Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Layer 2 LAN isolation + allow webex audio between clients... is possible?

marquitos666
Comes here often
‎Jul 23 2024 4:42 AM
‎Jul 23 2024 4:42 AM

Layer 2 LAN isolation + allow webex audio between clients... is possible?

Hi guys!! is possible to allo webex audio calls between clients connected to the same SSID, with "Layer 2 LAN isolation" enabled?

 

Thanks for all!!

 

Marcos

Labels:
0 Kudos
Subscribe
6 Replies 6
ww
Kind of a big deal
Kind of a big deal
‎Jul 23 2024 6:44 AM
‎Jul 23 2024 6:44 AM

Depends on the flow.

If the traffic goes from client to webex server to client, then yes.

If the flow is between the clients directly,  then no

 

"With Client Isolation enabled, clients will only be able to communicate with the default gateway and will not be able to communicate with any other devices on the same VLAN (or broadcast domain). In order for the wireless client to communicate with another device, the upstream gateway must be used to enable this communication (e.g. inter-VLAN routing and ACLs). Any traffic bound for an address on the same VLAN as a device in client isolation will be denied. Traffic bound for other VLANs will be forwarded and routed normally."

0 Kudos
Subscribe
In response to ww
marquitos666
Comes here often
‎Jul 26 2024 12:34 AM
‎Jul 26 2024 12:34 AM

How can I configure Webex to send traffic to webex server? is there any guide for this? Thanks

0 Kudos
Subscribe
thomasthomsen
Head in the Cloud
‎Jul 23 2024 12:58 PM
‎Jul 23 2024 12:58 PM

I mean, in theory, you could do an ACL, something like this.

thomasthomsen_0-1721764515129.png

 

Blocking IP (L3) between clients, but permitting the L3 ports used by Webex to "any" aka, between clients, and to the rest of the network (and internet) on that SSID.

This does of course NOT block L2 traffic, but it should (will) block L3 traffic.

So if you have security concerns about pure L2 traffic, of course this will not solve your problem.

 

PS: above ports used are taken from the webex documentation.

I have no idea if these are the ports used for traffic (RTP) between clients. 🙂

0 Kudos
Subscribe
In response to thomasthomsen
marquitos666
Comes here often
‎Jul 26 2024 12:42 AM
‎Jul 26 2024 12:42 AM

Many thanks for your reply, in my case I want to allow 2 different types of users in the same vlan (internal_full_access and internal_limited_access) without create a dedicated vlan for new limited_access users... and block connection between all of them like a "microsegmentation"... allowing the only service that should work between them... Webex... Then, Firewall (non Cisco/Meraki L3 Gateway) limit the access to the external services by Active Directory groups asigned in firewall rules... I have more than 100 sites and it's complicated if I have to create new dedicated vlans (and all other things for them...) only for diff both type of users in that mount of sites...

 

I'll test your proposal.

 

Thanks!!

 
0 Kudos
Subscribe
In response to marquitos666
thomasthomsen
Head in the Cloud
‎Jul 26 2024 12:52 AM
‎Jul 26 2024 12:52 AM

If you utilize a dot1x you can have your radius server assign a Meraki GroupPolicy with specific ACL for each client type.

For example. You can have one client assigned with your "internal_full_access" GroupPolicy, and another client (on the same SSID / VLAN) assigned with the "internal_limited_access" GroupPolicy, the works very well.

If you do not use radius, you could "more or less" do the same thing with the iPSK Without radius feature of the AP.

Here each "PSK" is combined with a GroupPolicy on the same SSID.

Of course this will require you to have different PSK (on the same SSID) for the different clients.

0 Kudos
Subscribe
In response to thomasthomsen
marquitos666
Comes here often
‎Jul 26 2024 2:43 AM
‎Jul 26 2024 2:43 AM

I know, but my area only manage the "access" service of the devices to the vlan, and other Security Dpt apply connections policies in Firewall... the don't manage Meraki... because of that, we want to allow filter "isolated connection", and the rest of filters will be applied in Firewall, and other future changes will be directly applied in Firewalls

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.