Controlling access to certain subnets by certain clients

Here to help

Controlling access to certain subnets by certain clients

I am working on a site with four locations and a MX84 at each location. I have several subnets on each MX84 and one of the subnets is for POS devices. I need to limit access "to" these subnets/ POS devices over the network from/by "specific" clients. The clients that need access are spread across the four sites. I have reserved or set fixed IPs for the clients that require access. Has anyone made anything like this work before?



7 Replies 7
Kind of a big deal
Kind of a big deal

Many times.


It is probably easiest to apply a group policy to the VLAN interface and then apply layer 3 firewall rules.


Thanks PhillipDAth, I will give this a try.

PhillipDAth, I have followed the guide and tried multiple options without success. I have applied the Group Policy to the clients and the VLAN and clients that are not applied to the group policy can still access the end POS devices. One challenge I have is the site has Meraki MX84's and another vendor's APs. I do not believe this should cause an issue since I am attempting to control access via the MX84's.

Lets try this.


Put the group policy on the VLAN.  Then start with a layer 3 firewall rule that blocks everything.  Once you have this first step done then try adding a single rule to give one remote device access.


Here is a quick screenshot of what it might look like:

Screenshot from 2017-12-29 11-29-49.png

Thanks. As I stated I did apply it to the VLAN and the individual clients. And everyone was still able to access the end points. I will try this again first thing tomorrow morning.

One other piece of Information I may have missed providing. The POS devices and each of the four groups of users that require access to the POS devices are each on their own seperate IP Blocks and VLANs.

Kind of a big deal
Kind of a big deal

That is fine.  Just make sure the last firewall rule you add is a "deny everything".  Get that rule working first (so nothing can talk to the POS) and then start adding in allow rules.


Make sure the group policy is to to override any other firewall rules.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.