Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Geoblocking Question

ktv-meraki
Here to help
‎Aug 9 2023 9:41 AM
‎Aug 9 2023 9:41 AM

Geoblocking Question

Probably a simple question so here goes.  We just configured a site to block everything except the US and Canada and learned that a specific IP in Australia needs to be allowed.  As a quick fix, I added Australia as an allowed country.  How would I go about prohibiting Australia but allowing a single IP from the country?

0 Kudos
Subscribe
4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 9 2023 10:00 AM
‎Aug 9 2023 10:00 AM

You can create a L3 rule, but it probably will not work.

 

 

Traffic Blocked by Layer 7 Rule

The MR access point and MX security appliance differ slightly in their processing of L7 firewall rules after the L3 firewall. On the MR, if traffic matches an allow rule on the L3 firewall, that traffic will bypass the L7 firewall altogether. On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.

On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.

Layer 3 Rules

  1. Matched - Traffic allowed through L3 firewall
  2. Not processed
  3. Not processed

Layer 7 Rules

  1. Matched - Traffic blocked
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 9 2023 1:09 PM
‎Aug 9 2023 1:09 PM

You can't.

Subscribe
pmhaske
Meraki Employee
Meraki Employee
‎Aug 9 2023 1:48 PM
‎Aug 9 2023 1:48 PM

Hello!

As stated above MR will bypass the L7 rule if there is a matching allow rule for the IP address in the L3 rule, so only wireless clients that connect to MR will be able to access the IP address.

 

Unfortunately, MR L7 rules don't have an option for country block, so you don't have option block Australia and then allow one IP address in L3 rules.

MX L7 rules are all or nothing type of configuration, so you would need to remove geo-block for Australia which is what you have done already. However, it will be a good Feature to that will allow certain IPs from geo blocked countries, I encourage adding a feedback on the dashboard via Feedback button. 

0 Kudos
Subscribe
ktv-meraki
Here to help
‎Aug 9 2023 5:26 PM
‎Aug 9 2023 5:26 PM

Thank you for the feedback! Much appreciated!

 

I will certainly add this feature to a feedback suggestion.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.