Layer 3 firewall rules - WHERE TO APPLY?

asdfasdfasdfasd
Conversationalist

Hello,

 

I've been setting up Meraki devices for a few years now, and have noticed (invariably) there is more than one place to configure Layer 3 firewall rules. You can do it in the Addressing & VLANs section and apply it to an entire VLAN, and you can also apply it in the Wireless --> Firewall & Traffic Shaping section. [long silent pause]. I think just by typing this I may have answered my question, but what is the difference between adding a Layer 3 firewall rule on the VLAN (in Addressing & VLANs) and applying/configuring the Layer 3 firewall rules in Wireless --> Firewall & Traffic Shaping? In the wireless section, would those rules only apply to wireless clients, and, if a client is on the same VLAN, but WIRED, those rules would NOT apply?

 

I ask because I have about 5 MR42 access points connected to an MX67 and I created Layer 3 firewall rules on the VLAN on the MX67, rather than in the Wireless --> Firewall & Traffic Shaping section. This VLAN is dedicated entirely to wireless, so the fact I mentioned a WIRED client on this same VLAN might be irrelevant. I'm just wondering what the differences of applying these rules in each area are, or if it's all the same.

 

I read on THIS PAGE that "All other settings would be inherited from network defaults". So if I leave the Wireless --> Firewall & Traffic Shaping section alone, am I good since these Layer 3 rules are applied on the VLAN defined on the MX67? I have already tested VLAN interconnectivity, and it behaves the way I imagined/configured, but I am wondering if I am doing it the wrong way.

 

Thanks!

3 REPLIES
MarcP
Kind of a big deal

If you set up Layer 3 rules on the MRs, WiFi clients will be affected by the rules on the MR.

If the client's traffic passes the firewall on the MR and then goes to the MX, it will be run through the rules on the MX as well.

If the client is already, for example, blocked at the MR, the MX won't even see this.

 

 

https://community.meraki.com/t5/Security-SD-WAN/Firewall-hierarchy-between-MR-and-MX/m-p/33619

PhilipDAth
Kind of a big deal

If you apply the firewall rules to an SSID it only affects WiFi clients attaching to the SSID.

 

If you apply it to the VLAN, then it affects WiFi clients going through that VLAN as well as wired clients using that VLAN.
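The enforcement order described in the two replies above, as an added example that is not part of the thread and is not Meraki code or a Meraki API. It is a simplified model that assumes top-down first-match rules with a default allow, and that the destination sits in another VLAN so the packet is routed by the MX; the rule sets and addresses are constructed.

```python
# Added illustration: simplified model of SSID (MR) rules vs. VLAN (MX) rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    dst: str     # destination CIDR, or "any"


def first_match(rules, dst_ip):
    """Assumed semantics: evaluate top-down, first match wins, default allow."""
    for rule in rules:
        if rule.dst == "any" or ip_address(dst_ip) in ip_network(rule.dst):
            return rule.action
    return "allow"


def path_verdict(medium, dst_ip, ssid_rules, vlan_rules):
    """Return (verdict, list of enforcement points that evaluated the packet)."""
    seen = []
    if medium == "wifi":          # SSID rules only touch clients on that SSID
        seen.append("MR")
        if first_match(ssid_rules, dst_ip) == "deny":
            return "deny", seen   # dropped at the AP, the MX never sees it
    seen.append("MX")             # VLAN rules cover wired and wireless clients
    return first_match(vlan_rules, dst_ip), seen


def wired_gaps(dsts, ssid_rules, vlan_rules):
    """Destinations blocked for WiFi clients but open from a wired port
    on the same VLAN, i.e. rules that exist only on the SSID."""
    return [d for d in dsts
            if path_verdict("wifi", d, ssid_rules, vlan_rules)[0] == "deny"
            and path_verdict("wired", d, ssid_rules, vlan_rules)[0] == "allow"]


# Constructed sample policy: one rule per enforcement point.
SSID_RULES = [Rule("deny", "10.0.20.0/24")]
VLAN_RULES = [Rule("deny", "10.0.30.0/24")]
SAMPLE_DSTS = ["10.0.20.5", "10.0.30.5", "8.8.8.8"]

if __name__ == "__main__":
    for dst in SAMPLE_DSTS:
        for medium in ("wifi", "wired"):
            print(medium, dst, path_verdict(medium, dst, SSID_RULES, VLAN_RULES))
    print("wired-only gaps:", wired_gaps(SAMPLE_DSTS, SSID_RULES, VLAN_RULES))
```

Any destination returned by `wired_gaps` is protected only by the SSID rule, so the matching deny belongs on the VLAN if wired ports can ever join it.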

asdfasdfasdfasd
Conversationalist

Thanks for the answers everyone! Had to double-check, and I didn't see that hierarchy page until you sent it. 
