L3 Firewall Port Range

merakiinsanity
Here to help

Hi again

Our org uses a cloud platform that requires destination UDP ports 10000-60000 to be open to their IP range. Unfortunately, Cisco hasn't given the ability to enter ranges (for both ports and IPs other than CIDR) for some reason known only to themselves.

Before I do something I really don't want to do, namely allow any port number, is there some other way I can tell the rule to only look at ports 10000-60000 without having to put in 10000, 10001, 10002 etc. etc.? Even then, I'm sure I'll hit a limit at some point. This seems like really basic functionality that should be catered for.

[Screenshot attached: Screenshot 2021-05-06 at 06.37.57.png]

EDIT: Ok, so I've found a workaround. It seemingly can't cope with having a range in a list. So I can have 10000-60000 in its own rule, but having 3478, 10000-60000 is beyond its capability. I have to have a separate rule for port 3478, despite it all being UDP.

Apologies if I sound frustrated, it's because I'm extremely frustrated.
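An added example, not code from the original post or from Cisco, that scripts the workaround described above: each port range goes in its own allow rule, single ports are grouped into one comma-separated rule, and a check flags any allow rule that falls back to "Any" for the destination port or CIDR. The rule field names (comment, policy, protocol, srcCidr, srcPort, destCidr, destPort, syslogEnabled) are assumed to match the Meraki Dashboard API's l3FirewallRules schema; the CIDRs and port spec below are constructed placeholders.

```python
"""Build Meraki MX L3 firewall rules from a port spec, one range per rule.

Added example; not from the original post or from Cisco. Rule field names
are assumed to match the Dashboard API l3FirewallRules schema; check the
current API docs before pushing the output.
"""
import json
import re

PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_spec(spec):
    """Parse '3478, 10000-60000' into (sorted single ports, sorted ranges).

    Raises ValueError for malformed entries, ports outside 1-65535, or
    inverted ranges such as '60000-10000'.
    """
    singles, ranges = set(), set()
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        m = PORT_RE.match(item)
        if not m:
            raise ValueError(f"bad port entry: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"port out of range: {item!r}")
        if lo == hi:
            singles.add(lo)
        else:
            ranges.add((lo, hi))
    return sorted(singles), sorted(ranges)


def build_rules(comment, protocol, dest_cidrs, port_spec, src_cidr="Any"):
    """Return allow rules: one for all single ports, then one per range."""
    singles, ranges = parse_port_spec(port_spec)
    dest = ",".join(dest_cidrs)
    rules = []

    def rule(dest_port, suffix):
        # Field names assumed to match the Dashboard API schema.
        return {
            "comment": f"{comment} ({suffix})",
            "policy": "allow",
            "protocol": protocol,
            "srcCidr": src_cidr,
            "srcPort": "Any",
            "destCidr": dest,
            "destPort": dest_port,
            "syslogEnabled": False,
        }

    if singles:
        rules.append(rule(",".join(str(p) for p in singles), "single ports"))
    for lo, hi in ranges:
        rules.append(rule(f"{lo}-{hi}", f"{lo}-{hi}"))
    return rules


def overly_broad(rules):
    """Return comments of allow rules whose destPort or destCidr is 'Any'.

    This catches the fallback the original poster wanted to avoid (allowing
    any port) before the rule set is pushed.
    """
    flagged = []
    for r in rules:
        if r["policy"] != "allow":
            continue
        if r["destPort"].lower() == "any" or r["destCidr"].lower() == "any":
            flagged.append(r["comment"])
    return flagged


def payload(rules):
    """JSON body in the shape the l3FirewallRules endpoint expects (assumed)."""
    return json.dumps({"rules": rules}, indent=2)


if __name__ == "__main__":
    # Constructed placeholder CIDRs standing in for the cloud platform's range.
    cloud = ["203.0.113.0/24", "198.51.100.0/24"]
    rules = build_rules("Cloud voice", "udp", cloud, "3478, 10000-60000")
    print(payload(rules))
    print("broad allow rules:", overly_broad(rules))
```

Running it with the spec from the post yields two UDP allow rules, one with destPort "3478" and one with "10000-60000", which is exactly the split the dashboard forced by hand; the payload can then be submitted with the API instead of re-typing it per rule.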

2 REPLIES
cmr
Kind of a big deal

Thanks for the update @merakiinsanity, I tried to apply some rules to a switch and you cannot have ranges at all there...  I am planning to move those SVIs to the MXs and am glad that you can do a range there (even if it is on its own)!  As you say, it does seem somewhat basic!

I've had to expand 2 rules on my WatchGuards into 6 rules on Meraki, although I could put the 3-port TCP range for Avaya into the rule above.

[Screenshot attached: Screenshot 2021-05-06 at 08.02.27.png]

I've also noticed that you can't put subnets from the Switch Routing & DHCP, or even the VLANs configured on the MX itself, into the source of the firewall rule, so I've created a Network Object for it. If I need to update the subnet, I'll just have to update the Switch subnet and remember to do the Network Object.
