Meraki

Community

Combined or separate networks?

Adam2104
Building a reputation
‎May 3 2019 6:51 AM
‎May 3 2019 6:51 AM

Combined or separate networks?

What is everyone doing from a combined/separate network perspective? I just started out with a full Meraki stack, MX, MS, and MR, so I started with a combined network. However, it seems that within a combined network I only have one chance to apply a group policy. For example, I apply a group policy to a wireless client device to block access to a particular internal resource via a L3 firewall rule I also have to completely duplicate all the L3 firewall rules that are configured on the MX, otherwise the device bypasses all the MX firewall rules.

 

So, now I've split the networks. This seems to let me apply a group policy to my wireless clients (say, IoT devices), but also allows the MX L3 firewall rules to still apply because the group policies are only network specific. Is my understanding correct?

0 Kudos
4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 3 2019 2:35 PM
‎May 3 2019 2:35 PM

Seperate networks are mostly a thing of the past now, and mostly people only use combined networks.

 

I typically do all my firewall rules on just the MX, rather than both the MX and MR.  Also on the client page you can select to apply the group policy by connection or SSID, so you can apply it to the client for only one type of connection it is using.

 

1.PNG

 

 

GIdenJoe
Kind of a big deal
Kind of a big deal
‎May 4 2019 6:52 AM
‎May 4 2019 6:52 AM

The problem I have with split networks is that you can't click through on a client with problems from the MX to the switch or AP.  So troubleshooting becomes a thing where you're going back and forth between networks.

There is however the big problem with combined networks and a L3 switch that you can have duplicate traffic types from ghost clients because in combined networks you can only use track clients by MAC address.

0 Kudos
RohitRaj
Meraki Employee
Meraki Employee
‎Jun 3 2019 4:44 PM
‎Jun 3 2019 4:44 PM

It is always ideal to have a single device take care of layer 3 firewall rules in a network (either the firewall or the AP).

In a combined network, when you apply a group policy with layer 3 firewall rules, your telling the Meraki devices to handle the layer traffic at a singular level, so bypassing the global firewall rules would be expected. 

 

Additionally, it is always easier to track all layer 3 firewall rules on one page, rather than jump between multiple devices. 

 

I would recommend you add the layer 3 firewall rule at the global level (on the MX). 

 

BTW, what rule are you adding on the AP level, that cannot be added at the MX?

If this was helpful, click the Kudos button below.
If your issue was resolved, we request you to mark the post resolved so other users can benefit in future
AKW898
Here to help
‎Sep 10 2024 4:13 AM
‎Sep 10 2024 4:13 AM

After splitting networks, all my clients have different IPs - some up to 8 IPs which they once had) and different policies. How can I prevent this?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.