BYOD and firewall rules.

Chris3
Here to help

Here's the scenario.

You have some devices that you know on your network; you have set up a set of firewall rules for the trusted devices.

An unknown device connects and you want to apply a firewall policy to give them the bare basics: HTTPS, DNS, email (i.e. firewall rules).

You can then move the new device into a known devices template.

For the new devices, can you set a CIDR firewall object that matches a new unknown device?

Is it possible to achieve this, if so how?

I think I could do this if I set fixed IPs for all my devices in sequence; then can you match a set, i.e. wildcard the rest of the dynamic IPs?

Brash
Building a reputation

It sounds like you're thinking of applying static IPs to known devices and dynamic IPs to unknown devices in a completely flat network, and setting firewall rules based on whether it's a 'static range' or 'dynamic range' within the same overall subnet.
If that's the case, it's theoretically possible but pretty poor from a design perspective and I'd probably advise against it.

From a high level, there are probably a few better ways you could do this.

The cleanest way I can think of that would cover both wired and wireless clients is RADIUS 802.1x authentication.

Essentially, your devices authenticate to the RADIUS server and are placed into a VLAN (based on a designated filter). You can then apply the rules to the VLAN.

For your scenario, on the RADIUS server you can set up MAC address whitelisting for your known clients, and then send all other clients to a separate VLAN using CoA.

Clients can then be 'transitioned' from unknown to known by adding the MAC address to the whitelist.

References:
MS Switch Access Policies (802.1X) - Cisco Meraki
Configuring RADIUS Authentication with WPA2-Enterprise - Cisco Meraki

Otherwise, you can simply separate known from unknown by applying separate VLANs, and separate SSIDs (or using Identity PSK with group policies if the same SSID is required).
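As an added example (not part of either post or of Meraki's documentation), the Python below works out how many CIDR address objects the flat static-range/dynamic-range approach from the question would actually need, checks that the fixed range and the DHCP pool do not overlap, and shows how a rule keyed only on source address classifies a client. The /24, the fixed range .10-.49 and the DHCP pool .50-.254 are constructed values.

```python
import ipaddress


def range_to_cidrs(first: str, last: str) -> list:
    """Minimal list of CIDR blocks covering the inclusive range first..last.
    Each block is one firewall address object a rule would have to reference."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def ranges_overlap(a_first: str, a_last: str, b_first: str, b_last: str) -> bool:
    """True if the two inclusive address ranges share at least one address."""
    a0, a1 = ipaddress.ip_address(a_first), ipaddress.ip_address(a_last)
    b0, b1 = ipaddress.ip_address(b_first), ipaddress.ip_address(b_last)
    return a0 <= b1 and b0 <= a1


def classify(ip: str, known_cidrs, unknown_cidrs) -> str:
    """Which object set a source-address rule would match this client against.
    The match is purely on address, so any client that ends up with an address
    inside the 'known' blocks is treated as trusted, whatever device it is."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in known_cidrs):
        return "known"
    if any(addr in net for net in unknown_cidrs):
        return "unknown"
    return "unmatched"


# Constructed values (assumptions, not from the post): one flat /24 where known
# devices get fixed addresses .10-.49 and DHCP hands out .50-.254.
STATIC_FIRST, STATIC_LAST = "192.168.10.10", "192.168.10.49"
DHCP_FIRST, DHCP_LAST = "192.168.10.50", "192.168.10.254"

STATIC_CIDRS = range_to_cidrs(STATIC_FIRST, STATIC_LAST)    # 5 blocks
DYNAMIC_CIDRS = range_to_cidrs(DHCP_FIRST, DHCP_LAST)        # 11 blocks
# The fixed range and the DHCP pool must not overlap, or a lease could land an
# unknown device inside the "known" objects.
POOLS_DISJOINT = not ranges_overlap(STATIC_FIRST, STATIC_LAST, DHCP_FIRST, DHCP_LAST)

if __name__ == "__main__":
    print("objects needed for known devices:  ", len(STATIC_CIDRS))
    for net in STATIC_CIDRS:
        print("   ", net)
    print("objects needed for unknown devices:", len(DYNAMIC_CIDRS))
    for net in DYNAMIC_CIDRS:
        print("   ", net)
    print("fixed range and DHCP pool disjoint:", POOLS_DISJOINT)
    # A dedicated VLAN for unknown devices, as the reply suggests, is one object.
    print("separate VLAN instead:", ipaddress.ip_network("192.168.20.0/24"))
    print("client .77 ->", classify("192.168.10.77", STATIC_CIDRS, DYNAMIC_CIDRS))
```

Every rule in the rule set has to carry all of those objects, and they all need rewriting whenever the DHCP pool boundary moves, which is the design cost the reply is pointing at.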
