We are looking to prevent rogue devices connecting to our business LAN, where we use Meraki MS350s as our access switches.
I have seen one way of doing this is by whitelisting MACs for specific ports, which could be done by using sticky MAC and then telling it to block any other devices by default after it learns 1 MAC address. Although it is secure, this is not very versatile for when PCs get replaced, for example, or a user requires a desk move - it would lead to additional administration or difficulties if IT staff are tied up with something else.
One promising method I have seen as a possible solution is whitelisting clients:
This looks to be the easiest way if you think it would work for us, as we could simply whitelist ALL clients who are currently connected or known to our business VLAN. Having done that, we would like to block traffic from any unknown devices by default. We already have rogue detection set up in case someone plugs in a personal device, but there is currently nothing set up to block this traffic. I cannot see how to set up a policy to block non-whitelisted clients by default.
Please could you give me a suggestion on either the easiest thing to do or the best thing to do in our situation? Let's say that we are an SMB with 65 devices, for the purposes of this example. The MAC Authentication Bypass seems like a big task to set up as an alternative to the above possibilities.
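The "whitelist everything currently known on the business VLAN, then flag or block the rest" approach described above, as an added example that is not part of the original post or of any Meraki tooling: it normalises MACs from a mixed-format client export, builds a per-port allow list for the business VLAN, reports any observed client that is not on its port's list, and shapes a sticky-MAC port update. The client records are constructed, and the payload field names are an assumption about the Dashboard API switch-port settings, to be checked against the current API documentation.

```python
"""Per-port MAC allow list from known clients, plus detection of unknown ones.

Added example (not from the original post or from Cisco Meraki). Client
records are constructed; payload keys are assumed, not verified API names.
"""
import re
from collections import defaultdict

BUSINESS_VLAN = 10  # constructed: the VLAN the post wants to protect

# Constructed snapshot as a dashboard export might list it:
# (mac, description, vlan, switch port). MAC formats deliberately mixed.
KNOWN_CLIENTS = [
    ("00:11:22:aa:bb:01", "finance-pc-01", 10, "3"),
    ("00-11-22-AA-BB-02", "finance-pc-02", 10, "4"),
    ("0011.22aa.bb03", "printer-floor1", 10, "7"),
    ("00:11:22:aa:bb:99", "guest-laptop", 20, "12"),  # guest VLAN: excluded
]

# Constructed later observation of (mac, port); the third one is a stranger.
OBSERVED = [("00:11:22:aa:bb:01", "3"), ("00:11:22:AA:BB:02", "4"),
            ("de:ad:be:ef:00:01", "7")]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to lowercase colon form; reject anything malformed."""
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def build_allow_list(clients, vlan=BUSINESS_VLAN):
    """Map switch port -> sorted allowed MACs for clients seen on `vlan`."""
    per_port = defaultdict(set)
    for mac, _desc, client_vlan, port in clients:
        if client_vlan == vlan:
            per_port[port].add(normalize_mac(mac))
    return {port: sorted(macs) for port, macs in per_port.items()}

def find_unknown(observed, allow_list):
    """Return (port, mac) pairs seen on a port but absent from its allow list."""
    return [(port, normalize_mac(mac)) for mac, port in observed
            if normalize_mac(mac) not in allow_list.get(port, [])]

def port_payload(port, allow_list):
    """Assumed shape of a sticky-MAC allow-list port update (keys unverified)."""
    macs = allow_list.get(port, [])
    return {"accessPolicyType": "Sticky MAC allow list",
            "stickyMacAllowList": macs,
            "stickyMacAllowListLimit": max(1, len(macs))}

if __name__ == "__main__":
    allow = build_allow_list(KNOWN_CLIENTS)
    for port, mac in find_unknown(OBSERVED, allow):
        print(f"unknown client {mac} on port {port}")
```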