MX Wired Client Handling

SOLVED
New here

Hello,
We have an MX64 security appliance and are trying to lock down the network.
What I would like to do is block all access for wired clients unless they belong to a specific group policy.
Wireless AP and VPN clients should not be affected.

Is something like this possible? I could not find anything on the Meraki dashboard or on any forums about a setup such as this.

1 ACCEPTED SOLUTION

Accepted Solutions
Kind of a big deal

Re: MX Wired Client Handling

I really think you need to explore port-security settings on your switches and disabling unused switchports. The MX can only block traffic that flows through itself. Internal switch traffic, for instance, doesn't go through the MX.

So a device that connects to one of your switches will still be able to chat with at least some devices on your LAN. If you want to deny LAN access to unapproved wired devices, you're going to have to approach this from multiple angles.

7 REPLIES
Kind of a big deal

Re: MX Wired Client Handling

Do all of your devices connect to your MX64 directly, or do you have switches involved?

New here

Re: MX Wired Client Handling

There are a few non-Meraki switches.

Kind of a big deal

Re: MX Wired Client Handling

@Seshu has it right with the group policy, from the MX point of view.

I do want to point out that if your goal is also to deny LAN access to wired devices, you're going to have to take measures on your switches. I.e., turn ports off unless you know they're going to be used, set up port security, all them goodies.

New here

Re: MX Wired Client Handling

Thank you all for the suggestions. What we are trying to do is deny all access (LAN, internet, etc.) to unknown devices unless they are associated through VPN or access point, as those have built-in authentication measures.

What we want to prevent is a random person from going into an office & plugging into the network while allowing known assets to associate at that same location. We were hoping to use the MX to define a network-wide rule vs doing it at the switch level. Our IT staff is small, so simplicity is key. From the sounds of it, that will not be possible.

Is that accurate?

New here

Re: MX Wired Client Handling

I thought that was going to be the case but was hoping I was wrong :).

Thank you!

Meraki Employee

Re: MX Wired Client Handling

Just add a Global Layer 3 outbound firewall rule to deny any any traffic.

Then, create Group policies on the dashboard and apply them to the clients. In the policy, override the Firewall rules and you can specify more specific allow/deny rules.

This should block all access unless a policy is applied @MG-Occam 
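
The two pieces of advice in this thread (a global deny rule with a group-policy override, and the point that switch-local traffic never crosses the MX) can be seen together in a small model. This is an added example, not code from the thread or from Meraki; the host names, addresses, the `known-assets` policy name and the rule format are constructed, and it assumes the MX evaluates its rules only for traffic it routes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the global rule suggested in the thread: deny any any.
GLOBAL_RULES = [("deny", "0.0.0.0/0")]

# Hypothetical group policy whose firewall rules override the global ones.
GROUP_POLICIES = {"known-assets": [("allow", "0.0.0.0/0")]}

@dataclass
class Host:
    name: str
    ip: str
    vlan_subnet: str                    # subnet of the VLAN the host sits in
    group_policy: Optional[str] = None  # None = no policy applied to the client

def first_match(rules, dst_ip):
    """Return the action of the first rule whose CIDR contains dst_ip."""
    for action, cidr in rules:
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(cidr):
            return action
    return "allow"  # assumption of this model: no matching rule means allow

def verdict(src: Host, dst_ip: str) -> str:
    """Decide what happens to a packet from src to dst_ip."""
    # Same-subnet traffic is forwarded by the switch and never reaches the MX,
    # so no MX rule (global or group policy) is evaluated for it.
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(src.vlan_subnet):
        return "not-inspected"
    # Routed traffic: a client's group policy replaces the global rules.
    rules = GROUP_POLICIES.get(src.group_policy, GLOBAL_RULES)
    return first_match(rules, dst_ip)

# Constructed sample hosts on one office VLAN behind a downstream switch.
LAPTOP = Host("known-laptop", "192.168.10.20", "192.168.10.0/24", "known-assets")
ROGUE = Host("unknown-device", "192.168.10.99", "192.168.10.0/24")
FILE_SERVER_IP = "192.168.10.5"   # same VLAN, reached through the switch
INTERNET_IP = "203.0.113.10"      # documentation address, routed by the MX

if __name__ == "__main__":
    for host in (LAPTOP, ROGUE):
        for dst in (FILE_SERVER_IP, INTERNET_IP):
            print(f"{host.name:15} -> {dst:15} {verdict(host, dst)}")
```

The `not-inspected` rows for the unknown device are the gap that port security and disabled unused switchports are meant to close.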
