Meraki

Community

Network Appliance L3 Firewall Rules

Solved
as_
Here to help
‎Mar 8 2023 9:04 PM
‎Mar 8 2023 9:04 PM

Network Appliance L3 Firewall Rules

Suppose you have an mx64 with outbound L3 firewall rules in place that are denying traffic to all three private subnet ranges, but then allowing to any other destination.  Will the host be able to reach internet, or traffic will be denied unless you specifically allow traffic to the gateway IP address for the host subnet on the MX?

0 Kudos
1 Accepted Solution
In response to as_
RaphaelL
Kind of a big deal
Kind of a big deal
‎Mar 9 2023 8:07 AM
‎Mar 9 2023 8:07 AM

It won't block intra-vlan traffic ( L2 ). Simply L3 trafic.

View solution in original post

5 Replies 5
sungod
Kind of a big deal
‎Mar 9 2023 12:21 AM
‎Mar 9 2023 12:21 AM

The default outbound rule is allow any-any.

 

Any additional rules you add are higher priority than the default rule.

 

Traffic is tested against each rule, top-down in priority order.

 

If traffic does not match any of the deny/allow rules that you added, it will eventually match the default rule and be allowed.

 

This explains rule processing in more detail: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...

 

In response to sungod
as_
Here to help
‎Mar 9 2023 7:48 AM
‎Mar 9 2023 7:48 AM

Thank you for the link.  I am just wondering if a host is able to talk to it's gateway IP address on the MX, if you deny all private IP addressing.  
So for example, lets say you have a hosts on 192.168.0.0/24, with mx 192.168.0.1 and host is 192.168.0.5.  
And you first firewall rule say 192.168.0.5 is denied to 192.168.0.0/24.  Will the host still be able to reach the gateway?  Thank you.

0 Kudos
In response to as_
RaphaelL
Kind of a big deal
Kind of a big deal
‎Mar 9 2023 8:07 AM
‎Mar 9 2023 8:07 AM

It won't block intra-vlan traffic ( L2 ). Simply L3 trafic.

GIdenJoe
Kind of a big deal
Kind of a big deal
‎Mar 9 2023 1:25 PM
‎Mar 9 2023 1:25 PM

You don't need to allow traffic to your MX IP for clients to be able to connect to the internet.  The MX will evaluate SRC and DST IP's by the rules that are configured.  So if a deny to private addresses is present but an allow any behind it then your devices will reach the internet just fine.  This is in fact the way you can have internet only VLANs.

0 Kudos
In response to GIdenJoe
as_
Here to help
‎Mar 9 2023 2:42 PM
‎Mar 9 2023 2:42 PM

So for example, if you have a host 192.168.0.5 that needs to talk to the gateway 192.168.0.1/24, and your first outbound l3 firewall rule is that 192.168.0.5 is denied to 192.168.0.0/24, traffic will still go through because it's intra-vlan traffic, right?  

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.