Security / SD-WAN Vlan 1 and unknown IP address

samgbuyi
Getting noticed


I have successfully set up our organisation's Meraki, but I can see some MAC addresses with the default VLAN 1 and an unknown IP address connected on the device. How can I stop the VLAN and the IP address?

Thanks

PhilipDAth
Kind of a big deal
nuo
Getting noticed

Perhaps they are on the wired network - LAN - (VLAN1). Are you positive they are connected to a WLAN?

samgbuyi
Getting noticed

Thanks for your response.

Sorry, we don't have any wired connections other than VoIP phones, and they are not configured on VLAN 1.


@samgbuyi wrote:

Thanks for your response.

Sorry, we don't have any wired connections other than VoIP phones, and they are not configured on VLAN 1.


All kinds of sh1t turns up on VLAN 1.

 

I never use LAN 1 / VLAN 1, ever. When something turns up on VLAN 1, alarm bells should go off, or, in my case, "fit sonner le klaxon", as I caught the Électricité de France (EDF) supplied smart power meter, trying to weasel into the network using ZigBee and the BLE on the MR. Because the allegedly smart meter had attempted to use VLAN1, it stood out like a zizi d'âne. Unlike WC Fields, I do not keep a snake handy, but I do have VLAN 101 - which, as you might expect, goes nowhere.

 

Guess what? One of the smart meter component suppliers was Huawei, and some other bits were sourced from one of the "dark-side" Israeli firms, much used by governments around the world for their covert snooping activities. Unfortunately, it is becoming harder to refuse to allow the installation of a smart meter.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

How best do you think I can deal with this?


@samgbuyi wrote:

How best do you think I can deal with this?


Simple steps:

  • stop using the default VLAN/LAN
  • set up a Management LAN
  • implement a VLAN architecture that reflects the logical user classes within the user population, as a whole
  • set up a separate isolated Guest VLAN
  • treat any "smart" device as risky
  • explicitly declare the VLANs to be passed on the trunks

That isn't everything, but it's a good starting place. Because your network exists in the real world, it will get more complicated.

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
cta102
Building a reputation

For the last 20 years, anywhere I have worked has had the policy of disabling VLAN 1 on all networks, unless the network infrastructure doesn't permit that.

Always assume that anything unpleasant will attempt to exploit VLAN1 at some point.


nuo
Getting noticed

Try and track down the device. As mentioned, I suspect it is somehow connected to the wired LAN rather than the WLAN. You have the IP address. A fingerprinting tool such as nmap or, if you want a GUI, Ring (available for iOS / Android) may be able to assist you with determining what the heck is connected.

You will need to put the fingerprinting device onto VLAN (I suspect) in order to get a fingerprint.


cta102
Building a reputation

It may be worthwhile looking up the vendor of the MAC address, as it can give a reasonable hint as to what the mystery device may be.
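
A sketch of the vendor lookup suggested above, added here as an example and not code posted by anyone in the thread: it lists the VLAN 1 clients from a client list and resolves each MAC prefix against an OUI table. The client rows, the vendor names and prefixes, and the three-column CSV layout (modelled on the IEEE OUI registry export) are constructed assumptions. It also handles the case where the lookup cannot work: a MAC with the locally administered bit set is randomised or virtual and has no registered vendor.

```python
import csv
import io

# Constructed sample in the assumed column layout of the IEEE OUI registry CSV.
# Prefixes and vendor names are placeholders, not real assignments.
OUI_CSV = """Registry,Assignment,Organization Name
MA-L,0C1234,Example Phone Vendor
MA-L,102030,Example Meter Vendor
"""

# Constructed client list: (MAC, VLAN, IP); "" means no address was seen.
CLIENTS = [
    ("0c:12:34:00:11:22", 20, "10.0.20.15"),
    ("10-20-30-AA-BB-CC", 1, ""),
    ("da:a1:19:12:34:56", 1, ""),
    ("00:11:22:33:44:55", 1, "192.168.128.7"),
]

def load_oui(text):
    """Map 6-hex-digit prefix -> vendor name."""
    return {row["Assignment"].upper(): row["Organization Name"]
            for row in csv.DictReader(io.StringIO(text))}

def normalise(mac):
    """Return the MAC as 12 upper-case hex digits, or raise ValueError."""
    digits = "".join(c for c in mac if c not in ":-.").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def identify(mac, oui):
    """Vendor hint for one MAC, or the reason no vendor can exist."""
    digits = normalise(mac)
    if int(digits[:2], 16) & 0x02:
        # Locally administered bit set: the prefix is not a registered OUI.
        return "locally administered (randomised or virtual), no vendor"
    return oui.get(digits[:6], "unknown vendor")

def vlan1_report(clients, oui):
    """(MAC, IP or 'no IP', vendor hint) for every client seen on VLAN 1."""
    return [(mac, ip or "no IP", identify(mac, oui))
            for mac, vlan, ip in clients if vlan == 1]

if __name__ == "__main__":
    for row in vlan1_report(CLIENTS, load_oui(OUI_CSV)):
        print(*row, sep="  ")
```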
