Meraki

Community

Restricting DNS Firewall Rules and Management Traffic

passta
Just browsing
‎Jul 3 2021 9:13 AM
‎Jul 3 2021 9:13 AM

Restricting DNS Firewall Rules and Management Traffic

Hello.  I am trying to accomplish the following:

 

Here is my setup

MX100

MS390 all networks are L3 on the 390.

4 MR45 AP's off the 390.

 

I'm trying to use the MX outbound firewall to block DNS unless it is specifically pointed at the internal DNS.  I created 4 outbound rules in order from 1st to last, 2 rules to allow DNS UDP/TCP out from my internal DNS servers, and 2 rules to block all TCP/UDP DNS from any to any, last rule is allow all.    

 

This seems to be working fine, I can test when the rules are enabled, that I am only able to resolve DNS from our internal servers as desired.   What is weird, is the summary pages for my MS and MR's, are all saying that DNS is not configured correctly shortly after I enable the rules.    These devices are all getting Management IP's via DHCP, and the Management VLAN DHCP Server on the MS is configured with our internal DNS servers.  I can see the right DNS IP's are being picked up on the summary page for each AP and the MS390.  Not sure what is up, if its something with the FW rules all on the MX and I am doing all L3 at the MS390?

0 Kudos
5 Replies 5
ww
Kind of a big deal
Kind of a big deal
‎Jul 3 2021 12:31 PM
‎Jul 3 2021 12:31 PM

I would allow the management subnet (or ip from the meraki ap/switch) to access any any.  Meraki does some health checks, dns lookups, reverse dns lookups, some kind of ping on port 53 to 8.8.8.8

In response to ww
passta
Just browsing
‎Jul 6 2021 8:04 AM
‎Jul 6 2021 8:04 AM

I tried that, and it did fix the DNS errors on all of the AP's, but the switch is still showing DNS as misconfigured.   I'm wondering if it's just an issue with the switch or something, because I have tried completely disabling the rules I put in place and the switch always reports DNS misconfiguration.   Even after a reboot.    

0 Kudos
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jul 3 2021 2:10 PM
‎Jul 3 2021 2:10 PM

What DNS is your MX using? I try and get our customers to place their Meraki devices in a separate mgmt VLAN and then point their DNS to Cisco Umbrella.  I don’t like relying on their internal DNS. We then know exactly what to open on the firewall and takes reliance off their internal infrastructure.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
In response to DarrenOC
passta
Just browsing
‎Jul 6 2021 8:06 AM
‎Jul 6 2021 8:06 AM

MX is using basically my ISP DNS.  MX is behind my ATT Gateway in Bridge mode.   

0 Kudos
In response to passta
Bruce
Kind of a big deal
‎Jul 6 2021 3:23 PM
‎Jul 6 2021 3:23 PM

@passta, is your management VLAN being issued IP addresses from the DHCP server on the MS390 stack, and is the the MS390 switch stack receiving its IP address from itself? If so, this might be causing the DNS mis-configuration error. There is this caveat regarding management IP addresses and Layer 3 addresses, “The management interface for a switch (stack) performing L3 routing cannot have a configured gateway of one of its own L3 interfaces”. You might need to reconfigure your network so the management VLAN has its Layer 3 interface on the MX.

 

Reference: https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_and_Routing, Layer 3 Interface Caveats

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.