configurations, so he can shut down the MPLS link to your MX.
- Wait for the rest of your classmates to complete the configurations
- Perform the previous ping and traceroute tests
- Does the MX reach all destination hosts?
- What is the path used to reach 10.0.250.23?
LAB 3 | Distributed Enterprise
Nightingale Medical Associates has been using their Meraki network for an entire year now. Their Cloud Managed Network has helped them roll out electronic medical records, ensure HIPAA compliance, and accommodate the demand for guest Internet. To keep up with the growing number of doctors’ offices joining the group and to increase the level of performance and reliability required by a growing distributed network, they will need to add centralized Data Center services, increase redundancy, and ensure that their business-critical applications always prefer the best-performing WAN path.
3.1.1 Data Center Redundancy (20 minutes)
- Use the previously created Hub-and-Spoke topology, where:
  - Your site is the spoke and has both “Data Center 1” and “Data Center 2” as hubs.
  - This time, prioritize “Data Center 2”
- Configure a full tunnel VPN by configuring both hubs with a default route
- Verify that you can still ping each other’s lab MX LAN IPs just as you did earlier with the full mesh configuration
- Verify connectivity to all 3 Data Center subnets. Hint: use the MX ping tool and check the Route Table on your MX
  - 10.0.250.0/24 (Shared)
  - 10.0.251.0/24 (DC1)
  - 10.0.252.0/24 (DC2)
- Let the instructor know that you have reached this point and ask them to initiate a failure at Data Center 2 by disabling its uplink
- Verify that Data Center 2 is unreachable by pinging the default gateway of its unique subnet (10.0.252.1)
- Verify that the DC shared subnet is still reachable by pinging its default gateway (10.0.250.1)
- Verify connectivity to your neighbors despite the data center failure by pinging their MX
- Again, navigate to the ISP Switches network -> Switches -> WAN1 switch and check the routing table. Did the next hop for your corporate route change?
3.1.2 SD-WAN (iWAN) (60 minutes)
- Navigate to Security appliance > Configure > Traffic shaping
- Configure uplink bandwidths: WAN 1 = 10Mb, WAN 2 = 5Mb
- Enable load balancing
- Configure a flow preference for “Guest” internet traffic to prefer WAN2
- Create a custom performance class named “Acceptable Delay” with a setting of 250ms of latency
- Under VPN traffic, configure the following rules:
  - Any traffic destined to 8.8.8.8/32 should prefer WAN 2 unless performance is worse than “Acceptable Delay”
  - Any traffic from the “Corp” subnet should load balance on uplinks that meet “Acceptable Delay”
  - Any traffic from the “Voice” subnet should use the best uplink for VoIP
- Verify path selection by initiating a ping
...