Device Policy - Blocked on MX

TedS
Conversationalist
Team,

I am trying to block a host from communicating with other hosts on the same VLAN on an MX. I am setting the Device Policy as blocked for the host. The host can still communicate with other hosts on the same VLAN. The host is blocked from communicating with hosts on the Internet.

I saw this in the documentation:

"...Firewall rule applied to block all communication with other devices on the Network (Only applies to traffic that traverses the Cisco Meraki Device that has the block is configured)..."

I guess what I am seeing is an L3 block at the firewall level, not at the switch port level. Can anyone confirm this is the case?

If it is the case, is there any other way to achieve the results that I am looking for?

Thanks for any replies!

6 REPLIES
Adam
Kind of a big deal

If the traffic is in the same VLAN it probably won't go to the MX. You'll likely have to set up a Switch ACL to do the block by going to Switch > IPv4 ACL.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
TedS
Conversationalist

Hi Adam,

Thanks for the reply. What if the only switch at the branch is in the MX, meaning there are no MS switches?

Adam
Kind of a big deal

So you have an MX firewall/router but no Meraki switches? What kind of switches do you have, or are the clients only connected directly to the MX? Explain a little about your topology and I can advise.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
TedS
Conversationalist

I work at ForeScout. I have a test bed to simulate one of my customer's environments. They will have an MX, MRs and MS' at remote sites. They will be using the MX switch ports as access ports if there are not enough switch ports available in the MS' at that branch office.

Once the ForeScout appliance determines that an unauthorized device has connected to the MX, I want to prevent it from communicating with any local device using API calls. It seems the only option I have available is DevicePolicy, since the MX does not support CoA.

Adam
Kind of a big deal

I'm not familiar with Forescout, so maybe others can chime in on that. But with a standard 802.1X Windows NPS Meraki deployment it can be configured to drop the computer into a guest VLAN if it fails 802.1X, so it is isolated.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
NSGuru
Getting noticed

It sounds like your best option, if your MX is also acting as your switch, is to do the following.

Enable VLANs under Routing in the Addressing & VLANs tab. (Make sure the current VLAN is still set up properly afterwards; check DHCP and make sure it is as it was before, too.)

Create a new VLAN/subnet for this specific device. Change the interface that the device is connected to and give it the native VLAN of the new VLAN you have just set up.

Set up DHCP as well so the device gets a proper IP and DNS.

After this, once the device is up and working properly...

You can then go into firewall rules and create rules to block the device/subnet from communicating with the other devices/subnets that you are trying to protect.

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
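The procedure NSGuru describes (enable VLANs, put the offending MX port into a dedicated VLAN, then deny that subnet at the L3 firewall) and the Switch ACL Adam suggests for sites that do have MS switches can both be driven from the Dashboard API, which is what the original poster wants the ForeScout appliance to do. The script below is an added example written for this thread; it is not Meraki's, ForeScout's or any poster's code. The endpoints are the public Dashboard API v1 paths for appliance VLANs, appliance ports, L3 firewall rules and switch ACLs; the network ID, port ID, VLAN number, subnets and API key are placeholders (assumptions), and the "existing rules" list is constructed here to show the merge. Two points the thread only implies are made explicit: the PUT on L3 rules replaces the whole rule set, so existing rules are fetched and kept behind the new deny rules, and the trailing "Default rule" that Dashboard returns on GET is dropped before the PUT because Dashboard appends it itself.

```python
"""Quarantine an unauthorized host on an MX (or MS) via the Meraki Dashboard API v1.

Added example for the thread above, not code from the thread, Meraki or ForeScout.
Network/port IDs, VLAN numbers, subnets and the API key are placeholder assumptions.
"""
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"


def api(method, path, api_key, body=None):
    """Minimal Dashboard API call using only the standard library (no network use at import)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("X-Cisco-Meraki-API-Key", api_key)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def vlan_payload(vlan_id, name, subnet, appliance_ip):
    """Body for POST /networks/{networkId}/appliance/vlans (NSGuru's step 2)."""
    return {"id": str(vlan_id), "name": name, "subnet": subnet, "applianceIp": appliance_ip}


def access_port_payload(vlan_id):
    """Body for PUT /networks/{networkId}/appliance/ports/{portId}: access port in the new VLAN."""
    return {"enabled": True, "type": "access", "vlan": vlan_id, "dropUntaggedTraffic": False}


def l3_rules_with_quarantine(existing_rules, quarantine_subnet, protected_subnets):
    """Body for PUT /networks/{networkId}/appliance/firewall/l3FirewallRules.

    The MX evaluates rules top-down, so the deny rules go first. The PUT replaces the
    whole list, so the existing rules are kept behind them. Dashboard appends the
    'Default rule' (allow any) itself, so the copy returned by GET is dropped here.
    """
    denies = [
        {
            "comment": f"Quarantine {quarantine_subnet} -> {dst}",
            "policy": "deny",
            "protocol": "any",
            "srcCidr": quarantine_subnet,
            "srcPort": "Any",
            "destCidr": dst,
            "destPort": "Any",
            "syslogEnabled": True,  # log hits so the quarantine is visible in SOC tooling
        }
        for dst in protected_subnets
    ]
    kept = [r for r in existing_rules if r.get("comment") != "Default rule"]
    return {"rules": denies + kept}


def switch_acl_payload(host_ip, local_subnet):
    """Body for PUT /networks/{networkId}/switch/accessControlLists (Adam's suggestion).

    An MS ACL is applied on ingress to all ports, so unlike an MX L3 rule it catches
    traffic that never leaves the VLAN. The ACL ends with an implicit allow-any.
    """
    return {"rules": [{
        "comment": f"Quarantine {host_ip}",
        "policy": "deny",
        "ipVersion": "ipv4",
        "protocol": "any",
        "srcCidr": f"{host_ip}/32",
        "srcPort": "any",
        "dstCidr": local_subnet,
        "dstPort": "any",
        "vlan": "any",
    }]}


def quarantine_on_mx(api_key, network_id, port_id, vlan_id, subnet, appliance_ip, protected):
    """Run NSGuru's procedure end to end: enable VLANs, create one, move the port, add denies."""
    api("PUT", f"/networks/{network_id}/appliance/vlans/settings", api_key, {"vlansEnabled": True})
    api("POST", f"/networks/{network_id}/appliance/vlans", api_key,
        vlan_payload(vlan_id, "Quarantine", subnet, appliance_ip))
    api("PUT", f"/networks/{network_id}/appliance/ports/{port_id}", api_key, access_port_payload(vlan_id))
    rules_path = f"/networks/{network_id}/appliance/firewall/l3FirewallRules"
    existing = api("GET", rules_path, api_key)["rules"]
    return api("PUT", rules_path, api_key, l3_rules_with_quarantine(existing, subnet, protected))


# Constructed sample of what GET l3FirewallRules returns on a network with one custom rule.
SAMPLE_EXISTING_RULES = [
    {"comment": "Guests to Internet only", "policy": "deny", "protocol": "any",
     "srcCidr": "10.0.50.0/24", "srcPort": "Any", "destCidr": "10.0.0.0/8", "destPort": "Any",
     "syslogEnabled": False},
    {"comment": "Default rule", "policy": "allow", "protocol": "Any",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "Any", "syslogEnabled": False},
]

if __name__ == "__main__":
    # Dry run: show the merged rule set without touching the API.
    print(json.dumps(l3_rules_with_quarantine(SAMPLE_EXISTING_RULES, "10.0.99.0/24",
                                              ["10.0.10.0/24", "10.0.20.0/24"]), indent=2))
    if os.environ.get("MERAKI_DASHBOARD_API_KEY"):  # placeholder IDs below are assumptions
        quarantine_on_mx(os.environ["MERAKI_DASHBOARD_API_KEY"], "L_123456", "3", 99,
                         "10.0.99.0/24", "10.0.99.1", ["10.0.10.0/24", "10.0.20.0/24"])
```

The dry run prints the rule set that would be pushed; set MERAKI_DASHBOARD_API_KEY and replace the placeholder IDs to apply it. Because the quarantine VLAN holds only the one host, there is no other host on its segment for it to reach directly, which is what makes the MX L3 rules sufficient there; on an MS the ACL payload is the equivalent, since the original Device Policy block only acts on traffic that crosses the MX.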