Blocking routing between VLANS on my MX

JonathanShapiro
Here to help

Blocking routing between VLANS on my MX

Hello:

 

I have a Meraki MX75, and I have two VLANS carved out on the LAN side of the unit.  The first VLAN is for general LAN traffic.  I added a second VLAN working with a security vendor who needs a pathway to the Internet for the camera network.  I want his cameras to have Internet access but want to restrict routing between the general vlan and the camera network.  I have tried and tried, but nothing works.  I have tried creating an outbound block rule with the camera VLAN as the source and the general  VLAN as the destination.  Doesn't work.  I have tried doing same by subnet IP rather than VLAN name, and same issue.  Just to prove that any kind of outbound firewalling is possible, I wrote a block rule to block all traffic from any to any, and that got a higher priority than the default allow rule.  This does block outbound traffic.  Then I can layer in an allow rule to allow traffic from my general vlan to anywhere.  This works too.  OK great, but then the camera vlan needs Internet traffic but not access to my other vlan.  If I allow the camera network to any to allow the Internet, then it can get to the general vlan too.  So it seems like it would be possible to block the camera network from everywhere and then allow it to the general network, but probably not the other way around - allow the camera network to the Internet without allow it to the general network.  

 

 

7 Replies 7
cmr
Kind of a big deal
Kind of a big deal

You should be able to do this be saying traffic from (CCTV VLAN) to (General VLAN) is dropped.  The interface will still respond, but hosts on the subnet should not see any packets.

 

Are you saying that this isn't working?  What firmware are you on?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
JonathanShapiro
Here to help

Thanks for the quick reply.  Here's the firmware version:  MX 18.211.2.  Yes, my initial thought was just to create an outbound firewall rule blocking traffic from the camera vlan to the general vlan by vlan name.  Didn't work.  I tried using the subnet IDs instead.  That didn't work.  It seems like the default allow rule may be opening up traffic even as the other rules block it.  Like I said, no matter how I structured the rule, I could ping from a PC in the camera vlan to a pc in the general vlan.  The only way I could block traffic was to override the default allow rule by placing my own custom DENY from ANY to ANY above it.  Then all outbound traffic everywhere was blocked.  Now I could begin to layer in allow rules above that.  The problem with the blanket deny rule is how do you allow the cameras to the Internet (basically everywhere) while continuing to block them from the other subnet.  Full lockdown between vlans and opening up the Internet doesn't seem possible.

JonathanShapiro
Here to help

I have a Cisco switch downstream of this router.  I created an ACL and applied it to the incoming port on my switch from the Meraki.  This is accomplishing what I'm after and couldn't seem to do at the MX.  I'm blocking the camera subnet from coming into the switch.

Brash
Kind of a big deal
Kind of a big deal

The rules as you've stated should work.

A Deny rule from Camera VLAN to General VLAN should block the inter-VLAN traffic (regardless of whether you configure it via VLAN Name or Subnet).

 

One thing about the MX is that any existing sessions through the firewall will continue to be allowed until they time out, or the MX is rebooted.

I suggest applying the change and waiting at least 10 minutes before testing connectivity with ping.
MX deny rule applied working after 5 minutes on active ping - The Meraki Community

GIdenJoe
Kind of a big deal
Kind of a big deal

This is general L3/L4 firewall policy.
It does take about 20 seconds for a rulechange to actually pushdown on the MX.

Take care of the order of your access rules.

Make sure your interVLAN policies are at the top before allow rules that have any as destination.

I personally take this approach:
List all your interVLAN policies up top and make sure their ordered by source VLAN so it makes it clear to read.  Always end your source VLAN rules with a rule that denies any traffic from that VLAN going to any other VLAN or local RFC1918 addresses.
That way you are sure you won't have any fall through to the lower rules that inadvertently allow traffic between VLAN's that is not intended.

And below the interVLAN place your general LAN to WAN rules like TCP/80,443, UDP/53, etc etc.

PhilipDAth
Kind of a big deal
Kind of a big deal

I often use a group policy when I have VLANs that only need Internet access.  Under Network-Wide/Group Policies I would create something like:

 

PhilipDAth_0-1724066928678.png

The on the Security & SD-WAN/Addressing & VLANs page, apply that group policy to the VLAN.

PhilipDAth_1-1724067021861.png

 

JonathanShapiro
Here to help

Thanks for all the suggestions.  I wonder if I just didn't wait long enough when applying the policies to test.  I stopped and retried pings, but I only waiting about 2 minutes or so.  From what you are saying, it might have to be 10 minutes or more or possibly even a reboot to kick in.  This makes testing pretty hard.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels