How to prevent inter-vlan communication on mx? firewall layer 3 seems not working

Qing
Getting noticed

How to prevent inter-vlan communication on mx? firewall layer 3 seems not working

HI, How to prevent inter-vlan communication on mx? firewall layer 3 seems not working. Anyone, please advise, thanks in advance.

 

6 REPLIES 6
MarcP
Kind of a big deal

Can you please provide your settings?

 

Did you deny all or just TCP Traffic so you still would be ablet to do pings (ICMP)

May take some seconds to update 

BrechtSchamp
Kind of a big deal

It should be. The info note next to the L3 firewall states:

"Filter traffic from LAN clients to the Internet, to hosts on other VLANs, or to hosts across static LAN routes.

You can enter IP networks as your Source or Destination using CIDR notation (A.B.C.D/X). You can also enter a range of ports into the Src port or Dst port fields. For instance, a rule could be configured to block any traffic on ports 1024 through 60000 by entering 1024-60000 into the Dst port field."

 

Keep in mind that it may take some time for these to become active, the config needs a few seconds to synchronized and existing connection might be unaffected. Disconnecting and reconnecting the client you're using to test might help.

Could be wrong, but if memory serves, even if you block communications from VLAN 1 to VLAN 2 (example), you can still ping the gateway of both, from either VLAN. And if I am remembering that correctly, then I also remember not liking that and wishing it would block the VLANs 100% instead of 99%
Nolan Herring | nolanwifi.com
TwitterLinkedIn

Thanks all of you guys for your kind reply, I will try again and let you know the result.

Any luck?  I am unable to block any traffic between vlans.  I have the following rule at the top of my outbound rules:

Policy - Deny

Protocol - Any

Source - 10.1.1.40/32

Src port - Any

Destination - 192.168.1.0/24

Dst port - Any

 

I can ping all hosts on 192.168.1.0/24 from 10.1.1.40. 

Solve!  at least for me...

 

My MX is integrated with Umbrella and in order to make this work you must apply Group Policies to devices and the Group Policy must be set to 'Custom Network Firewall & Traffic Shaping Rules'.  This means any host in that group will ignore the Firewall rules and must be configured in the group.

 

Once I configured the rules in the policy all traffic was blocked.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels