Block All users from Internal ip device allow some



I need to be able to block everyone from accessing xx.xx.229.49 (internal IP),

but I need a few people to be able to access it internally.

How do I go about doing this?





First you need to block access to xx.xx.229.49 (internal IP) by going to "Firewall". Then create a group policy in the "Network-wide" tab under "Group policies". In this policy set an allow to xx.xx.229.49 (internal IP). Test it.

Under Firewall, where do I add the IP address?

The only option I see for blocking is Outbound rules.

Does all your traffic hit the MX before being able to go to that IP's subnet?


If it is, you probably really need a switch (with L3 if you've got multiple subnets). MXes aren't routers.


If not, then the outbound rules on the firewall won't help you here. If your traffic is on the same subnet, or if routing between subnets is handled by a proper L3 device, then it won't hit your MX's rules.


You'll need to set up an ACL on the appropriate switch(es) in order to a) first allow your wanted traffic, then b) issue a blanket deny to that IP.


You can use the MX firewall for inter-vlan firewalling too if it's the L3 device routing between subnets.


Basically you set up a rule that blocks all access to the IP address in the L3 firewall settings in Firewall & SD-WAN > Firewall.


And then you indeed define a group policy in Network-wide > Group Policies that has specific L3 firewall rules for that special group of people, and assign it to them. Keep in mind that this will only work if the destination IP address you're blocking access to is on a different subnet than the source subnet the clients are on.


If the special group of people are on their own VLAN you could use the regular firewall. Just add another rule with the source subnet set.
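As an added example (not code from the thread, from Cisco Meraki, or from any of the posters), here is a small Python model of what the two replies above describe: the network-wide L3 ruleset with the exception placed above the blanket deny, the group-policy body for the special users, and a first-match evaluator that also shows why same-subnet traffic never reaches the MX rules. It assumes 10.0.229.49 stands in for the masked xx.xx.229.49, 10.0.50.0/24 for the permitted users' VLAN, and that the JSON field names match the Meraki Dashboard API v1 L3 firewall and group policy endpoints (that shape is from my reading of the API reference and should be treated as an assumption, as is the order in which group-policy and network rules are consulted).

```python
import ipaddress

# Constructed values; the thread masks the real host as xx.xx.229.49.
BLOCKED_HOST = "10.0.229.49/32"      # assumption: stands in for xx.xx.229.49
ALLOWED_SUBNET = "10.0.50.0/24"      # assumption: VLAN of the users who may reach it
VLANS = ["10.0.50.0/24", "10.0.60.0/24", "10.0.229.0/24"]  # assumed MX VLANs


def l3_rule(comment, policy, dest_cidr, src_cidr="Any", protocol="any",
            src_port="Any", dest_port="Any", syslog=False):
    """One network-wide L3 rule in the field shape used by the Dashboard API
    (PUT /networks/{id}/appliance/firewall/l3FirewallRules). Field names are
    an assumption taken from the API reference."""
    return {"comment": comment, "policy": policy, "protocol": protocol,
            "srcCidr": src_cidr, "srcPort": src_port,
            "destCidr": dest_cidr, "destPort": dest_port,
            "syslogEnabled": syslog}


def gp_rule(comment, policy, dest_cidr, protocol="any", dest_port="any"):
    """One group-policy L3 rule. The client is always the source, so the
    shape has no srcCidr (assumed from the API reference)."""
    return {"comment": comment, "policy": policy, "protocol": protocol,
            "destCidr": dest_cidr, "destPort": dest_port}


def network_ruleset():
    """The MX evaluates rules top-down and the first match wins, so the
    allow for the permitted VLAN must sit ABOVE the blanket deny. Anything
    that matches neither falls through to the MX's implicit default allow."""
    return [
        l3_rule("allow permitted VLAN to host", "allow", BLOCKED_HOST,
                src_cidr=ALLOWED_SUBNET),
        l3_rule("block everyone else from host", "deny", BLOCKED_HOST),
    ]


def group_policy_payload(name="Reach 229.49"):
    """Body for POST /networks/{id}/groupPolicies granting the special users
    an allow to the host; assign the policy to those clients afterwards."""
    return {
        "name": name,
        "firewallAndTrafficShaping": {
            "settings": "custom",
            "l3FirewallRules": [gp_rule("allow host", "allow", BLOCKED_HOST)],
        },
    }


def _match(cidr, ip):
    if str(cidr).lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def first_match(rules, src_ip, dst_ip):
    """Return the policy of the first rule whose src/dst match, else None."""
    for r in rules:
        if _match(r.get("srcCidr", "Any"), src_ip) and _match(r["destCidr"], dst_ip):
            return r["policy"]
    return None


def same_subnet(ip_a, ip_b, subnets=VLANS):
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    return any(a in n and b in n for n in map(ipaddress.ip_network, subnets))


def decide(src_ip, dst_ip, group_policy=None):
    """Model of the thread's caveats: traffic that stays inside one subnet is
    switched, never routed, so the MX rules are not consulted at all; for
    routed traffic a client's group-policy rules are tried first (assumed
    precedence), then the network rules, then the default allow."""
    if same_subnet(src_ip, dst_ip):
        return "not-inspected"
    if group_policy is not None:
        gp_rules = group_policy["firewallAndTrafficShaping"]["l3FirewallRules"]
        verdict = first_match(gp_rules, src_ip, dst_ip)
        if verdict is not None:
            return verdict
    return first_match(network_ruleset(), src_ip, dst_ip) or "allow"


if __name__ == "__main__":
    print(decide("10.0.50.10", "10.0.229.49"))                         # allow
    print(decide("10.0.60.10", "10.0.229.49"))                         # deny
    print(decide("10.0.60.10", "10.0.229.49", group_policy_payload()))  # allow
    print(decide("10.0.229.20", "10.0.229.49"))                        # not-inspected
```

The last case is the one to test first in a real deployment: a client sitting in the same VLAN as the host is never blocked by any MX rule, which is why the earlier reply points at a switch ACL for that situation. Reversing the two network rules turns the permitted VLAN's traffic into a deny, so keep the exception above the blanket rule when you add them in the dashboard.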


True fact, but I thought one was discouraged from using the MX as the router itself.
