Dear all, my organization is requesting the following configuration, and we are encountering some issues or limitations.
Request: The business is requesting that we limit access to a specific Wi-Fi network, which is accessed using MR36, 33, etc. devices with Enterprise licensing.
This network is only accessible to IoT or PINpad devices, which must access a specific domain list; all other traffic would have to be denied or discarded.
Technical scenario: As previously mentioned, the Wi-Fi network is comprised of MR devices. We distribute it using Catalyst C9200 equipment. The default gateway for that network is a Catalyst 9407r, which connects to an MX-250 to access the Internet.
Client tracking is done through IP addressing, since the MX-250 doesn't have direct addressing. The device that has the VLANs and addressing is the C9407r.
Note: The MX-250 has an Advanced Security licensing level.
What would be your recommendation for applying this type of request?
We used the MX-250's Firewall rule set, but it didn't work very well, as it drops traffic and doesn't handle URLs very well.
We've noticed that the Layer 7 firewall only has the option to deny and disallow a specific list of URLs, for example.
Would it be possible to apply a whitelist only to a specific IP segment?
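As an added example (not code from the original post, and not Cisco Meraki's own API or a vendor configuration), the following Python builds the kind of ordered layer-3 allow-list the question describes, scoped to the IoT/PINpad VLAN only, and checks sample flows against it with first-match semantics. The subnet, DNS server, domain-to-IP map, rule field names and test flows are all assumptions chosen for illustration.

```python
"""Scoped allow-list for one IoT subnet: allow DNS plus the resolved IPs of the
permitted domains, then deny everything else from that subnet only. Added
example; rule field names only mimic a generic L3 rule shape (assumption)."""
import ipaddress

IOT_SUBNET = "10.50.0.0/24"          # constructed: VLAN behind the PINpad/IoT SSID
DNS_SERVERS = ["10.50.0.1"]          # constructed: resolver the IoT devices use
ALLOWED_DOMAINS = {                  # constructed: what each allowed name resolves to
    "pay.example.com": ["203.0.113.10", "203.0.113.11"],
    "iot-cloud.example.net": ["198.51.100.5"],
}


def build_rules(src_cidr, domains, dns_servers):
    """Return an ordered rule list: DNS allows, per-domain allows, then a deny-all
    whose srcCidr is the IoT subnet, so other VLANs never hit it."""
    rules = []
    for dns in dns_servers:          # without DNS the devices cannot resolve anything
        rules.append({"comment": "dns", "policy": "allow", "protocol": "udp",
                      "srcCidr": src_cidr, "destCidr": f"{dns}/32", "destPort": "53"})
    for name, ips in domains.items():
        for ip in ips:               # L3 rules need IPs; re-run when DNS answers change
            rules.append({"comment": name, "policy": "allow", "protocol": "tcp",
                          "srcCidr": src_cidr, "destCidr": f"{ip}/32", "destPort": "443"})
    rules.append({"comment": "iot-default-deny", "policy": "deny", "protocol": "any",
                  "srcCidr": src_cidr, "destCidr": "any", "destPort": "any"})
    return rules


def _in_cidr(ip, cidr):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching rule wins; no match falls through to the default (allow)."""
    for r in rules:
        if not _in_cidr(src_ip, r["srcCidr"]) or not _in_cidr(dst_ip, r["destCidr"]):
            continue
        if r["protocol"] not in ("any", proto) or r["destPort"] not in ("any", str(dport)):
            continue
        return r["policy"], r["comment"]
    return "allow", "default"


if __name__ == "__main__":
    rs = build_rules(IOT_SUBNET, ALLOWED_DOMAINS, DNS_SERVERS)
    for flow in [("10.50.0.20", "203.0.113.10", "tcp", 443),   # IoT -> allowed domain
                 ("10.50.0.20", "192.0.2.99", "tcp", 443),     # IoT -> anything else
                 ("10.60.0.5", "192.0.2.99", "tcp", 443)]:     # other VLAN, untouched
        print(flow, "->", evaluate(rs, *flow))
```

Because the allow entries are resolved IPs rather than names, the list goes stale whenever the allowed domains move (CDN-hosted endpoints especially), so the resolution step has to be repeated and the deny rule should be logged to catch breakage.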
