Meraki

Community

Device Policy - Blocked on MX

TedS
Conversationalist
‎Sep 11 2018 6:36 AM
‎Sep 11 2018 6:36 AM

Device Policy - Blocked on MX

Team,

 

I am trying to block a host from communication with other hosts on the same VLAN on a MX.  I am setting the Device Policy as blocked for the host.  The host can still communicate with other hosts on the same VLAN.  The is blocked from communicating with hosts on the Internet.

 

I saw this in the documentation:

"...Firewall rule applied to block all communication with other devices on the Network (Only applies to traffic that traverses the Cisco Meraki Device that has the block is configured)..."

 

 

I guess what I am seeing is a L3 block at the firewall level, not the switch port level.  Can anyone confirm this is the case?

 

If it is the case, is there any other way to achieve the results that I am looking for?

 

 

Thanks for any replies!

0 Kudos
6 Replies 6
Adam
Kind of a big deal
‎Sep 11 2018 6:55 AM
‎Sep 11 2018 6:55 AM

If the traffic is in the same VLAN it probably won't go to the MX.  You'll likely have to setup a Switch ACL to do the block by going to Switch>IPv4 ACL. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
In response to Adam
TedS
Conversationalist
‎Sep 11 2018 7:01 AM
‎Sep 11 2018 7:01 AM

Hi Adam,

 

Thanks for the reply.  What if the only switch at the branch is in the MX, that meaning there are no MS switches?

0 Kudos
In response to TedS
Adam
Kind of a big deal
‎Sep 11 2018 7:12 AM
‎Sep 11 2018 7:12 AM

So you have an MX firewall/router but no Meraki switches?  What kind of switches do you have or are the clients only connected directly to the MX?  Explain a little about your topology and I can advise. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
In response to Adam
TedS
Conversationalist
‎Sep 11 2018 8:00 AM
‎Sep 11 2018 8:00 AM

I work at ForeScout.  I have a test bed to simulate one of my customer's environments.  They will have an MX, MRs and MS' at remote sites.  They will be using the MX switch ports as access ports if there are not enough switch ports available in the MS' at that branch office. 

 

Once the ForeScout appliance determines that an unauthorized device has connected to the the MX, I want to prevent it from communicating to any local device using API calls.  It seems the only options I have available are DevicePolicy since the MX does not support COA.

0 Kudos
In response to TedS
Adam
Kind of a big deal
‎Sep 11 2018 8:35 AM
‎Sep 11 2018 8:35 AM

I'm not familiar with Forescout so maybe others can chime in on that.  But with a standard 802.1x Windows NPS Meraki deployment it can be configured to drop the computer into a guest VLAN if it fails 802.1x so it is isolated.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
NSGuru
Getting noticed
‎Sep 12 2018 10:59 AM
‎Sep 12 2018 10:59 AM

It sounds like your best option if your MX is also acting as your switch is to do the following.

 

Enable VLANs under routing of the addressing and vlans tab. (Make sure the current vlan is still setup properly afterwards, Check DHCP and make sure it is proper as it was before also.)

 

Create a new VLAN/Subnet for this specific device. Change the interface that the device is connected to and give it the native VLAN of the new VLAN you have just setup. 

 

Setup DHCP also so the device grabs proper IP and DNS. 

 

After this and the device is up and working properly...

 

You can then go into firewall rules and create rules to block the device/subnet from communicating to the other devices/subnet that you are trying to achieve. 

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.