cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Whitelisting clients network wide

New here

Whitelisting clients network wide

We are looking to prevent rogue devices connecting to our business LAN, where we use Meraki MS350's as our access switches.

I have seen one way of doing this is by whitelisting MACs for specific ports, which could be done by using sticky MAC and then tell it to block any other devices by default after it learns 1 MAC address. Although it is secure, this is not very versatile for when PCs get replaced for example or a user requires a desk move - it would lead to additional administration or difficulties if IT staff are tied up with something else.

 

One promising method I have seen as a possible solution is whitelisting clients:

https://documentation.meraki.com/MX-Z/Group_Policies_and_Blacklisting/Blocking_and_Whitelisting_Clie...

 

This looks to be the easiest way if you think it would work for us, as we could  simply whitelist ALL clients who are currently connected or known to our business VLAN. Having done that we would like to by default block traffic from any unknown devices, we already have rogue detection setup incase someone plugs in a personal device, but there is currently nothing setup to block this traffic. I cannot see how to set up a policy to default block non-whitelisted clients.

 

Please could you give me a suggestion on either the easiest thing to do or best thing to do in our situation? Lets say that we are an SMB with 65 devices, for the purposes of this example. The MAC Authentication Bypass  seems like a big task to set up as an alternative to the above possibilities.

 

Many thanks in advance for your assistance.

2 REPLIES 2
Head in the Cloud

Re: Whitelisting clients network wide

Have you looked at 802.1x? In your example, you could look at doing MAB (MAC authentication bypass) - https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Kind of a big deal

Re: Whitelisting clients network wide

+1 to @WANKiller.

 

The second option is to go:

Switch/IPv4ACL

And to add a "Deny" rule that blocks everything.  Then use your white listing to override this rule.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.