Meraki

Community

No policy show on clients on network-wide menu

Japimil
Just browsing
‎Dec 11 2017 6:03 AM
‎Dec 11 2017 6:03 AM

No policy show on clients on network-wide menu

Hello, i have a combined network in my organization with a MX84 as firewall.

The problem is when i try to apply a group policy to a client and i enter to network.wide menu, client tab and i select my client. When i go i dont see the policy section to apply the group policy or block the client.

0 Kudos
6 Replies 6
Adam
Kind of a big deal
‎Dec 11 2017 7:31 AM
‎Dec 11 2017 7:31 AM

Can you provide a screenshot?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
In response to Adam
RodrigoC
Meraki Employee
Meraki Employee
‎Dec 11 2017 8:52 AM
‎Dec 11 2017 8:52 AM

Hi @Japimil,

 

Can you see the policy section on the client page if you select 'only security appliance clients' in the following drop-down?

 

client_dropdown.png

0 Kudos
In response to RodrigoC
Japimil
Just browsing
‎Dec 11 2017 8:59 AM
‎Dec 11 2017 8:59 AM

Yes i can see it, but cant see all my clients.

I need apply to a client that is behind a MS225 switch, wich have the layer 3 interface for the network

0 Kudos
In response to Japimil
RodrigoC
Meraki Employee
Meraki Employee
‎Dec 11 2017 10:57 AM
‎Dec 11 2017 10:57 AM

Ah!

 

So the issue is going to be that combine networks track clients by MAC address and your L3 switch is creating a L3 boundary between the client and the MX.

 

THIS KB has more info as to why the problem is occurring as well as instructions on how to fix it. To summarize, having a L3 switch between your clients and MX means that all traffic sent through that L3 switch will show with the switch's MAC address as the source (Normal L3 boundary behavior) on the MX's side. Since the network is tracking clients based on their MAC address, this means that the MX thinks all traffic coming through the switch belongs to the switch and not individual clients.

 

To fix this issue, all that needs to happen is the following:

1 ) Split the MX into its own network [Relevant KB] (Switch, APs, etc. can remain combined)

2) Set MX's network to track by IP [Relevant KB]

3 ) MX should now be able to identify clients based on their unique IPs rather than MAC address and you should be able to assign per client policy

 

NOTE: For this to be effective, you will want clients to keep their IP addresses. Static IPs or fixed DHCP IP assignments are definitely recommended

 

Hope this helps! 😃 

0 Kudos
In response to RodrigoC
Japimil
Just browsing
‎Dec 12 2017 12:10 AM
‎Dec 12 2017 12:10 AM

I have that configuration at first but we are trying to config AD integration for group policy assignment at MX84 and not working.

I open a case with support and tell me to combine the network because if you do a mac tracking you get the name of PC.

Principal problem is that firewall must be the perimeter firewall of my organization and all branch office go to internet behind this firewall (branch are connected by MPLS network) so make all computer static ip (we have lots of employee with mobility) is not a valid option this time sorry.

 

¿Is some roadmap for this?

 

0 Kudos
In response to Adam
Japimil
Just browsing
‎Dec 11 2017 8:57 AM
‎Dec 11 2017 8:57 AM

With no policyno policy.JPG

 

Same corporative network with policy:

with policy.JPG

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.