Meraki

Community

About Chris3

Re: Encrypted client hello

by Meraki Employee in Security & SD-WAN
‎Oct 13 2023 2:11 PM
2 Kudos
‎Oct 13 2023 2:11 PM
2 Kudos
To be explicit here, yes, ECH will pose a problem for some features on MX. Explicitly, Content Filtering relies on being able to see the domain the client is attempting to communicate with, which is contained in the Server Name Information (SNI) field of a TLS header during the initial handshake.   This works just fine for TLS 1.2, and TLS1.3 when ECH is NOT in use, but any extensions to TLS1.3 that obfuscate this information will prevent it from functioning. ... View more

Re: BYOD and firewall rules.

by Kind of a big deal in Wireless
‎Oct 11 2021 10:49 PM
5 Kudos
‎Oct 11 2021 10:49 PM
5 Kudos
It sounds like you're thinking of applying static IP's to known devices and dynamic IP's to unknown devices in a completely flat network, and setting firewall rules based on whether it's a 'static range' or 'dynamic range' within the same overall subnet.. If that's the case, it's theoretically possible but pretty poor from a design perspective and I'd probably advise against it.   From a high level, there's probably a few better ways you could do this.   The cleanest way I can think of that would cover both wired and wireless clients is RADIUS 802.1x authentication. Essentially, your devices authenticate to the RADIUS server and are placed into a VLAN (based on a designated filter). You can then apply the rules to the VLAN.   For your scenario, on the RADIUS server you can setup MAC address whitelisting  for your known clients, and then send all other clients to a separate VLAN using CoA. Clients can then be 'transitioned' from unknown to known by adding the MAC address to the whitelist.   References: MS Switch Access Policies (802.1X) - Cisco Meraki Configuring RADIUS Authentication with WPA2-Enterprise - Cisco Meraki     Otherwise, you can simply separate known from unknown by applying separate VLAN's, and separate SSID's (or using Identity PSK with group policies if the same SSID is required). ... View more

Re: Stealthwatch in meraki appliance

by in Security & SD-WAN
‎Sep 28 2021 12:12 PM
‎Sep 28 2021 12:12 PM
Hi Janice,   Was wondering if you had any more information on using both Meraki and Stealthwatch together. ... View more

Re: IPv6 Teredo Blocking

by Kind of a big deal in Security & SD-WAN
‎Aug 12 2021 6:29 PM
‎Aug 12 2021 6:29 PM
Server 2019 will use IPv6 native and tunnel if it can't get there.   Disable IPv6 on your server to solve the problem. ... View more

Re: port 53 traffic redirection

by in Security & SD-WAN
‎Jun 14 2020 11:26 PM
1 Kudo
‎Jun 14 2020 11:26 PM
1 Kudo
The purpose of port forwarding is different. It's meant to be used for traffic coming in to the MX's WAN interface.   Let's say for example you have a webserver running in your local network on port 80 on a server with the local IP address of 192.168.50.1. You would then setup port forwarding like this:   It doesn't work like that for outgoing traffic.   You could configure the firewall to only allow DNS traffic to your DNS server and block everything else. Then your users would be obliged to use your DNS server (unless they proxy/VPN their way out).   ... View more
My Top Kudoed Posts
View all
© 2024 Cisco Systems, Inc.