Can not set group policies to clients

big-net
Getting noticed

Can not set group policies to clients

Hello,

 

last year we introduced a new meraki environment. Everything works fine.

Now we would like to activate the content filtering.

The Active Directory connection is set up and group policies have also been configured.

However, I cannot whitelist some clients. I have a guess what the problem is:

 

A MS120 is connected to the router of our provider.

Our MX250 cluster is attached to the MS120.

The MX250 is connected to our core switch, a Dell S4048T-ON.

So that the MS120 can access the internet to connect to the Meraki Cloud, the MS120 is connected to the Core via a separate VLAN. The subnet on the core is allowed to connect to the internet.

 

Because the MS120 is connected to the core, the topology shows that all clients are behind the MS120.

The Clients are also shown as offline / disconnected.

Thats wrong.

 

The right way would be Core, MX250, MS120.

For all affected clients, the policy section is missing under network-wide/Clients.

The subnets connected direct to the MX250 are not affected by the problem.

 

How can I fix this?

 

I am grateful for any help.

 

Thanks, Oliver

6 REPLIES 6
CptnCrnch
Kind of a big deal
Kind of a big deal

Internet -> MS120 -> MX250 -> Core

                              ---------------->

 

Is that your setup? Sounds to me like you're building yourself a firewall bypass. From my point of view, MS120 should perfectly be able to contact the Meraki cloud without that one.

Yes, this is our setup.

No, there is no bypass.

The traffic flows through the MX250, checked with trace route.

The firewall rules are also working.

But your are right, once die MS120 is connected direct to the core and once through the MX250.

Let me explain why we did that.

 

We have a range of public IP's from our ISP.

In order for the MS120 to be able to access the Internet, we would have had to offer a public IP.

Because there is no free public IP, we connected the MS120 to our core-switch.

The public subnet and the link to the core on the MS120 are seperated in 2 VLAN's.

The subnet on the core is allowed to access the internet.

 

A think the topology detection is the problem.

The direct connection must be ignored.

Only the connection to MX250 must be visible.

I removed the bypass.

Now the setup is:

 

Internet -> MS120 -> MX250 -> Core

                              ---------------->

 

All clients who were behind the switch before are now gone.

So I still can't use the policie.

I solved it by changing the client tracking from mac address to ip address.

PhilipDAth
Kind of a big deal
Kind of a big deal

To be able to do per-ser group policy the users have to be using the MX as their default gateway.

Yes, I know.

The clients use the mx as their default gateway.

I checked this.

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels