02-08-2021 06:22 AM
Hello all, please forgive if this is a stupid question. I'm still learning my way around. I did some searching but still feel like I don't understand. I was tasked with configuring a Meraki MX68W. 2 Users will connect direct to ports, 3 users will connect wirelessly.
I would like to lock down physical ports only to MACs that I allow. If joe schmo tries to plug in, he will get blocked. Is this a firewall setting or am I missing an Access Control setting somewhere?
I also would like to do the same thing with the wireless SSID I created. I don't have a Radius server. My setup is simple, I think.
I was hoping for a simple solution of entering allowed MACs and if someone isn't on the list, they just don't get in.
Can someone please guide me in the right direction?
02-08-2021 06:37 AM
In further reading I guess I could disable unused ports. I also did see I can set a port as Trunk or Access. But seems like this will require a Radius server to compare against.
I'm still trying to figure out wireless. I'm already hiding SSID broadcast but am stuck at my original post.
02-08-2021 07:30 AM
What you can do is block all traffic at network firewall level. And then whitelist or assign a specific group policy to the clients that need access to the network
02-08-2021 08:03 AM
ok, I see what you're saying...if there is a template applied to other Meraki's, and I go to Network-wide to create a group policy for my network (which is not under any template) will this affect other Meraki's? I'm just trying to be cautious I don't break other things lol
02-09-2021 05:14 AM
OK, maybe I have this down. Here are my steps. Can someone please confirm
1. Make sure I'm under the Network I created
2. Go to Security & SD WAN - Firewall
3. Add rule Deny Any Any
4. Go to Network-Wide - Clients
5. Add Clients to : Allowed List
Does this look right?
02-11-2021 06:17 AM
I would whitelist them first. Then deny any any
02-11-2021 12:59 PM
Interesting thing, it kind of worked.
It blocked an unauthorized user from outside network access but I was hoping to block internal network access as well.
I had to create a L7 rule that blocked my entire network to somewhat achieve what I wanted. Of course making sure my authorized users are getting my Allow group policy.
I guess it'll do for the needs I have. Thanks.
08-31-2021 07:00 AM
Did you ever get a definitive solution that worked reliably? I am needing to do the same thing and I am also unfamiliar with the dashboard.
I saw your steps and I don't have a "Security and SD Wan" - Firewall setting in my menus? Can you give me more detail on the steps you followed?
Thanks for any help you can give me.
08-31-2021 08:01 AM
Hey there, sticking with the steps I did was good enough.
I go to Network to make sure I'm on the correct group. Then below that I have access to Security and SD Wan.
If you don't see it, you might not have rights? If you see Appliance Status then you know you're in the right place.
02-10-2021 07:24 AM
I appreciate the info, can you look at my steps and see if they will work?