Device "allow-listing" has no effect?

cabricharme

We ran into several cases where flipping a device in the client list from "normal" (Group Policy applied) to "allow-listed" (no rules) has no effect. (That is, until there's some other unrelated change to the same appliance - and only then it kicks in...)

Is there something I've missed in the instructions or documentation, or perhaps I am encountering a known bug, or doing something wrong?

We followed Meraki "Blocking and Allowing Clients" instructions to allow-list a device.

Steps to reproduce:

  1. Locate a device where the applied group policy doesn't allow certain traffic, e.g. no ICMP or other traffic from another device.
  2. Allow-list the device following Meraki "Blocking and Allowing Clients" instructions
  3. Observe the traffic still being blocked. (Elapsed time doesn't matter; it will still be blocked e.g. 24 hours later unless some other change triggers the allow-listing to take effect.)
  4. Make a change to e.g. a group policy on the same security appliance and save it. (The policy does not have to be related to the device in question, it can be entirely unrelated and not scoped for the device in question. Reversing the GP change does not change this behavior.)
  5. Once the change is applied (10-30 seconds), observe the allow-listing take effect as well: the traffic is now allowed.

(The same is true in reverse: flipping the device from "allow-listed" to "normal" has no effect until some other change is made.)

Is anyone else seeing this?

(The device is MX67, firmware MX 18.107.2 (marked "Up to date" by Meraki))

Thanks!
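For anyone wanting to reproduce the steps above without clicking through the dashboard, here is an added example (not code from the original post or from Meraki) that flips a client to "Allowed" through the Dashboard API and polls until the dashboard reports the change. The endpoint path (`/networks/{networkId}/clients/{clientId}/policy`), the `X-Cisco-Meraki-API-Key` header and the `devicePolicy` values are taken from the Dashboard API v1 as I know it; the network ID, client ID and API key are placeholders, and `FakeDashboard` is a constructed stand-in so the script runs offline. As the reproduction in the post shows, a successful dashboard-side read proves only that the configuration was accepted, not that the MX is enforcing it, so a traffic test (e.g. the ICMP check from step 1) must follow.

```python
"""Set a Meraki client's policy to "Allowed" and confirm the dashboard reflects it.

Added example; endpoint paths and field names follow the Meraki Dashboard API v1
as documented. IDs and the API key are placeholders (assumptions, not from the post).
"""
import json
import time
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

BASE_URL = "https://api.meraki.com/api/v1"

# A transport takes (method, url, json_body_or_None) and returns (status, json_body).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def urllib_transport(api_key: str) -> Transport:
    """Real HTTPS transport for use against a live dashboard (not exercised offline)."""
    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("X-Cisco-Meraki-API-Key", api_key)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    return send


class FakeDashboard:
    """Constructed stand-in for the dashboard so the example runs offline.
    It records every call and, like the real endpoint, echoes the stored policy."""

    def __init__(self, initial: dict):
        self.state = dict(initial)
        self.calls: List[Tuple[str, str, Optional[dict]]] = []

    def __call__(self, method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        self.calls.append((method, url, body))
        if method == "PUT":
            self.state.update(body or {})
        return 200, dict(self.state)


def _policy_url(network_id: str, client_id: str) -> str:
    return f"{BASE_URL}/networks/{network_id}/clients/{client_id}/policy"


def get_client_policy(send: Transport, network_id: str, client_id: str) -> dict:
    status, body = send("GET", _policy_url(network_id, client_id), None)
    if status != 200:
        raise RuntimeError(f"GET client policy failed with HTTP {status}")
    return body


def set_client_policy(send: Transport, network_id: str, client_id: str,
                      device_policy: str, group_policy_id: Optional[str] = None) -> dict:
    """devicePolicy is one of 'Allowed', 'Blocked', 'Normal', 'Group policy'."""
    payload: Dict[str, str] = {"devicePolicy": device_policy}
    if device_policy == "Group policy":
        if not group_policy_id:
            raise ValueError("groupPolicyId is required when devicePolicy is 'Group policy'")
        payload["groupPolicyId"] = group_policy_id
    status, body = send("PUT", _policy_url(network_id, client_id), payload)
    if status != 200:
        raise RuntimeError(f"PUT client policy failed with HTTP {status}")
    return body


def allow_list_and_verify(send: Transport, network_id: str, client_id: str,
                          attempts: int = 6, delay_s: float = 5.0) -> Tuple[dict, dict]:
    """Flip the client to 'Allowed' and poll until the dashboard reports it.
    Returns (policy_before, policy_after). This only proves the dashboard accepted
    the change; whether the MX actually enforces it needs a separate traffic test."""
    before = get_client_policy(send, network_id, client_id)
    set_client_policy(send, network_id, client_id, "Allowed")
    for _ in range(attempts):
        after = get_client_policy(send, network_id, client_id)
        if after.get("devicePolicy") == "Allowed":
            return before, after
        time.sleep(delay_s)
    raise RuntimeError("dashboard never reported devicePolicy=Allowed")


if __name__ == "__main__":
    # Offline run against the constructed fake. To run against a live org, pass
    # urllib_transport("<API key>") and a real network ID / client ID instead.
    fake = FakeDashboard({"mac": "aa:bb:cc:dd:ee:ff", "devicePolicy": "Group policy",
                          "groupPolicyId": "101"})
    before, after = allow_list_and_verify(fake, "N_placeholder", "k_placeholder", delay_s=0)
    print("before:", before)
    print("after: ", after)
```

The transport is injected so the same code path is exercised offline and live; against a real appliance, run the ping from step 1 of the reproduction after `allow_list_and_verify` returns, since that is the only check that distinguishes "configured" from "enforced".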

alemabrahao

One question: isn't this group policy applied to the VLAN as well?

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
cabricharme

It's applied primarily to a VLAN.

Does this change anything?

alemabrahao

See what the documentation says.

When a group policy is applied to a VLAN, that policy becomes the new "network default" for any other group policies applied to clients in that VLAN.

cabricharme

I am not sure how to read it, or what it means for my case.

If allow-listing a device is not supposed to work at all due to "network default" policies, then why does making an unrelated change to a group policy all of a sudden allow-list the device anyway? (See "how to reproduce" step 4 above.)

alemabrahao

What happens is that the group policy applied to the VLAN has higher priority than the other forms; that is, what counts is what is applied to the VLAN.

Edited:

What is the order of priority for Group Policies?

Since multiple Group Policies can affect the same settings, or overwrite network default settings, there is an order of priority in place for which settings will affect a client. This order is as follows, from top priority to lowest:

  1. Policies set manually for a specific client (on their client details page) take top priority. This includes the Whitelisting and Blocking default rules. 
  2. Network-wide policies applied automatically by device type, VLAN, SSID, etc. will override network default settings, but be overridden by manual policies.
  3. Network settings will be overridden by any policies applied to the client.
alemabrahao

You can find this information here: https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Troubleshooting_Gr...

I suggest you open a support case.

cabricharme

Sorry that I am so slow.

You're saying that explicitly allow-listing a device in a VLAN with a GP applied to it will have no effect with respect to active VLAN Group Policy rules. Does that sound right?

(That - despite "Policy - Show Details" showing no Layer 3, 7 or traffic shaping rules applied to the device at all...)

(It doesn't sound right to me - it's not what Meraki docs say - but OK. Let's assume for a second you're right.)

What I am saying is this:

  1. Allow-list a device. Observe the traffic still being blocked.
  2. Add a random "deny" rule to the Group Policy. (Adding such a rule should not allow any traffic from anywhere to anywhere, least of all from/to non-existent IP addresses... correct?)
  3. Observe the previously blocked traffic now flowing.

How does this make sense?

alemabrahao

Did you see my previous (corrected) post? What does the documentation say about priority?

cabricharme

Yes, thank you, saw it.

In other words, the behavior I am describing (if I am describing it accurately) - is unexpected, runs counter to Meraki docs, and does not represent a known bug?

alemabrahao

I suggest you open a support case. They will help you.

cabricharme

Done before I even posted here. As I mentioned in my original post, the goal of this thread was to rule out me doing something wrong, or known Meraki (mis)behavior. Looks like it's neither, which is strange given that a lot of orgs seem to use Meraki and VLAN GPs, and allow-listing is a common tool for troubleshooting issues.

Thanks for the help with this!
