You can do this, should be no problem.  Make sure you set any port or combination of ports to access (not trunk) mode and you should then see the configuration option for "Access Policy" and you can set that to either "MAC Whitelist" or "Sticky MAC Whitelist".  You can select the Sticky MAC Whitelist, and either specify the number of MAC addresses (whitelist limit) you want to allow, 1, 2 up to 20 max I think, and/or you can populate the whitelist with specific MAC addresses if you need to.  More info here: https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports

Thank you Both for this information - however, I would like to avoid a Sticky Mac address list as these systems change.  I just want to prevent too many devices being connected to an access point at any one time for example if they connected a dumb switch that is not seen by BPDU guard.

The mac whitelist from what I can see you have to know the Mac addresses to allow.

For the Sticky whitelist, I assume once the limit is reached no further devices can be connected even if the others have been disconnected as it stores the mac addresses?

Thanks,

Dave

In spite of everyone effort to help, this feature does not exist in Meraki today. I've looked, and tried all the whitelist features and it's not what you (or I) are after 😞

http://blog.brokennetwork.ca | @jdsilva

that is a pity 

Waiting for this feature to implement a false sense of security? C‘mon guys, implementing security via MAC addresses is hardly security at all. Why should Meraki implement something that has been a bad idea when it was done ages ago because of any other ways to do it?!

@CptnCrnch There are plenty of use cases where maximum MACs is a totally valid solution. Judging from your comment I don't think you understand what's being asked for. 

http://blog.brokennetwork.ca | @jdsilva

Well, possibly I‘m not able to see to value to this, but until now, I never understood any of use case brought up for this. 🤔

Why care how many devices are connected to a switch port? If you really want to control who‘s able to access your network: implement proper 802.1x 

@CptnCrnch @jdsilva 

I'm still waiting because in a lot of cases cases we can't use 802.1x or mac adress white list and this is why :

- 802.1X :

Our network is not in domain so not applicable.

We Try 802.1X MAB (with radius always accept). We don'tthink is the best thing because if radius servers are not reachebale computer can't access to the network and could be a major problem for all the network if radius are down for hours/days.

- Mac adsress White list :

Can't do that because there is too many moove in our network. Using white list add a lot of support time in our call center.

- Sticky Mac :

Same problem than the Mac Adress White List

Port security was and still the best option for us with this settings :

switchport access vlan XXX
switchport mode access
switchport port-security maximum 1
switchport port-security maximum 1 vlan access
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity

Why we use that ?

Because it's actually the only way to prevent more than 1 MAC Adress by switch port in our network dynamically

Thoses settings allow us to prevent "dumb-switch" or router to be plugged in our network.

Also this solution is not dependent of a external server or other things. The switch do the job and nothing else.

If 2 Mac address is detected, the security flag and we can see where it is very quickly.

So thats why I'm still waiting a CLI port security equivalent in Meraki products.

I love Meraki for a lot of thing but this missing feature is a big black point for me.

Who ever said you need a „domain“ to leverage 802.1x? Of course having a directory / central configuration für your endpoints helps a lot, but it can be done without it. It only takes more effort, but more effort doesn‘t means „not applicable“.

Also I‘m not getting the point about “RADIUS servers pose a point of failure in our network“. The same thing goes for DHCP, DNS, Domain Controllers, whatever kind of server you‘re ever referring to. Implement them as failsafe as possible and you‘ll sleep a little better. 😉

The only thing missing from Meraki switches is the ability to implement a Critical-Fail VLAN as seen on Cisco Enterprise switches. This would make for a more „failsafe“ option for this use case.

I have implemented network access control for years now from small shops to multi-national companies. I‘m not saying it‘s always easy, I‘m not saying there never have been failures but never ever has a complete network been shut down after implementing access control.

My point still is: there‘s no use in controlling how many devices are connecting as long as you‘re not able to control if these are the allowed to access your network.

@CptnCrnch 

We have other control than thoses type of security.

We just want to not authorise addition of dumb equipement in our network and Meraki havent got any solution to block this kind of devices.

Port security, I admit is not the best thing but, but he proved and do the job in our network for the last 15 years. I haven't any dumb equipement (throught hundred of distant sites)  thanks to the port security, where Meraki can't do that (or dont purpose this kind of feature without be dependent of an external service)

You make a valid point Damien.

I don't see how you could prevent dumb switches from being installed if you can't use dot1x and limit to single hosts authentication and have nothing like port security doing the job.

I mean it's still supported on Cisco Catalyst switches for a reason.
It's a more static authentication not really geared for malicious users but simply employees unplugging a device and putting a switch in between to get access.

Clearly you have never been to a factory / manufacturing environment where you have to deal with devices which don't speak 802.1 x at all (and thus you cannot make use of it for auth.).