Help with MX64 security settings.

Solved
Roskaju
Here to help

Hello everyone.

I am new to this forum and to networking in general, and I was wondering if anyone can help me as to how to set up an MX64 properly in terms of security.

In the security appliance, a Cisco Webex SX10 will be connected, and along with it a wifi access point for guests (non-Meraki), and a security camera.

Primarily, I want to make sure that all the Webex meetings are safe from let's say Ghosting, but I absolutely have no idea how to do it especially since I have to connect the access point and the camera to the appliance as well.

How do I go about this?

1 Accepted Solution
DarrenOC
Kind of a big deal

Hi @Roskaju 

 

Can you tell us a little bit more about your setup and company?

 

 - is it just those 3 devices connecting to the MX?

 - any company laptops, computers, printers?

 - number of users

 - which MX license do you have

 - is the AP solely for Guest use?

 

You can make this as easy or as complex as you like.

 

 - option 1, make it plug and play, fresh out of the box deployment. Single VLAN and DHCP scope. Connect your devices. Turn on Advanced security features if you have the Advanced Security MX lic.

Or, depending on your answers above, create multiple VLANs and IP subnets for each of your network segments. Define firewall rules that keep the networks separate. Again, turn on Advanced security features, AMP, IPS/IDS.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Roskaju
Here to help

Thank you very much for the reply!

 

Yes, only the 3 devices will be connected to the MX64, as the company laptops, computers and printers are connected on an entirely different network. And yes, the AP will solely be used for guest use.
As for the license edition, it is Enterprise. 

The priority is to keep the Webex meetings away from prying eyes so I want to make it as easy as possible.

DarrenOC
Kind of a big deal

Morning @Roskaju, let's keep it simple (ish) then 😁

 

 - Create 3 new VLANs and subnets on your MX, for example:
   - VLAN 10 - Guest 10.10.10.0/24
   - VLAN 20 - Camera 10.10.20.0/24
   - VLAN 30 - SX 10.10.30.0/24
 - By default a DHCP scope will also be created for each of the above

 

Now configure your firewall rules to stop inter-VLAN communications. You could configure individual rules for each subnet but I've gone all in and configured one rule.

[Screenshot of the firewall rule: UCcert_0-1654754482409.png]

 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
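
An added example, not part of the original posts and not Meraki code: a small offline model of the single inter-VLAN deny rule described above, used to check that every pair of the three example subnets is blocked while internet-bound traffic is still allowed. The screenshot of the actual rule is not available, so the rule contents, the rule dictionary layout, and the function names are assumptions.

```python
import ipaddress

# Subnets from the post above.
VLANS = {
    "Guest": "10.10.10.0/24",
    "Camera": "10.10.20.0/24",
    "SX": "10.10.30.0/24",
}
ALL = ",".join(VLANS.values())

# Assumed rule set: one deny rule listing every local subnet as both
# source and destination, then a default allow. Same-VLAN traffic is
# switched, not routed, so it never reaches this rule on a real appliance.
RULES = [
    {"comment": "Block inter-VLAN", "policy": "deny", "srcCidr": ALL, "destCidr": ALL},
    {"comment": "Default rule", "policy": "allow", "srcCidr": "Any", "destCidr": "Any"},
]

def _matches(cidrs, ip):
    """True if ip falls in any of the comma-separated CIDRs (or 'Any')."""
    if cidrs == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs.split(","))

def evaluate(src, dst, rules=RULES):
    """Return the policy of the first matching rule, top to bottom."""
    for rule in rules:
        if _matches(rule["srcCidr"], src) and _matches(rule["destCidr"], dst):
            return rule["policy"]
    return "allow"

def isolation_gaps(rules=RULES):
    """Return (source VLAN, destination VLAN) pairs the rules still allow."""
    gaps = []
    for s_name, s_net in VLANS.items():
        for d_name, d_net in VLANS.items():
            if s_name == d_name:
                continue
            # One representative host (.10) per /24 is enough for this model.
            src = str(ipaddress.ip_network(s_net)[10])
            dst = str(ipaddress.ip_network(d_net)[10])
            if evaluate(src, dst, rules) != "deny":
                gaps.append((s_name, d_name))
    return gaps
```

Running `isolation_gaps()` against a per-subnet rule list shows quickly which directions were forgotten, which is the usual failure when rules are written one pair at a time.
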
Roskaju
Here to help

Hey there @DarrenOC

Terribly sorry for being a novice here. I will be able to find my way to the firewall configuration but I need some help with the VLAN settings.
In the Routing → LAN Setting → VLANs → Subnets, there is a default subnet and MX IP (192.168.1.254) with an ID number of 1.

Can I just basically create the VLANs say like the following? All while keeping the default one?

 - VLAN 2 - Guest 192.168.2.0/24

 - VLAN 3 - Camera 192.168.3.0/24

 - VLAN 4 - SX 192.168.4.0/24

EDIT:

 

I think I figured it out but I cannot make changes as of yet so I'll just update you once I get to make the changes. Thank you once again for the suggestion!

DarrenOC
Kind of a big deal

Hi @Roskaju, sorry for the delayed response. You’ve probably discovered that you need to remove the default VLAN to be able to add new. Nothing to stop you adding that default one back in once you go ahead and create your new ones.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Roskaju
Here to help

Sorry for the late response regarding this matter.

I was finally able to do the setup and I can say that it is working like a charm (so far :D)!

Thank you very much!!!
