Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX 84 (18.107.2) - Unable to block inter vlan routing

DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:06 AM
‎Feb 29 2024 6:06 AM

MX 84 (18.107.2) - Unable to block inter vlan routing

This should be really simple in blocking two VLANs from communicating with each other but this failing miserably.  I've created the two L3 outbound firewall rules as per below:

 

 

DarrenOC_0-1709215318707.png

 

When testing via the MX itself i'm able to ping through to devices on the 10.228.139.0/24 subnet from 10.228.138.0/24.

 

This can also be seen via a packet capture on the LAN:

 

DarrenOC_1-1709215482483.png

 

I'm 200 miles away from site so can't test locally before anyone asks 😉

 

 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Labels:
0 Kudos
Subscribe
11 Replies 11
RaphaelL
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:10 AM
‎Feb 29 2024 6:10 AM

Is 10.228.138.1 a SVI on your MX ? 

 

I think that behavior is expected. I don't think you are able to ping hosts with that rule , but you can ping the default gateways. 

Subscribe
In response to RaphaelL
DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:22 AM
‎Feb 29 2024 6:22 AM

hi @RaphaelL the SVI's are on the MX itself.  Agree that pinging the SVI's may be possible due to traffic/packet flow but i shouldn't be able to ping the hosts which in this instance i can.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
Subscribe
In response to DarrenOC
RaphaelL
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:32 AM
‎Feb 29 2024 6:32 AM

Correct. 


I believe I saw that behavior in the documentation but I can't find it ... 

 

I believe locally sourced traffic will not abide by your layer 3 policies.  <-- This is probably the reason why. So you would probably need 2 hosts on the 2 vlans to test.

0 Kudos
Subscribe
In response to RaphaelL
DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:52 AM
‎Feb 29 2024 6:52 AM

I could request a support ticket 😂 😉

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
Subscribe
KarstenI
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:12 AM
‎Feb 29 2024 6:12 AM

I expect that this is something like it's also on the ASA. Traffic generated from the box itself is not subject to ACLs.

 

Can't you test it locally? 😉

Subscribe
In response to KarstenI
jimmyt234
Getting noticed
‎Feb 29 2024 6:21 AM
‎Feb 29 2024 6:21 AM

+1, I believe locally sourced traffic will not abide by your layer 3 policies.

Subscribe
In response to jimmyt234
DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:25 AM
‎Feb 29 2024 6:25 AM

so what we're saying is these rules could be working but there's just no way of me testing using the dashboard remotely?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
Subscribe
In response to DarrenOC
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:33 AM
‎Feb 29 2024 6:33 AM

I even bet that these rules will work. 😉

Subscribe
In response to DarrenOC
KarstenI
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:41 AM
‎Feb 29 2024 6:41 AM

I would be highly disappointed in you if you didn't deploy a full stack so that you can test from the APs for example ... 😉

Subscribe
In response to KarstenI
DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:51 AM
‎Feb 29 2024 6:51 AM

off to build a full-stack.....

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Subscribe
In response to KarstenI
DarrenOC
Kind of a big deal
Kind of a big deal
‎Feb 29 2024 6:23 AM
‎Feb 29 2024 6:23 AM

😂- there's always one.  Better get in the car

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.