Per VLAN Content Policies

AndyGray
Here to help

Hi Meraki folks

My first post! I'm a network engineer for a UK charity who're about to embark on a rollout of MXs to all our sites, moving from MPLS and centralised firewall to direct internet access and distributed security/SD-WAN. It's a big project with tight timescales but it's a real opportunity to optimise the network for our migration of all our applications to the cloud. All to be completed in 2019 - no pressure then! But we're excited to be joining the Meraki family.

My question is - can the MX only support one Content Policy? If I want to provide different content controls on a per-VLAN basis, are Layer 7 firewall group policies and a VLAN to group mapping the only way to do it?

Also, it would be really handy to apply more than one IP address to an MX internal L3 interface to aid transition from our old to new WAN termination - what would be a secondary IP address in traditional Cisco. Does the MX support anything like that?

Thanks in advance.


Andy Gray

3 Replies
jdsilva
Kind of a big deal

Hey @AndyGray,

You can create custom policies via a Group Policy, and apply the GP to a VLAN to do what you're asking.

https://documentation.meraki.com/MX/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...

You can't do secondary addresses on an MX. Only just create multiple VLANs with their own IP addresses. 

charles07
Getting noticed

Hi Andy,

Can the MX only support one Content Policy? - Yes

  1. Go to Network-wide > Configure > Group policies
  2. In "Blocked website categories" choose override
  3. Similar for "Blocked URL patterns" and "Whitelisted URL patterns" if required
  4. Click Save Changes

Applying the above Group Policy to a VLAN:

  5. Go to Security appliance > Configure > Addressing & VLANs
  6. Select the Group policy from the drop-down and save changes

Apply more than one IP address to an MX internal L3 interface - No No No

A workaround you can try is "1:1 NAT or 1:many NAT to internal addresses"

Cmiller
Building a reputation