
Deny Local LAN Question

Here to help

Greetings,

I've set up the firewall and traffic shaping for two different SSIDs on my network to "deny any local LAN". One is in NAT mode, the other is in bridge mode.

I don't have any group policies set up. I don't have any whitelisting or blocking set up.

I've noticed that if someone connects with a laptop that is a member of the domain, it seems to override this rule and they have full access to the LAN when connecting to either of the SSIDs. Is that how it's supposed to work?

Kind of a big deal

Re: Deny Local LAN Question

Have they disconnected and reconnected to the network since you set up the deny rule?

Here to help

Re: Deny Local LAN Question

Yes, I've connected and disconnected multiple times to both SSIDs.

Kind of a big deal

Re: Deny Local LAN Question

That's strange behavior. I can't think of any mechanism that would do this, other than the standard group policies, whitelists and blacklists.

Here to help

Re: Deny Local LAN Question

It looks like it may be working correctly now. I need to do a little more testing. Last night I made the changes and saw the behavior, but this afternoon I don't.

Kind of a big deal

Re: Deny Local LAN Question

They should only be able to access DNS and DHCP and nothing else on the local LAN.

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_... 

"Note: DNS and DHCP traffic is exempt from this rule. If the SSID is in NAT mode, only DNS traffic is exempt since the AP acts as a DHCP server for connecting clients."
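As an added illustration of the quoted behaviour (a constructed model written for this thread, not Meraki's code), here is a small Python checker that encodes what the rule should allow in bridge versus NAT mode and flags test-client flows that got through anyway; the flows, hosts and ports in it are made up.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the behaviour quoted above (not Meraki's code): traffic to
# local (RFC 1918) destinations is denied except DNS, and DHCP is exempt only when
# the SSID is in bridge mode, because in NAT mode the AP itself answers DHCP.
LOCAL_LAN = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_PORT, DHCP_SERVER_PORT = 53, 67


@dataclass(frozen=True)
class Flow:
    dst: str     # destination IP the wireless client tried to reach
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


def is_local(dst: str) -> bool:
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in LOCAL_LAN)


def expected_allowed(flow: Flow, ssid_mode: str) -> bool:
    """True if the 'deny local LAN' rule should let this flow through."""
    if ssid_mode not in ("bridge", "nat"):
        raise ValueError("ssid_mode must be 'bridge' or 'nat'")
    if not is_local(flow.dst):
        return True                                   # only local LAN is covered
    if flow.dport == DNS_PORT and flow.proto in ("tcp", "udp"):
        return True                                   # DNS exempt in both modes
    if ssid_mode == "bridge" and flow.proto == "udp" and flow.dport == DHCP_SERVER_PORT:
        return True                                   # DHCP exempt only in bridge mode
    return False


def find_violations(observed, ssid_mode: str):
    """observed: (Flow, succeeded) pairs from a test client. Returns the flows
    that succeeded although the rule says they should have been denied."""
    return [f for f, ok in observed if ok and not expected_allowed(f, ssid_mode)]


def demo():
    # Constructed results from a test laptop on the bridge-mode SSID: DNS and DHCP
    # worked as expected, but SMB to a file server also worked, which is the kind
    # of result that points at a whitelist or group policy overriding the rule.
    observed = [
        (Flow("192.168.1.1", "udp", 53), True),
        (Flow("192.168.1.1", "udp", 67), True),
        (Flow("192.168.1.20", "tcp", 445), True),
        (Flow("192.168.1.21", "tcp", 3389), False),
    ]
    return find_violations(observed, "bridge")
```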

Here to help

Re: Deny Local LAN Question

This is how I expected it to work, and it did for one device, but not for another.

So, now it seems to be even more strange. It's a Microsoft Surface Pro device. It is connecting to Wi-Fi. It doesn't matter which SSID it connects to, it has full access to the LAN.

When I search for this device in the dashboard I can't see it being connected to any APs.

When I search by name, I find the device and it shows that its status is an "offline wired client" and it's associated with one of my Meraki switches.

How is this even possible?

Kind of a big deal

Re: Deny Local LAN Question

> but not for another

If you whitelist the device or apply a group policy which overrides the firewall rules, then you could get this happening.

Here to help

Re: Deny Local LAN Question

I don't have any whitelists, blocking or group policies in effect.

Even then I would think it would still show the device connected to an AP/SSID and not show it being an offline wired device connected straight to a switch.

Getting noticed

Re: Deny Local LAN Question

Yeah, we noticed the same problem (wireless clients are recognized as wired clients, like iPads, MacBooks, etc.) on our network, and then the network policy for wireless clients does not work.

Support doesn't know either...

Here are some iPads: [screenshot: 2019-11-15 08_35_22-Window.png]

Kind of a big deal

Re: Deny Local LAN Question

Is there a non-Meraki switch in between the Meraki AP and the Meraki switch/MX?
Nolan Herring | nolanwifi.com
Here to help

Re: Deny Local LAN Question

No, it's all Meraki switches and Meraki APs.

Kind of a big deal

Re: Deny Local LAN Question

What's actually connected on the port the client is reported to have been connected to last?

Getting noticed

Re: Deny Local LAN Question

It's the port connecting to the access point.

Kind of a big deal

Re: Deny Local LAN Question

Do you have the "forget client" button in your dashboard? If you do, I'd try using that to see if it's some kind of weird caching behavior.

[screenshot: sketch-1574232607663.png]

Here to help

Re: Deny Local LAN Question

I don't seem to have that button in my dashboard. Just the Policy drop-down box.
