Meraki

Community

Locking down unused ports while allowing Internet Access

Solved
Wrandall
New here
‎Mar 18 2022 11:57 AM
‎Mar 18 2022 11:57 AM

Locking down unused ports while allowing Internet Access

Forgive my ignorance, but I'm fairly new to custom Meraki configurations.

 

We have multiple locations with Meraki switches and are seeing users plug in devices without approval.  I'd prefer to just disable ports that aren't used, but the higher ups want the ports to allow Internet access to allow a user to still email IT to have the port configured.  What's the easiest way to do this?

0 Kudos
1 Accepted Solution
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 18 2022 12:27 PM
‎Mar 18 2022 12:27 PM

Create a new VLAN and apply a group policy by VLAN and only allow access to certain resources such as email. Then tag any unused port with the new VLAN that you created. 

 

Creating a Group Policy

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

Apply group policy by VLAN:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

View solution in original post

3 Replies 3
DarrenOC
Kind of a big deal
Kind of a big deal
‎Mar 18 2022 12:24 PM
‎Mar 18 2022 12:24 PM

Hi @Wrandall , we typically shut down all unused ports and place them into a non-routed vlan to stop anyone connecting devices into a network that isn’t authorised to do so.

 

You also have other options such as Radius authentication for devices and users that are authorised to be on the network. Anything that shouldn’t connect into placed again into either a guest vlan or de-authorised.

 

Also look at Cisco ISE.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
Make_IT_Simple
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Mar 18 2022 12:27 PM
‎Mar 18 2022 12:27 PM

Create a new VLAN and apply a group policy by VLAN and only allow access to certain resources such as email. Then tag any unused port with the new VLAN that you created. 

 

Creating a Group Policy

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

Apply group policy by VLAN:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Mar 20 2022 1:36 PM
‎Mar 20 2022 1:36 PM

Glad I had the same thoughts as everyone else, while you can disable ports its probably easier to untag them with a unused VLAN and that add a Port TAG as well with something like "SPARE" 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.