
DOCUMENT CONTROL

Title: Policy and Procedure Manual Basic Network Configuration
Issue: Issue 1
Date: 23 September 2016
Author: Alexander Vitadi
Distribution: ITHelp Archipelago International
Reference:
Filename:
Control: Reissue as complete document only

DOCUMENT SIGNOFF

Nature of Signoff | Person | Signature | Date | Role
Authors | Alexander Vitadi | | | Corporate IT
Reviewers | | | |

DOCUMENT CHANGE RECORD

Date | Version | Author | Change Details
11/9/2016 | 1.1 | Alex V | Device Naming Convention
11/5/2018 | 1.2 | Alex V | Update configuration related with newest feature from Meraki

1. Subject

2. Purpose

3. Procedures
3.1. Cisco Meraki Network Standard Configuration
3.1.1. Network-wide
3.1.1.1. General
3.1.1.1.1. Traffic Analysis
3.1.1.1.2. Device configuration
3.1.1.1.3. Firmware upgrades
3.1.1.2. Alert & Administration
3.1.1.2.1. Client Monitoring
3.1.1.3. Group Policies
3.1.1.4. Sentry Policies
3.2. Security Appliance
3.2.1. Appliance Status
3.2.2. Addressing & VLANs :
3.3. Bandwidth Management
3.3.1. Traffic Shaping
Speedburst
Web cache content
Firewall
Layer 3
Layer 7
Daily Task list :

Appendix
Tags
Network Device Naming Convention :
Firmware Update
Factors Affecting the Throughput Test
1. Subject
Cisco Meraki Devices Policy ( MX, MS, MR )

2. Purpose
This guidance applies as the basic network standard configuration for Archipelago's hotels, so that each hotel network can be managed and monitored effectively.

3. Procedures
Physical Network and panel
● Data network structure should be: Security Appliance --> Core Switch --> Distribution Switch --> Client / Access Point --> Wireless Client (Insert picture)
● Switch cascading: maximum 3 levels.
● Electrical supply: the UPS must provide at least 15 minutes of backup power. On average a UPS has a power ratio of 60%, which means a UPS with 1500VA capacity will be able to back up at most 1500VA x 60% = 900 Watt of electronic devices. Some UPS units have a 90% power ratio; check the specifications.
● The electrical panel must be separated from other installations.
● Working environment: make sure the panel room temperature stays between 20-24 degrees Celsius, with good air circulation and a proper rack (able to release heat).
● Free from dust and direct sunlight.
● Implement VLANs.

3.1. Cisco Meraki Network Standard Configuration

3.1.1. Network-wide

3.1.1.1. General
Network Name;
Network Notes (can be used for search in the dashboard);
Local time zone (use UTC +7/8/9)

3.1.1.1.1. Traffic Analysis


Detailed: collect destination hostnames;
Custom pie chart: VHP Server, defined by its IP address
3.1.1.1.2. Device configuration
Local device status pages: enable;
Remote device status: disable;
Local credential: username admin, password ...;
Default block message: " ";
AP LED lights: depends on the AP location. If the AP is inside a room and the light is considered a distraction, turn it off;
Clients wired directly to Meraki APs: "have no access";
IPv6 bridging

3.1.1.1.3. Firmware upgrades


Try beta firmware: "No";
Set the upgrade window to "Tuesday, 1am" or choose it according to your hotel's occupancy. Then check each device's firmware.
Make sure your firmware is always updated to the latest stable version.

Status & API: Disabled

3.1.1.2. Alert & Administration


Alerts will be set by Corporate IT. Additional network admins must also be acknowledged by Corporate IT.
Email alerts:
Send alerts via email to: [IT Leader email account]

Network-wide alerts (based on Aston Banyuwangi):

Security appliance alerts :
☑ The appliance goes offline for more than 10 minutes
☑ The primary uplink status changes
☑ Any DHCP lease pool is exhausted
☑ An IP conflict is detected
☐ Cellular connection state changes
☑ A rogue DHCP server is detected
☐ A warm spare failover occurs
☑ Monitored clients connect or disconnect from the LAN (list of the client: ie
interfaces)

Switch Alerts :
A switch goes offline for more than 10 minutes
Any switch port detects a cable error
Any switch port changes link speed
A new DHCP server is seen on the network

Wireless Alerts :
A gateway goes offline for more than 10 minutes
A repeater goes offline for more than 10 minutes
A gateway becomes a repeater

Other Alerts :
Rogue APs are detected
Configuration settings are changed

3.1.1.2.1. Client Monitoring


List the clients to be monitored, i.e. interfaces or other system devices, PBX, etc.

3.1.1.3. Group Policies


Create a group policy for each section.
Naming convention: [Section]-[purposes]
i.e.: BOH-General; BOH-SosMed; Guest-Abuser

3.2. Security Appliance

3.2.1. Appliance Status


Update the Notes section with this content:
(first line)
[WAN 1 ISP name] // [IP Public] // [ISP DNS1] & [ISP DNS2] & [ISP DNS3] // [Type of connection] // [Bandwidth Capacity]
(second line)
[WAN 2 ISP name] // [IP Public] // [ISP DNS1] & [ISP DNS2] & [ISP DNS3] // [Type of connection] // [Bandwidth Capacity]
(third line)
[VHP server DNS] // [VHP Server IP]
(fourth line)
#[Rooms]
(fifth line)
[ISP1 Contact Support]
[ISP2 Contact Support]
I.e.:
Telkom // 32.11.23.121 // 202.125.1.10 & 203.121.25.9 // Upto // 100 Mbps
Indosat // 65.25.32.22 // 203.22.124.9 & 203.22.124.10 // Dedicated // 2 Mbps
MadiunVHPServerMaster.astonhotels.com // 54.169.157.31
#101
Telkom, 021-4523678, 081234567890 (Tech Support)
Indosat, 021-3234523, 08562324349 (AM)

Ensure that you have made a list of emergency contacts (IT-related vendors) and placed it at the operator's desk.

Network Tags: name them according to your hotel brand, [Aston/Harper/Fave/Neo/Quest/Alana/Kamuela] and City.
Address: the hotel's coordinates based on maps.google.com

3.2.2. Addressing & VLANs :


Set the network wide mode to Network Address Translation (NAT) and Client tracking by
MAC Address.

Below are basic VLAN & DHCP configurations:

VLAN 1 (Name: Device Mgmt)
  Function: device management (router, switch, access point)
  IP range: 192.168.1.0/24
  Gateway / MX IP: 192.168.1.1
  Lease time: 1 week
  Reserved IP range: [Servers] 192.168.1.2-10; [Network device distribution] 192.168.1.11-150
  DNS: proxy to upstream DNS
  NTP: yes

VLAN 100 (Name: Office)
  Function: back of the house network devices (PC, notebook, printer)
  IP range: 10.1.xxx.0/24
  Gateway / MX IP: 10.1.xxx.1
  Lease time: 1 week
  Reserved IP range: [Servers] 10.1.xxx.2-10; [Printers] 10.1.xxx.11-30
  DNS: CloudDC, Google DNS, ISP DNS
  NTP: yes

VLAN 200 (Name: Guest)
  Function: guest wireless clients
  IP range: 172.16.0.0/24, or adjusted to the estimated number of client connections in a 4-hour period
  Gateway / MX IP: 172.16.0.1
  Lease time: 4 hours
  Reserved IP range: -
  DNS: proxy to upstream DNS
  NTP: no

VLAN ... (Name: ...)
  Function: specific event, default
  IP range: Class C
  Gateway / MX IP: x.x.x.1
  Lease time: -
  Reserved IP range: -
  DNS: proxy to upstream DNS
  NTP: no

Firewall
No specific firewall rules are declared here; base them on your hotel's requirements.
- Deny connections to the Cloud server from any VLAN other than the BOH VLAN
- Isolate the Guest VLAN from the other VLANs
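Both intents above depend on rule order, because Layer 3 firewall rules are evaluated top-down and the first match wins. The Python below is an added example written for this manual, not Meraki's own code or an API client: it models rules with fields that loosely mirror the dashboard's L3 rule fields (comment, policy, protocol, source, destination), probes them with one sample host per VLAN from the table above, and also counts the dynamic DHCP leases left in a pool once the gateway and the reserved ranges are removed. The subnet 10.1.5.0/24 (standing in for 10.1.xxx.0/24), the sample hosts and the cloud PMS server address 192.0.2.10 are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample values following the VLAN table in 3.2.2. The "xxx" in
# 10.1.xxx.0/24 is filled in as 5 only for this example, and the cloud PMS
# server address is a documentation placeholder (192.0.2.10), not a real host.
VLAN_MGMT = "192.168.1.0/24"    # VLAN 1   Device Mgmt
VLAN_BOH = "10.1.5.0/24"        # VLAN 100 Office (back of house)
VLAN_GUEST = "172.16.0.0/24"    # VLAN 200 Guest
CLOUD_PMS = "192.0.2.10/32"     # placeholder cloud PMS server


def net(*cidrs: str) -> Tuple[ipaddress.IPv4Network, ...]:
    """Parse CIDR strings; an empty tuple is used below to mean 'any'."""
    return tuple(ipaddress.ip_network(c) for c in cidrs)


@dataclass(frozen=True)
class Rule:
    comment: str
    policy: str                              # "allow" or "deny"
    protocol: str                            # "any", "tcp", "udp" or "icmp"
    src: Tuple[ipaddress.IPv4Network, ...]   # empty means any source
    dst: Tuple[ipaddress.IPv4Network, ...]   # empty means any destination
    dst_port: Optional[int] = None           # None means any port


# The two intents from the Firewall paragraph, written as ordered rules.
RULES = [
    Rule("BOH may reach the cloud PMS server", "allow", "any", net(VLAN_BOH), net(CLOUD_PMS)),
    Rule("Nobody else may reach the cloud PMS server", "deny", "any", (), net(CLOUD_PMS)),
    Rule("Guest VLAN cannot reach internal VLANs", "deny", "any", net(VLAN_GUEST), net(VLAN_MGMT, VLAN_BOH)),
    Rule("Internal VLANs cannot reach the guest VLAN", "deny", "any", net(VLAN_MGMT, VLAN_BOH), net(VLAN_GUEST)),
]


def _matches(rule: Rule, src_ip, dst_ip, proto: str, dst_port: int) -> bool:
    """True when every field of the rule accepts this flow."""
    if rule.protocol != "any" and rule.protocol != proto:
        return False
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    if rule.src and not any(src_ip in n for n in rule.src):
        return False
    if rule.dst and not any(dst_ip in n for n in rule.dst):
        return False
    return True


def evaluate(rules, src: str, dst: str, proto: str = "tcp", dst_port: int = 443, default: str = "deny"):
    """First matching rule wins. When nothing matches, the section's
    'default should be deny' applies unless the caller overrides it."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, src_ip, dst_ip, proto, dst_port):
            return rule.policy, rule.comment
    return default, "implicit default"


def check_intents(rules) -> dict:
    """Probe the rule set with one constructed host per VLAN and report
    whether each intent from the Firewall paragraph holds."""
    boh, guest, mgmt, pms = "10.1.5.20", "172.16.0.77", "192.168.1.1", "192.0.2.10"
    return {
        "boh_reaches_pms": evaluate(rules, boh, pms)[0] == "allow",
        "guest_blocked_from_pms": evaluate(rules, guest, pms)[0] == "deny",
        "guest_isolated": all(evaluate(rules, a, b)[0] == "deny"
                              for a, b in ((guest, boh), (guest, mgmt), (boh, guest), (mgmt, guest))),
        "mgmt_to_boh_defaults_to_deny": evaluate(rules, mgmt, boh)[0] == "deny",
    }


def dhcp_pool_size(cidr: str, reserved: Tuple[Tuple[str, str], ...]) -> int:
    """Dynamic leases left in a pool: all hosts minus the gateway (.1 in the
    table) minus the reserved ranges, which are inclusive on both ends."""
    network = ipaddress.ip_network(cidr)
    hosts = set(network.hosts())
    hosts.discard(network.network_address + 1)          # gateway / MX IP
    for first, last in reserved:
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        hosts.difference_update(ipaddress.ip_address(i) for i in range(lo, hi + 1))
    return len(hosts)


if __name__ == "__main__":
    print(check_intents(RULES))
    # Swapping the first two rules silently breaks BOH access: order matters.
    print(check_intents([RULES[1], RULES[0]] + RULES[2:]))
    print(dhcp_pool_size(VLAN_MGMT, (("192.168.1.2", "192.168.1.10"), ("192.168.1.11", "192.168.1.150"))))
```

Swapping the first two rules is enough to lock the BOH VLAN out of the PMS server while every other check still passes, which is why the probe should be re-run whenever a rule is reordered. For VLAN 1 the reserved ranges leave only 104 dynamic leases out of the /24, a figure worth comparing with the number of managed devices before the pool is declared adequate.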

3.3. Bandwidth Management


Bandwidth management is the process of measuring and controlling the communications (traffic, packets) on a network link, to avoid filling the link to capacity or overfilling it, which would result in network congestion and poor network performance.

There are several aspects we need to take care of:

Traffic Shaping
Scheduling algorithms
Congestion avoidance
Bandwidth reservation algorithms
Traffic classification
In Meraki we do all of this on one page only, the "Traffic Shaping" page :)

These configurations should be at the top of the hierarchy, i.e. the general network-based policy.

(Picture of the rule applied at the general level and in subordinate networks)

3.3.1. Traffic Shaping


You need to configure the uplink configuration based on the hotel's actual bandwidth capacity. This configuration affects the MX load balancing process. Ensure the downlink and uplink capacities are set up correctly.

By default WAN1 will be the primary uplink. Choose the WAN with the biggest capacity as the primary uplink.
When load balancing is enabled, traffic flows will be distributed between the two uplinks. The load distribution is based on the WAN 1 and WAN 2 throughput configured under Uplink configuration above, such that the uplink with more throughput will receive more flows.

Uplink Configuration: must be correctly defined in detail, i.e.: …..
Load Balancing: Enabled, if you have a 4:1 ratio between WAN1 and WAN2.
Flow Preferences: set preferences for the Cloud server connection to the ISP with the best latency and route.
VPN traffic: only required if "custom performance classes" were set.
Uplink Statistics: you may add the Cloud Server IP address to measure ISP connection quality.
Global Bandwidth Limits: a global bandwidth limit applies not only to outbound traffic, but to all routed traffic on an MX security appliance or MR access point. Create a custom traffic shaping rule for VLAN traffic to exclude these VLANs (Network Distribution Devices) from the bandwidth limitation rule. Related rules: Per-SSID Bandwidth limit (MR). Unlike a per-client bandwidth limit, this limit cannot be bypassed with a traffic shaping rule or group policy.

Speedburst
To provide a better user experience when using bandwidth shaping, you may enable SpeedBurst using the checkbox in the Bandwidth Limits section on the Access Control page. A user is allowed up to four times their allotted bandwidth limit for a period of up to five seconds.

For testing or troubleshooting client speed you can use JPerf or iPerf (https://code.google.com/archive/p/xjperf/downloads).
JPerf is a very useful and trustworthy tool to measure throughput and jitter between two devices in your LAN or WAN. Using JPerf gives you an unbiased measurement of your LAN and WLAN throughput with no delays added by uncontrollable variables.

You should create shaping policies to apply per-user controls on a per-application basis. This allows the throttling of recreational applications such as peer-to-peer file sharing programs and the prioritization of enterprise applications such as email apps, ensuring that business-critical application performance is not compromised.

Traffic Shaping / Priority
1. PMS Cloud Server
2. E-mail
3. Audio/Video conference
4. ...

Web cache content


This should be disabled.

Firewall

Layer 3
default should be deny for all traffic. You may add exception rule if you need to open
communication between VLAN.

Layer 7
Content Filtering (if that feature is available)
Proxies
Adult & Pornography

Specific policy will be defined based on group policy. And applied based on its requirements.
I.e. VLAN, group of client, clients, devices.

Topics to be prepared:

Switch:
Device naming conventions, DHCP server restrictions, Routing and DHCP, Layer 3 related rules, IPv4 Access Control List, Access Policies, Client restrictions, Port Schedules, Switch Settings (VLAN mgmt, MTU size, QoS, STP, Port mirroring).

Wireless network:
SSID, Firewall, Traffic Shaping, SSID Availability, Radio Settings, Device naming conventions, Floor Plan, Optimizing tools: Air Marshal, Heatmap, PCI Report, RF Spectrum, Location Analytics.

Daily Task list :


Check network status:
● Internet connection: WAN1 & WAN2. Latency, traceroute, throughput, uptime. If it is necessary to test the actual throughput capacity of an Internet/WAN link, testing can be performed from a client on the LAN to speed test services such as SpeedOf.me or Speedtest.net. When doing these tests, the client should be as close as possible to the Internet link (such as directly connected to an MX LAN port) and other traffic on the link should be minimized (such as other client or VPN traffic). Testing from a wireless client when 50 other clients are also active on the LAN will not yield accurate results.
● Device status (overview of network topology)
● LAN infrastructure quality status

Troubleshooting:
● Follow up on any issues found during the checks above.

Appendix

Tags
Tags (a minimum naming standard for tags needs to be defined to make configurations easier to identify), e.g. mandatory tags from corporate: AI-BOH, AI-Staff, (Department Tags) AI-FrontOffice, AI-Accounting … anything else is an additional tag created for the hotel's internal use. → This makes implementing rules in the network easier.
Network Device Naming Convention:
All the network devices should be named following this syntax:
<Floor location>-<Function>-<Detail Location>

Floor Location is 3 characters of information. For a device located on the 1st floor use: F01
Function is a description of the device's functionality: Public, Office, Room, Pool, Lounge, Lobby, Resto, Function.
Detail Location could be the room number, the name of a meeting room, or Distribution or Core Switch
i.e.:
● For an AP: F03-Room-103; which means the AP is on the 3rd Floor, is a Room AP and the room number is 103.
Or FB1-Public-BOH; which means the AP is on Basement 1, is a Public AP and it is inside the BOH.
● For a Switch: F05-Panel-Distribution#2; which means it is a switch located on the 5th Floor inside the Panel Room, and it is Distribution Switch number 2.
Or FLB-Control-Core; which means it is a switch located in the Lobby inside the Control room, and it is a Core Switch.
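A small validator keeps the dashboard inventory consistent with this convention. The Python below is an added example, not part of the manual or of Meraki: it splits a name into its three parts, expands the floor code into words, and lists the names in a constructed inventory that do not follow the syntax. The floor-code pattern (F plus two digits, FB plus a basement digit, or FLB for the lobby) is inferred from the examples above and is an assumption of the example, as is accepting any alphabetic word in the Function position, since the switch examples use Panel and Control, which are not in the list of functions.

```python
import re
from typing import Dict, List, Optional

# Floor codes inferred from the examples in this appendix (assumption of the
# example, not a rule stated by the manual): F01..F99 for numbered floors,
# FB<digit> for basements, FLB for the lobby.
_FLOOR = re.compile(r"^F(?:(?P<floor>\d{2})|B(?P<basement>\d)|(?P<lobby>LB))$")

# <Floor location>-<Function>-<Detail Location>; the detail may carry '#'
# as in Distribution#2. Any alphabetic word is accepted as the function.
_NAME = re.compile(r"^(?P<floor>[A-Z0-9]{3})-(?P<function>[A-Za-z]+)-(?P<detail>[A-Za-z0-9#]+)$")

# Constructed inventory: the manual's four examples plus two names that break
# the convention (no floor code, floor code in the wrong order).
INVENTORY = [
    "F03-Room-103",
    "FB1-Public-BOH",
    "F05-Panel-Distribution#2",
    "FLB-Control-Core",
    "AP-Lobby-1",
    "3F-Room-103",
]


def _ordinal(n: int) -> str:
    """1 -> 1st, 2 -> 2nd, 3 -> 3rd, 11 -> 11th, 21 -> 21st."""
    if 10 <= n % 100 <= 20:
        return f"{n}th"
    return f"{n}{ {1: 'st', 2: 'nd', 3: 'rd'}.get(n % 10, 'th') }"


def describe_floor(code: str) -> Optional[str]:
    """Expand a floor code into words, or None if it is not a valid code."""
    m = _FLOOR.match(code)
    if not m:
        return None
    if m.group("floor"):
        return f"{_ordinal(int(m.group('floor')))} Floor"
    if m.group("basement"):
        return f"Basement {m.group('basement')}"
    return "Lobby"


def parse_device_name(name: str) -> Optional[Dict[str, str]]:
    """Split a device name into its three parts; None when it does not conform."""
    m = _NAME.match(name)
    if not m:
        return None
    floor = describe_floor(m.group("floor"))
    if floor is None:
        return None
    return {
        "floor_code": m.group("floor"),
        "floor": floor,
        "function": m.group("function"),
        "detail": m.group("detail"),
    }


def audit_names(names: List[str]) -> List[str]:
    """Return the names that do not follow the convention, in input order."""
    return [n for n in names if parse_device_name(n) is None]


if __name__ == "__main__":
    for device in INVENTORY:
        print(device, "->", parse_device_name(device))
    print("Non-conforming:", audit_names(INVENTORY))
```

Running the audit against a dashboard export before a site handover catches names that were typed free-form, which matters because alerts such as "a switch goes offline" are only actionable when the name says where the device physically is.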

Firmware Update
Firmware update should be set to automatic. And set the window update time between 3-6 AM
Tuesday.

Factors Affecting the Throughput Test


A number of factors could affect the result of the throughput test, including:
● Bandwidth allotment from the ISP (limitations of the WAN connection)
● Upstream devices on the LAN
● Latency due to high traffic or network congestion
● Latency due to physical distance to reach Dashboard
● Traffic by other users traversing the WAN connection (VPN operations as well as
general traffic)
● Operations affecting the processor speed of the device itself (content filtering, malware
detection and IDS)
● Load on Dashboard (Cisco Meraki Cloud Controller) at the time
● Overhead resulting from packet encapsulation and framing
