Controlling access to certain subnets by certain clients

cjouglard-UDI
Here to help

Controlling access to certain subnets by certain clients

I am working on a site with four locations and a MX84 at each location. I have several subnets on each MX84 and one of the subnets is for POS devices. I need to limit access "to" these subnets/ POS devices over the network from/by "specific" clients. The clients that need access are spread across the four sites. I have reserved or set fixed IPs for the clients that require access. Has anyone made anything like this work before?

PhilipDAth
Kind of a big deal

Many times.


It is probably easiest to apply a group policy to the VLAN interface and then apply layer 3 firewall rules.

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...


Thanks PhilipDAth, I will give this a try.

PhilipDAth, I have followed the guide and tried multiple options without success. I have applied the group policy to the clients and the VLAN, and clients that are not applied to the group policy can still access the end POS devices. One challenge I have is the site has Meraki MX84s and another vendor's APs. I do not believe this should cause an issue since I am attempting to control access via the MX84s.

Let's try this.


Put the group policy on the VLAN. Then start with a layer 3 firewall rule that blocks everything. Once you have this first step done, then try adding a single rule to give one remote device access.


Here is a quick screenshot of what it might look like:

Thanks. As I stated, I did apply it to the VLAN and the individual clients, and everyone was still able to access the end points. I will try this again first thing tomorrow morning.

One other piece of information I may have missed providing: the POS devices and each of the four groups of users that require access to the POS devices are each on their own separate IP blocks and VLANs.

PhilipDAth
Kind of a big deal

That is fine. Just make sure the last firewall rule you add is a "deny everything". Get that rule working first (so nothing can talk to the POS) and then start adding in allow rules.


Make sure the group policy is set to override any other firewall rules.
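The rule ordering recommended above (per-client allow rules first, a catch-all deny to the POS subnet last, first match wins) can be checked offline before it is typed into the dashboard. The following is an added example, not code from the thread or from Meraki: it is a simplified model of top-down, first-match layer 3 rule evaluation, and the POS subnet and the four fixed client IPs are constructed sample values, not the poster's real addressing.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: one POS subnet and one fixed-IP client per site.
# The thread does not give the real addresses; these are placeholders.
POS_SUBNET = "10.10.50.0/24"
ALLOWED_CLIENTS = ["10.10.10.20", "10.10.20.20", "10.10.30.20", "10.10.40.20"]


@dataclass
class Rule:
    policy: str        # "allow" or "deny"
    src: str           # source CIDR, or "any"
    dst: str           # destination CIDR, or "any"
    comment: str = ""


def _matches(cidr, ip):
    """True when the address falls inside the CIDR ("any" matches everything)."""
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def build_pos_rules(allowed_clients, pos_subnet):
    """One allow rule per fixed-IP client, then a catch-all deny to the POS subnet."""
    rules = [Rule("allow", f"{c}/32", pos_subnet, f"POS access for {c}") for c in allowed_clients]
    rules.append(Rule("deny", "any", pos_subnet, "Deny everything else to POS"))
    return rules


def deny_is_last(rules, pos_subnet):
    """Check that the catch-all deny exists and is the final rule, below every allow."""
    denies = [i for i, r in enumerate(rules)
              if r.policy == "deny" and r.src == "any" and r.dst == pos_subnet]
    return bool(denies) and denies[-1] == len(rules) - 1


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins, top to bottom; assumed default of allow when nothing matches."""
    for r in rules:
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.policy
    return "allow"


if __name__ == "__main__":
    rules = build_pos_rules(ALLOWED_CLIENTS, POS_SUBNET)
    print("deny rule is last:", deny_is_last(rules, POS_SUBNET))
    for src in ("10.10.10.20", "10.10.10.99"):
        print(src, "-> 10.10.50.5:", evaluate(rules, src, "10.10.50.5"))
    # Same rules with the deny moved to the top: this is the "block everything
    # first" starting state, in which even the approved client is cut off.
    deny_first = [rules[-1]] + rules[:-1]
    print("deny first, approved client:", evaluate(deny_first, "10.10.10.20", "10.10.50.5"))
```

Traffic to subnets other than the POS block falls through to the default, so the catch-all deny only affects the POS destination.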
