Flag or Group devices and/or restrict access?

ValleyITPC
Getting noticed


Kind of a goofy title, but my goal is to take a single-VLAN network (just the default VLAN 1) of some 100 devices or fewer, and set things up such that the only devices that can join the network are ones that I approve to be on the network, but any device that tries to join and isn't approved yet, I can capture its info (MAC address perhaps?) and add it in quickly if need be.

I'm working with basic MX67/68-level hardware across several businesses, and all of them do have Advanced Security for their licensing. In some cases we have MS switches, but sometimes not; in either case, the issue is that I'd need to be able to have an approval-only setup for devices connecting to the network through any means, be it Wi-Fi or wired, so switch-specific settings like per-port type stuff I guess won't work for my needs.

Or if I could maybe rephrase my request, hopefully whoever reads this can interpret my needs better than I can explain them (it's just one of those days for me..).

It would be nice to have all the business computers and such connect to VLAN X, and only those pre-approved (by MAC perhaps) can be on that VLAN. And anything else gets shoved onto a 2nd VLAN, like for example a guest VLAN setup. But not to have this done by way of which ports etc., because again, the majority of devices I want to shove into either VLAN will be Wi-Fi.

Thank you!

2 Replies
GIdenJoe
Kind of a big deal

You can manually put Meraki group policies on devices that are on Wi-Fi or have to pass an MX. In the case of Wi-Fi you can effectively block them from gaining any access to the network. In the case of the MX you can only block their traffic from passing the MX towards other VLANs or the internet, but you can't block local traffic if they are on switches. Not sure what happens to clients that are on an MX68 direct LAN ports, though.

To have these kinds of blocks you'll need to deploy 802.1X access policies on the switches or try to work with manual port security.

GreenMan
Meraki Employee

It's not quite what you described - just wondered if you'd seen / tried this:   https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Blocking_and_Allowing...


This can also be done via MAC Authentication Bypass and an appropriate central RADIUS server (like Cisco ISE), in conjunction with 802.1X. This would be the recommended way for anyone looking at multiple sites, I'd say.
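The MAB-plus-RADIUS approach suggested above, written out as an added example that is not part of the thread and is not Meraki or Cisco ISE code: a small authorization policy of the kind a RADIUS server applies when a switch or access point sends a MAC Authentication Bypass request. Approved MACs get the corporate VLAN, unknown MACs land on a guest VLAN and are recorded (with which NAS saw them and how often) so an admin can approve them later, which is the "capture their info and add them quickly" flow the original post asks for. The VLAN IDs, MAC addresses and NAS names are constructed for illustration; the attribute names are the standard RFC 3580 tunnel attributes used for RADIUS-assigned VLANs.

```python
"""Minimal MAB authorization policy (constructed example, not vendor code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed VLAN IDs for this example; they are not from the thread.
CORPORATE_VLAN = 10
GUEST_VLAN = 20

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical MAC: 12 lowercase hex digits with separators removed.

    NAS devices spell the MAC differently (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff), so every comparison goes through this function.
    """
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _MAC_RE.match(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


def vlan_attributes(vlan_id: int) -> Dict[str, str]:
    """RFC 3580 tunnel attributes that place the client on vlan_id."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def mab_request(mac: str, nas: str = "ap-1") -> Dict[str, str]:
    """Build the attributes a NAS sends for MAB: the MAC is both the
    User-Name and the User-Password (constructed sample input)."""
    return {"User-Name": mac, "User-Password": mac, "NAS-Identifier": nas}


@dataclass
class MabPolicy:
    approved: Set[str]                       # allowlisted MACs, any spelling
    pending: Dict[str, dict] = field(default_factory=dict)  # unknown MACs seen

    def __post_init__(self) -> None:
        self.approved = {normalize_mac(m) for m in self.approved}

    def authorize(self, request: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Decide one MAB Access-Request.

        Returns the RADIUS reply attributes (Access-Accept with a VLAN), or
        None for an Access-Reject when the request is malformed: for MAB the
        User-Name and User-Password must both be the client MAC.
        """
        try:
            mac = normalize_mac(request.get("User-Name", ""))
            if normalize_mac(request.get("User-Password", "")) != mac:
                return None
        except ValueError:
            return None

        if mac in self.approved:
            return vlan_attributes(CORPORATE_VLAN)

        # Unknown device: quarantine on the guest VLAN and record it so an
        # admin can review and approve it without having to sniff the wire.
        entry = self.pending.setdefault(mac, {"count": 0, "nas": set()})
        entry["count"] += 1
        entry["nas"].add(request.get("NAS-Identifier", "unknown"))
        return vlan_attributes(GUEST_VLAN)

    def approve(self, mac: str) -> None:
        """Move a pending MAC onto the allowlist."""
        mac = normalize_mac(mac)
        self.approved.add(mac)
        self.pending.pop(mac, None)


if __name__ == "__main__":
    policy = MabPolicy(approved={"aa:bb:cc:dd:ee:ff"})
    for mac, nas in [("AA-BB-CC-DD-EE-FF", "ap-1"), ("11:22:33:44:55:66", "ap-1"),
                     ("1122.3344.5566", "sw-1")]:
        print(mac, "->", policy.authorize(mab_request(mac, nas)))
    print("pending approval:", policy.pending)
```

Two caveats a practitioner should keep in mind. First, MAB authenticates nothing: the MAC is just a field in a frame, and any client can set it, so treat the allowlist as a convenience gate and use 802.1X with real credentials or certificates for devices that support it, as the reply above suggests. Second, the VLAN returned here only takes effect if the switch port or SSID is configured to honour RADIUS-assigned VLANs; otherwise the client stays on the port's or SSID's static VLAN.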
