When I configured VLANs, the goal was to split my network.
I don't understand how a ping from another VLAN to this VLAN results in a response, indicating that I can connect.
Is it that the internal MX is not able to segregate the gateways?
How could I isolate VLAN 5 from the rest?
Therefore I can reach a host from different VLANs. WHY?
I just noticed that your firewall rules are configured for /32 subnets (so I believe each rule would effectively be blocking only 1 host address). If you want the rules to apply to each entire subnet, then I'm guessing that you probably want /24.
You need to configure some outbound Deny firewall rules for the subnets configured on the VLANs:
Security & SD-WAN > Configure > Firewall https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...
The default configuration allows all traffic between VLANs (and from all VLANs out to the Internet).
Would it be correct?
Maybe use the Meraki group policy in this case to block the VLAN-to-VLAN communication.
1. Create a group policy: Network-wide > Group policy.
Mention the VLANs that have to be allowed or blocked. You can also configure custom policy settings like IPS/IDS, AMP, content filtering and L7 firewall rules for this VLAN using this group policy option.
2. Add the group policy to your VLAN to restrict the traffic.
This will block the inter-VLAN communication as desired.
Thanks for the response.
First of all, I initially considered doing it using group policy, but @GreenMan advised me to use the MX firewall in his reply.
I think both ways to do it are ok.
Do you believe it will work fine if I set up this rule in the group policy?
What do you think?
Straightforward firewall rules do not only control traffic to/from the Internet, they can control inter-VLAN traffic too. I'd recommend using these as they are stateful (bi-directional and understanding of the direction of session initiation), whereas FW rules via Group Policy are not.
Fantastic!!! Therefore:
Firewall rules are bi-directional.
Group policy rules are not bi-directional.
So would these firewall rules be correct?
Anyone?
You can create a policy object with all the source subnets that have to be blocked and use it in the source section of these firewall rules. That will look nice and clean.
It looks good to me.
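To make the two points from the replies above concrete (a /32 in a rule matches exactly one host, so blocking a whole VLAN needs the subnet prefix such as /24; and a stateful firewall lets the return traffic of an allowed session through even where a rule would deny that direction as a new flow), here is a small simulator of MX-style top-down Layer 3 rule evaluation with an implicit allow at the end. This is an added example, not code from the thread or from Meraki; the VLAN subnets, host addresses and rule lists are constructed for the illustration, and the session table is a simplified model of stateful tracking.

```python
"""Constructed example of top-down L3 firewall rule evaluation (first match wins,
implicit 'allow any any' at the end) plus a simplified stateful session table."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    policy: str   # "deny" or "allow"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"


def _matches(cidr: str, ip: str) -> bool:
    """True if ip falls inside cidr ('any' matches everything)."""
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, src_ip: str, dst_ip: str) -> str:
    """Stateless verdict: first matching rule, otherwise the default allow."""
    for rule in rules:
        if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
            return rule.policy
    return "allow"


class StatefulFirewall:
    """Rules are consulted only for new flows; replies of allowed flows pass."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # (initiator, responder) pairs of allowed flows

    def packet(self, src_ip: str, dst_ip: str) -> str:
        if (src_ip, dst_ip) in self.sessions or (dst_ip, src_ip) in self.sessions:
            return "allow"      # return or continuing traffic of a known session
        verdict = evaluate(self.rules, src_ip, dst_ip)
        if verdict == "allow":
            self.sessions.add((src_ip, dst_ip))
        return verdict


# Constructed VLAN layout (assumption, not from the thread):
# VLAN 5 = 192.168.5.0/24, VLAN 10 = 192.168.10.0/24
VLAN5 = "192.168.5.0/24"
VLAN10 = "192.168.10.0/24"

# Mistake discussed above: a /32 source blocks exactly one host of VLAN 5.
HOST_RULES = [Rule("deny", "192.168.5.10/32", VLAN10)]

# Intended configuration: deny both directions for the whole subnets.
SUBNET_RULES = [Rule("deny", VLAN5, VLAN10), Rule("deny", VLAN10, VLAN5)]

# One-way deny used to show the stateful behaviour: VLAN 5 may not start
# sessions to VLAN 10, but VLAN 10 may reach VLAN 5.
ONE_WAY_RULES = [Rule("deny", VLAN5, VLAN10)]


def demo() -> dict:
    """Return the verdicts a practitioner would want to compare."""
    stateful = StatefulFirewall(ONE_WAY_RULES)
    return {
        # /32 only catches the single listed host; its neighbour still passes
        "host32_listed": evaluate(HOST_RULES, "192.168.5.10", "192.168.10.20"),
        "host32_other": evaluate(HOST_RULES, "192.168.5.11", "192.168.10.20"),
        # /24 catches every host in the VLAN
        "subnet24_other": evaluate(SUBNET_RULES, "192.168.5.11", "192.168.10.20"),
        # stateful: VLAN 10 opens a session, the VLAN 5 reply is allowed ...
        "initiate_10_to_5": stateful.packet("192.168.10.20", "192.168.5.10"),
        "reply_5_to_10": stateful.packet("192.168.5.10", "192.168.10.20"),
        # ... although a stateless check of the same reply would deny it
        "stateless_reply": evaluate(ONE_WAY_RULES, "192.168.5.10", "192.168.10.20"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Running the module prints the six verdicts; the contrast between `reply_5_to_10` and `stateless_reply` is the difference the reply above draws between the MX firewall and group-policy rules, and `host32_other` versus `subnet24_other` is the /32 versus /24 issue.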
Hi
I implemented the firewall rules, but I still get a ping reply. Why?
You're pinging right from the MX itself.
Yes.
I'm not meaning to hijack athan1234's thread, but I stumbled across this thread while researching my own related issue.
Is this to say that it is the expected behavior that the MX's Ping Live tool will basically ignore any firewall rules?
I have explicit deny rules configured similarly to athan1234, and I can confirm that real clients in one VLAN are successfully blocked from reaching clients in any other VLAN. However, the MX's Ping Live tool can ping any client in any VLAN regardless of which "Source IP Address" I select.
For example, although there is an explicit deny firewall rule configured in both directions between VLAN 3 and VLAN 4, the MX Ping Live tool with a "Source IP Address" of VLAN 3 can ping any device in VLAN 4. But again, no real clients in VLANs 3 or 4 can ping each other, so I can see that the firewall rules are working for real clients.
I actually started this research because I discovered that any device in any VLAN could reach the management IP address of any other VLAN. For example, any device in VLAN 3 can ping/reach the MX's management IP address for VLAN 4. I found this article seemingly saying that this is expected behavior for AP's, but I am still searching for documentation indicating the expected behavior for MX's. https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/All_VLANs_can_ping_the_Cisco_Meraki...
Destination: Specifies the destination FQDN, IP address or network address using CIDR notation to match in outbound traffic. "Any" can also be used to specify all networks. Note that, on a network with an MX handling inter-VLAN routing, the IP address of the MX on the destination subnet may still be accessible via ping even if the rule is set to block traffic. This is due to the nature of software routing on the MX and does not pose a security risk; host devices on the destination subnet will still be blocked according to the rule.
Ohh thanks, it is very interesting. So thanks.
Yes!!! You are right, /24 is better for me.