Team,
I am trying to block a host from communicating with other hosts on the same VLAN on an MX. I am setting the Device Policy as blocked for the host. The host can still communicate with other hosts on the same VLAN. The host is blocked from communicating with hosts on the Internet.
I saw this in the documentation:
"...Firewall rule applied to block all communication with other devices on the Network (Only applies to traffic that traverses the Cisco Meraki Device that has the block is configured)..."
I guess what I am seeing is a L3 block at the firewall level, not the switch port level. Can anyone confirm this is the case?
If it is the case, is there any other way to achieve the results that I am looking for?
Thanks for any replies!
If the traffic is in the same VLAN it probably won't go to the MX. You'll likely have to set up a Switch ACL to do the block by going to Switch > IPv4 ACL.
Hi Adam,
Thanks for the reply. What if the only switch at the branch is in the MX, meaning there are no MS switches?
So you have an MX firewall/router but no Meraki switches? What kind of switches do you have or are the clients only connected directly to the MX? Explain a little about your topology and I can advise.
I work at ForeScout. I have a test bed to simulate one of my customer's environments. They will have an MX, MRs and MS' at remote sites. They will be using the MX switch ports as access ports if there are not enough switch ports available in the MS' at that branch office.
Once the ForeScout appliance determines that an unauthorized device has connected to the MX, I want to prevent it from communicating with any local device using API calls. It seems the only option I have available is DevicePolicy, since the MX does not support CoA.
I'm not familiar with ForeScout, so maybe others can chime in on that. But with a standard 802.1X Windows NPS Meraki deployment it can be configured to drop the computer into a guest VLAN if it fails 802.1X, so it is isolated.
It sounds like your best option if your MX is also acting as your switch is to do the following.
Enable VLANs under Routing on the Addressing & VLANs tab. (Make sure the current VLAN is still set up properly afterwards; check DHCP and make sure it is configured as it was before, too.)
Create a new VLAN/subnet for this specific device. Change the interface that the device is connected to and give it the native VLAN of the new VLAN you have just set up.
Set up DHCP as well so the device gets a proper IP and DNS.
After this, once the device is up and working properly...
You can then go into firewall rules and create rules to block the device/subnet from communicating to the other devices/subnet that you are trying to achieve.
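The steps above, plus the API-driven block the original poster asked about in the ForeScout reply, as one added example (not code from this thread or from Cisco Meraki). It drives the flow through the Meraki Dashboard API v1: block the client policy, create a quarantine VLAN, move the MX LAN port into it, then prepend deny rules to the existing L3 rule list. The endpoint paths, JSON field names and the shape of the trailing read-only "Default rule" are taken from the public v1 API as I know it and are assumptions here, as are the network ID, serial, client ID and subnets, which are constructed; verify the endpoints against the API reference for your firmware release. The point the code makes is the one the thread makes: the devicePolicy block and the L3 rules only see traffic that crosses the MX, so the host has to be put in its own VLAN first.

```python
"""Quarantine a client on an MX that is also the switch, via Dashboard API v1.

Added example, not from the thread or from Cisco Meraki. Endpoint paths, body
fields and the default-rule shape are assumptions taken from the public v1 API.
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional

BASE_URL = "https://api.meraki.com/api/v1"
# Read-only rule the dashboard appends to every L3 rule list (assumed shape).
DEFAULT_RULE = {"comment": "Default rule", "policy": "allow", "protocol": "Any",
                "srcPort": "Any", "srcCidr": "Any", "destPort": "Any",
                "destCidr": "Any", "syslogEnabled": False}


@dataclass
class Request:
    method: str
    path: str
    body: Optional[dict] = None


class DashboardApi:
    """Thin urllib transport; only used when a real API key is supplied."""

    def __init__(self, api_key, base_url=BASE_URL):
        self.api_key, self.base_url = api_key, base_url

    def call(self, req):
        data = json.dumps(req.body).encode() if req.body is not None else None
        http = urllib.request.Request(
            self.base_url + req.path, data=data, method=req.method,
            headers={"Authorization": f"Bearer {self.api_key}",
                     "Content-Type": "application/json", "Accept": "application/json"})
        with urllib.request.urlopen(http) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None


class FakeDashboard:
    """Constructed in-memory stand-in so the flow runs offline: records every
    request and serves a canned rule list that ends with the default rule."""

    def __init__(self):
        self.sent = []
        self.rules = [{"comment": "allow print traffic", "policy": "allow", "protocol": "tcp",
                       "srcPort": "Any", "destPort": "9100", "srcCidr": "10.10.0.0/24",
                       "destCidr": "10.10.20.0/24", "syslogEnabled": False}, DEFAULT_RULE]

    def call(self, req):
        self.sent.append(req)
        if req.path.endswith("l3FirewallRules"):
            if req.method == "PUT":
                self.rules = list(req.body["rules"]) + [DEFAULT_RULE]
            return {"rules": list(self.rules)}
        return req.body


def block_client_policy(net_id, client_id):
    """What the original poster already tried: only affects traffic crossing the MX."""
    return Request("PUT", f"/networks/{net_id}/clients/{client_id}/policy",
                   {"devicePolicy": "Blocked"})


def create_quarantine_vlan(net_id, vlan_id, subnet, appliance_ip):
    return Request("POST", f"/networks/{net_id}/appliance/vlans",
                   {"id": vlan_id, "name": f"quarantine-{vlan_id}",
                    "subnet": subnet, "applianceIp": appliance_ip})


def move_mx_port(serial, port_id, vlan_id):
    """Access port in the quarantine VLAN: the host's traffic to every other
    subnet now has to route through the MX, where the L3 rules apply."""
    return Request("PUT", f"/devices/{serial}/appliance/ports/{port_id}",
                   {"enabled": True, "type": "access", "vlan": vlan_id})


def merge_deny_rules(existing, quarantine_cidr, protected_cidrs):
    """PUT replaces the whole L3 list: prepend the deny rules to what is already
    configured, drop the read-only default rule, and never add a rule twice."""
    kept = [r for r in existing if r.get("comment") != DEFAULT_RULE["comment"]]
    have = {r.get("comment") for r in kept}
    deny = []
    for dst in protected_cidrs:
        comment = f"quarantine {quarantine_cidr} -> {dst}"
        if comment not in have:
            deny.append({"comment": comment, "policy": "deny", "protocol": "any",
                         "srcPort": "Any", "destPort": "Any", "srcCidr": quarantine_cidr,
                         "destCidr": dst, "syslogEnabled": True})
    return deny + kept


def quarantine(api, net_id, serial, port_id, client_id, vlan_id, subnet, appliance_ip,
               protected_cidrs):
    """Run the whole flow and return the rule list that was pushed."""
    api.call(block_client_policy(net_id, client_id))
    api.call(create_quarantine_vlan(net_id, vlan_id, subnet, appliance_ip))
    api.call(move_mx_port(serial, port_id, vlan_id))
    path = f"/networks/{net_id}/appliance/firewall/l3FirewallRules"
    current = api.call(Request("GET", path))["rules"]
    rules = merge_deny_rules(current, subnet, protected_cidrs)
    api.call(Request("PUT", path, {"rules": rules}))
    return rules


if __name__ == "__main__":
    # Constructed identifiers; swap FakeDashboard() for DashboardApi("<API KEY>") to go live.
    api = FakeDashboard()
    for rule in quarantine(api, "N_EXAMPLE", "QXXX-XXXX-XXXX", 3, "k74272e", 99,
                           "10.99.0.0/24", "10.99.0.1", ["10.10.0.0/24", "10.10.20.0/24"]):
        print(rule["policy"], rule["srcCidr"], "->", rule["destCidr"], rule["comment"])
```

Two design choices worth noting. The rule merge fetches the current list first because the rules endpoint replaces everything it is given, so pushing only the deny rules would silently wipe whatever the site already had. And the deny rules are keyed by comment so a second run of the flow from the ForeScout side does not stack duplicates; the VLAN creation step, by contrast, is not idempotent against the real API and should be skipped once the quarantine VLAN exists.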