Comma Separated Layer 3 Rules

KennyM
Conversationalist

I'm trying to streamline and organize my firewall rules a bit more and I noticed that when creating a Layer 3 rule, I can put multiple CIDRs and IP Addresses separated by commas.  I was going to allow traffic in and out to a specific device, but I assumed I'd have to make a rule for each direction.  This is how I've usually done it when allowing traffic for both directions:

[Screenshot: oneway.png]

Is it possible to make 1 rule and allow traffic in and out by separating by comma?  Is this good practice?  Like this?

[Screenshot: 2 way.png]

NOTE: I'm blocking all other traffic on this subnet, I just want to allow access to this one device.  I'll probably break it apart by port if this actually is ideal.


Also, are there other keywords I can use in these SOURCE and DESTINATION (like ANY)?  Such as WAN or LAN?  Or just use the gateway address maybe?


Thank you

Nash
Kind of a big deal

Regardless of whether you can, I don't think you should.


Mirror rules are clear: X is allowed/denied to Y. Y is allowed/denied to X.


Each line shows one relationship.


I would rather read more, clearer lines.
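The following is an added example, not code from the original thread or from Meraki: a small model of how a comma-separated Layer 3 rule is read, to make concrete what the combined rule in the question grants compared with the two mirror rules Nash describes. It assumes the usual semantics for such lists (a rule matches when the source is in any listed source entry AND the destination is in any listed destination entry, rules are evaluated top-down with first match winning, and the implicit default allows); the subnet 192.168.10.0/24 and device 192.168.20.50 are constructed addresses. The point it shows is that listing both endpoints in both fields is a cross product: the single rule also grants subnet to subnet and device to device, not just the two directions you meant.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple

# Constructed model of an MX-style Layer 3 rule (not Meraki code). Assumed
# semantics: a rule matches when the packet's source is in ANY entry of src
# AND its destination is in ANY entry of dst; rules are evaluated top-down,
# first match wins; the implicit default allows.


@dataclass(frozen=True)
class Rule:
    policy: str   # "allow" or "deny"
    src: str      # comma-separated CIDRs/IPs, or "any"
    dst: str
    comment: str = ""


def parse_list(field: str) -> List[ipaddress.IPv4Network]:
    """Split a comma-separated source/destination field into networks."""
    nets = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        if item.lower() == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            # strict=False lets a bare host address become a /32
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def rule_matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in n for n in parse_list(rule.src)) and any(
        d in n for n in parse_list(rule.dst))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation; returns the policy that applies to the flow."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip):
            return rule.policy
    return "allow"  # assumed implicit default


def implied_pairs(rule: Rule) -> List[Tuple[str, str]]:
    """Every (source entry, destination entry) pair a single rule grants."""
    srcs = [x.strip() for x in rule.src.split(",")]
    dsts = [x.strip() for x in rule.dst.split(",")]
    return list(product(srcs, dsts))


# Constructed example: restricted VLAN 192.168.10.0/24, device 192.168.20.50.
SUBNET, DEVICE = "192.168.10.0/24", "192.168.20.50"

# Two mirror rules, one per direction, then block the rest of the subnet.
MIRROR = [
    Rule("allow", SUBNET, DEVICE, "subnet -> device"),
    Rule("allow", DEVICE, SUBNET, "device -> subnet"),
    Rule("deny", SUBNET, "any", "block everything else from subnet"),
    Rule("deny", "any", SUBNET, "block everything else to subnet"),
]

# One rule with both endpoints listed comma-separated in both fields.
COMBINED = [
    Rule("allow", f"{SUBNET},{DEVICE}", f"{SUBNET},{DEVICE}", "both ways"),
    Rule("deny", SUBNET, "any", "block everything else from subnet"),
    Rule("deny", "any", SUBNET, "block everything else to subnet"),
]


def differing_flows(flows: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Flows on which the two rule sets disagree: (src, dst, mirror, combined)."""
    out = []
    for s, d in flows:
        m, c = evaluate(MIRROR, s, d), evaluate(COMBINED, s, d)
        if m != c:
            out.append((s, d, m, c))
    return out


if __name__ == "__main__":
    print("combined rule grants:", implied_pairs(COMBINED[0]))
    sample = [
        ("192.168.10.5", DEVICE),          # intended: both sets allow
        (DEVICE, "192.168.10.5"),          # intended: both sets allow
        ("192.168.10.5", "192.168.10.9"),  # subnet -> itself: only COMBINED allows
        ("192.168.10.5", "8.8.8.8"),       # both sets deny
    ]
    for row in differing_flows(sample):
        print("disagree:", row)
```

Running it lists four granted pairs for the combined rule against one per mirror rule, and the subnet-to-subnet flow is allowed only by the combined set. Traffic between hosts in the same VLAN usually never reaches the MX firewall, so that extra grant may be harmless in practice, but the rule text still says more than you intend and is harder to audit, which is the readability point above. A related caveat if you later split by port: a destination port on the combined rule constrains both directions at once, whereas mirror rules let you put the port only on the client-to-device direction.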

CptnCrnch
Kind of a big deal

You could "Make a wish" on the firewall configuration page for Firewall Objects. Maybe this will help speed this up and will bring new potential to firewall configuration on MX.

KennyM
Conversationalist

Excellent point.  Thanks!

jdsilva
Kind of a big deal

Firewall objects are in beta 😉

PhilipDAth
Kind of a big deal

I tend to create a group policy for each VLAN I want to restrict and put the firewall rules in there.  I find it much easier when there are a lot of rules.  The rules in this case only limit traffic from the VLAN towards the MX.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin... 

