Block Application on Specific APs only

Solved
VinceR
Comes here often

I've submitted an email ticket with this question to support, but thought I'd post it here also.


Is it possible to block an application, i.e. Facebook, when connected to specific APs? We have a store that's on the same network as our office, and we want to block Facebook access for users who are connected to the store's two APs while still allowing Facebook access on the two office APs. Physically speaking, the office APs and store APs are not physically close enough to each other for there to be any overlapping coverage as they are in two separate buildings. I know you can easily create a layer 7 rule that'll block applications, but it blocks that application for the entire network.

We do have an SSID that employees can connect their cell phones to; it is WPA2 protected. We have considered creating another SSID that enforces the layer 7 rule blocking Facebook, but did not want to have to go through the steps of creating it and then going to each cell phone and entering the SSID password for the store users, as we do not give it to anyone for security reasons. Any input or advice would be greatly appreciated!

1 Accepted Solution
alemabrahao
Kind of a big deal

You can only apply L7 rules on an SSID; it's not possible to configure them on an AP.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

6 Replies 6
GreenMan
Meraki Employee

You should really have APs that are in different sites placed in different Dashboard Networks, within your Organization. Your requirement could be addressed if you did that (and there are other benefits too). Consider creating the new Network by basing it on the existing one, to save yourself time.

VinceR
Comes here often

While these are two separate buildings that are about 20 feet apart, it is technically one site. We also have a mechanics shop that's close by, about 20 feet apart also, so there are three buildings on this site that share one ISP connection. No, we cannot add another connection for each building; it's not feasible. We have not considered a separate network for a variety of reasons which are far too many to list in a post on here. I do appreciate the feedback though!

alemabrahao
Kind of a big deal

Why don't you create an SSID for each location?

VinceR
Comes here often

We currently do have an SSID at all of our locations that is specifically for employee cell phones and IoT devices; it is segmented from the LAN at all these locations. The SSID is named the same at all locations and has the same WPA2 password, as several of our employees travel between our locations.

I believe for now that we are just going to block Facebook using the layer 7 rule for that specific SSID.

pjc
A model citizen

As @GreenMan has already mentioned, create a new network (clone it from the existing network) and move these 2 store APs into it. You then modify the employee SSID L7 Firewall settings in this new network to block Facebook. Job done.
