Meraki

Community

How can I block a website from the entire wireless network?

Solved
The1Metallian
Getting noticed
a week ago
a week ago

How can I block a website from the entire wireless network?

If I go to Wireless -> Firewall & Traffic Shaping, I have to go to each SSID one by one. I looked up and found that I have to go to Security & SD-WAN > Content Filtering, but I'm not finding that option, so maybe it applies to a different product.

Labels:
0 Kudos
1 Accepted Solution
Mloraditch
Kind of a big deal
a week ago
a week ago

You have two options one is you would need to hand your wireless off to a VLAN that is built in your MX and then use a group policy on that vlan to do the blocking

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

or you can use layer 7 rules per ssid https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_a_Layer_7_Fi...

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

8 Replies 8
Mloraditch
Kind of a big deal
a week ago
a week ago

You have two options one is you would need to hand your wireless off to a VLAN that is built in your MX and then use a group policy on that vlan to do the blocking

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

or you can use layer 7 rules per ssid https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_a_Layer_7_Fi...

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Mloraditch
The1Metallian
Getting noticed
a week ago
a week ago

@Mloraditch wrote:

You have two options one is you would need to hand your wireless off to a VLAN that is built in your MX and then use a group policy on that vlan to do the blocking

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

 

or you can use layer 7 rules per ssid https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_a_Layer_7_Fi...

Well, I didn't want to go per SSID but the other option is even more involved, so I will do each SSID individually.

 

It seems to me that it should be an option to do this network-wide.

 

Thanks for the prompt reply.

0 Kudos
In response to Mloraditch
DarrenOC
Kind of a big deal
Kind of a big deal
a week ago
a week ago

Do you have a Meraki MX in your network?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
The1Metallian
Getting noticed
a week ago
a week ago

@DarrenOC wrote:

Do you have a Meraki MX in your network?

No. Cisco ASA firewall, about to switch to FortiGate

0 Kudos
In response to The1Metallian
KFoster
Here to help
Monday
Monday

DNS sinkhole. Configure a rule to block http/https to the fqdn of the destination.

0 Kudos
In response to KFoster
The1Metallian
Getting noticed
Monday
Monday

@KFoster wrote:

DNS sinkhole. Configure a rule to block http/https to the fqdn of the destination.

I use different DNS servers per SSID. For Guest I have OpenDNS, for business associates Meraki Default, for corporate laptops my in-house DNS... I wanted one rule to block for all SSIDs

0 Kudos
In response to The1Metallian
KFoster
Here to help
Tuesday
Tuesday

I believe I understand what you are trying to describe. Ultimately, your edge firewall will make the decision to allow or block that traffic, regardless of what the endpoint is configured to point to for DNS.

 

I would recommend reviewing the DNS policy options that are available for your specific ASA platform, but here's an example: Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 7.0 - DNS Policies [...

 

Once you have a network object created with the FQDN of site you are trying to block, you can then define an ACL rule where the subnet for that specific SSID is not allowed to hit the external resource. This assumes you have a separate subnet for each SSID / network.

In response to KFoster
The1Metallian
Getting noticed
Tuesday
Tuesday

@KFoster wrote:

I believe I understand what you are trying to describe. Ultimately, your edge firewall will make the decision to allow or block that traffic, regardless of what the endpoint is configured to point to for DNS.

 

I would recommend reviewing the DNS policy options that are available for your specific ASA platform, but here's an example: Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 7.0 - DNS Policies [...

 

Once you have a network object created with the FQDN of site you are trying to block, you can then define an ACL rule where the subnet for that specific SSID is not allowed to hit the external resource. This assumes you have a separate subnet for each SSID / network.

Thank you

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.