MX84 - Access list not applying

Dougbert
New here

So we just got an MX84 to handle our guest internet traffic. We use Umbrella to provide basic filtering via DNS (block adult sites, malware, p2p, illegal sites, etc.) and I created a rule to allow DNS to Umbrella's servers but block DNS to anything else, but the firewall still appears to allow the DNS traffic to pass to Google's DNS (8.8.8.8) when I manually set DNS on a client on the network. I did a Wireshark capture on the client to confirm the traffic is in fact going to port 53/UDP and it is, but the firewall is NOT applying the configuration. The appliance says its config is up to date.

(screenshot attachment: Dougbert_0-1595598040931.png)

3 Replies
CptnCrnch
Kind of a big deal

Well, if using Umbrella via MX, you're applying those via Group Policy to endpoints / users. How do those (that are using Umbrella) look? Are you by any chance allowing DNS freely there?

PhilipDAth
Kind of a big deal

First thing of note - you do realise DNS uses both UDP and TCP? UDP is typically used for small queries and the initial query. TCP is often used for larger responses (over 512 bytes). Many DNS responses these days are over 512 bytes.

https://support.microsoft.com/en-us/help/556000#:~:text=DNS%20uses%20TCP%20for%20Zone,information%20... 


Typically you use the option to directly integrate the MX with Umbrella. This causes it to intercept the DNS queries. The clients think they are still talking to 8.8.8.8 (for example) but they actually get redirected to Umbrella.

https://documentation.meraki.com/MR/Other_Topics/Manually_Integrating_Cisco_Umbrella_with_Meraki_Net... 

Then you would create a group policy and apply it to your guest VLAN interface.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin... 
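To make the UDP/TCP point above concrete, here is an added example (not code from the thread or from Meraki) that evaluates first-match L3 outbound rules against sample flows: a DNS egress policy written only for UDP/53 still lets TCP/53 to 8.8.8.8 fall through to the implicit allow, while the same policy written for both protocols closes it. The Umbrella resolver addresses, the implicit-allow default and the sample flows are assumptions made for this example.

```python
"""Added example: first-match L3 rule evaluation for a guest DNS egress policy.
Shows the gap left by a UDP-only rule set and the tightened UDP+TCP version."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed Umbrella anycast resolver addresses for this example.
UMBRELLA_RESOLVERS = ["208.67.222.222/32", "208.67.220.220/32"]


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    protocol: str            # "udp", "tcp" or "any"
    dst: str                 # destination CIDR
    dst_port: Optional[int]  # None matches any port


def _matches(rule: Rule, proto: str, dst_ip: str, dst_port: int) -> bool:
    return ((rule.protocol in ("any", proto))
            and ip_address(dst_ip) in ip_network(rule.dst)
            and (rule.dst_port is None or rule.dst_port == dst_port))


def evaluate(rules, proto, dst_ip, dst_port, default="allow"):
    """First matching rule wins; unmatched traffic hits the default (assumed allow-all)."""
    for rule in rules:
        if _matches(rule, proto, dst_ip, dst_port):
            return rule.action
    return default


def dns_policy(protocols):
    """Allow port 53 to the Umbrella resolvers over each protocol, deny port 53 elsewhere."""
    rules = [Rule("allow", p, r, 53) for p in protocols for r in UMBRELLA_RESOLVERS]
    rules += [Rule("deny", p, "0.0.0.0/0", 53) for p in protocols]
    return rules


# Constructed sample flows: a client pointed at 8.8.8.8, a normal Umbrella lookup, and HTTPS.
SAMPLE_FLOWS = [("udp", "8.8.8.8", 53), ("tcp", "8.8.8.8", 53),
                ("udp", "208.67.222.222", 53), ("tcp", "93.184.216.34", 443)]


def audit(rules):
    """Map each sample flow to the action the rule set yields."""
    return {flow: evaluate(rules, *flow) for flow in SAMPLE_FLOWS}


UDP_ONLY = dns_policy(["udp"])      # gap: TCP/53 to 8.8.8.8 falls through to the default allow
BOTH = dns_policy(["udp", "tcp"])   # tightened: DNS over either transport only reaches Umbrella

if __name__ == "__main__":
    for name, rules in (("udp-only", UDP_ONLY), ("udp+tcp", BOTH)):
        print(name, audit(rules))
```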

Philip,


Thanks for the reply. I'm aware of TCP/UDP; however, when I ran Wireshark on my laptop from the network, it was passing the traffic over UDP. I will investigate Group Policy settings next. Appreciate your time and attention on this!


Doug
