Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About MarshMadness
MarshMadness
Here to help
Member since Feb 1, 2020
Dec 19 2021
Community Record
11
Posts
2
Kudos
0
Solutions
Badges
Mar 8 2020
8:15 PM
Can client isolation be accomplished for a single wired client similar to what what is done for an SSID on our MRs? Internet is all this system needs... It will be plugged directly into our MX84. I don't have much access to this endpoint to do a lot of testing of theory so i am looking to the community... My thoughts are: 1) Set up a dedicated /30 VLAN for this client or 2) Set it as a fixed IP assignment on my guest VLAN (has only been for wireless until now) then Could i simply use a "Deny - Client fixed IP assignment - Any - 192.168.0.0/24 - Any" rule in the MX firewall? It would need to be located near the top of the ruleset to avoid any potential "allow" conflicts. The way the MR accomplishes Client Isolation is with a "Local LAN" definition, but the MX firewall rule wont allow that. Thanks in advance for your consideration!
... View more
Mar 8 2020
7:48 AM
2 Kudos
Thanks again @MerakiDave, this worked out great. I had to take a methodical approach to cutting over specific VLANs first in prep for the guest and student network move, but with them all moved to their new home it appears to be working great. An ancillary benefit that i did not "ask for" but was one that was pointed out in the @NolanHerring response is in regards to impacts for roaming clients (this is looking much better now.)
... View more
Mar 1 2020
5:33 PM
Thank you @MerakiDave and @NolanHerring for the analysis of my setup. As this is a departure from current state, I do have some follow-up questions... If i understand correctly (forgive me, networking is decidedly NOT my strong suit), i should: Change the current Guest SSID out of NAT mode and move to bridge mode using tagging to a VLAN set up on the MX specifically for Guests (I would also to do the same for students [dedicate MX VLAN and config SSID in bridge mode]) Ensure Client isolation (layer 2) on for Guest and Student VLANs I presume the client isolation would be done in Wireless\Firewall Traffic & Shaping\Block IPs and ports\Layer 2 LAN isolation. Would i also need to add any rules (layer 3) specially in the MX\Firewall area to block as well? Is Deny "Any" "Local LAN" "Any" specific enough of a rule or do i need to be more so since I am VLAN'ing out my network? Change to MAC tracking from IP tracking In the config section for tracking, it states "Clients are identified by their IP addresses. You should use this if there are non-Meraki layer 3 devices routing downstream clients." As i have Aruba 2530 switches, is this advisable? I assume what little Layer 7 we do continues to occur at the MR/SSID level? This will allow for all the clients on the network the benefits of Advanced Security and provide better insight to individual devices? Do i keep Content Filtering turned off at the SSID? Thankfully, i have a spare AP that i can play around with and test this out... Any last gotchas to prepare for? Again, major thanks for taking the time out on a Sunday to help out!
... View more
Mar 1 2020
8:12 AM
We have an MX84 with Advanced Security and a variety of MR's connected by Aruba PoE switches Currently set up as a flat network, just about done VLAN'ing segmentation for security reasons primarily (cutover in next couple of weeks) Mixed bag of Windows 10 and Chromebook for LAN and Guest network is obviously diverse in type 3 SSIDs - Faculty (LAN), Guests and Student (both using MR DHCP) LAN DHCP is currently Active Directory, about to move to MX VLAN DHCP (minimal internal DNS needs any longer, so DC is going away) Tracking clients by IP We are filtering on numerous content categorizations at the MX We do not have any specific filtering done on the MR's, relying only on the MX Is this the proper approach or should additional config be done on MR's? When i see blocks in the event logs based on content filtering for devices on the Guest network, i only see the IP of the MR the client is attached to, no info about the client What can be done to investigate and identify the offending client(s)? Would syslog be helpful or necessary? MR's dont seem to provide any correlating events or am i missing something? Are there adjustable logging levels that might provide more detail? Thank you in advance for any help!
... View more
Feb 22 2020
6:52 AM
I am a volunteer IT guy for a small school using an MX84 with Advanced Security and various MR's. I want to make the school as secure as possible and reduce my likelihood of any incidents etc. so i am thinking about adding Umbrella. I have spoken with someone from sales and i really do see value in all the abilities Umbrella brings, i just dont have the time or resources to config, manage and monitor yet another system. It seems like Umbrella does a lot of the same things that Advanced Security does natively with the exception of granularity of policy and investigation etc. I am using Umbrella/OpenDNS IPs for my DNS resolution already. What am i overlooking; what is the compelling argument for an Umbrella subscription given i am looking to reduce my admin workload not to mention additional cost? Thank you in advance for your insights...
... View more
Feb 22 2020
6:36 AM
As it turns out after getting off of a call with ATT Support, our DSL MODEM is required as you indicated to be inline but can be put in pass-thru mode simple enough via a couple of clicks and configuring the MX MAC. If anyone can think of any "gotchas" or make sure to do XXXX, please let me know. I may give this a go on Sunday afternoon when i can get some uninterrupted time (volunteer IT guy for a non-profit...)
... View more
Feb 21 2020
9:46 PM
Thank you for your input. If my ISP will allow for it, it would seem that this is the way to go. I should have included that we do have the Advanced Security license and i am actively looking into supplementing with Umbrella as well. Next steps I will look into whether i can ditch the AT&T gear.
... View more
Feb 21 2020
9:39 PM
Thank you for your input. If my ISP will allow for it, it would seem that this is the way to go. I am sure that i will be posting again shortly for some VLAN questions.
... View more
Feb 21 2020
9:35 PM
Thank you for your input. If my ISP will allow for it, it would seem that this is the way to go.
... View more
Feb 21 2020
9:33 PM
Thank you for your input. If my ISP will allow for it, it would seem that this is the way to go.
... View more
Feb 20 2020
7:16 PM
We are a smaller elementary/preschool/church with 1 MX84, 3 Aruba 2530's and 12 MR's of various models. Just looking to see how common of a practice it is to place an MX84 directly on the internet (meaning not behind any ISP equipment.) I am in the process of VLAN'ing the network and wondered if i should consider removing the AT&T provided hardware as well. Thanks in advance for any input or advice.
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 3167 |
© 2024 Cisco Systems, Inc.
