Meraki

Community

Cisco MX64W

BrianVanoy
New here
‎Jan 16 2025 9:09 AM
‎Jan 16 2025 9:09 AM

Cisco MX64W

We are needing to restrict printing down to a select few hosts within our network to a specific printer on the same network. When going into the Firewall portion of our Cisco MX64W, in the Layer 7 section, I've noticed it only allows us to create a Deny rule with no Allow being selectable. 

 

In short, can anyone tell me if creating such a rule on a MX64W is possible?

 

Thanks for any direction and advice.

Labels:
0 Kudos
7 Replies 7
alemabrahao
Kind of a big deal
‎Jan 16 2025 9:13 AM
‎Jan 16 2025 9:13 AM

Why don't you create a rule of 3 blocking the source IPs to the printer's destination IP?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
BrianVanoy
New here
‎Jan 16 2025 9:49 AM
‎Jan 16 2025 9:49 AM

Thank you, Alemabrahao

 

I've noticed in the Layer 3 there's only an Inbound and Outbound option, nothing to restrict inside traffic talking to each other.  Is this typical of the MX64W not allowing rules for inside traffic?

0 Kudos
In response to BrianVanoy
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jan 16 2025 10:04 AM
‎Jan 16 2025 10:04 AM

Hi @BrianVanoy , as previously mentioned, you can restrict inter vlan but not intra.  You would need to move the printers into a new IP subnet and restrict that way.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Mloraditch
Kind of a big deal
‎Jan 16 2025 9:20 AM
‎Jan 16 2025 9:20 AM

Is the printer on the same vlan or a different vlan? If a different VLAN you can create a group policy with the relevant Layer 3 rules and attach it to that VLAN. If it's the same VLAN the MX is not involved in that layer 2  communication and I would recommended moving to seperate vlans to facilitate with a group policy.


You can do intra-vlan blocking with more advanced switching options, if you wanted to investigate that, but if the site is small enough for a MX64W then its likely not worth it, in most cases.



If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Mloraditch
BrianVanoy
New here
‎Jan 16 2025 9:51 AM
‎Jan 16 2025 9:51 AM

Thanks Mloraditch,

 

Unfortunately, they are on the same VLAN which I always encourage that printers be placed on their own within the network for security reasons/purposes. It doesn't appear the Layer 3 rules allows for any restriction of inside traffic at this time. If I specify the printers address it wants me to restrict the entire VLAN rather than a specific IP address on both the Source and Destiation.

In response to BrianVanoy
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 16 2025 11:05 AM
‎Jan 16 2025 11:05 AM

You will either need a Meraki switch and apply the ACL there:

https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation

Or, as others have mentioned, move the printer into its own subnet/VLAN.

BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Jan 16 2025 8:17 PM
‎Jan 16 2025 8:17 PM

The easier option might be to enable IP filtering on the printer itself. Just make sure you include your IP so that the device can be managed and you don't lock yourself out. 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.