MX L3 rules FQDN Support - DNS traffic on different VLANs...

ShySteamer
New here

Hello,

I don't know whether what I'd like to achieve is possible with the MX. Having read the FQDN support documentation here, I read under [consideration 1.] that "the communication between the client and DNS server cannot be intra-VLAN (this DNS traffic is not snooped)." If I have a subnetted Windows domain client that is on a different VLAN than my DNS/DC server, then L3 FQDN support will not (and in my experience does not) function.

The client in this case is in a locked-down subnet that has no Internet access, for security purposes. I'm allowed to whitelist specific URLs on this subnet, but as described above, the MX will not see the DNS requests, so whitelisting using an L3 FQDN rule does not work.

(I have tried working around this by setting my client's DNS manually to use an external DNS rather than the DC, whilst setting an NRPT rule to direct internal DNS queries to the local server and providing an "lmhosts" file to seed the IP address of the DC for finding the domain. This hasn't been successful: the machine will not find the domain controller and authenticate.)

Is there any way at all to get L3 FQDN rules to work when I need internal DNS and DC to function whilst the client and server are on separate VLANs?

Thank you for your time.

Shy

alemabrahao
Kind of a big deal

Can you share your configuration please?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

Is this correct: you are trying to create an FQDN rule to allow the locked-down host to access specific FQDNs on the Internet. Is this correct?

If so, this should work. Your host should send the request to the internal DNS server, which will then forward the DNS request out to the Internet through the MX. At this point in time, the DNS request will be snooped, and then should allow your client to gain access.
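To illustrate the DNS-snooping dependency this reply describes, here is a toy Python model (an added example, not Meraki's code or the poster's configuration) in which the MX only learns FQDN-to-IP mappings from DNS answers it actually routes. VLAN numbers, the FQDN and the IP are constructed, and the "DC answers from cache" case is an assumption about when the DC does not generate an upstream query.

```python
"""Toy model of MX L3 FQDN enforcement via DNS snooping (added example, not
Meraki code). The MX learns FQDN -> IP mappings only from DNS responses it
routes (between VLANs or from the Internet), never from intra-VLAN traffic.
VLAN numbers, the FQDN and the IP below are constructed placeholders."""
from dataclasses import dataclass, field

INTERNET = "internet"  # pseudo-location for anything beyond the MX uplink


@dataclass
class FqdnRuleEngine:
    allowed_fqdns: set
    learned: dict = field(default_factory=dict)  # ip -> fqdn seen in a DNS answer

    @staticmethod
    def traverses_mx(src_vlan, dst_vlan):
        # The MX only sees a flow when it has to route it out of the source VLAN.
        return src_vlan != dst_vlan

    def observe_dns_response(self, server_vlan, client_vlan, fqdn, ips):
        """Snoop an answer only if it passes through the MX; True if snooped."""
        if not self.traverses_mx(server_vlan, client_vlan):
            return False  # intra-VLAN answer: invisible to the MX (consideration 1)
        for ip in ips:
            self.learned[ip] = fqdn
        return True

    def outbound_allowed(self, dst_ip):
        """An L3 FQDN allow rule matches only IPs already learned for that FQDN."""
        return self.learned.get(dst_ip) in self.allowed_fqdns


def scenario(client_vlan, dc_vlan, dc_answers_from_cache=False,
             fqdn="updates.example.com", ip="203.0.113.10"):
    """Client in a locked-down VLAN resolves an allowed FQDN via the DC.
    Returns whether its subsequent outbound flow to the answer is allowed."""
    mx = FqdnRuleEngine(allowed_fqdns={fqdn})
    if not dc_answers_from_cache:
        # DC forwards upstream; the resolver's answer always crosses the MX uplink.
        mx.observe_dns_response(INTERNET, dc_vlan, fqdn, [ip])
    # DC answers the client; snooped only if client and DC sit on different VLANs.
    mx.observe_dns_response(dc_vlan, client_vlan, fqdn, [ip])
    return mx.outbound_allowed(ip)


if __name__ == "__main__":
    print("client VLAN 10 / DC VLAN 20, DC forwards upstream:", scenario(10, 20))  # True
    print("client VLAN 10 / DC VLAN 10, DC answers from cache:", scenario(10, 10, True))  # False
```

The model shows why the forwarded upstream query matters: when the DC serves an answer from its cache and the client sits in the same VLAN, no DNS response ever crosses the MX and the rule has nothing to match.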
