
Cisco Meraki MX84 Security Appliance Installation

Document version 1.0
Prepared by Mohammed Nurhussien
March 2022
1. About the Document

1.1 Purpose of the Document


The purpose of this project and document is to build a secured network infrastructure for MSI that provides the foundation for enterprise services such as EHR, finance, HR, stock and inventory management, fixed asset management and Internet service. This network design will provide a complete IP network solution for MSIE. The services are hosted in the server room and can be accessed from each branch site. Access switches will be placed in the respective buildings and floors, and they will connect to the resources in the data centre (DC).

1.2 Purpose of the Document


The purpose of this document is to provide the client with a detailed design document for the network that will be implemented; it may be used as a project-finalizing document. It can also be used as a reference document for network maintenance, troubleshooting and network expansion.

1.3 Intended Audience

The intended audience of this document is:


• Consultants
• Network Administrators
• ICT Teams

1.4 Scope
The scope covers documenting the Local Area Network (LAN), the Wide Area Network (WAN) and the Virtual Private Network (VPN) infrastructures of MSIE, including the associated access, services and configurations.

1.5 Overview
The network is based on technology from Cisco Systems. It comprises a highly secure LAN and a VPN-enabled WAN, with a fully Gigabit switched network within the SO main data center, the branch offices and the LSO.
1.6 Assumptions and Caveats
It is assumed that the information supplied is correct.
1.7 Related Documents
• Cisco documentation
• Actual device configurations
2. Meraki MX84 Implementations Overview

2.1. Implementation Overview


MSIE's entire IT system is a highly secured environment. Starting with physical security, MSIE's data centers at both the SO and SRH branch sites implement secure access to network devices and servers, and all access switches have been secured with locks to prevent intruders from reaching their internal components. Secure access to client and server computers is provided through a Microsoft AD server. Each switch port facing a client PC or server has also been hard-coded as an access port for its respective VLAN. The Cisco Meraki MX84 Security Appliance provides security at OSI layers 3 to 7, including: intrusion detection/prevention, layer 3 and layer 7 firewall, site-to-site VPN, client VPN endpoint, identity-based policies, IPS protection, firewall traffic shaping, HTTP content filtering and Advanced Malware Protection, in addition to VLAN routing and DHCP support.

MSIE deploys the Meraki MX84 as a layer of security in addition to the campus-wide antivirus. The Meraki MX84 appliance has been configured to operate as a stateful firewall, DHCP server, wireless concentrator, VPN concentrator and default gateway towards the Cisco 1941 edge router for Internet access.

Network Topology
2.2 IP Addressing & VLANs Configuration

IP Addressing
VLAN
A VLAN is a group of end stations with a common set of requirements, independent of
physical location. VLANs have the same attributes as a physical LAN but allow you to group
end stations even if they are not located physically on the same LAN segment.
VLANs allow you to group LAN interfaces to limit unicast, multicast, and broadcast traffic
flooding. Flooded traffic originating from a particular VLAN is only flooded out other LAN
interfaces belonging to that VLAN.
VLANs are often associated with IP subnets. For example, all the end stations in a particular
IP subnet belong to the same VLAN. Traffic between VLANs must be routed. LAN interface
VLAN membership is assigned manually on an interface-by-interface basis. When you assign
LAN interfaces to VLANs using this method, it is known as interface-based, or static, VLAN
membership.

VLAN Schema
VLAN IDs could be assigned arbitrarily, but to keep the assignment simple and meaningful the following VLAN schema will be used for the MSIE network.

VLAN Name          VLAN ID   Port Mapping
Management-VLAN    1         3
Internal           10        10
Printer            15
Guest              20
Server-Farm-VLAN   32

Configure Virtual LANs

The VLANs listed in the table above will be created on the Meraki MX84, the access switches and the distribution switch. On a switch, for example:

switch(config)# vlan 10
switch(config-vlan)# name Internal
IP Routing
IP Forwarding

IP forwarding, or IP routing, is the process of receiving an IP packet, deciding where to send it next, and then forwarding it. The forwarding process needs to be relatively simple, or at least streamlined, for a router to forward large volumes of packets.

Inter-VLAN routing
Inter-VLAN routing provides IP connectivity between the VLANs and their IP subnets. A Switched Virtual Interface (SVI) will be created for each VLAN to act as the default gateway for that VLAN. The MX84 is configured in Routed mode to act as the layer 3 gateway between the subnets. Client traffic to the Internet is translated (NATed) so that its source IP becomes the uplink IP of the security appliance. Network Address Translation (NAT) allows multiple hosts that do not have a valid registered public IP address to communicate with other hosts on the Internet. In this design the inside IP subnets are translated to the outside interface of the firewall for Internet connectivity.

IPv4 Addressing

The private IP address space 192.168.0.0/16 is used throughout the MSIE network. The addressing standard is that the first and second octets are the same, 192.168, for all campuses, and the third octet represents the VLAN number at the access layer and at the campus backbone. In the fourth octet the first valid host number, 1, is always assigned to the firewall as the default gateway of the access VLANs and as the layer 3 SVI address for the backbone connectivity. The range 1 to 10 is always reserved for statically addressed devices such as printers and for future use, while the rest is assigned dynamically to client workstations.

MSI Internal IPv4 Addressing

No.  VLAN ID  Default Gateway  Reserved for Switches, Printers and Servers     Workstations                    Subnet Mask
1    1        192.168.0.1      192.168.0.1 -                                                                   255.255.255.0
2    10       192.168.10.1     192.168.10.1 - 192.168.10.10,                   192.168.0.11 - 192.168.0.229    255.255.255.0
                               192.168.10.230 - 192.168.10.254
3    15       192.168.15.1     192.168.15.1                                    192.168.15.2 - 192.168.15.254   255.255.255.0
4    20       192.168.20.1     192.168.20.1                                    192.168.20.2 - 192.168.20.254   255.255.255.0
5    32       192.168.0.1      192.168.0.1                                     192.168.0.2 - 192.168.0.254     255.255.255.0
6    -        Uplink to Cisco 1941 router, a gateway to Ethio-Telecom: 213.55.76.161, 213.55.76.162            255.255.255.0

DHCP

DHCP is widely used in LAN environments to dynamically assign host IP addresses from a centralized server, which significantly reduces the administrative overhead of managing IP addresses. DHCP also helps conserve the limited IP address space, because addresses no longer need to be permanently assigned to hosts; only hosts that are connected to the network consume IP addresses.
The DHCP server assigns IP addresses to DHCP clients from address pools specified on a switch or router and manages them. If the DHCP server cannot give the client the requested configuration parameters from its database, it forwards the request to one or more secondary DHCP servers defined by the network administrator.
The MX84 will be used as the DHCP server and will provide dynamic IP addresses to client PCs. It will be configured to provide the appropriate addresses for each VLAN. A DHCP pool for one VLAN, VLAN 10 (Internal), will be created under that VLAN name.
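As an added example that is not part of the original document or of Meraki's own tooling, the following Python script encodes the addressing rules stated in the IPv4 addressing section (third octet carries the VLAN number, host .1 is the gateway, static addresses sit in reserved ranges), checks each row of the IPv4 addressing table against them, and computes the dynamic range that a DHCP pool for each VLAN is left with once the reserved addresses are excluded. The rows in PLAN are transcribed from the table; VLAN 1's reserved range is truncated in the table, so it is assumed here to be just the gateway. Run as printed, the checks report that the VLAN 10 workstation range as listed (192.168.0.11 - 192.168.0.229) lies outside 192.168.10.0/24 and that the VLAN 1 and VLAN 32 rows share 192.168.0.0/24; standard library only.

```python
"""Consistency checks for a per-VLAN IPv4 plan (added example, not from the document)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Tuple[str, str]  # inclusive first and last address


@dataclass
class VlanPlan:
    vlan_id: int
    name: str
    gateway: str
    reserved: List[Range]          # switches, printers, servers (static addresses)
    workstations: Optional[Range]  # DHCP range as listed; None = no clients
    mask: str = "255.255.255.0"


# Transcribed from the "MSI Internal IPv4 Addressing" table above.
PLAN = [
    # Assumption: the truncated reserved range of VLAN 1 is just the gateway.
    VlanPlan(1, "Management-VLAN", "192.168.0.1", [("192.168.0.1", "192.168.0.1")], None),
    VlanPlan(10, "Internal", "192.168.10.1",
             [("192.168.10.1", "192.168.10.10"), ("192.168.10.230", "192.168.10.254")],
             ("192.168.0.11", "192.168.0.229")),   # workstation range exactly as printed
    VlanPlan(15, "Printer", "192.168.15.1", [("192.168.15.1", "192.168.15.1")],
             ("192.168.15.2", "192.168.15.254")),
    VlanPlan(20, "Guest", "192.168.20.1", [("192.168.20.1", "192.168.20.1")],
             ("192.168.20.2", "192.168.20.254")),
    VlanPlan(32, "Server-Farm-VLAN", "192.168.0.1", [("192.168.0.1", "192.168.0.1")],
             ("192.168.0.2", "192.168.0.254")),
]


def subnet(plan: VlanPlan) -> ipaddress.IPv4Network:
    """The network the gateway address belongs to (a /24 with the document's mask)."""
    return ipaddress.ip_network(f"{plan.gateway}/{plan.mask}", strict=False)


def _addresses(r: Range):
    first, last = int(ipaddress.ip_address(r[0])), int(ipaddress.ip_address(r[1]))
    return {ipaddress.ip_address(i) for i in range(first, last + 1)}


def dhcp_pool(plan: VlanPlan) -> List[Range]:
    """Dynamic range(s): every host of the subnet except the gateway and the
    reserved addresses, merged into contiguous inclusive ranges."""
    excluded = {ipaddress.ip_address(plan.gateway)}
    for r in plan.reserved:
        excluded |= _addresses(r)
    ranges: List[Range] = []
    for host in subnet(plan).hosts():
        if host in excluded:
            continue
        if ranges and int(host) == int(ipaddress.ip_address(ranges[-1][1])) + 1:
            ranges[-1] = (ranges[-1][0], str(host))   # extend the current run
        else:
            ranges.append((str(host), str(host)))      # start a new run
    return ranges


def check_plan(plans: List[VlanPlan]) -> List[str]:
    """Return findings as text; an empty list means the plan is self-consistent."""
    findings: List[str] = []
    for p in plans:
        net = subnet(p)
        tag = f"VLAN {p.vlan_id} ({p.name})"
        # Addressing standard: the third octet carries the VLAN number.
        if int(str(net.network_address).split(".")[2]) != p.vlan_id:
            findings.append(f"{tag}: subnet {net} does not carry the VLAN number in its third octet")
        # Addressing standard: host .1 is the gateway.
        if ipaddress.ip_address(p.gateway) != net.network_address + 1:
            findings.append(f"{tag}: gateway {p.gateway} is not the first host of {net}")
        # Reserved and workstation ranges must lie inside the VLAN's own subnet.
        labelled = [("reserved", r) for r in p.reserved]
        if p.workstations:
            labelled.append(("workstation", p.workstations))
        for label, r in labelled:
            if any(ipaddress.ip_address(a) not in net for a in r):
                findings.append(f"{tag}: {label} range {r[0]}-{r[1]} is outside {net}")
            elif label == "workstation" and [r] != dhcp_pool(p):
                findings.append(f"{tag}: listed workstation range {r[0]}-{r[1]} differs from "
                                f"the free space {dhcp_pool(p)}")
    # Two VLANs on the same subnet cannot be routed between by one gateway.
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            if subnet(a).overlaps(subnet(b)):
                findings.append(f"VLAN {a.vlan_id} and VLAN {b.vlan_id} both use {subnet(a)}")
    return findings


if __name__ == "__main__":
    for p in PLAN:
        print(f"VLAN {p.vlan_id:>2} DHCP range(s): {dhcp_pool(p)}")
    for f in check_plan(PLAN):
        print("finding:", f)
```

Running the script also prints the VLAN 10 pool as 192.168.10.11 - 192.168.10.229, which is the dynamic range the VLAN 10 (Internal) DHCP pool on the MX84 hands out once the two reserved blocks are excluded.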

3. Virtual Private Network (VPN)

A Virtual Private Network (VPN) is a standard defined by the IETF (Internet Engineering Task Force) that provides data confidentiality, authentication and integrity for IP traffic at the network layer of the OSI (Open System Interconnection) model. VPNs (both site-to-site and client) will be set up among the LSO, SO and branches using the Meraki MX and Z series firewalls.

Meraki Auto VPN technology is a unique solution that allows site-to-site VPN tunnels to be created with a single mouse click. When enabled through the Dashboard, each participating MX-Z device automatically creates a mesh site-to-site VPN. Auto VPN is enabled, and a set of IPsec policies is configured for the phase 1 and phase 2 negotiations between the sites.

The client VPN service uses the L2TP tunneling protocol and can be deployed without any additional software on PCs, Macs, iOS devices and Android devices, since all of these operating systems natively support L2TP VPN connections.
4. Device Configuration
WAN (Internet) interface Configuration

Addressing & VLANs


Deployment Settings
Routing
DHCP
Firewall
Site-to-site VPN
Client VPN
Wireless Configuration overview
