ECMS Practice Question - April 2nd
Hello again! Another simple-'ish' question for you all.
As always, comment below with what you think is the correct answer and remember: If you like the question or the ECMS questions initiative, leave us some kudos.
See you in a week with the correct answer!
ECMS practice question
Select the correct firewall rule processing order for the MX security appliance:
A.) L3 allow/deny > L3 implicit deny > L7 deny
B.) L3 allow/deny > L3 implicit allow > L7 deny
C.) L3 allow/deny > L7 deny > L3 default deny
D.) L7 deny > L3 allow/deny > L3 implicit allow
P.S. We will be sharing new practice questions weekly! If you'd like to receive updates when we do, click the "ECMS Practice" label below and then "Subscribe".
Here you can find previous questions
Another week, another answer.
First up, apologies if the wording of the question wasn't quite clear - although it looks like most of you managed anyway!!
This time we were looking for...
B. L3 allow/deny > L3 implicit allow > L7 deny
The MX begins by checking if there is a matching Layer 3 (L3) rule - if so, it will make the appropriate decision based on the allow/deny parameters, else the MX will fall back on its L3 implicit allow rule. After this, the MX will check for any Layer 7 (L7) rule matches. If there is then the MX will discard the traffic/packet.
The wording of 'Layer 7 Deny' might have caught a few off guard - It was included because on the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule. The same cannot be said for our MR access points, which will bypass the L7 firewall altogether if traffic matches an allow rule on the L3 firewall.
As before more info here:
I really had to scratch my head to understand what the provided answers mean, but:
- It cannot be D.) as the L3 rules are processed first
The Answer has to be B.)
But I still have no idea how to consistently map this answer to the documented processing flow:
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Layer_3_and_7_Firewal...
B
I don't like that implicit Allow that the MXs ship with. I understand it helps with getting these devices up and running quickly, but people should be removing it and setting an implicit Deny All.
https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
I am confused between option A and B. but as expert @DarrenOC @KarstenI says B, so it should be B of course 🙂
@Inderdeep wrote:I am confused between option A and B. but as expert @DarrenOC @KarstenI says B, so it should be B of course 🙂
This approach will not help you in the real exam ... 😉
I'll go with B
Looking at the Firewall rules, Layer 3 processing comes first and the MX ships with a default L3 Implicit Allow. When a rule is added, it is added as either an L3 Allow or Deny, depending on the policy and is inserted above the default. So L3 Allow/Deny is processed first, then L3 implicit allow. L7 Firewall rules are only created with Deny as the policy option.
@DavidLowe Thanks for the explanation!
Just one thing to add to this; there's only an implicit allow if the packet is received on a LAN interface. If it's on a WAN / Internet port (with no matching outbound session), it hits an implicit deny - of course!
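The processing order from the accepted answer (explicit L3 allow/deny, then the L3 implicit rule, then L7 deny), together with the LAN-versus-WAN implicit-rule caveat in the post above, as an added example that is not from the thread or from Meraki. It is a small simulator written for illustration: the Packet and L3Rule types, the `platform` parameter and the sample rules are assumptions, and the MR path models only what the thread states (an explicit L3 allow bypasses the L7 firewall).

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    ingress: str                   # "lan" or "wan" (assumed model, not a Meraki type)
    dst_port: int
    app: str                       # L7 application label, e.g. "bittorrent"
    matched_session: bool = False  # WAN packet belonging to an existing outbound session


@dataclass(frozen=True)
class L3Rule:
    policy: str                    # "allow" or "deny"
    dst_port: Optional[int]        # None matches any destination port


def firewall_verdict(pkt: Packet, l3_rules: Sequence[L3Rule],
                     l7_deny_apps: Sequence[str],
                     platform: str = "mx") -> Tuple[str, str]:
    """Return (verdict, stage) for one packet.

    Order modelled: explicit L3 allow/deny -> L3 implicit rule -> L7 deny.
    platform="mr" models only the MR behaviour the thread mentions: an explicit
    L3 allow bypasses the L7 firewall. Everything else is the MX order.
    """
    explicit_allow = False
    # Stage 1: explicit L3 rules, first match wins.
    for rule in l3_rules:
        if rule.dst_port is None or rule.dst_port == pkt.dst_port:
            if rule.policy == "deny":
                return ("deny", "L3 explicit deny")
            explicit_allow = True
            break
    if not explicit_allow:
        # Stage 2: no explicit match. LAN-ingress traffic hits the shipped
        # implicit allow; WAN-ingress traffic with no matching outbound
        # session hits an implicit deny (the caveat in the post above).
        if pkt.ingress == "wan" and not pkt.matched_session:
            return ("deny", "L3 implicit deny")
    elif platform == "mr":
        return ("allow", "L3 explicit allow (MR skips L7)")
    # Stage 3: on the MX an L7 deny can still drop L3-allowed traffic.
    if pkt.app in l7_deny_apps:
        return ("deny", "L7 deny")
    return ("allow", "L3 allow, no L7 match")
```

The point the simulator makes visible is that adding an explicit L3 allow does not exempt traffic from L7 deny rules on the MX, and that a WAN-ingress packet without a session never reaches the implicit allow at all.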
