
Port Security equivalent

Conversationalist


Hi All,

 

I was wondering if there was a Port Security equivalent like the feature on the Cisco Catalyst range - I can see there is a MAC address Sticky option but wondering if there is a way of just limiting the number of MAC addresses seen on a port.

Wanting a simple solution to control the number of MAC addresses seen on a port to prevent rogue switches being connected to an access port - specifically ones that do not run spanning tree, as we cannot use BPDU guard to detect them.

Also wanting to avoid having to look at 802.1x or MAC-based authentication for this setup. Just something where we can limit the port to 2 MAC addresses (Phone and PC).

 

Cheers,
Dave

10 REPLIES
Head in the Cloud

Re: Port Security equivalent

There isn't a maximum MACs feature right now. I've also been hoping this gets added at some point.

Getting noticed

Re: Port Security equivalent

Once you set the port to Access, you can set the policy to Sticky whitelist. That will bring up two fields. One is whitelist size limit. You can put down the limit there.

 

This may be what you're looking for.


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator
Meraki Employee

Re: Port Security equivalent

You can do this, should be no problem.  Make sure you set any port or combination of ports to access (not trunk) mode and you should then see the configuration option for "Access Policy" and you can set that to either "MAC Whitelist" or "Sticky MAC Whitelist".  You can select the Sticky MAC Whitelist, and either specify the number of MAC addresses (whitelist limit) you want to allow, 1, 2 up to 20 max I think, and/or you can populate the whitelist with specific MAC addresses if you need to.  More info here: https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports

 

Conversationalist

Re: Port Security equivalent

Thank you both for this information - however, I would like to avoid a Sticky MAC address list as these systems change. I just want to prevent too many devices being connected to an access point at any one time, for example if they connected a dumb switch that is not seen by BPDU guard.

For the MAC whitelist, from what I can see, you have to know the MAC addresses to allow.

For the Sticky whitelist, I assume once the limit is reached no further devices can be connected even if the others have been disconnected, as it stores the MAC addresses?

 

Thanks,

Dave

Head in the Cloud

Re: Port Security equivalent

In spite of everyone's effort to help, this feature does not exist in Meraki today. I've looked, and tried all the whitelist features and it's not what you (or I) are after :(

Conversationalist

Re: Port Security equivalent

That is a pity :(

Here to help

Re: Port Security equivalent

I was just wondering if Meraki had this on the cards for the near future?

Essentially just a timeout value on the MAC address learnt for each port, of say 15 mins.
Meraki Employee

Re: Port Security equivalent

Just a quick one on this - wondering why you 'cannot use BPDU guard to detect them' (people attaching switches that don't run STP..?)
Getting noticed

Re: Port Security equivalent

Because STP is what generates BPDUs, and switches that don't have STP or disable it won't generate BPDUs.

BPDU is basically the cornerstone of STP function.

Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator
New here

Re: Port Security equivalent

This is a deal breaker! C'mon Meraki! You are losing potential customers because of this.
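
An added example, not part of the thread and not Meraki code: a monitoring-side check that flags an access port when more than two MAC addresses are active within an aging window, the behaviour asked for above. The sightings, port names and MAC addresses are constructed, and how they are exported from the switch is left as an assumption.

```python
from collections import defaultdict

MAX_MACS = 2             # phone + PC, the limit asked for in the thread
AGING_SECONDS = 15 * 60  # the 15-minute timeout suggested in the thread

# Constructed sample: (seconds, port, MAC) sightings from polling a MAC table.
SAMPLE = [
    (0,    "5", "02:00:00:00:05:01"),  # phone
    (10,   "5", "02:00:00:00:05:02"),  # PC
    (20,   "7", "02:00:00:00:07:01"),
    (30,   "7", "02:00:00:00:07:02"),
    (40,   "7", "02:00:00:00:07:03"),  # third device behind an unmanaged switch
    (1000, "5", "02:00:00:00:05:01"),  # phone still present
    (1010, "5", "02:00:00:00:05:03"),  # replacement PC after the old one left
]


def find_violations(observations, max_macs=MAX_MACS, aging=AGING_SECONDS):
    """Return (time, port, active MACs) whenever a new MAC pushes a port
    over max_macs. A MAC not seen for more than `aging` seconds is forgotten,
    so replaced devices do not count against the limit."""
    last_seen = defaultdict(dict)  # port -> {mac: time last seen}
    violations = []
    for ts, port, mac in sorted(observations):
        table = last_seen[port]
        # Age out entries that have been silent for longer than the window.
        for old in [m for m, t in table.items() if ts - t > aging]:
            del table[old]
        mac = mac.lower()
        is_new = mac not in table
        table[mac] = ts
        if is_new and len(table) > max_macs:
            violations.append((ts, port, sorted(table)))
    return violations


if __name__ == "__main__":
    for ts, port, macs in find_violations(SAMPLE):
        print(f"t={ts}s port {port}: {len(macs)} active MACs: {', '.join(macs)}")
```

Passing a very large `aging` value makes entries effectively permanent, and the replacement PC on port 5 is then flagged as well.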
