cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block connections to the internet

SOLVED
Go to solution
JohnUK
Here to help
‎12-27-2017 12:06 PM
‎12-27-2017 12:06 PM

Block connections to the internet

We are using MX65 at sites which give out a DHCP address which allows lan connections to get to the internet via the MX65

 

Is there anyway I can block all connections except the ones I authorise without using 802.1x?  I want to stop users just plugging in pc/printers into the MX65.

0 Kudos
Subscribe
1 ACCEPTED SOLUTION
In response to Mr_IT_Guy
JohnUK
Here to help
‎12-29-2017 10:49 PM
‎12-29-2017 10:49 PM

Thanks MR-IT-GUY, that will work.

View solution in original post

0 Kudos
Subscribe
6 REPLIES 6
Adam
Kind of a big deal
‎12-27-2017 01:57 PM
‎12-27-2017 01:57 PM

Couldn't you just disable the unused ports?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
Subscribe
MilesMeraki
Head in the Cloud
‎12-27-2017 11:29 PM
‎12-27-2017 11:29 PM

Isn't this the whole point of 802.1x? I.e If a client doesn't authenticate it doesn't get an IP/Connection? Therefore devices which can't authenticate via a wired connection regardless if it's a printer/laptop/pc won't get internet connection

 

Have a read of this knowledge base article, it also gives you examples of how to configure - https://documentation.meraki.com/MX-Z/Access_Control_and_Splash_Page/MX_Access_Policies_(802.1X) 

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
0 Kudos
Subscribe
In response to MilesMeraki
JohnUK
Here to help
‎12-28-2017 12:50 AM
‎12-28-2017 12:50 AM

Adam - I use a standard switch connected to the MX65 so cannot block every port

 

WANKiller - I realise I can use 802.1x, but didnt want to goto the expense or hassle of implementing 802.1x

 

On previous firewall I have used you can just authorise MAC addresses

0 Kudos
Subscribe
In response to JohnUK
Adam
Kind of a big deal
‎12-28-2017 06:22 AM
‎12-28-2017 06:22 AM

Only somewhat inexpensive option I can think of then would be to get a small Meraki switch so you can go back to MAC authentication.  Otherwise 802.1x is the only other feasible option but far more complex.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
Subscribe
Mr_IT_Guy
A model citizen
‎12-29-2017 08:08 PM
‎12-29-2017 08:08 PM

Looks like I forgot to hit post on this yesterday. There is a easy way to do this, but requires a bit of setup.

  1. Create group policies for your network based on client needs. This is found under Network Wide > Configure > Group Policies
  2. Navigate to Security Appliance > Configure > Firewall
  3. In the Outbound Rules area under Layer 3, create a rule to Deny Any traffic from Any Source to Any Destination.

Now that you've done all this, for any client you want to allow Internet access, just assign them a group policy. If someone tries to plug into the MX device and they do not have a group policy assigned to them, they will not get Internet access. If you know the MAC address of the device prior to them connecting, you can add it under the clients page and assign a policy so that they will have access right away.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Subscribe
In response to Mr_IT_Guy
JohnUK
Here to help
‎12-29-2017 10:49 PM
‎12-29-2017 10:49 PM

Thanks MR-IT-GUY, that will work.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2023 Meraki