
If you’re trying to secure your organization’s switch infrastructure, we’ve got great news for you: Cisco Meraki switches now support:

  • MAC-based RADIUS authentication

  • DHCP server containment

  • MAC whitelisting

MAC-based RADIUS authentication

All Meraki MS switches support 802.1X wired authentication, which allows the configuration of port-based access policies by using user credentials for authentication, but until now our switches didn’t allow for device-based policies. Furthermore, not all devices support 802.1X authentication, limiting the security scope of the port-based approach.

Enter MAC-based RADIUS authentication. When enabled, this feature requires authentication for each MAC address accessing a switch port. Now, you can dictate port access at the device level, enabling more granular control.

Enabling MAC-based RADIUS authentication in a policy to be applied to specific ports.

DHCP server containment

MS switches now perform DHCP snooping to identify which devices are responding to DHCP requests on your network, so you can automatically detect and block unauthorized, rogue devices. Configuring a DHCP server policy is easy. Simply set a policy to allow or block identified DHCP servers, then specify any exceptions to the rule. In the image below, for example, we’ve blocked all DHCP servers by default, except for our authorized server with MAC address aa:bb:cc:dd:ee:ff—this helps secure us from rogue DHCP servers which may be added to the network at any time.

Configuring rogue DHCP server containment for a Cisco Meraki network only takes one click.
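The allow/block-with-exceptions policy described above can be sketched as follows. This is an added example, not Meraki's implementation: it assumes the decision keys on the frame's source MAC and on DHCP option 53 (message type), and the function names and sample payloads are constructed for illustration.

```python
MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie after the 236-byte BOOTP header
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # message types only a DHCP server sends

def parse_options(payload):
    """Return {code: value} for the DHCP options in a BOOTP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None          # option code with no length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None          # option value runs past the end of the payload
        opts[code] = value
        i += 2 + length
    return opts

def verdict(src_mac, payload, default="block", exceptions=()):
    """Apply the default policy plus exceptions to one frame's DHCP payload."""
    opts = parse_options(payload)
    if opts is None or len(opts.get(53, b"")) != 1 or opts[53][0] not in SERVER_TYPES:
        return "not-server"      # client message, or not parseable as DHCP
    listed = src_mac.lower() in {m.lower() for m in exceptions}
    if default == "block":
        return "allow" if listed else "block"
    return "block" if listed else "allow"

def build(msg_type, op=2):
    """Constructed sample: minimal BOOTP payload carrying only option 53."""
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC + bytes([53, 1, msg_type, 255])

if __name__ == "__main__":
    authorized = ["aa:bb:cc:dd:ee:ff"]           # the exception from the paragraph above
    for mac, pkt in [("aa:bb:cc:dd:ee:ff", build(2)),      # OFFER from authorized server
                     ("00:11:22:33:44:55", build(5)),      # ACK from an unlisted device
                     ("00:11:22:33:44:55", build(1, 1))]:  # DISCOVER from a client
        print(mac, verdict(mac, pkt, exceptions=authorized))
```

An exception entry trusts any device that presents that MAC address, so keep the exception list short and review it when servers are replaced.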

MAC whitelisting

MAC whitelisting is valuable for networks that aren’t hosting an on-site RADIUS server. Enabling the feature in this case will block all access to a switch port except for the specified MAC addresses. Branch retailers, for example, might find MAC whitelisting useful if they wish to allow only certain devices on their network but don’t want to manage the added complexity of a RADIUS server.

Additionally, you may want to allow specific devices to be whitelisted through a switch port even though MAC-based authentication is required. If you normally enforce device-level authentication on a particular port but wish to make an exception for the CEO’s personal laptop, you can now easily do so.

Enabling MAC whitelisting for selected ports.

This new set of features can help you lock down Layer 2 access to your network, and refine policies on a per-device level.

These enhancements will be generally available during the first week of July as we roll out our next switch firmware update. If you would like earlier access to these features, you can call Support to enable them in your switch network.

For more information on our MS line of switches, including some recently announced new models, check out our MS family datasheet or our website.