MX67 Block All Clients Unless in Specific Group Policy

BusterDude
Comes here often

Hello all.  Very new to Meraki.  Struggling a bit.  I've followed this document and I thought I had it.  

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Blocking_and_Allowing....

Created a Group Policy "Allowed Clients" and selected "Custom network firewall & shaping rules".  The Layer 3 firewall is Allow Any Any.  Everything else in the Group Policy is default settings.

[screenshot attached: group policy settings]

In the Firewall -> Outbound rules, I'm denying everything.

[screenshot attached: outbound firewall rules]

I connected a Cisco phone today for the first time and it comes into the Clients as "Normal".  My understanding is that this device will be blocked per the L3 Deny firewall rule.  However, this device is connecting fine over the Site-to-Site VPN tunnel back to Call Manager and is functional. 

Firewall Log shows that this phone is allowed to communicate over L7 policy and also L3(VPN) policy.  L3(LAN) policy is blocked.  Maybe the L3 VPN policy is what is allowing?  Looks like L7 policy may also be allowing?

[screenshots attached: firewall log entries]

Overall, I would like to send out these MX67s or Z4s to users but have it set so that ONLY specific clients can communicate on the network.  Ideally, communication on the LAN (same subnet) would also be blocked unless specifically allowed.  I can get around that one if the user only needs 1 connection at home.  Many require 2 ports.  Normally a Cisco phone and a PC.  I just don't understand what I'm missing.  Also thinking this type of thing would be something that almost all enterprise businesses would want when sending a device like this to a user's home.  If there is a way to better control port access using 802.1x, I may be able to do that as well but haven't even explored that yet.  Hoping for the easy button.

Thanks for any help.

Accepted Solution
PhilipDAth
Kind of a big deal

If you absolutely want to block access on an MX, have a look at using 802.1x instead.  This requires a RADIUS server to authorise each client as they connect to the network.

https://documentation.meraki.com/MX/Access_Control_and_Splash_Page/MX_Access_Policies_(802.1X)

3 Replies
PhilipDAth
Kind of a big deal

That should work.  The MX uses a flow-based system, so sometimes, when you put in a "deny any" rule, you might have to wait 10 minutes (as it applies to new flows, not flows already happening).

I can see from your screenshot that some traffic was blocked from 10.255.24.4.  It might be that you just need to wait a tiny bit longer.

BusterDude
Comes here often

Looks like there's an outbound VPN firewall as well.  From what I can tell, this firewall was allowing the VPN traffic.  My guess is that 802.1x may be the only way to really lock down access on the MX.
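The two behaviours the replies above turn on, a flow-based firewall that only evaluates rules for new flows and a separate outbound rule set for site-to-site VPN traffic, modelled in Python as an added example (this is not Meraki code and not from the thread). The client address 10.255.24.4 is the one mentioned in the replies; the Call Manager address, the VPN subnet and the PC address are constructed; the implicit allow at the end of each rule set, and the idea that a client's group policy substitutes its own rules only for non-VPN traffic, are assumptions of this model rather than documented MX behaviour.

```python
"""Toy model of a flow-based firewall with an Internet outbound rule set,
a site-to-site VPN outbound rule set, and per-client group-policy rules.
Added illustration for this thread; rule-set split and "existing flows
are not re-evaluated" follow the replies, the rest is assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One L3 rule: src/dst are 'any' or a CIDR; dport None means any port."""
    action: str                 # "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, src: str, dst: str, dport: int) -> bool:
        src_ok = self.src == "any" or ip_address(src) in ip_network(self.src)
        dst_ok = self.dst == "any" or ip_address(dst) in ip_network(self.dst)
        port_ok = self.dport is None or self.dport == dport
        return src_ok and dst_ok and port_ok


@dataclass
class FlowFirewall:
    vpn_subnets: list                                        # reachable over site-to-site VPN
    outbound_rules: list = field(default_factory=list)       # Firewall -> Outbound rules
    vpn_outbound_rules: list = field(default_factory=list)   # Site-to-site VPN outbound rules
    group_policy_rules: dict = field(default_factory=dict)   # client IP -> its own rule list (assumed)
    flows: dict = field(default_factory=dict)                # (src, dst, dport) -> (action, rule set)

    def _rule_set_for(self, src: str, dst: str):
        """Pick the rule set: VPN-bound traffic uses the VPN set regardless of
        group policy (assumption); otherwise group policy overrides outbound."""
        if any(ip_address(dst) in ip_network(n) for n in self.vpn_subnets):
            return "vpn", self.vpn_outbound_rules
        if src in self.group_policy_rules:
            return "group-policy", self.group_policy_rules[src]
        return "outbound", self.outbound_rules

    def _evaluate(self, src: str, dst: str, dport: int):
        name, rules = self._rule_set_for(src, dst)
        for rule in rules:              # first match wins
            if rule.matches(src, dst, dport):
                return rule.action, name
        return "allow", name            # implicit allow at the bottom of each set (assumed)

    def packet(self, src: str, dst: str, dport: int):
        """Rules are consulted once per flow; later packets reuse the verdict."""
        key = (src, dst, dport)
        if key not in self.flows:
            self.flows[key] = self._evaluate(src, dst, dport)
        return self.flows[key]

    def expire_flows(self) -> None:
        """Idle timeout: the next packet of any flow is re-evaluated."""
        self.flows.clear()


def run_scenario() -> dict:
    """Replays the thread: deny-any added after the phone is already talking."""
    phone, pc = "10.255.24.4", "10.255.24.10"          # pc address constructed
    call_manager = "10.10.1.5"                          # constructed, behind the VPN
    fw = FlowFirewall(vpn_subnets=["10.10.0.0/16"])
    fw.group_policy_rules[pc] = [Rule("allow")]         # the "Allowed Clients" policy
    r = {}
    r["vpn_before"] = fw.packet(phone, call_manager, 5060)
    r["internet_before"] = fw.packet(phone, "8.8.8.8", 443)
    fw.outbound_rules.insert(0, Rule("deny"))           # admin adds Deny Any Any
    r["internet_existing_flow"] = fw.packet(phone, "8.8.8.8", 443)   # still allowed
    r["internet_new_flow"] = fw.packet(phone, "1.1.1.1", 443)        # blocked
    r["vpn_new_flow"] = fw.packet(phone, call_manager, 2000)         # VPN set untouched
    r["pc_new_flow"] = fw.packet(pc, "1.1.1.1", 443)                 # group policy allows
    fw.expire_flows()
    r["internet_after_expiry"] = fw.packet(phone, "8.8.8.8", 443)    # now blocked
    fw.vpn_outbound_rules.insert(0, Rule("deny"))       # deny added to the VPN set too
    r["vpn_after_vpn_deny"] = fw.packet(phone, call_manager, 5061)
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24s} {verdict}")
```

The point to take from the model: a deny in the Internet outbound set never touches flows classified as VPN-bound, and even for Internet-bound traffic the verdict only changes once the existing flow ages out, which is the "wait a bit longer" advice above.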
