Limiting Internal traffic between two subnets

SOLVED
bpinet
Conversationalist

New to the Meraki and I have been reading documentation but do not feel I have found the right solution, hoping for some clearer direction here.

After a security breach, we bought new Meraki MX-95 and MS125-48 to build out an entirely new network on a 172 network. Our old network was a 192. We will need to do a one-way trust to transition users over. The original plan was to dedicate one port on the MX-95 for the old 192 network, then limit traffic to just let in the needed ports and protocols for the one-way trust to come in to the new 172, but exclude all other traffic, as we feel there are probably still issues on the old network. We currently use SonicWall and are finding the new Meraki rules a whole new way of thinking.

I guess the question we have is whether we are on the right track using the firewall rules to exclude incoming traffic on one port. If we are, any suggestions are appreciated. We are still educating ourselves on the MX-95. Thank you.

1 ACCEPTED SOLUTION
KarstenI
Kind of a big deal

I think you are basically on the right track:

  1. Configure multiple VLANs on the MX, at least one for the legacy 192 network, one for the new 172 network. Or directly implement multiple different new VLANs for Servers, Users, Printers, IoT, Voice, and so on.
  2. Either assign the VLANs to two of the ports where you use your old and your new infrastructure, or use a Trunk for the connection to the switch and implement VLANs on the switch.

If you are quite new to networking, I would hire a consultant to design you a new secure environment based on your needs.

bpinet
Conversationalist

Great, I do have a VLAN for both networks and the old 192 is isolated to one port. Glad to know I got that part right. I think the rest I need to do with Network Objects and Rulesets. I think I found better documentation to clarify the rules/policy part. We are used to using inbound rules, which is where I think we were confused, as Meraki has a different way of looking at firewall rules. Thank you for verifying I am not wasting my time trying to do something I can't do with the firewall. We were trying to apply rules to the port versus the subnet. I think I am good.
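To make the subnet-based rule model discussed in this thread concrete, here is an added example that is not code from the thread, from either poster, or from Cisco Meraki: the legacy-to-new rule set written as data in the shape of MX L3 outbound firewall rules, plus a small first-match evaluator and an ordering audit that run offline. The subnets, the domain-controller address, the trust ports and the Dashboard API field names (comment, policy, protocol, srcCidr, srcPort, destCidr, destPort, syslogEnabled) are assumptions made for illustration. What it demonstrates is the point bpinet arrived at: MX rules are written against source and destination subnets rather than the ingress port, they are evaluated top-down with the first match winning, and the built-in default is allow, so an explicit final deny is what actually fences the legacy VLAN.

```python
import ipaddress

# Constructed sample prefixes: the thread only says the legacy network is a "192" and the
# new one a "172" network, so these exact subnets and the DC address are assumptions.
LEGACY_VLAN = "192.168.10.0/24"   # old, possibly still compromised network
NEW_VLAN = "172.16.10.0/24"       # rebuilt network
NEW_DC = "172.16.10.5/32"         # hypothetical domain controller that terminates the trust

# Rules in the shape of Meraki MX L3 outbound firewall rules (assumed Dashboard API field
# names: comment, policy, protocol, srcCidr, srcPort, destCidr, destPort, syslogEnabled).
# The MX evaluates them top-down, first match wins, and finishes with a built-in
# "allow any" default, so the deny for the legacy VLAN has to be the last explicit rule.
# The trust ports are illustrative; a real one-way trust needs the full list for your AD setup.
LEGACY_TO_NEW_RULES = [
    {"comment": "Trust: DNS to new DC", "policy": "allow", "protocol": "udp",
     "srcCidr": LEGACY_VLAN, "srcPort": "Any", "destCidr": NEW_DC, "destPort": "53",
     "syslogEnabled": True},
    {"comment": "Trust: Kerberos to new DC", "policy": "allow", "protocol": "tcp",
     "srcCidr": LEGACY_VLAN, "srcPort": "Any", "destCidr": NEW_DC, "destPort": "88",
     "syslogEnabled": True},
    {"comment": "Trust: LDAP/LDAPS to new DC", "policy": "allow", "protocol": "tcp",
     "srcCidr": LEGACY_VLAN, "srcPort": "Any", "destCidr": NEW_DC, "destPort": "389,636",
     "syslogEnabled": True},
    # Widening destCidr to "Any" here would also cut the legacy VLAN off from the internet.
    {"comment": "Block everything else from legacy into new", "policy": "deny",
     "protocol": "any", "srcCidr": LEGACY_VLAN, "srcPort": "Any", "destCidr": NEW_VLAN,
     "destPort": "Any", "syslogEnabled": True},
]


def _port_ok(spec, port):
    """Match a port against a Meraki-style spec: 'Any', '53', '389,636' or '1024-65535'."""
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False


def _cidr_ok(spec, ip):
    """Match an address against 'Any' or a CIDR/host prefix."""
    if spec.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return (policy, comment) for the first matching rule, or the implicit default allow.
    The flow is described from the initiator's side, which is how the MX applies L3 rules."""
    for rule in rules:
        if rule["protocol"] != "any" and rule["protocol"] != protocol:
            continue
        if not (_cidr_ok(rule["srcCidr"], src_ip) and _port_ok(rule["srcPort"], src_port)):
            continue
        if not (_cidr_ok(rule["destCidr"], dst_ip) and _port_ok(rule["destPort"], dst_port)):
            continue
        return rule["policy"], rule["comment"]
    return "allow", "Default rule (allow any)"


def legacy_is_fenced(rules, legacy_cidr=LEGACY_VLAN, new_cidr=NEW_VLAN):
    """Audit the ordering: the last rule must deny any protocol from the legacy VLAN into
    the new VLAN, and every earlier allow from the legacy VLAN must target a single host
    inside the new VLAN rather than the whole subnet."""
    if not rules:
        return False
    new_net = ipaddress.ip_network(new_cidr)
    last = rules[-1]
    last_dest = last["destCidr"]
    covers_new = last_dest.lower() == "any" or new_net.subnet_of(
        ipaddress.ip_network(last_dest, strict=False))
    if not (last["policy"] == "deny" and last["protocol"] == "any"
            and last["srcCidr"] == legacy_cidr and covers_new
            and last["destPort"].lower() == "any"):
        return False
    for rule in rules[:-1]:
        if rule["policy"] == "allow" and rule["srcCidr"] == legacy_cidr:
            if rule["destCidr"].lower() == "any":
                return False
            dest = ipaddress.ip_network(rule["destCidr"], strict=False)
            if not (dest.subnet_of(new_net) and dest.prefixlen == new_net.max_prefixlen):
                return False
    return True


if __name__ == "__main__":
    for flow in [("udp", "192.168.10.20", 51000, "172.16.10.5", 53),
                 ("tcp", "192.168.10.20", 51000, "172.16.10.30", 445),
                 ("tcp", "172.16.10.30", 51000, "192.168.10.5", 445)]:
        print(flow, "->", evaluate(LEGACY_TO_NEW_RULES, *flow))
    print("legacy fenced:", legacy_is_fenced(LEGACY_TO_NEW_RULES))
```

Two things the evaluator makes visible that the dashboard does not: moving the deny above the allows silently breaks the trust because the first match wins, and dropping the deny altogether leaves the legacy VLAN fully open because the default is allow. Keeping syslogEnabled on the final deny gives a log line for every blocked attempt out of the legacy VLAN, which is the signal worth watching during the migration.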
