Solved
Hello Everyone,
I have a Full Stack Meraki deployment at one of my locations. We have a voice network with several SIP phones deployed through the building... I'm trying to figure out the best way to keep people from plugging their computers into these phones and getting past my firewall policies... I can't do anything physically to the devices this must be done via policies... I was thinking of group policy but wasn't sure if there is a better way...
We have over 130 SIP phones throughout the hotel... 99% of them are plugged into an MR30H so if i could find a way to do as layer 7 firewall rule to only allow SIP traffic thought that would work... but all i see is deny layer 7 rules ... is there i can do a Deny Any rule then an alow for SIP?
This should be solvable by using a tagged voice VLAN and an untagged data VLAN. Are you not using that type of setup?
No, because all the phones are connected to an MR30H I can only assign one VLAN per port unlike with switches. (Voice Vlan is 200)
Oh shoot, of course. 30H, you did say that. My bad.
I think @Nash is on the right track and the best way to solve this is to disable the ports on the phones. Failing that you could write a bunch of rules to only allow the needed flows off that VLAN. You could also implement dox1x or MAB.
@BlakeRichardson wrote:so that phones IP are statically assigned via DHCP and then disable the dynamic DHCP
Can you clarify please? I'm not following. "Statically assigned via DHCP"? And if you disable DHCP what happens when a phone's lease starts to expire and it needs to renew?
@BlakeRichardson Ah, thanks!. Your terminology threw me there, but I got you now and that makes sense.
Thinking it over I think the easiest way is a mac address filter... I already have all the mac addresses in a spreadsheet so it would not be too hard to do.
I must really be having one of those days. It started with me not understanding what @BrechtSchamp was talking about in chat this morning, then I totally spaced on what @BlakeRichardson was trying to say with his solution, and now I'm totally not groking how whitelist can help here.
MAC whitelist is only available on access switch ports. So if you want that then you can't bridge SSID's to VLANs. OK, fine, you use a flat VLAN. But then, if you don't whitelist every client that possibly ever connects to the AP then when they do connect they won't be able to do anything because they aren't whitelisted.
Unless you're using a tunneled SSID?
I'm sure I'm missing something here again so please help a guy out!
Right, that's how I understand the problem too @BlakeRichardson, but @Network-dad did say it was Meraki full stack, and the MAC whitelist feature cannot be applied per-VLAN. It's per-port only. Also with Meraki, clients are generally bridged to a VLAN for a given SSID meaning the client's MAC is seen by the switch port.
Meraki NAT or tunneled SSID overcome these issues, but if those are not being used then a MAC whitelist will certainly stop clients from plugging into the phone, as well as connecting to the AP.
Yeh, I'm really not asking my question correctly. I'm not sure how to say this differently...
OK, so if we assume that the phones are on VLAN 10, and they are connected to a port on an MR30H, then one must configure a "Wired-Only" SSID to assign to the port profile used to configure the MR30H port. Now, since MAC whitelisting is only available on access ports, the MS switch that the MR30H hangs off of MUST be configured as an access port in VLAN10. The Wired-Only SSID then must be configured to bridge to the native VLAN, which would be VLAN 10.
As a side effect of this config, any additional SSID's condifured for WiFi clients on the 30H must also be bridged to native VLAN. Since the switchport is configured for access 10, if you configured an SSID to brigde to a tagged VLAN it will be dropped on ingress to the switch port.
MAC whitelists apply to the entire port. You cannot apply a MAC whitelist to only one VLAN. And since MAC whiteslists are only avaialble on access ports this really isn't an issue (let's put aside Voice VLANs for a moment since they don't apply to this example).
Given the above example I need to put three things into the whitelist: All the MACs of the phones, all the MACs of the AP (their mgmt will be on VLAN 10 too), and all the MACs of all the wifi clients that could possible ever connect to the APs.
The only thing I don't want in there is the wired MACs of whatever I don't want connecting to the phones.
Does that make sense?
Haha all good dude! Yeh if you haven't played around with the 30H then maybe that's where you and I aren't syncing? You don't configure the wired ports on a 30H like a switchport... You basically bind a wired port to an SSID (yes, I said to an SSID). You don't have things like access or trunk or whitelistsing or BDPU Guard available on the 30H. I agree with you that your DHCP solution is much better in this situation. I appreciate you talking this out with me nonetheless!
And for now I'm going to stand by my assertion that MAC Whitelisting won't solve this problem 🙂
