Hi,
If I want to isolate a VLAN from reaching all other VLANs, should I create a rule for it like: Deny, any protocol, specify the source, destination "Any", and destination port "Any"? Because I have created this rule, and also another rule, thus I have denied ICMP (I thought maybe there should be another one for ICMP), but still, when I ping the other VLANs' gateway, I get a reply?
Hi @nikmagashi,
Firewall rules on the MX are not able to filter traffic that is destined for any interface on the MX. So your example, where you say that you can still reach the gateway IP of other VLANs, is normal operation, assuming those gateway IPs are all on the MX. This is a quirk of the MX and unfortunately not something you can prevent.
Generally speaking, when setting up secure networks, it simplifies the configuration if the following principles are adhered to:
As a frugal person, I like to be parsimonious with my use of rules, get profligate with these and you will soon lose the plot. 😎
The infrastructure which we use is a bit flat and does not offer those possibilities you have mentioned (which of course are excellently listed by you). My client has a virtual environment in which they create their virtual machines, and this VM in particular should be isolated from any other VM in any other VLAN. For that purpose I have created the VLAN in the MX and then assigned the subnet and MX IP as I mentioned in the first post. Then I created the rules. The interesting part is that the rules seem to work if I try to ping other servers on the other VLANs. But if I ping the default gateway of these servers, aka the MX IP of the other VLANs, I do get a reply. So my question is: is this the default behavior of the MX, or is there anything I am missing? Because, as I said, this server should be isolated very strictly, as it will be opened up to be reachable from the internet!
I usually get another member of the team to do the VM stuff, so in this forum, you would be much better off asking @PhilipDAth or @BrechtSchamp for guidance.
I have come across the issue of devices on VLAN xx "seeing" devices on VLAN yy previously, on various manufacturers' kit. One is usually assured it doesn't matter. In the real world, I have stopped it occurring by ensuring that the underlying LAN is not the same for both VLANs. I don't know if that is an option, in the circumstances you describe.
Well, I think this is the only explanation that fits my topic! Thank you!
Take a look at these links, which may help you:
https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation
I always create a "Deny All" rule for my entire local subnet. This blocks all inter-VLAN traffic. All inter-VLAN traffic that I want to permit I put above that line, and everything else goes below it. In your case, you would put the ICMP rule above the Deny All rule.
Here is an example:
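The two points the thread settles on, rules are matched top-down so the ICMP allow must sit above the "Deny All" line, and traffic addressed to an MX VLAN interface is never evaluated against the L3 rules at all, are easy to check offline with a small model of the rule list. The following is an added example, not code from this thread or from Cisco Meraki: it evaluates constructed flows against a constructed rule list using first-match semantics, exempts a constructed set of MX interface IPs the way the accepted answer describes, and lists which gateway addresses an isolated host can still reach despite the deny rule. The rule field names (policy, protocol, srcCidr, destCidr, srcPort, destPort) are only loosely modelled on the Dashboard's L3 rule shape; the addresses, the implicit trailing "allow any", and the port grammar are assumptions made for the example.

```python
import ipaddress

# Constructed rule list, top-down in the order the MX evaluates it. Field names
# loosely follow the Dashboard's L3 firewall rule objects (assumption; this is
# a local model and never talks to a Dashboard). The ICMP allow sits above the
# deny, as the reply above recommends.
RULES = [
    {"comment": "Allow ICMP from the isolated VLAN to the monitoring host",
     "policy": "allow", "protocol": "icmp",
     "srcCidr": "10.0.50.0/24", "destCidr": "10.0.10.5/32",
     "srcPort": "Any", "destPort": "Any"},
    {"comment": "Deny all inter-VLAN traffic",
     "policy": "deny", "protocol": "any",
     "srcCidr": "10.0.0.0/16", "destCidr": "10.0.0.0/16",
     "srcPort": "Any", "destPort": "Any"},
]

# Constructed MX VLAN interface (gateway) addresses. Per the accepted answer,
# traffic addressed to these is never evaluated against the L3 rules.
MX_INTERFACE_IPS = {"10.0.10.1", "10.0.20.1", "10.0.50.1"}


def _cidr_match(spec, ip):
    """True if ip is inside any comma-separated CIDR in spec, or spec is Any."""
    if spec.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in spec.split(","))


def _port_match(spec, port):
    """True if port is in a comma-separated list of ports/ranges, or spec is Any."""
    if spec.strip().lower() == "any":
        return True
    if port is None:
        return False
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo and int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src_ip, dst_ip, protocol, src_port=None, dst_port=None,
             mx_ips=MX_INTERFACE_IPS):
    """Return (policy, reason) for one flow; the first matching rule wins.

    Flows addressed to an MX interface bypass the rule list entirely, which is
    the behaviour the thread observed when pinging other VLANs' gateways.
    """
    if dst_ip in mx_ips:
        return ("allow", "destination is an MX interface: L3 rules not applied")
    for rule in rules:
        if rule["protocol"] != "any" and rule["protocol"] != protocol:
            continue
        if not _cidr_match(rule["srcCidr"], src_ip):
            continue
        if not _cidr_match(rule["destCidr"], dst_ip):
            continue
        if protocol in ("tcp", "udp"):
            if not (_port_match(rule["srcPort"], src_port)
                    and _port_match(rule["destPort"], dst_port)):
                continue
        return (rule["policy"], rule["comment"])
    # Assumption: the list ends with an implicit "allow any", so anything the
    # deny line does not cover (e.g. internet-bound traffic) is permitted.
    return ("allow", "implicit default allow")


def unfiltered_mx_targets(rules, src_ip, mx_ips=MX_INTERFACE_IPS):
    """MX interface IPs the rule list would deny but that the MX still answers."""
    return sorted(ip for ip in mx_ips
                  if evaluate(rules, src_ip, ip, "icmp", mx_ips=set())[0] == "deny")


if __name__ == "__main__":
    host = "10.0.50.10"  # constructed host in the isolated VLAN
    flows = [("10.0.10.5", "icmp", None), ("10.0.10.6", "icmp", None),
             ("10.0.10.5", "tcp", 22), ("8.8.8.8", "udp", 53),
             ("10.0.10.1", "icmp", None)]
    for dst, proto, port in flows:
        print(dst, proto, port, evaluate(RULES, host, dst, proto, dst_port=port))
    # Same two rules with the deny placed first: the ICMP allow never matches.
    print("deny placed first:", evaluate(RULES[::-1], host, "10.0.10.5", "icmp"))
    print("gateways still reachable:", unfiltered_mx_targets(RULES, host))
```

The `unfiltered_mx_targets` check is the one worth keeping: run it against the real rule list and the real set of MX VLAN interface addresses and it tells you exactly which management-plane addresses the "strictly isolated" server can still reach, which is the residual exposure the thread could not remove with L3 rules alone.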