detecting rogue devices on Meraki switches

gagan239
Hi,

I have got a task to provide a solution to a customer to detect (and possibly block) rogue devices that are connected to a network involving Meraki switches. The customer has several ports that are internet only, which we could ignore. But for production ports, how do we lock those down, or at least alert when a rogue device is connected?

As far as I know, we have the following options available on Meraki switches to enhance port security:
- Port schedule - disables/enables a port based on a schedule
- Access policy, which involves Open, MAC allow list, Sticky MAC allow list and User-defined access policy - includes 802.1x authentication (looks like the best option)
- STP Guard, which involves Root guard, BPDU guard and Loop guard
- Trusted DAI - protects networks against man-in-the-middle ARP spoofing attacks
- UDLD

Need expert guidance on this.

Mloraditch

The most effective option would be an 802.1x solution. 

Meraki is slowly rolling out the preview of their built in solution: https://documentation.meraki.com/Access_Manager

Cisco ISE would be a more full featured end-to-end Cisco solution.

You can also use products like NPS.

You would then rely on a combination of those systems and the various syslogs generated to capture alerts about rogue devices.

These solutions offer tons of features and can be quite complex to set up. Depending on the customer size and need, you may want to engage with a partner who has familiarity in doing these sorts of installs.


Everything else you are discussing provides related bits and pieces that do some things, but not nearly everything. You should still use STP/UDLD functions in most cases to complement things and prevent issues that 802.1x doesn't handle.

rhbirkelund

The main hurdle is that you need a way to differentiate between what is a known device and what is a rogue device, and make a decision on network access based on that information. And for that you most likely will need an 802.1x solution, as @Mloraditch suggests. Essentially, the customer would have to implement some sort of asset management.

If that is out of the question there may be alternate ways.

For a BYOD type of solution, you could look into Trusted Access.

Otherwise you could implement a Splash-Page access with sponsored email addresses. This may also work for Wired. You'd configure a domain name that will receive access requests, where the receiver would then have to acknowledge and accept the access request.

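As an added example, not code from this thread or from Meraki: the "known device versus rogue device" decision that rhbirkelund describes, applied to the scenario in the question (internet-only ports are ignored, production ports raise an alert). It assumes the customer keeps an asset inventory keyed by MAC address, optionally with the port each asset is expected on; the client sightings are constructed here and would in practice come from the switch client table or the syslogs Mloraditch mentions. Function and data names are the example's own.

```python
"""Flag unknown or misplaced wired clients on production switch ports
by comparing switch sightings against an asset inventory.

Added example for the discussion above; all data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed asset inventory (assumption: the customer maintains one).
# Value is (asset name, expected "switch/port" or None for any production port).
KNOWN_ASSETS: Dict[str, Tuple[str, Optional[str]]] = {
    "00:11:22:33:44:55": ("finance-ws01", "sw1/3"),
    "00-11-22-33-44-56": ("printer-2f", None),
    "0011.2233.4457": ("vc-room-codec", "sw2/1"),
}

# Constructed set of the internet-only ports the question says can be ignored.
INTERNET_ONLY_PORTS: Set[str] = {"sw1/23", "sw1/24"}


@dataclass(frozen=True)
class Sighting:
    """One client seen by a switch: which switch, which port, which MAC."""
    switch: str
    port: str
    mac: str

    @property
    def location(self) -> str:
        return f"{self.switch}/{self.port}"


@dataclass(frozen=True)
class Alert:
    kind: str          # "unknown-mac" or "unexpected-port"
    sighting: Sighting
    detail: str


def normalize_mac(mac: str) -> str:
    """Accept 00:11:..., 00-11-..., or 0011.2233.4455 and return colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_rogue_devices(sightings: Iterable[Sighting],
                       known_assets: Dict[str, Tuple[str, Optional[str]]],
                       internet_only_ports: Set[str]) -> List[Alert]:
    """Return alerts for sightings on production ports that are either not in
    the inventory at all, or are a known asset on a port it should not be on."""
    inventory = {normalize_mac(m): v for m, v in known_assets.items()}
    alerts: List[Alert] = []
    for s in sightings:
        if s.location in internet_only_ports:
            continue  # internet-only ports are out of scope per the question
        entry = inventory.get(normalize_mac(s.mac))
        if entry is None:
            alerts.append(Alert("unknown-mac", s, "MAC not in asset inventory"))
            continue
        name, expected_port = entry
        if expected_port is not None and expected_port != s.location:
            alerts.append(Alert("unexpected-port", s,
                                f"{name} is expected on {expected_port}"))
    return alerts


# Constructed sample of what a switch client table might report.
SAMPLE_SIGHTINGS = [
    Sighting("sw1", "3", "00:11:22:33:44:55"),   # finance-ws01 where expected
    Sighting("sw1", "7", "00:11:22:33:44:56"),   # printer, any port is fine
    Sighting("sw1", "9", "de:ad:be:ef:00:01"),   # unknown MAC on a production port
    Sighting("sw1", "24", "de:ad:be:ef:00:02"),  # unknown, but internet-only port
    Sighting("sw2", "5", "00:11:22:33:44:57"),   # codec seen on sw2/5, not sw2/1
]


def main() -> None:
    for a in find_rogue_devices(SAMPLE_SIGHTINGS, KNOWN_ASSETS, INTERNET_ONLY_PORTS):
        print(f"[{a.kind}] {a.sighting.location} "
              f"{normalize_mac(a.sighting.mac)}: {a.detail}")


if __name__ == "__main__":
    main()
```

Running it reports one unknown MAC on sw1/9 and one known asset on an unexpected port on sw2/5; the unknown MAC on sw1/24 is skipped because that port is internet-only. The inventory check only tells you that an address is unfamiliar or out of place, which is the same evidence a MAC allow list gives the switch; an 802.1x identity is stronger evidence of who is actually on the port, which is why both replies point to 802.1x as the primary control and to this kind of comparison as the alerting layer on top.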
