Inter VLAN Routing.

Solved
Johnfnadez
Building a reputation


Hi Merakiers!!

I've been trying to block inter-VLAN routing in my outbound firewall rules, but if I perform a ping from my computer in 192.168.22.0/24 to 172.16.101.0/24, the ping succeeds.

[Screenshot attached: Screen Shot 2020-04-30 at 4.31.28 PM.png]

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
1 Accepted Solution
PhilipDAth
Kind of a big deal

That shouldn't be working.

I'll tell you the way I tend to do it. I create a group policy per VLAN, assign the group policy to the VLAN, and then apply the firewall rules in the group policy.

It helps break up big firewall rule bases and makes it obvious which network segment the firewall rules are acting on.

4 Replies

MerakiDave
Meraki Employee

Are you pinging the interface IP of the MX itself?  That might still work due to the process flow.  But if the source and destination of the pings are other devices beyond the MX interface itself, I'd open a support case to assist with a packet walk since it should be blocked, and of course make sure there's not some other alternate path apart from the MX itself to get between VLANs.  Also confirm first, via packet capture on the LAN side of the MX, that you are in fact seeing the ICMP traffic ingress and egress.  Also, as a test, create 2 permit statements for the same traffic and place them higher in the list and see if their hit counters increase, then remove them and test again to confirm they're skipping the deny statements somehow.  

CN
Meraki Alumni (Retired)

In addition to what @MerakiDave mentioned, I would try pinging a different device in the other subnet, or try pinging from a different computer. If you were pinging before you implemented the firewall rule, then it will continue to respond to pings and needs time to expire.

whistleblower
Building a reputation

But there is an important thing to notice! The difference when using a group policy with Layer 3 firewalling is that the behavior is stateless, while it's stateful when doing it on the firewall page of the security appliance!
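The three points made in this thread (first-match rule order and hit counters from @MerakiDave, one group policy per VLAN from @PhilipDAth, and the stateless-versus-stateful difference from @whistleblower) can be seen side by side in a small simulator. This is an added example written for this page; it is not Meraki code and not something anyone in the thread posted. It assumes simplified semantics: rules match on source and destination CIDR only, an unmatched packet falls through to an implicit allow, the appliance firewall keeps a session keyed on the (src, dst) address pair, and a group policy is evaluated per packet against the policy of the VLAN the packet came from. The subnets are the ones from the original question; the host addresses and rule comments are constructed.

```python
"""Simulator for Meraki-style L3 firewall evaluation (added example, not Meraki code).

Assumed, simplified semantics:
  * first matching rule wins, implicit allow at the end of the list
  * appliance firewall page = one rule base, stateful (reply of an allowed flow passes)
  * group policy = per-VLAN rule base, stateless (every packet is evaluated)
"""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    policy: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    comment: str = ""
    hits: int = 0          # hit counter, like the one shown in the dashboard

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in_cidr(self.src, src_ip) and _in_cidr(self.dst, dst_ip)


def _in_cidr(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr)


def evaluate(rules: list, src: str, dst: str) -> str:
    """First matching rule wins and gets a hit; no match means implicit allow."""
    for rule in rules:
        if rule.matches(src, dst):
            rule.hits += 1
            return rule.policy
    return "allow"


@dataclass
class ApplianceFirewall:
    """Firewall page of the security appliance: one rule base, stateful."""
    rules: list
    sessions: set = field(default_factory=set)   # (src, dst) pairs already allowed

    def forward(self, src: str, dst: str) -> str:
        if (dst, src) in self.sessions:          # return traffic of an allowed flow
            return "allow"
        verdict = evaluate(self.rules, src, dst)
        if verdict == "allow":
            self.sessions.add((src, dst))
        return verdict


@dataclass
class GroupPolicyFirewall:
    """One group policy per VLAN: each packet is checked against the policy of
    the VLAN it comes from, with no session table (stateless)."""
    policies: dict                               # {vlan_cidr: [Rule, ...]}

    def forward(self, src: str, dst: str) -> str:
        for vlan_cidr, rules in self.policies.items():
            if ip_address(src) in ip_network(vlan_cidr):
                return evaluate(rules, src, dst)
        return "allow"


def ping(fw, client: str, server: str) -> str:
    """Echo request one way, echo reply the other; report where it stopped."""
    if fw.forward(client, server) != "allow":
        return "request blocked"
    if fw.forward(server, client) != "allow":
        return "reply blocked"
    return "reply received"


# Constructed sample data: subnets from the question, hosts made up for the example.
VLAN22, VLAN101 = "192.168.22.0/24", "172.16.101.0/24"
PC, SERVER = "192.168.22.10", "172.16.101.20"


def misordered_appliance() -> ApplianceFirewall:
    """A permit-any left above the deny: the ping succeeds and only the permit gets hits."""
    return ApplianceFirewall([
        Rule("allow", "any", "any", "temporary permit left at the top"),
        Rule("deny", VLAN22, VLAN101, "block VLAN 22 -> VLAN 101"),
    ])


def corrected_appliance() -> ApplianceFirewall:
    """Deny placed above the permit-any: the echo request is dropped."""
    return ApplianceFirewall([
        Rule("deny", VLAN22, VLAN101, "block VLAN 22 -> VLAN 101"),
        Rule("allow", "any", "any", "default"),
    ])


def one_way_appliance() -> ApplianceFirewall:
    """Only VLAN 101 -> VLAN 22 is denied; stateful, so replies to VLAN 22 still pass."""
    return ApplianceFirewall([Rule("deny", VLAN101, VLAN22, "block VLAN 101 -> VLAN 22")])


def one_way_group_policy() -> GroupPolicyFirewall:
    """Same one-way deny as a per-VLAN group policy; stateless, so it also drops
    the echo replies that VLAN 101 hosts send back to VLAN 22."""
    return GroupPolicyFirewall({
        VLAN22: [],
        VLAN101: [Rule("deny", VLAN101, VLAN22, "block VLAN 101 -> VLAN 22")],
    })


if __name__ == "__main__":
    fw = misordered_appliance()
    print("misordered appliance, PC -> server:", ping(fw, PC, SERVER),
          [(r.comment, r.hits) for r in fw.rules])
    print("corrected appliance,  PC -> server:", ping(corrected_appliance(), PC, SERVER))
    print("one-way appliance,    PC -> server:", ping(one_way_appliance(), PC, SERVER))
    print("one-way group policy, PC -> server:", ping(one_way_group_policy(), PC, SERVER))
```

Running it shows the misordered rule base letting the ping through while the deny's hit counter stays at zero, which is exactly what the temporary-permit test in the thread is designed to expose. The last two lines show the caveat about group policies: the same one-directional deny blocks the ping entirely when it is stateless, because the echo reply is evaluated on its own against the destination VLAN's policy.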
