MX Wired Client Handling

SOLVED
MG-Occam
New here

MX Wired Client Handling

Hello,
We have a MX64 security appliance and are trying to lock down the network.
What I would like to do is block all access for wired clients unless they belong to a specific group policy.
Wireless AP and VPN clients should not be affected.

Is something like this possible? I could not find anything on the Meraki dashboard or on any forums about a setup such as this.

1 ACCEPTED SOLUTION
Nash
Kind of a big deal

I really think you need to explore port-security settings on your switches and disabling unused switchports. The MX can only block traffic that flows through itself. Internal switch traffic, for instance, doesn't go through the MX.

 

So a device that connects to one of your switches will still be able to chat with at least some devices on your LAN. If you want to deny LAN access to unapproved wired devices, you're going to have to approach this from multiple angles.

View solution in original post

7 REPLIES 7
Nash
Kind of a big deal

Do all of your devices connect to your MX64 directly, or do you have switches involved?

There are a few non-Meraki switches.

Nash
Kind of a big deal

@Seshu has it right with the group policy, from the MX point of view.

 

I do want to point out that if your goal is also to deny LAN access to wired devices, you're going to have to take measures on your switches. I.E. turn ports off unless you know they're going to be used, setup port security, all them goodies.

Thank you all for the suggestions. What we are trying to do is deny all access (LAN, internet, etc) to unknown devices unless they are associated through vpn or access point as those have built-in authentication measures. 

 

What we want to prevent is a random person from going into an office & plugging into the network while allowing known assets to associate at that same location. We were hoping to use the MX to define a network-wide rule vs doing it at the switch level. Our IT staff is small so simplicity is key. From the sounds of it that will not be possible. 

 

Is that accurate?

 

 

 

Nash
Kind of a big deal

I really think you need to explore port-security settings on your switches and disabling unused switchports. The MX can only block traffic that flows through itself. Internal switch traffic, for instance, doesn't go through the MX.

 

So a device that connects to one of your switches will still be able to chat with at least some devices on your LAN. If you want to deny LAN access to unapproved wired devices, you're going to have to approach this from multiple angles.

I thought that was going to be the case but was hoping I was wrong :). 

 

Thank you!

Seshu
Meraki Employee
Meraki Employee

Just add a Global Layer 3 outbound firewall rule to deny any any traffic. 

Then, create Group policies on the dashboard and apply them to the clients. In the policy override the Firewall rules and you can specify more specific allow/deny rules.

 

This should block all access unless a policy is applied @MG-Occam 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels