Meraki

Community

MX 84 (18.107.2) - Unable to block inter vlan routing

DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:06 AM
‎Feb 29 2024 6:06 AM

MX 84 (18.107.2) - Unable to block inter vlan routing

This should be really simple in blocking two VLANs from communicating with each other but this failing miserably.  I've created the two L3 outbound firewall rules as per below:

 

 

DarrenOC_0-1709215318707.png

 

When testing via the MX itself i'm able to ping through to devices on the 10.228.139.0/24 subnet from 10.228.138.0/24.

 

This can also be seen via a packet capture on the LAN:

 

DarrenOC_1-1709215482483.png

 

I'm 200 miles away from site so can't test locally before anyone asks 😉

 

 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Labels:
0 Kudos
11 Replies 11
RaphaelL
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:10 AM
‎Feb 29 2024 6:10 AM

Is 10.228.138.1 a SVI on your MX ? 

 

I think that behavior is expected. I don't think you are able to ping hosts with that rule , but you can ping the default gateways. 

In response to RaphaelL
DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:22 AM
‎Feb 29 2024 6:22 AM

hi @RaphaelL the SVI's are on the MX itself.  Agree that pinging the SVI's may be possible due to traffic/packet flow but i shouldn't be able to ping the hosts which in this instance i can.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
RaphaelL
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:32 AM
‎Feb 29 2024 6:32 AM

Correct. 


I believe I saw that behavior in the documentation but I can't find it ... 

 

I believe locally sourced traffic will not abide by your layer 3 policies.  <-- This is probably the reason why. So you would probably need 2 hosts on the 2 vlans to test.

0 Kudos
In response to RaphaelL
DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:52 AM
‎Feb 29 2024 6:52 AM

I could request a support ticket 😂 😉

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:12 AM
‎Feb 29 2024 6:12 AM

I expect that this is something like it's also on the ASA. Traffic generated from the box itself is not subject to ACLs.

 

Can't you test it locally? 😉

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
jimmyt234
Building a reputation
‎Feb 29 2024 6:21 AM
‎Feb 29 2024 6:21 AM

+1, I believe locally sourced traffic will not abide by your layer 3 policies.

In response to jimmyt234
DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:25 AM
‎Feb 29 2024 6:25 AM

so what we're saying is these rules could be working but there's just no way of me testing using the dashboard remotely?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:33 AM
‎Feb 29 2024 6:33 AM

I even bet that these rules will work. 😉

In response to DarrenOC
KarstenI
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:41 AM
‎Feb 29 2024 6:41 AM

I would be highly disappointed in you if you didn't deploy a full stack so that you can test from the APs for example ... 😉

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:51 AM
‎Feb 29 2024 6:51 AM

off to build a full-stack.....

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
In response to KarstenI
DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:23 AM
‎Feb 29 2024 6:23 AM

😂- there's always one.  Better get in the car

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.