Meraki

Dutra · ‎Jul 21 2021

Hi everyone!

In a project, part of a company's network will use Meraki and another part will not.

Communication that is initiated from any company LAN network (Meraki or not) must be allowed to enter into Meraki LAN.

The sites that will deploy Meraki devices will be in Hub spoke topology. The MX in the Data Center will operate in Routed mode. The Hub will be directly connected to a third-party Layer 3 switch Core. The core has routes to reach all the company's networks. I am considering that a remote LAN owned by the company configured with a private IP address and that is not a Meraki device is an external network from the MX point of view.

What would be best suited to allow traffic initiated from a remote LAN to the LAN behind a Meraki MX?

If Layer 3 Outbound Firewall rules are created on the MX with LAN Meraki as the source and the remote LAN networks as the destination, will communication initiated on the remote LAN in the inbound direction be allowed? Where should these rules be applied? On MX Hub and also on MX Spoke or just on one of them?

Thank you in advance!

Bruce · ‎Jul 22 2021

@Dutra the MX outbound firewall rules will be applied to any traffic that is going from the LAN side to the WAN side (but not into a VPN/SD-WAN tunnel - the Site-to-Site VPN Outbound firewall rules apply to theses), or that is going from one VLAN to another on the LAN side.

The static route will just direct traffic where to go, the firewall rules will only be applied if the traffic crosses one of the Layer 3 boundaries I mentioned above.

View solution in original post

PhilipDAth · ‎Jul 21 2021

If the traffic enters the MX via a VLAN interface for another VLAN interface it will be allowed by default.

I would connect the two different systems via a VLAN interface.

Bruce · ‎Jul 21 2021

@Dutra, creating a outbound firewall rule won’t allow the reverse inbound traffic to initiate the connection, it will only allow a flow that was initiated in the outbound direction.

As Philip stated you’ll need to connect the network to a LAN port with its own VLAN. The outbound firewall rules apply to traffic that is ‘outbound’ from any VLAN, which includes going from one VLAN to another, so you can create outbound firewall rules that apply to traffic sourced from the non-Meraki network with a destination of the Meraki networks.

All this assumes there is no AutoVPN or SD-WAN involved.

Dutra · ‎Jul 22 2021

@Bruce Thank you for your answer!

There is SD-WAN and Auto VPN between the Meraki MX Spoke and MX Hub.

The LAN port of the Hub MX is connected to a Layer 3 switch Core (Let's say I configured a single LAN with network address 10.0.0.0 /24. So the Hub MX is 10.0.0.2 and the switch core is 10.0.0.1 ). I created a default route on the Hub MX pointing the Switch Core as the Default Gateway to reach all other networks of the company (and Internet).

The static route would be 0.0.0.0 /0 next hop 10.0.0.1

Actually, the question is if I create a static route on the MX to reach some networks, the traffic coming from these networks will be subject to be processed by the firewall? Or is considered local traffic of the LAN 10.0.0.0 ?

Bruce · ‎Jul 22 2021

@Dutra the MX outbound firewall rules will be applied to any traffic that is going from the LAN side to the WAN side (but not into a VPN/SD-WAN tunnel - the Site-to-Site VPN Outbound firewall rules apply to theses), or that is going from one VLAN to another on the LAN side.

The static route will just direct traffic where to go, the firewall rules will only be applied if the traffic crosses one of the Layer 3 boundaries I mentioned above.

Dutra · ‎Jul 23 2021

@Bruce Thank you for the answer!

Meraki

Community

Inbound traffic of remote LAN

Inbound traffic of remote LAN