Early Access: Organization Wide Group Policies concerns

GIdenJoe
Kind of a big deal

So I have started testing this feature by only adding Meraki switches and access points under this kind of policy.

So when I deployed this, for the moment everything is working. But I started digging into the configurations and found that it is literally what it says it is. A group policy. So you can find the group policy added into the networks where you have targeted scopes.

The two major concerns I have with this are that:
1) Regular group policies are stateless by nature. So this means if you have scoped VLANs that need inter-VLAN communication then you have to add a policy to the other VLANs too that allows the return traffic... which defeats the purpose of stateful firewalling, of course.
2) I noticed that while my destination object group contains all the necessary Meraki public IP ranges, the group policy only added the first one in there...

Can someone with internal knowledge explain this further?

- Will in the future group policies be stateful?  I hope so!
- I guess hitcounters will be out of the question?
- Group policies have content filter override and append and URL blacklist/whitelist, so I guess these features will be added in the future?

GIdenJoe
Kind of a big deal

Ok, I think Meraki needs to pull this feature and do some more testing.

Removing the groups and adding the individual objects does nothing, OR when changing rules they don't get pushed? Not sure yet. When you initially create the group and apply it, it shows it is working. However, if you edit it you don't have any indication if it is changing the local rules.

When trying to select objects and you filter, your selection is not respected and it just selects some other object for your destination addresses... really weird.

What happens when you edit the created group policy?  It does seem to allow you to just edit the thing without any repercussions.

Ryan_Miles
Meraki Employee All-Star

This feature only applies to MX/MX VLAN interfaces today. I'm not following your comment about applying it to Switch and Wireless networks.

jimmyt234
Head in the Cloud

I read that as they have a dedicated VLAN that the other Meraki products are in, a Management VLAN if you will. This would (in theory) only need access to the relevant Meraki dashboard IPs/ports.

GIdenJoe
Kind of a big deal

What I mean is that the Org-wide group policy is only dashboard logic that translates into a simple old regular network-wide group policy. And that construct has always been applied to both MX and MR and was later also used as a group policy ACL on switches. The issue I have with that construct is that it is extremely limited. You can't have multiple destinations per line, you can't even have sources, you can't have comma-separated ports, and worst of all, a group policy is always applied statelessly (even on an MX).

This is why I see the org-wide policy construct being expanded into multiple lines on the regular group policy to accommodate it. And here I ran into a bug where the logic failed to add multiple destinations into the group policy.

Outside of the GUI and expand problems, which are simple bugs that will be resolved in the future, I fear the way it is implemented makes it unsuitable for any kind of east-west traffic due to the fact that regular group policies are stateless. I would have loved to have the L3/4 firewall rules in an org-wide fashion where you do have rules that allow return traffic in due to the state table. And to have the whole paradigm changed where you could choose L7 and IPS rules per L3/4 rule instead of having to allow or block globally.
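As an added illustration of the two concerns raised in this thread (the stateless return-traffic problem from the first post, and the org-wide line being expanded into one single-destination rule per object-group member from this one), here is a small Python model. It is not code from the original posts or from Meraki; the VLAN prefixes, hosts, ports and rules are constructed sample values, and the "policy of the source VLAN, default allow" evaluation order is an assumption made for the model, not a statement about how the MX evaluates rules.

```python
"""Stateless (group-policy style) vs stateful (L3-firewall style) rule evaluation.

Added illustration, not Meraki code. Each packet is checked against the policy of
the VLAN its source address belongs to, either with no memory of earlier packets
(stateless) or with a flow table that admits replies (stateful). All prefixes,
hosts and ports below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dst_net: str           # one destination prefix per line, as in a group policy
    dport: Optional[int]   # None means any port


def expand_object_group(action: str, proto: str, dport: Optional[int],
                        members: List[str]) -> List[Rule]:
    """One org-wide line whose destination is an object group becomes one
    single-destination rule per member, because a policy line holds one destination."""
    return [Rule(action, proto, cidr, dport) for cidr in members]


def missing_destinations(rules: List[Rule], members: List[str]) -> List[str]:
    """Audit helper: object-group members that did not make it into the rule set."""
    present = {r.dst_net for r in rules}
    return [m for m in members if m not in present]


def match(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)


def policy_for(src: str, policies: Dict[str, List[Rule]]) -> List[Rule]:
    """Rule list of the VLAN (prefix) the source address sits in (assumed model)."""
    for cidr, rules in policies.items():
        if ipaddress.ip_address(src) in ipaddress.ip_network(cidr):
            return rules
    return []


def stateless_decision(policies: Dict[str, List[Rule]], pkt: Packet) -> str:
    """Group-policy style: every packet, the reply included, is judged on its own."""
    for rule in policy_for(pkt.src, policies):
        if match(rule, pkt):
            return rule.action
    return "allow"  # assumed implicit default; the sample policies end in an explicit deny


class StatefulFirewall:
    """L3-firewall style: judge the first packet, remember the flow, admit its replies."""

    def __init__(self, policies: Dict[str, List[Rule]]):
        self.policies = policies
        self.flows = set()

    def decision(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.flows:
            return "allow"  # reply to an established flow; no mirror rule needed
        verdict = stateless_decision(self.policies, pkt)
        if verdict == "allow":
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return verdict


# Constructed scenario: clients in 10.10.0.0/24 may reach HTTPS servers in 10.20.0.0/24.
CLIENT_VLAN, SERVER_VLAN = "10.10.0.0/24", "10.20.0.0/24"
DENY_ALL = Rule("deny", "any", "0.0.0.0/0", None)
POLICIES = {
    CLIENT_VLAN: [Rule("allow", "tcp", SERVER_VLAN, 443), DENY_ALL],
    SERVER_VLAN: [DENY_ALL],
}
# The mirror rule a stateless deployment needs on the server VLAN so replies get through.
POLICIES_WITH_RETURN_RULE = {
    CLIENT_VLAN: POLICIES[CLIENT_VLAN],
    SERVER_VLAN: [Rule("allow", "tcp", CLIENT_VLAN, None), DENY_ALL],
}
REQUEST = Packet("10.10.0.5", "10.20.0.9", "tcp", 51000, 443)
REPLY = Packet("10.20.0.9", "10.10.0.5", "tcp", 443, 51000)
SERVER_INITIATED = Packet("10.20.0.9", "10.10.0.5", "tcp", 40000, 22)


def compare() -> dict:
    """Verdicts side by side: stateless, stateful, and stateless with the mirror rule."""
    fw = StatefulFirewall(POLICIES)
    return {
        "stateless_request": stateless_decision(POLICIES, REQUEST),
        "stateless_reply": stateless_decision(POLICIES, REPLY),
        "stateful_request": fw.decision(REQUEST),
        "stateful_reply": fw.decision(REPLY),
        "stateful_server_initiated": fw.decision(SERVER_INITIATED),
        "mirrored_reply": stateless_decision(POLICIES_WITH_RETURN_RULE, REPLY),
        "mirrored_server_initiated": stateless_decision(POLICIES_WITH_RETURN_RULE, SERVER_INITIATED),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:28s} {verdict}")
    members = ["198.51.100.0/24", "203.0.113.0/24"]  # constructed, not real Meraki ranges
    expanded = expand_object_group("allow", "tcp", 443, members)
    print("missing if only the first member is expanded:",
          missing_destinations(expanded[:1], members))
```

The point the verdicts make: statelessly the reply from the server VLAN is dropped until a mirror "allow tcp to the client VLAN" line is added there, and once it is, the server VLAN can also initiate connections to clients, which is exactly the protection a state table would have kept. The `missing_destinations` check is the kind of audit you would run after an org-wide line is expanded, to confirm every object-group member produced a rule.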

RaphaelL
Kind of a big deal

L3 Firewall rules Org-Wide are coming soon. 
GP are not really meant to replace the standard stateful L3 rules. Different needs imo

GIdenJoe
Kind of a big deal

You sure? I haven't caught anything about that.
I know about the org-wide GPO since Cisco Live EUR 2024 already.

They could just fix the GPO's to apply it statefully on the MX.