Friday, January 27, 2017

Meraki Dashboard Packet Capture and Group Policies

The Meraki dashboard uses Google Maps and initially places the AP somewhere in Palo Alto, California, USA. Use the Search/Find tool (click the magnifying glass icon), type a location and press Enter to move the map view. To relocate the AP, click Place APs on map, click and drag the AP to its location on the map, then click Done placing APs.

You can also do this under Wireless > Map & floor plans.

You can perform a packet capture by going to Network-wide > Monitor > Packet capture. Choose either All or a specific access point (in this case I only have one), capture on either the Wired or the Wireless interface of the Meraki AP, and send the output either to View output below or to Download .pcap file (for Wireshark). Click Stop to stop the capture or Clear output to start over.

To configure general settings on the Meraki dashboard, go to Network-wide > Configure > General.

To add a new administrator for the Meraki dashboard, click Create new user. Optionally add a description, type the email address that will be used as the dashboard login and click Create user. The initial password is sent to the new admin's email address, so the new admin should change it at first login.

You can set the User Privileges to Full (the default), Monitor-only, Read-only or Guest ambassador. Give each administrator the lowest level that covers their job; Full is only needed for people who change configuration.

You can change the Network time zone by choosing your country's time zone in the drop-down menu, then click Save in the lower-right corner or Save Changes at the bottom of the page. This matters for scheduled firmware upgrades and for the timestamps in syslog and event logs.

To configure "global" Group policies, go to Network-wide > Configure > Group policies. Click Add a group. 

Give the group policy a Name and choose Scheduling enabled if the policy should only take effect during certain periods. You can choose a built-in Template or customize it by choosing the Day, State and time period (During). I chose the 8 to 5 daily template, which automatically sets the State and time period (During).

You can limit bandwidth by choosing Use custom bandwidth limit and setting the preferred limit.

Click Details if you want asymmetric bandwidth, i.e. different download and upload limits.

You can configure Layer 3 firewall rules (the traditional IP-address and port based firewall) by choosing Custom SSID firewall & shaping rules and clicking Add a firewall rule. I created a rule to Deny ICMP to (Google DNS). There's a default rule at the bottom which allows all traffic. Rules are evaluated top-down and the first match wins, so a deny rule must sit above any broader allow rule that would otherwise shadow it.

You can configure the Layer 7 firewall by clicking Add a layer 7 firewall rule. The policy for these rules is Deny for the chosen Application. I've blocked Yahoo Mail, PlayStation and Facebook as an example.

To configure Traffic shaping, click Add a new shaping rule. Go to Definition > Add+ > Custom Expression, type the expression and click Add Expression. I chose Per-client bandwidth limit: Choose a limit and set it to 250 Kbps. Click Save Changes at the bottom.

To apply the Group policies, go to Wireless > Configure > SSIDs. Under the specific SSID, go to Access control > edit settings.

Choose Enabled: assign group policies automatically by device type.

Click Add group policy for a device type.

Choose a specific device (iPhone in this example).

Choose the group policy you created (the built-in Group policy Actions are Whitelist and Blocked), then click Save Changes (at the bottom of the screen). Wait 1-2 minutes for the changes to take effect. Device type is inferred from how the client presents itself on the network (its DHCP and HTTP fingerprint), which a determined user can change, so treat device-type policies as a convenience rather than a security boundary.
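The same policy (8-to-5 schedule, custom L3/L7 rules, 250 Kbps per-client shaping, assigned to iPhones on the SSID) can be expressed as Dashboard API request bodies, which also lets you sanity-check the L3 rule order before anything is submitted. This is an added example, not code from the original post, and the Dashboard API is not something the post covers. The field names follow the Dashboard API v1 groupPolicies and SSID deviceTypeGroupPolicies resources as the author of this example understands them (assumption: verify against the current API reference before use); the L7 application identifiers and the shaping expression are placeholders, 8.8.8.8 is assumed as the Google DNS address the post's rule targets, and "daily" is taken to mean all seven days.

```python
"""Build and sanity-check a Meraki group policy as Dashboard API request bodies.

Added example, not code from the original post. Field names follow the Dashboard
API v1 groupPolicies / deviceTypeGroupPolicies resources as this example's
author understands them (assumption: check the current API reference)."""
import ipaddress
import json
import urllib.request

BASE = "https://api.meraki.com/api/v1"
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
ANY = {"any", "Any", "0.0.0.0/0"}


def l3_rule(policy, protocol, dest_cidr, dest_port="Any", comment=""):
    """One Layer 3 rule in the shape the API expects."""
    return {"comment": comment, "policy": policy, "protocol": protocol,
            "destPort": dest_port, "destCidr": dest_cidr}


def _covers(a, b):
    """True if rule a matches everything rule b matches, so b can never fire."""
    if a["protocol"] not in ANY and a["protocol"] != b["protocol"]:
        return False
    if a["destPort"] not in ANY and a["destPort"] != b["destPort"]:
        return False
    if a["destCidr"] in ANY:
        return True
    if b["destCidr"] in ANY:
        return False
    na = ipaddress.ip_network(a["destCidr"], strict=False)
    nb = ipaddress.ip_network(b["destCidr"], strict=False)
    return na.version == nb.version and nb.subnet_of(na)


def shadowed_rules(rules):
    """Indexes of rules made unreachable by an earlier, broader rule.
    Rules are evaluated top-down, first match wins, with an implicit
    allow-all at the bottom (the default rule shown in the dashboard)."""
    return [i for i, r in enumerate(rules) if any(_covers(e, r) for e in rules[:i])]


def build_group_policy(name, l3_rules, blocked_apps, per_client_kbps,
                       group_kbps=None, shaping=("host", "youtube.com"),
                       hours=("08:00", "17:00")):
    """Assemble the policy: schedule, optional group-wide limit (down, up),
    custom L3/L7 rules and a per-client limit. All limits are in Kbps."""
    if per_client_kbps <= 0:
        raise ValueError("per-client limit must be a positive number of Kbps")
    bad = shadowed_rules(l3_rules)
    if bad:
        raise ValueError(f"L3 rules at positions {bad} can never match")
    schedule = {"enabled": True}
    schedule.update({d: {"active": True, "from": hours[0], "to": hours[1]} for d in DAYS})
    bandwidth = {"settings": "network default"}
    if group_kbps:
        bandwidth = {"settings": "custom",
                     "bandwidthLimits": {"limitDown": group_kbps[0], "limitUp": group_kbps[1]}}
    return {
        "name": name,
        "scheduling": schedule,
        "bandwidth": bandwidth,
        "firewallAndTrafficShaping": {
            "settings": "custom",
            "l3FirewallRules": l3_rules,
            # blocked_apps: application objects as returned by the dashboard (placeholders here)
            "l7FirewallRules": [{"policy": "deny", "type": "application", "value": app}
                                for app in blocked_apps],
            "trafficShapingRules": [{
                "definitions": [{"type": shaping[0], "value": shaping[1]}],
                "perClientBandwidthLimits": {
                    "settings": "custom",
                    "bandwidthLimits": {"limitUp": per_client_kbps,
                                        "limitDown": per_client_kbps}}}],
        },
    }


def device_type_assignment(group_policy_id, device_types=("iPhone",)):
    """Body for the SSID's device-type policy: map each type to the group policy."""
    return {"enabled": True,
            "deviceTypePolicies": [{"deviceType": d, "devicePolicy": "Group policy",
                                    "groupPolicyId": group_policy_id}
                                   for d in device_types]}


def submit(api_key, network_id, policy):
    """POST the policy; the key comes from My profile > API access in the dashboard."""
    req = urllib.request.Request(
        f"{BASE}/networks/{network_id}/groupPolicies",
        data=json.dumps(policy).encode(), method="POST",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rules = [l3_rule("deny", "icmp", "8.8.8.8/32", comment="no ping to Google DNS")]
    apps = [{"id": "placeholder-facebook", "name": "Facebook"}]  # placeholder IDs
    print(json.dumps(build_group_policy("iPhone policy", rules, apps, 250), indent=2))
```

Put the deny rule first and let the dashboard's default allow-all close the list; `build_group_policy` refuses a list where an allow-any rule precedes the deny, which is the mistake the top-down evaluation punishes silently. `submit` is only called when you supply a real network ID and API key.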

To verify that the policy is working, go back to Network-wide > Configure > Group policies. Notice the number of clients (only iPhones in this example) listed under Affecting.

To delete a group, click the X mark (beside Clone) under Actions, then click Confirm Delete. You can't delete a Group policy while it's assigned to an SSID; first remove it from the specific SSID under Groups for device types by clicking the X mark under Actions.

Below are some screenshots taken from my iPhone connected to the SSID where the Group Policy was applied. The YouTube app just kept loading due to the Traffic shaping that was applied. Yahoo Mail and Facebook were blocked due to the Layer 7 firewall rules that were configured.
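The Affecting count and the app behaviour above show the policy is attached; the packet capture tool described earlier gives harder evidence for the L3 rule. A capture on the AP's Wireless interface while the iPhone pings the denied address should contain the echo requests but no echo replies from it (captured on the Wired side, the requests themselves should be absent, since the AP drops them). The following is an added example, not code from the original post: a minimal classic-pcap reader that checks a downloaded .pcap for exactly that. The two captures it runs against are constructed in the code, and 8.8.8.8 is assumed as the Google DNS address the post's rule targets.

```python
"""Check a Meraki packet capture (.pcap, Ethernet) for evidence that a
'deny ICMP to <target>' group-policy rule is enforced. Added example, not from
the original post; sample captures are constructed below, 8.8.8.8 assumed."""
import struct

ETH_IPV4 = 0x0800
PROTO_ICMP, PROTO_UDP = 1, 17
ECHO_REQUEST, ECHO_REPLY = 8, 0


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def frame(src, dst, proto, payload):
    """Ethernet + IPv4 frame around an L4 payload. Checksums are left zero:
    the parser does not verify them and Wireshark does not by default either."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     _ip(src), _ip(dst))
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")  # placeholders
    return macs + struct.pack("!H", ETH_IPV4) + ip + payload


def icmp(src, dst, icmp_type, seq):
    return frame(src, dst, PROTO_ICMP, struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq))


def udp(src, dst, sport, dport, data):
    return frame(src, dst, PROTO_UDP, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)


def pcap(frames):
    """Classic libpcap file: 24-byte global header, then 16-byte record headers."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1485500000 + i, 0, len(f), len(f)) + f
    return bytes(out)


def records(data):
    """Yield link-layer frames from a classic pcap file, honouring its byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def icmp_summary(data, target):
    """(echo requests addressed to target, echo replies sourced from target)."""
    requests = replies = 0
    for f in records(data):
        if len(f) < 34 or struct.unpack_from("!H", f, 12)[0] != ETH_IPV4:
            continue
        ihl = (f[14] & 0x0F) * 4          # IPv4 header length in bytes
        if f[23] != PROTO_ICMP or len(f) < 14 + ihl + 1:
            continue
        src = ".".join(str(b) for b in f[26:30])
        dst = ".".join(str(b) for b in f[30:34])
        itype = f[14 + ihl]
        if itype == ECHO_REQUEST and dst == target:
            requests += 1
        elif itype == ECHO_REPLY and src == target:
            replies += 1
    return requests, replies


def rule_enforced(data, target):
    """True when the client tried to ping the target and got nothing back."""
    req, rep = icmp_summary(data, target)
    return req > 0 and rep == 0


CLIENT, TARGET, OTHER = "10.0.0.5", "8.8.8.8", "1.1.1.1"
# Constructed capture, policy in force: pings to 8.8.8.8 go unanswered,
# 1.1.1.1 still replies, and DNS over UDP to 8.8.8.8 still works (rule is ICMP only).
DENIED = pcap([icmp(CLIENT, TARGET, ECHO_REQUEST, 1), icmp(CLIENT, TARGET, ECHO_REQUEST, 2),
               icmp(CLIENT, OTHER, ECHO_REQUEST, 1), icmp(OTHER, CLIENT, ECHO_REPLY, 1),
               udp(CLIENT, TARGET, 50000, 53, b"\x00" * 12),
               udp(TARGET, CLIENT, 53, 50000, b"\x00" * 12)])
# Constructed capture, no rule: 8.8.8.8 answers.
OPEN = pcap([icmp(CLIENT, TARGET, ECHO_REQUEST, 1), icmp(TARGET, CLIENT, ECHO_REPLY, 1)])

if __name__ == "__main__":
    for label, cap in (("policy applied", DENIED), ("no policy", OPEN)):
        print(label, icmp_summary(cap, TARGET), "enforced:", rule_enforced(cap, TARGET))
```

For a real check, run `rule_enforced(open("capture.pcap", "rb").read(), "8.8.8.8")` on the file downloaded from the dashboard while the iPhone pings 8.8.8.8. A reader that sees requests but no replies only proves the rule for that client and interface; an empty capture (zero requests) proves nothing, which is why `rule_enforced` requires at least one request.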

You can raise a support case by going to Help > Get Help. From there you can search Meraki's Knowledge Base (KB) and find links to product manuals and support hotline numbers. Click Submit a Case > New Case to raise a TAC case.