Port ACL / MAC filter

Solved
Davidc2478
Here to help

Hello all, please forgive me if this is a stupid question. I'm still learning my way around. I did some searching but still feel like I don't understand. I was tasked with configuring a Meraki MX68W. 2 users will connect directly to ports, 3 users will connect wirelessly.

I would like to lock down physical ports only to MACs that I allow. If Joe Schmo tries to plug in, he will get blocked. Is this a firewall setting or am I missing an Access Control setting somewhere?

I also would like to do the same thing with the wireless SSID I created. I don't have a RADIUS server. My setup is simple, I think.

I was hoping for a simple solution of entering allowed MACs and if someone isn't on the list, they just don't get in.

Can someone please guide me in the right direction?

1 Accepted Solution
ww
Kind of a big deal

What you can do is block all traffic at network firewall level. And then whitelist or assign a specific group policy to the clients that need access to the network.

Davidc2478
Here to help

In further reading I guess I could disable unused ports. I also did see I can set a port as Trunk or Access. But seems like this will require a RADIUS server to compare against.

I'm still trying to figure out wireless. I'm already hiding SSID broadcast but am stuck at my original post.

Davidc2478
Here to help

OK, I see what you're saying... If there is a template applied to other Merakis, and I go to Network-wide to create a group policy for my network (which is not under any template), will this affect other Merakis? I'm just trying to be cautious I don't break other things lol

Davidc2478
Here to help

OK, maybe I have this down. Here are my steps. Can someone please confirm?

1. Make sure I'm under the Network I created
2. Go to Security & SD WAN - Firewall
3. Add rule Deny Any Any
4. Go to Network-Wide - Clients
5. Add Clients to: Allowed List

Does this look right?

ww
Kind of a big deal

I would whitelist them first. Then deny any any
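
The order recommended above (allow-list first, then Deny Any Any), as an added example that is not part of any post in this thread: Python that builds, but does not send, the two Meraki Dashboard API v1 requests. The endpoint paths and the `Allowed` device policy value are assumptions taken from the public API reference and should be checked against it; the network ID, client names and MAC addresses are constructed placeholders.

```python
import json
import re

BASE = "https://api.meraki.com/api/v1"  # assumed Dashboard API v1 base URL


def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_plan(network_id, allowed):
    """Return the requests in the order they must be applied:
    allow-list the known clients first, add the deny rule last."""
    clients, seen = [], set()
    for name, mac in allowed:
        mac = normalize_mac(mac)
        if mac not in seen:  # the same device entered twice is kept once
            seen.add(mac)
            clients.append({"mac": mac, "name": name})
    if not clients:
        # Deny Any Any with nobody allow-listed cuts off every client.
        raise ValueError("refusing to add Deny Any Any with an empty allow list")
    allow = {
        "method": "POST",
        "url": f"{BASE}/networks/{network_id}/clients/provision",
        "body": {"clients": clients, "devicePolicy": "Allowed"},  # assumed value
    }
    deny = {
        "method": "PUT",
        "url": f"{BASE}/networks/{network_id}/appliance/firewall/l3FirewallRules",
        "body": {"rules": [{
            "comment": "Deny Any Any", "policy": "deny", "protocol": "any",
            "srcCidr": "Any", "srcPort": "Any",
            "destCidr": "Any", "destPort": "Any",
        }]},
    }
    return [allow, deny]


if __name__ == "__main__":
    # Constructed sample data: two wired desks, one entered twice.
    sample = [("desk-1", "AA-BB-CC-00-11-22"), ("desk-1", "aabb.cc00.1122"),
              ("desk-2", "aa:bb:cc:00:11:33")]
    print(json.dumps(build_plan("N_EXAMPLE", sample), indent=2))
```
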

Davidc2478
Here to help

Interesting thing, it kind of worked.

It blocked an unauthorized user from outside network access but I was hoping to block internal network access as well.

I had to create a L7 rule that blocked my entire network to somewhat achieve what I wanted. Of course making sure my authorized users are getting my Allow group policy.

I guess it'll do for the needs I have. Thanks.

SCampisi
Just browsing

Did you ever get a definitive solution that worked reliably? I am needing to do the same thing and I am also unfamiliar with the dashboard.

I saw your steps and I don't have a "Security and SD Wan" - Firewall setting in my menus? Can you give me more detail on the steps you followed?

Thanks for any help you can give me.

Davidc2478
Here to help

Hey there, sticking with the steps I did was good enough.

I go to Network to make sure I'm on the correct group. Then below that I have access to Security and SD Wan.

If you don't see it, you might not have rights? If you see Appliance Status then you know you're in the right place.

Davidc2478
Here to help

I appreciate the info, can you look at my steps and see if they will work?
