07-23-2024 04:42 AM
Hi guys!! Is it possible to allow Webex audio calls between clients connected to the same SSID, with "Layer 2 LAN isolation" enabled?
Thanks for all!!
Marcos
07-23-2024 06:44 AM
Depends on the flow.
If the traffic goes from client to Webex server to client, then yes.
If the flow is between the clients directly, then no.
"With Client Isolation enabled, clients will only be able to communicate with the default gateway and will not be able to communicate with any other devices on the same VLAN (or broadcast domain). In order for the wireless client to communicate with another device, the upstream gateway must be used to enable this communication (e.g. inter-VLAN routing and ACLs). Any traffic bound for an address on the same VLAN as a device in client isolation will be denied. Traffic bound for other VLANs will be forwarded and routed normally."
07-26-2024 12:34 AM
How can I configure Webex to send traffic to the Webex server? Is there any guide for this? Thanks
07-23-2024 12:58 PM
I mean, in theory, you could do an ACL, something like this.
Blocking IP (L3) between clients, but permitting the L3 ports used by Webex to "any", i.e. between clients and to the rest of the network (and the Internet) on that SSID.
This of course does NOT block L2 traffic, but it should (will) block L3 traffic.
So if you have security concerns about pure L2 traffic, of course this will not solve your problem.
PS: the above ports are taken from the Webex documentation.
I have no idea if these are the ports used for traffic (RTP) between clients. 🙂
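To check that an ordered L3 rule list of the kind proposed above actually yields "Webex ports between clients allowed, everything else between clients denied, everything off-subnet allowed", here is an added first-match rule evaluator (example code, not from the original post or from Meraki). The client subnet, the Webex port numbers and the rule shape are assumptions; the real port list must come from the Webex documentation, and nothing here covers L2 (ARP, broadcast) traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    policy: str                          # "allow" or "deny"
    protocol: str                        # "tcp", "udp" or "any"
    dest_cidr: str                       # destination CIDR or "any"
    dest_ports: Optional[Tuple[int, int]]  # inclusive (low, high), None = any port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    dport: int

# Constructed values: the SSID's client subnet and PLACEHOLDER Webex ports.
# Replace the port ranges with the ones listed in the Webex documentation.
CLIENT_SUBNET = "10.20.30.0/24"
WEBEX_MEDIA_UDP = (9000, 9000)       # placeholder, not a real Webex port
WEBEX_SIGNALING_TCP = (443, 443)     # assumption: HTTPS signaling

# Order matters: Webex ports are permitted to "any" before the client-to-client deny.
RULES = [
    Rule("allow", "udp", "any", WEBEX_MEDIA_UDP),
    Rule("allow", "tcp", "any", WEBEX_SIGNALING_TCP),
    Rule("deny", "any", CLIENT_SUBNET, None),   # blocks all other L3 traffic between clients
    Rule("allow", "any", "any", None),          # rest of the network and the Internet
]

def matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls inside the rule's protocol, destination and port scope."""
    if rule.protocol != "any" and rule.protocol != flow.protocol:
        return False
    if rule.dest_cidr != "any":
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dest_cidr):
            return False
    if rule.dest_ports is not None:
        low, high = rule.dest_ports
        if not low <= flow.dport <= high:
            return False
    return True

def decide(src: str, dst: str, protocol: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    flow = Flow(src, dst, protocol, dport)
    for rule in RULES:
        if matches(rule, flow):
            return rule.policy
    return "deny"
```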
07-26-2024 12:42 AM
Many thanks for your reply. In my case I want to allow 2 different types of users in the same VLAN (internal_full_access and internal_limited_access) without creating a dedicated VLAN for the new limited_access users... and block connections between all of them like a "microsegmentation"... allowing only the service that should work between them... Webex... Then the firewall (a non-Cisco/Meraki L3 gateway) limits access to the external services by Active Directory groups assigned in firewall rules... I have more than 100 sites and it's complicated if I have to create new dedicated VLANs (and all the other things for them...) only to differentiate both types of users across that number of sites...
I'll test your proposal.
Thanks!!
07-26-2024 12:52 AM
If you utilize dot1x you can have your RADIUS server assign a Meraki Group Policy with a specific ACL for each client type.
For example, you can have one client assigned your "internal_full_access" Group Policy, and another client (on the same SSID / VLAN) assigned the "internal_limited_access" Group Policy; that works very well.
If you do not use RADIUS, you could "more or less" do the same thing with the iPSK without RADIUS feature of the AP.
Here each "PSK" is combined with a Group Policy on the same SSID.
Of course this will require you to have different PSKs (on the same SSID) for the different clients.
07-26-2024 02:43 AM
I know, but my area only manages the "access" service of the devices to the VLAN, and another Security Dept applies connection policies in the firewall... they don't manage Meraki... because of that, we want to allow/filter "isolated connections", and the rest of the filters will be applied in the firewall, and other future changes will be applied directly in the firewalls.