No policy show on clients on network-wide menu

Japimil
Just browsing

Hello, I have a combined network in my organization with an MX84 as firewall.

The problem is when I try to apply a group policy to a client: I go to the Network-wide menu, Clients tab, and select my client. When I go there, I don't see the policy section to apply the group policy or block the client.

Adam
Kind of a big deal

Can you provide a screenshot?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
RodrigoC
Meraki Employee

Hi @Japimil,

Can you see the policy section on the client page if you select 'only security appliance clients' in the following drop-down?

[Image: client_dropdown.png]

Japimil
Just browsing

Yes, I can see it, but I can't see all my clients.

I need to apply it to a client that is behind an MS225 switch, which has the layer 3 interface for the network.

RodrigoC
Meraki Employee

Ah!

So the issue is going to be that combined networks track clients by MAC address and your L3 switch is creating an L3 boundary between the client and the MX.

THIS KB has more info as to why the problem is occurring as well as instructions on how to fix it. To summarize, having an L3 switch between your clients and MX means that all traffic sent through that L3 switch will show with the switch's MAC address as the source (normal L3 boundary behavior) on the MX's side. Since the network is tracking clients based on their MAC address, this means that the MX thinks all traffic coming through the switch belongs to the switch and not individual clients.

To fix this issue, all that needs to happen is the following:

1) Split the MX into its own network [Relevant KB] (Switch, APs, etc. can remain combined)

2) Set MX's network to track by IP [Relevant KB]

3) MX should now be able to identify clients based on their unique IPs rather than MAC address and you should be able to assign per-client policy

NOTE: For this to be effective, you will want clients to keep their IP addresses. Static IPs or fixed DHCP IP assignments are definitely recommended.

Hope this helps! 😃 
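
A simplified model of the behaviour described in the reply above, added here as an illustration (it is not code from the thread and not Meraki's implementation). It shows why MAC tracking collapses every client behind a routed hop into one entry, and why the NOTE about stable IPs matters: with IP tracking a policy follows the address, not the device. All MAC and IP values, names and the `blocked` policy label are constructed.

```python
from dataclasses import dataclass, replace

SWITCH_MAC = "aa:aa:aa:00:00:01"  # constructed MAC of the L3 switch uplink

@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str

def route(frame, router_mac=SWITCH_MAC):
    """A routed hop re-frames the packet: source MAC becomes the router's,
    the source IP in the packet header is left unchanged."""
    return replace(frame, src_mac=router_mac)

def identity(frame, track_by):
    """Key the firewall uses to recognise a client: 'mac' or 'ip'."""
    return frame.src_mac if track_by == "mac" else frame.src_ip

def client_table(frames, track_by):
    """Distinct clients the firewall believes it has seen."""
    return {identity(f, track_by) for f in frames}

def policy_for(frame, policies, track_by):
    """Per-client policy lookup; unknown clients get 'default'."""
    return policies.get(identity(frame, track_by), "default")

# Constructed clients sitting behind the L3 switch.
LAPTOP = Frame("02:00:00:00:00:0a", "10.0.20.10")
PRINTER = Frame("02:00:00:00:00:0b", "10.0.20.11")
KIOSK = Frame("02:00:00:00:00:0c", "10.0.20.12")

def seen_by_firewall():
    """Frames as they arrive at the firewall after crossing the routed hop."""
    return [route(f) for f in (LAPTOP, PRINTER, KIOSK)]

def lease_churn_demo():
    """A policy pinned to the kiosk's IP; DHCP later hands that IP to the
    laptop and gives the kiosk a new one. Returns (laptop, kiosk) policy."""
    policies = {KIOSK.src_ip: "blocked"}
    laptop_after = route(Frame(LAPTOP.src_mac, KIOSK.src_ip))
    kiosk_after = route(Frame(KIOSK.src_mac, "10.0.20.37"))
    return (policy_for(laptop_after, policies, "ip"),
            policy_for(kiosk_after, policies, "ip"))

if __name__ == "__main__":
    print("track by MAC:", client_table(seen_by_firewall(), "mac"))
    print("track by IP: ", sorted(client_table(seen_by_firewall(), "ip")))
    print("after lease churn (laptop, kiosk):", lease_churn_demo())
```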

Japimil
Just browsing

I had that configuration at first, but we are trying to configure AD integration for group policy assignment on the MX84 and it is not working.

I opened a case with support and they told me to combine the network, because if you do MAC tracking you get the name of the PC.

The main problem is that the firewall must be the perimeter firewall of my organization and all branch offices go to the internet behind this firewall (branches are connected by an MPLS network), so making all computers static IP (we have lots of employees with mobility) is not a valid option at this time, sorry.

Is there some roadmap for this?

Japimil
Just browsing

With no policy:

[Image: no policy.JPG]

Same corporate network with policy:

[Image: with policy.JPG]
