Allow Laptop on one port, deny on all others

Matt_C

Hello all

Looking for some advice please from you lovely people:

We have a laptop, we need this laptop to have access to one switch port on our MS210-24P and deny the laptop access to all other ports.

(As an aside I am going to put this port into a separate VLAN to segregate data traffic from the office VLAN, trunking and DHCP all will be set up, so all good there.)

Any advice on optimal/most secure method to do this please?

Many thanks and kind regards

Matt

alemabrahao

MAC allow list: Only devices with MAC addresses specified in this list will have access to this port. Up to 20 MAC addresses can be defined.

Sticky MAC allow list: The switch will dynamically learn the MAC addresses of devices connected to the port and place the address in the MAC Whitelist. The administrator can define the size of this list. When this list is full, all subsequent devices will be denied access to this port. It can take up to 5 minutes for the learned MAC to appear in dashboard.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Blocking_and_Allowing...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Many thanks for the reply, but I want the opposite, I want to disallow the Laptop MAC address on all ports EXCEPT one, so the Laptop only has access to the switch on one port.

Kind regards

Matt

alemabrahao

The only way is to allow the MAC on the port you want and not on the others.

Or you can also use 802.1x authentication on the ports. There's no way to do it the way you want.


Hi alemabrahao,

Many thanks for the reply and answer, yes you are correct, Meraki support said the same thing, no explicit MAC deny capability as yet.

Time to get skilled up on Dot1x it is then 😃

Kind regards

Matt

BlakeRichardson

Meraki MAC filtering works based on allowing devices, not denying them, so you would have to add all of the allowed devices to each port.

Can you not restrict access to a single port on the switch at a physical level instead?

PhilipDAth

Not a great solution - but would disabling all unused ports help?

Matt_C

Hello all,

Many thanks for all your suggestions and help, awesome community this is. I also had a ticket out with Meraki and they have confirmed no explicit deny MAC address capability just yet on a port by port basis. So Dot1x it is, always good to learn new stuff 😀👍
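
Added example, not part of the thread and not Meraki's own code: since the switch only offers allow lists, confining one laptop to one port means giving every other access port an allow list that omits the laptop's MAC, as the replies above describe. The Python below builds those per-port settings offline, assuming the keys `enabled`, `accessPolicyType` and `macAllowList` match the Meraki Dashboard API v1 switch-port fields (check them against the current API reference); `norm`, `plan_ports` and the inventory are hypothetical names and constructed data.

```python
import re

MAX_ALLOW_LIST = 20  # per-port MAC allow list limit quoted in the thread

def norm(mac):
    """Normalise a MAC to lower-case colon form; reject malformed input."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def plan_ports(laptop_mac, laptop_port, inventory):
    """Build per-port settings that confine laptop_mac to laptop_port.

    inventory maps access-port id -> MACs that legitimately use that port.
    Returns (plan, needs_dot1x): plan maps port id -> settings dict, and
    needs_dot1x lists ports whose device count exceeds the allow list limit.
    """
    if laptop_port not in inventory:
        raise ValueError(f"laptop port {laptop_port!r} is not in the inventory")
    laptop = norm(laptop_mac)
    plan, needs_dot1x = {}, []
    for port, macs in inventory.items():
        if port == laptop_port:
            allowed = [laptop]                      # only the laptop here
        else:
            allowed = sorted({norm(m) for m in macs} - {laptop})
        if not allowed:
            plan[port] = {"enabled": False}         # unused port: disable it
        elif len(allowed) > MAX_ALLOW_LIST:
            needs_dot1x.append(port)                # too many MACs for a list
        else:
            plan[port] = {"enabled": True,
                          "accessPolicyType": "MAC allow list",
                          "macAllowList": allowed}
    return plan, needs_dot1x

# Constructed sample inventory (not from the thread); MACs are made up.
SAMPLE = {
    "1": ["AA-BB-CC-00-00-01"],                      # port reserved for laptop
    "2": ["00:11:22:33:44:55", "aabb.cc00.0001"],   # laptop was seen here too
    "3": [],                                         # nothing patched in
    "4": [f"02:00:00:00:00:{i:02x}" for i in range(21)],  # 21 devices
}

if __name__ == "__main__":
    plan, overflow = plan_ports("aa:bb:cc:00:00:01", "1", SAMPLE)
    for port in sorted(plan):
        print(port, plan[port])
    print("needs 802.1X:", overflow)
```

Only access ports belong in the inventory, because an uplink or trunk port carries many MACs and would overflow a list. Ports returned in `needs_dot1x` are the ones where the 802.1X route mentioned in the thread applies.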
