Hi,
I have the following setup: Cisco SW --- MX100, with a trunk in between. On the MX, under VLANs, I have VLAN 1000 with a group policy attached.
I test on a PC that is on VLAN 1000. No matter what changes are made to the group policy, they have no effect on the internet traffic on the PC. In other words, nothing is blocked via group policy; only the default Meraki filtering works.
Is the default gateway for the PC the MX?
Default GW is the MX per VLAN.
Hi
This seems to be strange. Can you verify that the policy is affecting the specified client? (Network-wide->Clients)
Also match the physical MAC address of device with the MAC address detected on the dashboard.
I checked the client... you are right, it's not being effective... the policy listed is normal, not the one I assigned per VLAN.
Anything else I missed? The client tracking is set to use IP address instead of MAC address.
If you configure a group policy at the VLAN level, this won't be reflected on a per-client basis. The policy assigned directly to the client will override any policies assigned at the VLAN level. Does the group policy assigned to the VLAN still not work even if the client device has a "normal" policy?
I have exactly the same issue as CiscoFan1. VLAN policies are not applied to clients on that VLAN. If that is the case, what are they applied to? I want all devices assigned to the VLAN to get the policy assigned to that VLAN, but this does not seem to happen.
Any suggestions as to how to end up with all devices assigned to a particular VLAN getting that VLAN's GP?
Hi,
I need to rectify my answer. @AdamB is correct.
Network-wide->client will display the policy as "Normal". (However, I believe even if we apply a Group Policy manually, that will be overridden by the VLAN-based Group Policy.)
I created a LAB to test the scenario.
The topology is ISP->MX64->Unmanaged Switch->POE Injector->MR18
On MX64 - Created a VLAN 100
Applied a Group Policy on VLAN 100
On MR - Created a SSID in Bridge Mode Tagging VLAN 100
Network-wide->Clients Displays my laptop in VLAN 100 but policy as "Normal"
IP Address is from the desired VLAN 100.
Test I
Modified the Group Policy on MX.
Added the Rule Deny "Social Web and Photo sharing"
Result: Access to Facebook is Blocked
Test II
Modified the Group Policy.
Removed the Rule Deny "Social Web and Photo sharing"
Result: Access to Facebook is Allowed
So the end result is: in my LAB environment the Group Policy on VLAN works.
OK, the per-VLAN group policy works using the Facebook example... but the client-side tracking page still shows "normal" under the policy column.
Yes...
And I can confirm I have the same issue on an MX84 right now - group policy works, but you can't see it - very frustrating... And if you go under the specific client and click "show details" then you can't see the rules either...
And quite the same goes for wireless clients - if you have e.g. L7 blocking for countries in the MX default rules, then this will apply to the wireless clients due to the fact that traffic is going through the firewall - so far so good...! BUT you can't see this L7 rule either... Now the funny thing is, if you attach a group policy which does nothing at all (set all options to "use network default") and attach this to the specific client, THEN you will now see the DO_NOTHING group policy AND the L7 firewall rules....!
This has to be a fault in the dashboard view...! - and not a "make a wish" feature... just as Meraki support suggested I post, when I reported this issue.
Regards.
Preben Knudsen
I just tested this on my MX65 and got the same result. Group policies are being applied, but in addition to the display problems listed by others, if you look at Network Wide -> Group Policies, the policy will show zero devices in that policy.
Hi
I've linked a GP to the default VLAN that blocks some subnets used in Auto VPN.
All seems configured in the right way, but I'm still able to access the resources I want to block...
Any suggestions?
Thanks