Hey Gurus,
So we have a customer that is pushing hard for implicit deny. We spoke with Meraki support and they said they do support implicit deny, however in practice it doesn't work. That is because in order for a VLAN to reach the WAN, they said the destination must be set to ANY. So really for a VLAN to reach the WAN it needs ANY, which means it talks to all VLANs, and we are nowhere close to implicit deny.
Hey @IT_Magician ,
Not to be pedantic, but as soon as you manually specify a rule it's no longer implicit, that's an explicit rule. Implicit rules are those rules that you cannot change or modify, they are just there. Your rule 3 is an explicit rule. The "Default rule" on the end is an implicit rule.
As for your problem, you are going to have to put deny rules before your permit any that deny intranet traffic accordingly. There isn't really a way around this. The point to take away here though is that your permit any statements have specific sources and don't "permit any any" thereby maintaining a higher level of security.
Thanks for sharing, I didn't think there would be a workaround. We replaced their Fortigate and the IT team is used to everything being blocked by default and you allow what you want. The concern they have is it opens up for human error to forget to block a new VLAN because everything is allowed.
@IT_Magician wrote: Thanks for sharing, I didn't think there would be a workaround. We replaced their Fortigate and the IT team is used to everything being blocked by default and you allow what you want. The concern they have is it opens up for human error to forget to block a new VLAN because everything is allowed.
As long as you have specific sources in your permit any rules this shouldn't be a concern.
What are you trying to achieve?
Do you want the VLAN to only be able to talk to the Internet, or only be able to talk to internal VLANs and not the Internet?
I am not sure if I really get the problem, but with my customers that want the strictest access-control I typically have 3 or 4 statements per VLAN:
1) Allow to internal resources (this could be multiple entries)
2) Deny to RFC1918
3) Allow to Internet resources (this could be multiple entries)
4) Deny to any
And not to forget to place similar rules into the S2S firewall.
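As an added illustration of why the ordering above gives "deny by default" behaviour (this is not code from the thread or from Meraki, just a first-match simulation of an ordered L3 rule list): it assumes a constructed VLAN 10 at 10.0.10.0/24, a file server at 10.0.1.10, and a VLAN 20 at 10.0.20.0/24 that was added later and never got its own rules.

```python
import ipaddress

# Constructed example: the private ranges that step 2 denies.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _nets(spec):
    """Expand a src/dst field: 'any', 'rfc1918', or comma-separated CIDRs."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec == "rfc1918":
        return RFC1918
    return [ipaddress.ip_network(s.strip()) for s in spec.split(",")]


def evaluate(rules, src, dst):
    """Top-down first match, as an ordered firewall rule list behaves.

    Returns (policy, comment). If nothing matches, the implicit default rule
    at the bottom denies, so a flow is only allowed if a rule explicitly says so.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if any(s in n for n in _nets(rule["src"])) and any(d in n for n in _nets(rule["dst"])):
            return rule["policy"], rule["comment"]
    return "deny", "default rule"


# The 4-step pattern from the post, written for VLAN 10 (constructed addresses).
STRICT_VLAN10 = [
    {"policy": "allow", "src": "10.0.10.0/24", "dst": "10.0.1.10/32", "comment": "1) internal resources"},
    {"policy": "deny",  "src": "10.0.10.0/24", "dst": "rfc1918",      "comment": "2) deny RFC1918"},
    {"policy": "allow", "src": "10.0.10.0/24", "dst": "any",          "comment": "3) Internet"},
    {"policy": "deny",  "src": "10.0.10.0/24", "dst": "any",          "comment": "4) deny any"},
]

# Same VLAN without step 2: the 'allow any' needed to reach the WAN now also reaches every other VLAN.
LEAKY_VLAN10 = [r for r in STRICT_VLAN10 if r["comment"] != "2) deny RFC1918"]

if __name__ == "__main__":
    flows = [("10.0.10.5", "10.0.1.10"), ("10.0.10.5", "8.8.8.8"), ("10.0.10.5", "10.0.20.7")]
    for src, dst in flows:
        print(f"{src} -> {dst}: strict={evaluate(STRICT_VLAN10, src, dst)} leaky={evaluate(LEAKY_VLAN10, src, dst)}")
```

The third flow is the case the thread worries about: with step 2 in place the new VLAN 20 is denied without anyone having to remember it, whereas the leaky list allows it.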
I never came back to update this post so doing this now. We did end up figuring out the best way for us to implement implicit deny which I wrote up a guide to hopefully save others the headaches we went through. Implicit deny is possible and the link below shares what we learned and how we do it.
Cisco Meraki firewall with implicit deny? Yes, it's possible.