Meraki

Community

Comma Separated Layer 3 Rules

KennyM
Conversationalist
‎Feb 6 2020 12:18 PM
‎Feb 6 2020 12:18 PM

Comma Separated Layer 3 Rules

I'm trying to streamline and organize my firewall rules a bit more and I noticed that when creating a Layer 3 rule, I can put multiple CIDRs and IP Addresses separated by commas.  I was going to allow traffic in and out to a specific device, but I assumed I'd have to make a rule for each direction.  This is how I've usually done it when allowing traffic for both directions:

oneway.png

 

 

Is it possible to make 1 rule and allow traffic in and out by separating by comma?  Is this good practice?  Like this?

 

2 way.png

NOTE: I'm blocking all other traffic on this subnet, I just want to allow access to this one device.  I'll probably break it apart by port if this actually is ideal.

 

Also, are there other keywords I can use in these SOURCE and DESTINATION (like ANY)?  Such as WAN or LAN?  Or just use the gateway address maybe?

 

Thank you

0 Kudos
5 Replies 5
Nash
Kind of a big deal
‎Feb 6 2020 12:21 PM
‎Feb 6 2020 12:21 PM

Regardless of if you can, I don't think you should.

 

Mirror rules are clear: X is allowed/denied to Y. Y is allowed/denied to X.

 

Each line shows one relationship.

 

I would rather read more, clearer lines.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Feb 6 2020 12:47 PM
‎Feb 6 2020 12:47 PM

You could „Make a wish“ on the firewall configuration page for Firewall Objects. Maybe this will help speed up this and will bring new potential to firewall configuration on MX.

0 Kudos
In response to Nash
KennyM
Conversationalist
‎Feb 6 2020 12:49 PM
‎Feb 6 2020 12:49 PM

Excellent point.  Thanks!

0 Kudos
In response to KennyM
jdsilva
Kind of a big deal
‎Feb 6 2020 1:36 PM
‎Feb 6 2020 1:36 PM

Firewall objects are in beta 😉

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 6 2020 4:44 PM
‎Feb 6 2020 4:44 PM

I tend to create a group policy for each VLAN I want to restrict and put the firewall rules in there.  I find it much easier when there are a lot of rules.  The rules in this case only limit traffic from the VLAN towards the MX.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin... 

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.