Meraki

Community

Block connections to the internet

Solved
JohnUK
Here to help
‎Dec 27 2017 12:06 PM
‎Dec 27 2017 12:06 PM

Block connections to the internet

We are using MX65 at sites which give out a DHCP address which allows lan connections to get to the internet via the MX65

 

Is there anyway I can block all connections except the ones I authorise without using 802.1x?  I want to stop users just plugging in pc/printers into the MX65.

0 Kudos
1 Accepted Solution
In response to Mr_IT_Guy
JohnUK
Here to help
‎Dec 29 2017 10:49 PM
‎Dec 29 2017 10:49 PM

Thanks MR-IT-GUY, that will work.

View solution in original post

0 Kudos
6 Replies 6
Adam
Kind of a big deal
‎Dec 27 2017 1:57 PM
‎Dec 27 2017 1:57 PM

Couldn't you just disable the unused ports?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
MilesMeraki
Head in the Cloud
‎Dec 27 2017 11:29 PM
‎Dec 27 2017 11:29 PM

Isn't this the whole point of 802.1x? I.e If a client doesn't authenticate it doesn't get an IP/Connection? Therefore devices which can't authenticate via a wired connection regardless if it's a printer/laptop/pc won't get internet connection

 

Have a read of this knowledge base article, it also gives you examples of how to configure - https://documentation.meraki.com/MX-Z/Access_Control_and_Splash_Page/MX_Access_Policies_(802.1X) 

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
0 Kudos
In response to MilesMeraki
JohnUK
Here to help
‎Dec 28 2017 12:50 AM
‎Dec 28 2017 12:50 AM

Adam - I use a standard switch connected to the MX65 so cannot block every port

 

WANKiller - I realise I can use 802.1x, but didnt want to goto the expense or hassle of implementing 802.1x

 

On previous firewall I have used you can just authorise MAC addresses

0 Kudos
In response to JohnUK
Adam
Kind of a big deal
‎Dec 28 2017 6:22 AM
‎Dec 28 2017 6:22 AM

Only somewhat inexpensive option I can think of then would be to get a small Meraki switch so you can go back to MAC authentication.  Otherwise 802.1x is the only other feasible option but far more complex.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
Mr_IT_Guy
A model citizen
‎Dec 29 2017 8:08 PM
‎Dec 29 2017 8:08 PM

Looks like I forgot to hit post on this yesterday. There is a easy way to do this, but requires a bit of setup.

  1. Create group policies for your network based on client needs. This is found under Network Wide > Configure > Group Policies
  2. Navigate to Security Appliance > Configure > Firewall
  3. In the Outbound Rules area under Layer 3, create a rule to Deny Any traffic from Any Source to Any Destination.

Now that you've done all this, for any client you want to allow Internet access, just assign them a group policy. If someone tries to plug into the MX device and they do not have a group policy assigned to them, they will not get Internet access. If you know the MAC address of the device prior to them connecting, you can add it under the clients page and assign a policy so that they will have access right away.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
In response to Mr_IT_Guy
JohnUK
Here to help
‎Dec 29 2017 10:49 PM
‎Dec 29 2017 10:49 PM

Thanks MR-IT-GUY, that will work.

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.