Hello all. Very new to Meraki. Struggling a bit. I've followed this document and I thought I had it.
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Blocking_and_Allowing....
Created a Group Policy "Allowed Clients" and selected "Custom network firewall & shaping rules". The Layer 3 firewall is Allow Any Any. Everything else in the Group Policy is default settings.
In the Firewall -> Outbound rules, I'm denying everything.
I connected a Cisco phone today for the first time and it comes into the Clients as "Normal". My understanding is that this device will be blocked per the L3 Deny firewall rule. However, this device is connecting fine over the Site-to-Site VPN tunnel back to Call Manager and is functional.
Firewall Log shows that this phone is allowed to communicate over the L7 policy and also the L3(VPN) policy. The L3(LAN) policy is blocked. Maybe the L3 VPN policy is what is allowing it? Looks like the L7 policy may also be allowing it?
Overall, I would like to send out these MX67s or Z4s to users but have it set so that ONLY specific clients can communicate on the network. Ideally, communication on the LAN (same subnet) would also be blocked unless specifically allowed. I can get around that one if the user only needs 1 connection at home, but many require 2 ports, normally a Cisco phone and a PC. I just don't understand what I'm missing. I'm also thinking this type of thing would be something that almost all enterprise businesses would want when sending a device like this to a user's home. If there is a way to better control port access using 802.1x, I may be able to do that as well, but I haven't even explored that yet. Hoping for the easy button.
Thanks for any help.
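As an added illustration (not part of the original post and not Meraki's own code), the following script models the three rule sets the post mentions, the group policy's custom L3 rules, the network outbound rules, and the site-to-site VPN firewall rules, using the field names the Meraki Dashboard API returns for firewall rules (`policy`, `protocol`, `srcCidr`, `destCidr`, `destPort`, `comment`). The evaluation order is an assumption stated in the code: a client covered by the group policy is judged by that policy's rules, while a "Normal" client's VPN-bound traffic is judged by the VPN firewall rules rather than the outbound rules. The rule sets, the VPN subnet and the sample flows are all constructed, and a trailing implicit allow models Meraki's default rule at the bottom of each list.

```python
"""Simplified first-match evaluation of Meraki MX L3 rule sets.

Added example: the evaluation model below (group policy first, then
VPN firewall or outbound rules depending on destination) is an assumption
for illustration, not taken from Meraki documentation or code.
"""
import ipaddress


def _cidr_match(cidr, ip):
    """True if ip falls inside cidr; the literal 'any' matches everything."""
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_match(spec, port):
    """Port specs are 'any', a single port, a range 'a-b', or a comma list."""
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def first_match(rules, flow):
    """Top-down first match over one rule set.

    Returns (policy, reason). If nothing matches, the implicit default rule
    at the bottom of a Meraki rule list is 'allow'.
    """
    for rule in rules:
        if rule["protocol"].lower() not in ("any", flow["proto"]):
            continue
        if not _cidr_match(rule["srcCidr"], flow["src"]):
            continue
        if not _cidr_match(rule["destCidr"], flow["dst"]):
            continue
        if not _port_match(rule["destPort"], flow["dport"]):
            continue
        return rule["policy"], rule.get("comment", "")
    return "allow", "implicit default allow"


# Constructed rule sets mirroring the post: the group policy allows any/any,
# the network outbound rules deny everything, the VPN firewall is untouched.
GROUP_POLICY_RULES = [
    {"comment": "Allowed Clients", "policy": "allow", "protocol": "any",
     "srcCidr": "any", "destCidr": "any", "destPort": "any"},
]
OUTBOUND_RULES = [
    {"comment": "deny all", "policy": "deny", "protocol": "any",
     "srcCidr": "any", "destCidr": "any", "destPort": "any"},
]
VPN_FIREWALL_RULES = []  # nothing configured, so only the implicit allow applies

# Constructed: subnet reachable over the site-to-site VPN (Call Manager side).
VPN_SUBNETS = ["10.20.0.0/16"]


def decide(flow, has_group_policy):
    """Return (rule_set_name, policy, reason) for one client flow.

    Assumed model: a client in the 'Allowed Clients' group policy is judged
    by that policy's rules; a 'Normal' client is judged by the VPN firewall
    rules for VPN-bound destinations and by the outbound rules otherwise.
    """
    if has_group_policy:
        policy, why = first_match(GROUP_POLICY_RULES, flow)
        return ("group policy", policy, why)
    if any(_cidr_match(net, flow["dst"]) for net in VPN_SUBNETS):
        policy, why = first_match(VPN_FIREWALL_RULES, flow)
        return ("L3(VPN)", policy, why)
    policy, why = first_match(OUTBOUND_RULES, flow)
    return ("L3(LAN)", policy, why)


if __name__ == "__main__":
    # Constructed flows: a 'Normal' phone reaching Call Manager over the VPN,
    # the same phone reaching the internet, and an allowed PC on the internet.
    phone_to_cucm = {"proto": "tcp", "src": "192.168.128.10", "dst": "10.20.5.5", "dport": 2000}
    phone_to_web = {"proto": "tcp", "src": "192.168.128.10", "dst": "8.8.8.8", "dport": 443}
    pc_to_web = {"proto": "tcp", "src": "192.168.128.11", "dst": "8.8.8.8", "dport": 443}
    for name, flow, gp in [("phone->CUCM", phone_to_cucm, False),
                           ("phone->web", phone_to_web, False),
                           ("PC->web", pc_to_web, True)]:
        print(name, decide(flow, gp))
```

Run as-is, the "Normal" phone's VPN-bound flow is allowed by the empty VPN rule set's implicit default, which is the behaviour the firewall log in the post describes; under this model, blocking it requires an explicit deny in the site-to-site VPN firewall rules, not in the outbound rules.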