We ran into several cases where flipping a device in the client list from "normal" (Group Policy applied) to "allow-listed" (no rules) has no effect. (That is, until there's some other unrelated change to the same appliance - and only then it kicks in...)
Is there something I've missed in the instructions or documentation, or perhaps I am encountering a known bug, or doing something wrong?
We followed Meraki "Blocking and Allowing Clients" instructions to allow-list a device.
Steps to reproduce:
(The same is true in reverse: flipping the device from "allow-listed" to "normal" takes no effect until some other change is made.)
Is anyone else seeing this?
(The device is MX67, firmware MX 18.107.2 (marked "Up to date" by Meraki))
Thanks!
One question, isn't this Group policy applied to the VLAN as well?
It's applied primarily to a VLAN.
Does this change anything?
See what the documentation says.
When a group policy is applied to a VLAN, that policy becomes the new "network default" for any other group policies applied to clients in that VLAN.
I am not sure how to read it, or what it means for my case.
If allow-listing a device is not supposed to work at all due to "network default" policies, then why does making an unrelated change to a group policy all of a sudden allow-list the device anyway? (See "how to reproduce" step 4 above.)
What happens is that the Group policy applied to the VLAN has higher priority than the other forms, that is, what counts is what is applied to the VLAN.
Edited:
Since multiple Group Policies can affect the same settings, or overwrite network default settings, there is an order of priority in place for which settings will affect a client. This order is as follows, from top priority to lowest:
You can find this information here: https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Troubleshooting_Gr...
I suggest you open a support case.
Sorry that I am so slow.
You're saying that explicitly allow-listing a device in a VLAN with a GP applied to it will have no effect with respect to active VLAN Group Policy rules. Does that sound right?
(That - despite "Policy - Show Details" showing no Layer 3, 7 or traffic shaping rules applied to the device at all...)
(It doesn't sound right to me - it's not what Meraki docs say - but OK. Let's assume for a second you're right.)
What I am saying is this:
How does this make sense?
Did you see my previous (corrected) post? What does the documentation say about priority?
Yes, thank you, saw it.
In other words, the behavior I am describing (if I am describing it accurately) - is unexpected, runs counter to Meraki docs, and does not represent a known bug?
I suggest you open a support case. They will help you.
Done before I even posted here. As I mentioned in my original post, the goal of this thread was to rule out me doing something wrong, or known Meraki (mis)behavior. Looks like it's neither - which is strange given seemingly a lot of orgs using Meraki, VLAN GPs, and allow-listing being a common tool to troubleshoot issues.
Thanks for the help with this!