Group policy not working

Solved
ciscofan1
Comes here often


hi,

I have the following setup: Cisco switch --- MX100, with a trunk in between. On the MX, under VLANs, I have VLAN 1000 with a group policy attached.

I test on a PC that is on VLAN 1000. No matter what changes are made to the group policy, there is no effect on the PC's internet traffic; in other words, nothing is blocked via the group policy, only the default Meraki filtering works.

1 Accepted Solution
AjitKumar
Head in the Cloud

Hi,

I need to rectify my answer. @AdamB is correct.

Network-wide->Clients will display the policy as "Normal". (However, I believe that even if we apply a Group Policy manually, it will be overridden by the VLAN-based Group Policy.)

 

I created a LAB to test the scenario.

The topology is ISP->MX64->Unmanaged Switch->POE Injector->MR18

 

On MX64 - Created a VLAN 100

Applied a Group Policy on VLAN 100

[Screenshot: VLAN GP 1.PNG]

 

On MR - Created a SSID in Bridge Mode Tagging VLAN 100

Network-wide->Clients Displays my laptop in VLAN 100 but policy as "Normal"

IP Address is from the desired VLAN 100.

[Screenshot: VLAN GP 3.PNG]

 

Test I

Modified the Group Policy on MX.

Added the Rule Deny "Social Web and Photo sharing"

Result: access to Facebook is blocked.

 

Test II

Modified the Group Policy.

Removed the Rule Deny "Social Web and Photo sharing"

Result: access to Facebook is allowed.

 

So the end result is: in my LAB environment, the Group Policy on the VLAN works.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network


13 Replies
PhilipDAth
Kind of a big deal

Is the default gateway for the PC the MX?

ciscofan1
Comes here often

The default GW is the MX, per VLAN.

AjitKumar
Head in the Cloud

Hi

 

This seems strange. Can you verify that the policy is affecting the specified client? (Network-wide->Clients)

Also match the physical MAC address of the device with the MAC address detected on the dashboard.

 

[Screenshot: Policy.PNG]

 

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
ciscofan1
Comes here often

I checked the client. You are right, it's not taking effect; the policy listed is "Normal", not the one I assigned per VLAN.

ciscofan1
Comes here often

Anything else I missed? The client tracking is set to use IP address instead of MAC address.

AdamB
Meraki Employee

If you configure a group policy at the VLAN level, this won't be reflected on a per-client basis. The policy assigned directly to the client will override any policies assigned at the VLAN level. Does the group policy assigned to the VLAN still not work even if the client device has a "normal" policy?
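Since the dashboard lists such clients as "Normal", the precedence AdamB describes can be applied offline to see which policy is really in force per client. This is an added example, not code from the thread or from Meraki; the record shapes and policy-name strings are constructed and only assumed to resemble Dashboard API data.

```python
# Added example, not from the thread: resolve which group policy is really in
# force for each client under the precedence AdamB describes (a policy set on
# the client overrides the VLAN's; "Normal" inherits the VLAN's policy).
# Record shapes are constructed and only assumed to resemble Dashboard API data.
from typing import Optional

# Constructed sample: group policy id -> name (assumption)
GROUP_POLICIES = {"100": "Block social media", "101": "Guest restrictions"}

# Constructed sample: VLANs with a policy attached under Addressing & VLANs
VLANS = [
    {"id": 1000, "name": "Users", "groupPolicyId": "100"},
    {"id": 1, "name": "Default", "groupPolicyId": None},
]

# Constructed sample: clients as the dashboard lists them; "Normal" is what
# the thread reports even when the VLAN's policy is in effect
CLIENTS = [
    {"mac": "aa:bb:cc:00:00:01", "vlan": 1000, "devicePolicy": "Normal", "groupPolicyId": None},
    {"mac": "aa:bb:cc:00:00:02", "vlan": 1000, "devicePolicy": "Group policy", "groupPolicyId": "101"},
    {"mac": "aa:bb:cc:00:00:03", "vlan": 1, "devicePolicy": "Normal", "groupPolicyId": None},
    {"mac": "aa:bb:cc:00:00:04", "vlan": 1, "devicePolicy": "Blocked", "groupPolicyId": None},
]


def effective_policy(client: dict, vlans: list, policies: dict) -> Optional[str]:
    """Name of the policy in force for one client; None means network default."""
    dev = client.get("devicePolicy", "Normal")
    if dev == "Blocked":  # explicit per-client block wins outright
        return "Blocked"
    if dev == "Group policy" and client.get("groupPolicyId"):
        return policies.get(client["groupPolicyId"], client["groupPolicyId"])
    # "Normal": fall through to the VLAN the client sits in
    vlan = next((v for v in vlans if v["id"] == client.get("vlan")), None)
    if vlan and vlan.get("groupPolicyId"):
        return policies.get(vlan["groupPolicyId"], vlan["groupPolicyId"])
    return None  # only the network's default rules (the "default Meraki filtering")


def audit(clients=CLIENTS, vlans=VLANS, policies=GROUP_POLICIES) -> dict:
    """Map client MAC -> effective policy, making VLAN-inherited policies visible."""
    return {c["mac"]: effective_policy(c, vlans, policies) for c in clients}


if __name__ == "__main__":
    for mac, pol in audit().items():
        print(f"{mac}: {pol or 'network default'}")
```

Feeding real VLAN and client records into `audit` gives the per-client view the dashboard's "Normal" label hides.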

ciscofan1
Comes here often

>>>Does the group policy assigned to the VLAN still not work even if the client device has a "normal" policy?

Well, that is what I need to test: whether the VLAN-assigned policy overrides the global policy ("normal policy"). Any quick test?

What I want is to see the output AjitKumar showed above, though I am not sure if he used a VLAN-based policy.
Ramtech
Here to help

I have exactly the same issue as CiscoFan1. VLAN policies are not applied to clients on that VLAN. If that is the case, what are they applied to? I want all devices assigned to the VLAN to get the policy assigned to that VLAN, but this does not seem to happen.

Any suggestions as to how to end up with all devices assigned to a particular VLAN get that VLAN's GP?

Regards
Ross
ciscofan1
Comes here often

OK, it works with the per-VLAN group policy using the Facebook example, but the client-side tracking page still shows "normal" under the policy column.

Preben_Knudsen
Here to help

Yes...

 

And I can confirm I have the same issue on an MX84 right now: the group policy works, but you can't see it, which is very frustrating... And if you go to the specific client and click "show details", then you can't see the rules either...

 

And quite the same goes for wireless clients: if you have, i.e., L7 blocking for countries in the MX default rules, then this will apply to the wireless clients due to the fact that traffic is going through the firewall, so far so good...! BUT you can't see this L7 rule either... Now the funny thing is, if you create a group policy which does nothing at all (set all options to "use network default") and attach it to the specific client, THEN you will see the DO_NOTHING group policy AND the L7 firewall rules....!

 

This has to be a fault in the dashboard view...! And not a "make a wish" feature, which is what Meraki support suggested I post when I reported this issue.

 

 

Regards.

Preben Knudsen

DHAnderson
Head in the Cloud

I just tested this on my MX65 and got the same result.  Group policies are being applied, but in addition to the display problems listed by others, if you look at Network Wide -> Group Policies, the policy will show zero devices in that policy.

 

Dave Anderson
MarcoBri
Comes here often

 

Hi

I've linked a GP to the default VLAN that blocks some subnets used in Auto VPN.

All seems configured the right way, but I'm still able to access the resources I want to block...

Any suggestions?

 

Thanks

 
