Isolate VLAN

SOLVED
athan1234
Building a reputation

When I configured VLANs, the goal was to split my network.

I don't understand how a ping from another VLAN to this VLAN results in a response indicating that I can connect.

Is it because the internal MX is not able to segregate the gateways?

How could I isolate VLAN 5 from the rest?

[screenshot]

Therefore I can reach a host from different VLANs. Why?

[screenshot]

1 ACCEPTED SOLUTION
etb
Getting noticed

I just noticed that your firewall rules are configured for /32 subnets (so I believe each rule would effectively be blocking only 1 host address). If you want the rules to apply to each entire subnet, then I'm guessing that you probably want /24.

16 REPLIES
GreenMan
Meraki Employee

You need to configure some outbound Deny firewall rules for the subnets configured on the VLANs:

Security & SD-WAN > Configure > Firewall https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...

The default configuration allows all traffic between VLANs (and from all VLANs out to the Internet).

athan1234
Building a reputation

Would this be correct?

[screenshot]

Pavithran
Here to help

Maybe use Meraki group policy in this case to block VLAN-to-VLAN communication.

1. Create a group policy: Network-wide > Group policy.

Mention the VLANs that have to be allowed or blocked. You can also configure custom policy settings like IPS/IDS, AMP, content filtering and L7 firewall rules for this VLAN using this group policy option.

[screenshot]

2. Add the group policy to your VLAN to restrict the traffic.

[screenshot]

This will block the inter-VLAN communication as desired.

athan1234
Building a reputation

Thanks for the response.

First of all, I initially considered doing it using group policy, but @GreenMan advised me to use the MX firewall in his reply.

I think both ways to do it are OK.

Do you believe it will work fine if I set up this rule in the group policy?

[screenshot]

What do you think?

GreenMan
Meraki Employee

Straightforward firewall rules do not only control traffic to/from the Internet; they can control inter-VLAN traffic too. I'd recommend using these as they are stateful (bi-directional and understanding of the direction of session initiation), whereas FW rules via Group Policy are not.

 

athan1234
Building a reputation

Fantastic! Therefore:

Firewall rules are bi-directional.

Group policy rules are not bi-directional.

So would these firewall rules be correct?

[screenshot]

athan1234
Building a reputation

anyone?

 

Pavithran
Here to help

You can create a policy object with all the source subnets that have to be blocked and use it in the source section of these firewall rules. That will look nice and clean.

It looks good to me.

athan1234
Building a reputation

Hi

I implemented the firewall rules, but I still get ping replies. Why?

[screenshot]

[screenshot]

CptnCrnch
Kind of a big deal

You're pinging right in from the MX itself.

athan1234
Building a reputation

Yes.

etb
Getting noticed

I'm not meaning to hijack athan1234's thread, but I stumbled across this thread while researching my own related issue.

Is this to say that it is the expected behavior that the MX's Ping Live tool will basically ignore any firewall rules?

I have explicit deny rules configured similarly to athan1234, and I can confirm that real clients in one VLAN are successfully blocked from reaching clients in any other VLAN. However, the MX's Ping Live tool can ping any client in any VLAN regardless of which "Source IP Address" I select.

For example, although there is an explicit deny firewall rule configured in both directions between VLAN 3 and VLAN 4, the MX Ping Live tool with a "Source IP Address" of VLAN 3 can ping any device in VLAN 4. But again, no real clients in VLANs 3 or 4 can ping each other, so I can see that the firewall rules are working for real clients.

I actually started this research because I discovered that any device in any VLAN could reach the management IP address of any other VLAN. For example, any device in VLAN 3 can ping/reach the MX's management IP address for VLAN 4. I found this article seemingly saying that this is expected behavior for APs, but I am still searching for documentation indicating the expected behavior for MXs. https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/All_VLANs_can_ping_the_Cisco_Meraki...

etb
Getting noticed

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...

 

Destination: Specifies the destination FQDN, IP address or network address using CIDR notation to match in outbound traffic. "Any" can also be used to specify all networks. Note that, on a network with an MX handling inter-VLAN routing, the IP address of the MX on the destination subnet may still be accessible via ping even if the rule is set to block traffic. This is due to the nature of software routing on the MX and does not pose a security risk; host devices on the destination subnet will still be blocked according to the rule.

athan1234
Building a reputation

Ohh, thanks, it is very interesting. So thanks.


athan1234
Building a reputation

Yes!!! You are right, /24 is better for me.
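As an added example (not code from the thread, from Meraki, or from any participant), here is a small Python simulator of how an MX outbound L3 rule set is evaluated for a flow: first match from the top, with the implicit default rule allowing everything, as GreenMan describes. It shows etb's point that a /32 rule matches a single address while /24 covers the whole VLAN, and the caveat quoted from the Meraki documentation that the MX's own interface IP on the destination subnet still answers ping. The VLAN subnets, MX interface addresses and rule field names are constructed for the demonstration; protocol and ports are not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (the thread's screenshots are not on the page):
# VLAN id -> subnet, plus the MX's own interface address on each VLAN.
VLANS = {5: "192.168.5.0/24", 10: "192.168.10.0/24"}
MX_INTERFACE_IPS = {"192.168.5.1", "192.168.10.1"}

# Implicit last rule of the MX outbound set: allow everything, which is why
# inter-VLAN traffic flows until a deny rule is placed above it.
DEFAULT_ALLOW = {"comment": "Default rule", "policy": "allow", "srcCidr": "Any", "destCidr": "Any"}

def deny_rule(src, dst, comment):
    # Field names modelled on the dashboard's L3 firewall rule entries (assumption).
    return {"comment": comment, "policy": "deny", "srcCidr": src, "destCidr": dst}

def _cidr_match(cidr, addr):
    return cidr.lower() == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins, top to bottom; the default rule allows."""
    for rule in rules + [DEFAULT_ALLOW]:
        if _cidr_match(rule["srcCidr"], src_ip) and _cidr_match(rule["destCidr"], dst_ip):
            return rule["policy"]
    return "allow"

def ping_reachable(rules, src_ip, dst_ip):
    """Ping result, including the documented caveat quoted in the thread:
    the MX's own address on the destination subnet answers even when denied."""
    return dst_ip in MX_INTERFACE_IPS or evaluate(rules, src_ip, dst_ip) == "allow"

def audit_masks(rules):
    """Flag deny rules whose CIDR is a single address inside a configured VLAN:
    the /32-instead-of-/24 mistake etb spotted."""
    findings = []
    for r in rules:
        for key in ("srcCidr", "destCidr"):
            net = None if r[key].lower() == "any" else ip_network(r[key], strict=False)
            if net is None or net.num_addresses != 1:
                continue
            for vlan, subnet in VLANS.items():
                if net.network_address in ip_network(subnet):
                    findings.append(f"{r['comment']}: {key} {r[key]} is one host; VLAN {vlan} is {subnet}")
    return findings

# The two rule sets discussed in the thread: /32 (one host) versus /24 (whole subnet).
RULES_HOST_ONLY = [deny_rule("192.168.5.0/32", "192.168.10.0/32", "VLAN 5 -> VLAN 10")]
RULES_SUBNET = [deny_rule("192.168.5.0/24", "192.168.10.0/24", "VLAN 5 -> VLAN 10"),
                deny_rule("192.168.10.0/24", "192.168.5.0/24", "VLAN 10 -> VLAN 5")]
```

With the /32 rules a host at 192.168.5.20 still reaches 192.168.10.20 because nothing matches and the default rule allows; with the /24 rules it is denied, while the MX interface 192.168.10.1 still answers ping.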
