Isolate vlan from all other vlans!

SOLVED
nikmagashi
Getting noticed

Isolate vlan from all other vlans!

Hi,

 

If I want to isolate a vlan from reaching all other vlans should I create a rule for it like Deny, any protocol, specify the source, destination "Any", and destination port "Any"! Because I have created this rule, and also another rule, thus I have denied the ICMP (I thought maybe there should be another one for ICMP), but still when I ping other vlans gateway, I get a reply?

1 ACCEPTED SOLUTION
jdsilva
Kind of a big deal

Hi @nikmagashi,

 

Firewall rules on the MX are not able to filter traffic that is destined for any interface on the MX. So your example where you say that you can still reach the gateway IP of other VLANs is normal operation, assuming those gateway IP's are all on the MX. This is a quirk of the MX and unfortunately not something you can prevent. 

View solution in original post

7 REPLIES 7
Uberseehandel
Kind of a big deal

Generally speaking, when setting up secure networks, it simplifies the configuration if the following principles are adhered to:

  • use a Management VLAN for network devices
  • create VLANs to meet all logical device/user classifications, without exception
  • explicitly declare the VLANs each port may pass
  • never use the ALL option when configuring uplinks
  • Ensure that the VLAN reserved for guests is configured to isolate guests from each other

As a frugal person, I like to be parsimonious with my use of rules, get profligate with these and you will soon lose the plot. 😎

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

The infrastructure which we use is a bit flat and do not offer those possibilities you have mentioned (which of course are excellently listed by you). My client has a virtual environment which they create their virtual machine there and this VM in particular should be isolated from any other VM in any other vlan. For that purpose I have created the vlan in the MX and then assigned the subnet and MX IP as I mentioned on the first post. Then I created the rules. The interesting part is that the rules seems to work if I try and ping other servers on the other vlans. But if I do ping the default gateway of these serves aka the MX IP of other vlans I do get a reply. So my question is, is this a default behavior for the MX or is there anything I am missing? Because as I said this server should be isolated very strictly as it will be opened to be reachable from the internet!

@nikmagashi 

 

I usually get another member of the team to do the VM stuff, so in this forum, you would be much better off asking @PhilipDAth or @BrechtSchamp for guidance.

I have come across the issue of devices on VLAN xx "seeing" devices on VLAN yy previously, on various manufacturers' kit. One is usually assured it doesn't matter. In the real world, I have stopped it occurring by ensuring that the underlying LAN is not the same for both VLANs. I don't know if that is an option, in the circumstances you describe.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
jdsilva
Kind of a big deal

Hi @nikmagashi,

 

Firewall rules on the MX are not able to filter traffic that is destined for any interface on the MX. So your example where you say that you can still reach the gateway IP of other VLANs is normal operation, assuming those gateway IP's are all on the MX. This is a quirk of the MX and unfortunately not something you can prevent. 

Well I think this is the only explanation that fits to my topic! Thank you!

JohnT
Getting noticed

I always create a "Deny All" rule for my entire local subnet.  This blocks all inter-vlan traffic.  All inter-vlan traffic that I want to permit I put above that line, and everything else goes below it.  In your case, you would put the ICMP rule above the Deny All rule.

 

Here is an example:

 

meraki.png

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels