MX block intervlan traffic

Solved
vMXNoob


Hello all,


I have multiple SSIDs and I have VLANs configured for each SSID. This is working fine; however, I want to configure a rule on the MX to stop traffic passing to the other VLANs, as they are protected.


I have created a deny rule on the Meraki MX for outbound (as far as I understand) restricting the VLANs. The rule was: source VLAN 1, destination VLAN 2, any, any, deny.


However, I can still ping devices on the other VLAN. Any pointers, please?

10 Replies
Shubh3738
Building a reputation

Could you please confirm if the deny rule has been applied under Firewall & Traffic Shaping in the Wireless section? To check, navigate to Wireless > Configure > Firewall & Traffic Shaping.


Just a quick reminder: when setting up the deny rule for VLAN traffic, you'll need to apply the rule separately for each SSID.

I've just applied the rule at the MX firewall, not at the Wireless firewall.

Shubh3738
Building a reputation

Apply the rule on a single SSID first and check if it works as expected. You can do this by navigating to Wireless > Configure > Firewall & Traffic Shaping for the specific SSID and adding the rule there.

Shubh3738
Building a reputation

Like this: [screenshot]

jimmyt234
Building a reputation

Are you testing using the MX appliance ping tool or actually a device in the VLAN pinging across to the other VLAN?


The MX appliance ping test tool will not be blocked by the layer 3 outbound firewall policies.

Pinging from a device in VLAN 1 to a device in VLAN 2.

cmr
Kind of a big deal

  1. The rules only take place on new traffic flows; either reboot the devices or the MX to be sure it isn't using an old flow.
  2. Where in the list is the new rule? They work from the top. I have a rule exactly as you said and it works on 19.1.4.
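To make cmr's two points concrete, here is an added example (not from this thread, Meraki, or the dashboard) that models first-match evaluation of an MX-style L3 outbound rule list and a flow table that keeps its verdict for existing flows. The rule field names follow the Meraki Dashboard API L3 firewall rule shape as I understand it, and "VLAN(n).*" as a whole-VLAN source/destination shorthand is an assumption; the rule lists and flows are constructed.

```python
import re

# Constructed rule lists in evaluation order (top of the dashboard list first).
# Field names follow the Dashboard API rule shape; "VLAN(n).*" is the assumed whole-VLAN shorthand.
RULES_BAD = [   # the deny sits below a catch-all allow, so it never fires
    {"comment": "Allow everything", "policy": "allow", "protocol": "any",
     "srcCidr": "Any", "destCidr": "Any"},
    {"comment": "Block VLAN 1 -> VLAN 2", "policy": "deny", "protocol": "any",
     "srcCidr": "VLAN(1).*", "destCidr": "VLAN(2).*"},
]
RULES_GOOD = list(reversed(RULES_BAD))   # deny first, catch-all allow last

def _covers(spec, vlan):
    """True if a src/dest spec ("Any" or "VLAN(n).*") covers the given VLAN."""
    if spec == "Any":
        return True
    m = re.fullmatch(r"VLAN\((\d+)\)\.\*", spec)
    return bool(m) and int(m.group(1)) == vlan

def first_match(rules, src_vlan, dst_vlan, proto):
    """Policy of the first matching rule; the MX's implicit last rule is allow."""
    for r in rules:
        if (r["protocol"] in ("any", proto) and _covers(r["srcCidr"], src_vlan)
                and _covers(r["destCidr"], dst_vlan)):
            return r["policy"]
    return "allow"

def shadowed_denies(rules):
    """Point 2: deny rules that an earlier, equal-or-broader allow already matches."""
    shadowed = []
    for i, r in enumerate(rules):
        if r["policy"] != "deny":
            continue
        for earlier in rules[:i]:
            if (earlier["policy"] == "allow"
                    and earlier["protocol"] in ("any", r["protocol"])
                    and earlier["srcCidr"] in ("Any", r["srcCidr"])
                    and earlier["destCidr"] in ("Any", r["destCidr"])):
                shadowed.append(r["comment"])
                break
    return shadowed

class FlowTable:
    """Point 1: a crude model of flows that keep their original verdict until cleared."""
    def __init__(self):
        self.flows = {}
    def forward(self, rules, src_vlan, dst_vlan, proto):
        key = (src_vlan, dst_vlan, proto)
        if key not in self.flows:          # only NEW flows consult the rule list
            self.flows[key] = first_match(rules, src_vlan, dst_vlan, proto)
        return self.flows[key]
    def clear(self):                       # reboot or flow age-out
        self.flows.clear()
```

A flow first forwarded before the deny existed keeps passing until the table is cleared, which is the reboot cmr suggests; `shadowed_denies` is the ordering check to run before blaming the flow table.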
cmr
Kind of a big deal

You can see below the top two rules that block the IoT VLAN from talking to the default VLAN except for a very specific case:

[screenshot]

Sorted, thank you. I rebooted the MX and it's now working fine.

GreenMan
Meraki Employee

Bear in mind that, for the majority of flows, recent MX firmware does block traffic through a new rule pretty much immediately. In my experience it's only ICMP that needs to age out / be removed from current flow tables for the rule to take effect. So if you don't use ping as your test, you'll probably find that traffic fails straight away.
