Content Filtering blocking some clients to access the internet

Getting noticed

Content Filtering blocking some clients to access the internet



we would like to use the content filtering.

For this we would like to work with group policies.

We are currently looking for a way to prohibit individual clients from accessing the Internet.

Unfortunately, the "block list" is not a solution, as internal access is also blocked here.

Therefore we have defined a group policy "block all" with a catch-all (*).

However, access to internal websites is also blocked here (e.g. via VPN).


We are looking for a solution to block internet access for individual clients, although access to internal web services should still be possible.


This is our current setup:


all clients are wired.
We are using site-to-site vpn.

We have a layer 3 switch behind the MX.
The clients are connected to the Layer 3 switch.
The MX has a static route to the subnet on the switch.

1. - some clients are allowed to access the internet directly, works with a firewall rule
2. - some clients are allowed to access the internet via a proxy server (squid proxy), which also does the content filtering
3. - all other clients are not able to access the internet


Now we want to use the content filtering of the MX.
The clients from point 1 and 2 should go directly to the internet, content filtering does the MX with a default set.
To implement this, the firewall rule from point 1 is changed, so that the entire subnet is allowed to access the internet.


Now i need a solution, how to block the clients which are not allowed to access the internet.


I am grateful for any help


Thanks Oliver

3 Replies 3
Getting noticed

Hi @big-net,


Content Filtering usually used when blocking categories or sites. If you use this to block all, it will both block internet and internal access. One possible solution is to create a firewall rules on your MX to allow only specific IP (like proxy, internal networks) and the last rule is block any source to any destination using any ports. In this way, users cannot access internet directly.








Kind of a big deal
Kind of a big deal

Why not simply add L3/4 rules to your group policy only allowing internal IP's?

That immediately cuts off any internet access without having to resort to some fancy regex matches in your content filter.


If you have subnets all over the place then you can just allow access to the RFC-1918 address space and block anything else.


Rule 1: Allow protocol any to destination

Rule 2: Allow protocol any to destination

Rule 3: Allow protocol any to destination

Rule 4: Deny protocol any to any

Here to help

Try block port 80,443,53 on L3 rules.

create group policies name internet access and allow 80,443,53 for the user to access the internet.
Group policies override L3 rules.

content filtering can be customized here too.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.