Meraki

Community

MX block intervlan traffic

Solved
vMXNoob
Here to help
‎Oct 14 2024 3:48 AM
‎Oct 14 2024 3:48 AM

MX block intervlan traffic

Hello all,

 

I have multiple SSIDs and I have Vlans configured for each SSID. This is working fine, how ever I want to configure a rule on the MX to stop traffic passing to the other VLANs as they are protected. 

 

I have created a deny rule on the meraki mx for outbound (as per I understand) restricting the VLANs. The rule was source - vlan 1 dest vlan 2 any any deny rule.

 

How ever I can still ping devices on the other VLAN, any pointers please?

Labels:
0 Kudos
1 Accepted Solution
cmr
Kind of a big deal
Kind of a big deal
‎Oct 14 2024 4:03 AM
‎Oct 14 2024 4:03 AM

  1. The rules only take place on new traffic flows, either reboot the devices or the MX to be sure it isn't using an old flow
  2. Where in the list is the new rule, they work from the top.  I have a rule exactly as you said and it works on 19.1.4.
If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

0 Kudos
10 Replies 10
Shubh3738
Building a reputation
‎Oct 14 2024 3:59 AM
‎Oct 14 2024 3:59 AM

Could you please confirm if the deny rule has been applied under Firewall & Traffic Shaping in the Wireless section? To check, navigate to Wireless > Configure > Firewall & Traffic Shaping.

 

Just a quick reminder—when setting up the deny rule for VLAN traffic, you’ll need to apply the rule separately for each SSID

0 Kudos
In response to Shubh3738
vMXNoob
Here to help
‎Oct 14 2024 4:02 AM
‎Oct 14 2024 4:02 AM

I've just applied the rule at MX firewall not at the Wireless firewall.

0 Kudos
In response to vMXNoob
Shubh3738
Building a reputation
‎Oct 14 2024 4:03 AM
‎Oct 14 2024 4:03 AM

Apply the rule on a single SSID first and check if it works as expected. You can do this by navigating to Wireless > Configure > Firewall & Traffic Shaping for the specific SSID and adding the rule there.

0 Kudos
In response to vMXNoob
Shubh3738
Building a reputation
‎Oct 14 2024 4:09 AM
‎Oct 14 2024 4:09 AM

Like this 

Shubh3738_0-1728904172109.png

 

0 Kudos
jimmyt234
Building a reputation
‎Oct 14 2024 3:59 AM
‎Oct 14 2024 3:59 AM

Are you testing using the MX appliance ping tool or actually a device in the VLAN pinging across to the other VLAN?

 

The MX appliance ping test tool will not be blocked by the layer 3 outbound firewall policies.

0 Kudos
In response to jimmyt234
vMXNoob
Here to help
‎Oct 14 2024 4:01 AM
‎Oct 14 2024 4:01 AM

Pinging from device in vlan1 to a device in vlan 2

0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎Oct 14 2024 4:03 AM
‎Oct 14 2024 4:03 AM

  1. The rules only take place on new traffic flows, either reboot the devices or the MX to be sure it isn't using an old flow
  2. Where in the list is the new rule, they work from the top.  I have a rule exactly as you said and it works on 19.1.4.
If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
cmr
Kind of a big deal
Kind of a big deal
‎Oct 14 2024 4:06 AM
‎Oct 14 2024 4:06 AM

You can see below the top two rules that block the IoT VLAN from talking to the default VLAN except for a very specific case:

 

cmr_0-1728903950901.png

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
vMXNoob
Here to help
‎Oct 14 2024 4:37 AM
‎Oct 14 2024 4:37 AM

Sorted thank you - I rebooted the MX now working fine 

 

GreenMan
Meraki Employee
Meraki Employee
‎Oct 14 2024 6:06 AM
‎Oct 14 2024 6:06 AM

Bear in mind that, for the majority of flows, recent MX firmware does block traffic through a new rule, pretty much immediately.  In my experience it's only ICMP that needs to age / be removed from current flow tables to function.   So if you don't use ping as your test, you'll probably find that traffic fails straight away.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.