L3FirewallRules source/dest set to VLAN

Solved
diablo24
Building a reputation


Hello,


I'm trying to figure out what the following source/dest means from calling the L3FirewallRules on an MX device:

{
"comment": "Deny Inter-VLAN Communication",
"policy": "deny",
"protocol": "any",
"srcPort": "Any",
"srcCidr": "VLAN(1).*",
"destPort": "Any",
"destCidr": "VLAN(50).*",
"syslogEnabled": false
},


What does the ".*" mean at the end of the srcCidr and the destCidr? I've searched all the docs on outbound firewall rules on an MX and it does not mention anything regarding this when using a VLAN as the source/dest.


Thanks in advance,

-Jerome

1 Accepted Solution
PhilipDAth
Kind of a big deal

You get this when using templates.


Because templates use a different subnet per site (usually), you can't create a firewall rule based on IP addressing. What the above rule does is say allow anything with an IP address that is assigned to VLAN1 to talk to anything else with an IP address assigned to VLAN50. You can also specify a specific address, such as .50.


https://documentation.meraki.com/General_Administration/Templates_and_Config_Sync/Managing_Multiple_... 

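Added example, not code from this thread or from Cisco Meraki: a small Python audit of a rule list in the JSON shape the question shows (what the dashboard API returns for an MX network's L3 firewall rules), using the accepted answer's reading of VLAN(n).* as "every address assigned to VLAN n at whatever site the template is bound to". It parses the srcCidr/destCidr strings, works out which rule a whole-VLAN flow hits first (the MX evaluates the list top to bottom and finishes with an implicit allow-any-any default rule), and flags rules that an earlier rule already shadows. The sample rule list is constructed; the single-host VLAN(n).50 form is an assumption taken from the answer's ".50" remark, and protocol and ports are ignored in the matching.

```python
"""Audit Meraki MX L3 outbound firewall rules that use the template-style
VLAN(n).* source/destination form seen in the question.

Added example, not code from the original thread or from Cisco Meraki.
SAMPLE_RULES is constructed to mirror the JSON shape the dashboard API
returns for L3 firewall rules. The "VLAN(n).<octet>" single-host form is
assumed from the accepted answer ("you can also specify a specific
address, such as .50"); the exact accepted syntax is not documented on
this page.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# "VLAN(1).*" (whole VLAN) or the assumed "VLAN(1).50" (one host in the VLAN).
VLAN_SPEC = re.compile(r"^VLAN\((\d+)\)\.(\*|\d{1,3})$")


@dataclass(frozen=True)
class Endpoint:
    kind: str                                   # "any", "vlan" or "cidr"
    vlan: Optional[int] = None                  # VLAN id for kind == "vlan"
    host: Optional[int] = None                  # last octet for one host, None for ".*"
    network: Optional[ipaddress.IPv4Network] = None  # literal CIDR for kind == "cidr"


def parse_endpoint(spec: str) -> Endpoint:
    """Turn a srcCidr/destCidr string into an Endpoint. Unknown strings raise
    ValueError rather than silently degrading to 'any'."""
    s = spec.strip()
    if s.lower() == "any":
        return Endpoint("any")
    m = VLAN_SPEC.match(s)
    if m:
        host = None if m.group(2) == "*" else int(m.group(2))
        return Endpoint("vlan", vlan=int(m.group(1)), host=host)
    return Endpoint("cidr", network=ipaddress.IPv4Network(s, strict=False))


def covers(outer: Endpoint, inner: Endpoint) -> bool:
    """True when every address matched by `inner` is also matched by `outer`.
    A VLAN reference and a literal CIDR cannot be compared without knowing the
    per-site subnet, so that pairing is conservatively False."""
    if outer.kind == "any":
        return True
    if outer.kind == "vlan" and inner.kind == "vlan":
        return outer.vlan == inner.vlan and (outer.host is None or outer.host == inner.host)
    if outer.kind == "cidr" and inner.kind == "cidr":
        return inner.network.subnet_of(outer.network)
    return False


def verdict(rules: List[dict], src_vlan: int, dst_vlan: int) -> str:
    """Policy applied to traffic from any host in src_vlan to any host in
    dst_vlan: first matching rule wins, and the list ends in the MX's implicit
    allow-any-any default rule. Protocol and ports are ignored."""
    flow_src = Endpoint("vlan", vlan=src_vlan)
    flow_dst = Endpoint("vlan", vlan=dst_vlan)
    for rule in rules:
        if covers(parse_endpoint(rule["srcCidr"]), flow_src) and \
           covers(parse_endpoint(rule["destCidr"]), flow_dst):
            return rule["policy"]
    return "allow"


def shadowed_rules(rules: List[dict]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule already
    covers both their source and destination (ports are ignored, so treat hits
    as candidates to review rather than proof)."""
    parsed = [(parse_endpoint(r["srcCidr"]), parse_endpoint(r["destCidr"])) for r in rules]
    shadowed = []
    for i, (src, dst) in enumerate(parsed):
        for j in range(i):
            if covers(parsed[j][0], src) and covers(parsed[j][1], dst):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample: rule 0 is the rule from the question; rule 1 uses the
# assumed single-host form and is unreachable because rule 0 precedes it.
SAMPLE_RULES = [
    {"comment": "Deny Inter-VLAN Communication", "policy": "deny", "protocol": "any",
     "srcPort": "Any", "srcCidr": "VLAN(1).*", "destPort": "Any",
     "destCidr": "VLAN(50).*", "syslogEnabled": False},
    {"comment": "Allow mgmt host to VLAN 50", "policy": "allow", "protocol": "any",
     "srcPort": "Any", "srcCidr": "VLAN(1).50", "destPort": "Any",
     "destCidr": "VLAN(50).*", "syslogEnabled": False},
    {"comment": "Allow servers to printers", "policy": "allow", "protocol": "tcp",
     "srcPort": "Any", "srcCidr": "VLAN(50).*", "destPort": "9100",
     "destCidr": "VLAN(60).*", "syslogEnabled": True},
]

if __name__ == "__main__":
    print("VLAN 1 -> VLAN 50:", verdict(SAMPLE_RULES, 1, 50))
    print("VLAN 50 -> VLAN 1:", verdict(SAMPLE_RULES, 50, 1))
    print("shadowed rule indexes:", shadowed_rules(SAMPLE_RULES))
```

To run this against a real template, replace SAMPLE_RULES with the "rules" list the dashboard API returns for the network's L3 firewall rules (the same call the question used). The deny in rule 0 is one-directional: VLAN 50 to VLAN 1 still falls through to the default allow, which is the kind of gap this audit is meant to surface before the template is bound to more sites.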

7 Replies
alemabrahao
Kind of a big deal

Generally the asterisk "*" is a wildcard, that is, it allows anything; in this case I understand it to be including any address.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
diablo24
Building a reputation

@alemabrahao Thanks. So does it mean "all traffic that we send over VLAN X, including to other VLANs beyond?"


alemabrahao
Kind of a big deal

What I'm talking about is the meaning of the asterisk "*", but I find it strange because as far as I know it's not possible to use an asterisk in the rules.
So I can't say for sure, it's just an assumption.
diablo24
Building a reputation

@alemabrahao Yeah, I'm trying to configure it now and I can't even get the dashboard to accept VLAN# or what's shown in the output I added. Somehow, our customer is able to do this because there are a lot of MXs in their network with these rules set.

diablo24
Building a reputation

Looks like you can configure this by using the VLAN name, not the number. There are options to select either IPv4 or IPv6 or Dual. I'm guessing that with the default setting as Dual, that's the ".*" you get from the API. However, this still doesn't answer my question on what this means:

whether a filter about VLAN X is just using the IPs of stuff in VLAN X, or does it mean "all traffic that we send over VLAN X, including to other VLANs beyond?"

diablo24
Building a reputation

Thanks @PhilipDAth 
