
Content Filtering


We have a strict network policy with quite a bit of filtering enabled: no personal devices within the building except the lunch room and outside on breaks.

Firewall - both Layer 7 rules and content filtering for social network, any file transfer, external storage systems, email etc.

This is suitable for our normal staff using the LAN and internal wireless networks which access the LAN, with some AD group policies for overrides etc., which works well.

We have a staff WiFi which cannot access the LAN, but we want open access to the Internet. The staff can use any personal device such as a phone, tablet or laptop, and we don't want to have to use MDM.

I can add Layer 7 rules but not override the firewall ones, and the content is still filtered even though the option to filter content is switched off on the access page of the WiFi configuration.

Any ideas how I can accomplish this?

1 ACCEPTED SOLUTION


Re: Content Filtering

Hi and thanks for your reply.

I am restarting this thread up again, as I still have the same issue, and have tested a few more scenarios.

Default VLAN 1 for all infrastructure, MX64 DHCP

LAN on VLAN 10, DHCP via Windows server

Wireless SSID 1, L3 roaming, access to LAN and internet

    filtered by the normal content filter, can be overridden by group policy

Wireless SSID 2, Meraki DHCP, no access to LAN, access to internet

    filtered by the normal content filter, cannot be overridden by group policy OR client whitelisting.

I have tried Windows laptop and Android clients, same effect. It seems that the Meraki DHCP SSID is perfect for our staff to use their personal phones, where they have no access to the LAN or each other but would like unfettered access to the internet. Unfortunately the content filter is always applied.

The content filter is used on the LAN and other SSIDs with L3 roaming to restrict approved devices (i.e. non-personal phones), yet I can apply whitelisting or group policies on various clients which can easily bypass the content filter.

However, I think I found the answer.

Created a new VLAN with group policy attached to override the content filter.

Created a new staff SSID, used L3 Roaming, tagged to the VLAN and denied access to LAN.

Seems to have fixed it.

 

Steve
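A defender-side check for the fix described above, as an added example that is not part of the original post or Meraki's own tooling: it audits a configuration snapshot for VLANs whose group policy overrides the content filter and confirms that every SSID tagged onto such a VLAN denies LAN access. The snapshot layout, key names and sample values are constructed for this example and are not the Dashboard API schema.

```python
# Added example: audit a config snapshot for content-filter bypass VLANs.
# Keys and values are constructed for illustration, not a vendor schema.
SNAPSHOT = {
    "group_policies": {
        "gp-staff-open": {"content_filter": "override"},
        "gp-default": {"content_filter": "network default"},
    },
    "vlans": {
        1: {"name": "infrastructure", "group_policy": None},
        10: {"name": "LAN", "group_policy": None},
        30: {"name": "staff-byod", "group_policy": "gp-staff-open"},
    },
    "ssids": [
        {"name": "corp", "mode": "l3-roaming", "vlan": 10, "deny_lan": False},
        {"name": "staff-old", "mode": "meraki-dhcp", "vlan": None, "deny_lan": True},
        {"name": "staff", "mode": "l3-roaming", "vlan": 30, "deny_lan": True},
    ],
}


def unfiltered_vlans(snapshot):
    """VLAN IDs whose attached group policy overrides the content filter."""
    policies = snapshot["group_policies"]
    return {
        vid for vid, vlan in snapshot["vlans"].items()
        if vlan["group_policy"]
        and policies[vlan["group_policy"]]["content_filter"] == "override"
    }


def audit(snapshot):
    """Return findings as (ssid_name, issue) tuples."""
    open_vlans = unfiltered_vlans(snapshot)
    findings = []
    for ssid in snapshot["ssids"]:
        if ssid["mode"] == "meraki-dhcp":
            # As reported in the thread: overrides did not take effect here.
            findings.append((ssid["name"], "content filter cannot be overridden per client"))
        if ssid["vlan"] in open_vlans and not ssid["deny_lan"]:
            findings.append((ssid["name"], "unfiltered VLAN with LAN access allowed"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SNAPSHOT):
        print(f"{name}: {issue}")
```

The second finding is the one that matters after applying the fix: a VLAN exempt from content filtering should never be reachable from an SSID that still allows LAN access.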

 

 

 


6 REPLIES

Re: Content Filtering

Hi @Steve-Potter

 

I had a similar issue that I ran into a while back. It turned out that the content filtering was still being applied to the access point itself. I created a Group Policy with a content filtering override and applied that to the management VLAN that the access points fell into. You might check there?



Re: Content Filtering

I haven't tested this, but look under Wireless > Access Control, then select your SSID. There is a section for Content Filtering that may give you the settings you need. I think you can opt out of Content Filtering or use Custom DNS.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO

Re: Content Filtering

I like that idea, not sure how to apply a GP to the management VLAN though. All our infrastructure is on the same default VLAN; the data/phone and CCTV VLANs are separate though.

 


Re: Content Filtering

Yes, I have seen that, and despite it having the same label "Content Filtering" it is, I think, a different animal.

I have tried a few settings but not had any success bypassing the MX content filtering JUST for clients of 1 SSID.

Steve

 

 


Re: Content Filtering

Sorry, I'm having trouble fully understanding your topology and goal in this request.

Are you using the Meraki DHCP for this public SSID? And do you have the Wireless > Firewall & Traffic Shaping rule for that SSID set to Deny Any Local LAN? If those two options above are set then it shouldn't really matter what VLAN you are on, unless you are trying to do any kind of special routing to send it out a different path.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO