I was wondering if there was a Port Security equivalent like the feature on Cisco Catalyst range - I can see there is a mac address Sticky option but wondering if there is a way of just limiting the number of mac addresses seen on a port.
Wanting a simple solution to control the number of mac addresses seen on a port to prevent rogue switches being connected to an access port - specifically ones that do not run spanning tree as we cannot use BPDU guard to detect them.
Also waiting to avoid having to look at 802.1x or mac based authentication for this setup. just something where we can limit the port to 2 mac addresses (Phone and PC)
Once you set the port to Access, you can set the policy to Sticky whitelist. That will bring up two fields. One is whitelist size limit. You can put down the limit there.
This may be what you're looking for.
You can do this, should be no problem. Make sure you set any port or combination of ports to access (not trunk) mode and you should then see the configuration option for "Access Policy" and you can set that to either "MAC Whitelist" or "Sticky MAC Whitelist". You can select the Sticky MAC Whitelist, and either specify the number of MAC addresses (whitelist limit) you want to allow, 1, 2 up to 20 max I think, and/or you can populate the whitelist with specific MAC addresses if you need to. More info here: https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports
Thank you Both for this information - however, I would like to avoid a Sticky Mac address list as these systems change. I just want to prevent too many devices being connected to an access point at any one time for example if they connected a dumb switch that is not seen by BPDU guard.
The mac whitelist from what I can see you have to know the Mac addresses to allow.
For the Sticky whitelist, I assume once the limit is reached no further devices can be connected even if the others have been disconnected as it stores the mac addresses?
Waiting for this feature to implement a false sense of security? C‘mon guys, implementing security via MAC addresses is hardly security at all. Why should Meraki implement something that has been a bad idea when it was done ages ago because of any other ways to do it?!
Well, possibly I‘m not able to see to value to this, but until now, I never understood any of use case brought up for this. 🤔
Why care how many devices are connected to a switch port? If you really want to control who‘s able to access your network: implement proper 802.1x
I'm still waiting because in a lot of cases cases we can't use 802.1x or mac adress white list and this is why :
- 802.1X :
Our network is not in domain so not applicable.
We Try 802.1X MAB (with radius always accept). We don'tthink is the best thing because if radius servers are not reachebale computer can't access to the network and could be a major problem for all the network if radius are down for hours/days.
- Mac adsress White list :
Can't do that because there is too many moove in our network. Using white list add a lot of support time in our call center.
- Sticky Mac :
Same problem than the Mac Adress White List
Port security was and still the best option for us with this settings :
switchport access vlan XXX
switchport mode access
switchport port-security maximum 1
switchport port-security maximum 1 vlan access
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
Why we use that ?
Because it's actually the only way to prevent more than 1 MAC Adress by switch port in our network dynamically
Thoses settings allow us to prevent "dumb-switch" or router to be plugged in our network.
Also this solution is not dependent of a external server or other things. The switch do the job and nothing else.
If 2 Mac address is detected, the security flag and we can see where it is very quickly.
So thats why I'm still waiting a CLI port security equivalent in Meraki products.
I love Meraki for a lot of thing but this missing feature is a big black point for me.
Who ever said you need a „domain“ to leverage 802.1x? Of course having a directory / central configuration für your endpoints helps a lot, but it can be done without it. It only takes more effort, but more effort doesn‘t means „not applicable“.
Also I‘m not getting the point about “RADIUS servers pose a point of failure in our network“. The same thing goes for DHCP, DNS, Domain Controllers, whatever kind of server you‘re ever referring to. Implement them as failsafe as possible and you‘ll sleep a little better. 😉
The only thing missing from Meraki switches is the ability to implement a Critical-Fail VLAN as seen on Cisco Enterprise switches. This would make for a more „failsafe“ option for this use case.
I have implemented network access control for years now from small shops to multi-national companies. I‘m not saying it‘s always easy, I‘m not saying there never have been failures but never ever has a complete network been shut down after implementing access control.
My point still is: there‘s no use in controlling how many devices are connecting as long as you‘re not able to control if these are the allowed to access your network.
We have other control than thoses type of security.
We just want to not authorise addition of dumb equipement in our network and Meraki havent got any solution to block this kind of devices.
Port security, I admit is not the best thing but, but he proved and do the job in our network for the last 15 years. I haven't any dumb equipement (throught hundred of distant sites) thanks to the port security, where Meraki can't do that (or dont purpose this kind of feature without be dependent of an external service)
You make a valid point Damien.
I don't see how you could prevent dumb switches from being installed if you can't use dot1x and limit to single hosts authentication and have nothing like port security doing the job.
I mean it's still supported on Cisco Catalyst switches for a reason.
It's a more static authentication not really geared for malicious users but simply employees unplugging a device and putting a switch in between to get access.
Clearly you have never been to a factory / manufacturing environment where you have to deal with devices which don't speak 802.1 x at all (and thus you cannot make use of it for auth.).