
Group policy not working

SOLVED
Comes here often

Group policy not working

Hi,

I have the following setup....cisco sw ---mx100....trunk in between. On mx, under vlan I have vlan1000 with a group policy attached.

I test on a PC that is on vlan1000, no matter what changes are done on the group policy...has no effect to the internet traffic on the pc..in other words nothing is blocked via group policy only the default meraki filtering works

1 ACCEPTED SOLUTION

Accepted Solutions
Head in the Cloud

Re: Group policy not working

Hi,

I need to rectify my answer. @AdamB is correct.

Network-wide->client will display the policy as "Normal". (However I believe even if we apply a Group Policy manually that will be overridden by VLAN based Group Policy)

 

I created a LAB to test the scenario.

The topology is ISP->MX64->Unmanaged Switch->POE Injector->MR18

 

On MX64 - Created a VLAN 100

Applied a Group Policy on VLAN 100

On MR - Created a SSID in Bridge Mode Tagging VLAN 100

Network-wide->Clients Displays my laptop in VLAN 100 but policy as "Normal"

IP Address is from the desired VLAN 100.

Test I

Modified the Group Policy on MX.

Added the Rule Deny "Social Web and Photo sharing"

Result Access to Facebook is Blocked

 

Test II

Modified the Group Policy.

Removed the Rule Deny "Social Web and Photo sharing"

Result Access to Facebook is Allowed

 

So the end result is: in my LAB environment the Group Policy on VLAN works.

Regards
Ajit
ajitsnw@gmail.com
https://www.linkedin.com/in/ajitkumarverma/

12 REPLIES
Kind of a big deal

Re: Group policy not working

Is the default gateway for the PC the MX?

Comes here often

Re: Group policy not working

default gw is the mx per vlan

Head in the Cloud

Re: Group policy not working

Hi

 

This seems to be strange. Can you verify that the policy is affecting the specified client? (Network-wide->Clients)

Also match the physical MAC address of device with the MAC address detected on the dashboard.

 

Regards
Ajit
ajitsnw@gmail.com
https://www.linkedin.com/in/ajitkumarverma/
Comes here often

Re: Group policy not working

I checked the client...you are right it's not being effective...policy listed is normal not the one I assigned per vlan

Comes here often

Re: Group policy not working

Anything else I missed? ....the client tracking is set to use ip address instead of mac address

Meraki Employee

Re: Group policy not working

If you configure a group policy at the VLAN level, this won't be reflected on a per-client basis. The policy assigned directly to the client will override any policies assigned at the VLAN level. Does the group policy assigned to the VLAN still not work even if the client device has a "normal" policy?

Comes here often

Re: Group policy not working

>>>Does the group policy assigned to the VLAN still not work even if the client device has a "normal" policy?

Well that is what I need to test, whether vlan assigned policy overrides the global policy ("normal policy")...any quick test?

What I want is to see the output AjitKumar showed above...though I am not sure if he used vlan based policy
Here to help

Re: Group policy not working

I have exactly the same issue as CiscoFan1. VLAN policies are not applied to clients on that VLAN. If that is the case, what are they applied to? I want all devices assigned to the VLAN to get the policy assigned to that VLAN, but this does not seem to happen.

Any suggestions as to how to end up with all devices assigned to a particular VLAN get that VLAN's GP?

Regards
Ross

Comes here often

Re: Group policy not working

ok it works per-vlan group policy using the facebook example...but the client side tracking page still shows as "normal" under the policy column.

Here to help

Re: Group policy not working

Yes...

 

And I can confirm I have the same issue on a MX84 right now - group policy works, but you can't see it - very frustrating... And if you go under the specific client and click "show details" then you can't see the rules either...

And quite the same goes for wireless clients - if you have i.e. L7 blocking for countries in the MX default rules, then this will apply for the wireless clients due to the fact that traffic is going through the firewall - so far so good...! BUT you can't see this L7 rule either... now the funny thing is if you attach a group-policy which does nothing at all (set all options to "use network default") and attach this to the specific client, THEN you will now see the DO_NOTHING group policy AND the L7 firewall rules....!

This has to be a fault in dashboard view...! - and not a "make a wish" feature... just as Meraki support suggested I post, when I reported this issue.

 

 

Regards.

Preben Knudsen

Building a reputation

Re: Group policy not working

I just tested this on my MX65 and got the same result.  Group policies are being applied, but in addition to the display problems listed by others, if you look at Network Wide -> Group Policies, the policy will show zero devices in that policy.

 
