Locking down unused ports while allowing Internet Access

SOLVED
Wrandall
New here

Locking down unused ports while allowing Internet Access

Forgive my ignorance, but I'm fairly new to custom Meraki configurations.

 

We have multiple locations with Meraki switches and are seeing users plug in devices without approval.  I'd prefer to just disable ports that aren't used, but the higher ups want the ports to allow Internet access to allow a user to still email IT to have the port configured.  What's the easiest way to do this?

1 ACCEPTED SOLUTION
Make_IT_Simple
Meraki Employee

Create a new VLAN and apply a group policy by VLAN and only allow access to certain resources such as email. Then tag any unused port with the new VLAN that you created. 

 

Creating a Group Policy

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

Apply group policy by VLAN:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

View solution in original post

3 REPLIES 3
UCcert
Kind of a big deal

Hi @Wrandall , we typically shut down all unused ports and place them into a non-routed vlan to stop anyone connecting devices into a network that isn’t authorised to do so.

 

You also have other options such as Radius authentication for devices and users that are authorised to be on the network. Anything that shouldn’t connect into placed again into either a guest vlan or de-authorised.

 

Also look at Cisco ISE.

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Make_IT_Simple
Meraki Employee

Create a new VLAN and apply a group policy by VLAN and only allow access to certain resources such as email. Then tag any unused port with the new VLAN that you created. 

 

Creating a Group Policy

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

Apply group policy by VLAN:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

BlakeRichardson
Kind of a big deal

Glad I had the same thoughts as everyone else, while you can disable ports its probably easier to untag them with a unused VLAN and that add a Port TAG as well with something like "SPARE" 

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels