Where is the ACL settings in group policy applied, and what does it override ?

thomasthomsen
Head in the Cloud


So... I was thinking...

If I create a Group policy with "custom network firewall and shaping rules" what happens ?

I know that if I apply this manually, directly to a VLAN interface on an MX, it will override the ACLs in the global MX firewall setting.

But if I apply this GP to a client, on a switch or AP, using Filter-ID in the dot1x RADIUS response, does it still override the MX global firewall settings?

(My thought process was that applying the GP will only affect the device it's connected to (switch / AP), so having e.g. a "deny local LAN" IP ACL and "permit any any" in the GP, the global firewall (up the stack) will still take effect on the GP "permit any any" traffic.)

I just wonder, and can't quite seem to find any documentation.


10 Replies
RaphaelL
Kind of a big deal

I would expect the L3 firewall from the GP to override the one from the network

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Troubleshooting_Gr...

PhilipDAth
Kind of a big deal

This.

"I would expect the L3 firewall from the GP to override the one from the network" - does this translate to: "The L3 ACL in the GP, for a client on a switch, will override the MX ACL"? - Just to be 100% sure.

As long as the client's default gateway is the MX.

GIdenJoe
Kind of a big deal

It depends how the group policy is applied.

If you use RADIUS on a switch with Filter-ID then it will only be used as a port ACL.
If you set a group policy on a VLAN then it will be the default of that VLAN and will apply it on the MX.
If you set it on a client then it depends if it is a wired or wireless client. Wireless clients are enforced on the AP directly and wired clients are enforced on the MX itself.

Important notice is that group policy L3/4 rules are stateless, so this can give issues where you still need VLAN-to-VLAN communication. There have been talks about adding the "established" keyword, like security ACLs on Cisco switches have, to allow for returning traffic only.
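To illustrate the stateless point above, here is an added example that is not from the thread or from Meraki: a small model that evaluates one rule set per packet in isolation (stateless) and the same rule set with tracking of allowed flows (the "established" behaviour). The rules, subnets and port numbers are constructed; the "first match wins, default allow" semantics are an assumption of the model, not a statement about how any particular switch implements it.

```python
# Constructed model of stateless vs. flow-aware ACL evaluation (not vendor code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    dport: Optional[int] = None   # None matches any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def _in(addr, cidr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr)

def matches(rule, pkt):
    return (_in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def stateless(rules, pkt, default="allow"):
    """Each packet judged on its own: first matching rule wins (assumed default allow)."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default

def stateful(rules, pkt, flows):
    """Same rules, but replies to a flow that was already allowed are admitted."""
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in flows:
        return "allow"                      # return traffic of an established flow
    verdict = stateless(rules, pkt)
    if verdict == "allow":
        flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    return verdict

# Constructed rule set: permit the client subnet to one server on 443,
# deny everything else that stays inside the private LAN, allow the rest.
GP_RULES = [Rule("allow", "10.10.0.0/24", "10.20.0.9/32", 443),
            Rule("deny", "10.0.0.0/8", "10.0.0.0/8"),
            Rule("allow", "any", "any")]
REQUEST = Packet("10.10.0.5", "10.20.0.9", 51000, 443)   # client -> server
REPLY = Packet("10.20.0.9", "10.10.0.5", 443, 51000)     # server -> client

def demo():
    flows = set()
    return {"stateless": (stateless(GP_RULES, REQUEST), stateless(GP_RULES, REPLY)),
            "stateful": (stateful(GP_RULES, REQUEST, flows), stateful(GP_RULES, REPLY, flows))}
```

With stateless evaluation the request is allowed but the reply hits the LAN deny rule; with flow tracking both directions pass, which is the gap the "established" keyword is meant to close.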

PhilipDAth
Kind of a big deal

I don't believe it will act as a port ACL. Group Policy ACLs can only be processed by an MX. MS completely ignores them.

So, from these answers, I guess I will have to test it out to be sure 🙂

I really hope that it will apply as a "Port ACL" (let's use that terminology 🙂) when using 802.1x on MR and MS. But my "hopes" are not always, eeehh, correct 🙂

Hey, Philip is kinda wrong in this case 😜 sorry. The MS can use group policy ACLs, but only if they are applied as a Filter-ID in a RADIUS response. When you look at your client in dashboard you can actually have a group policy applied AND an 802.1X group policy. It even lists it that way.

The switch can only use the L3/4 firewall rules of course.
So in fact you can see it as being applied as a Filter-ID on a Catalyst switch, so in essence a session-based port ACL.

You do have to read the documentation about this, especially about the limitations. You can't have many rules with L4 ports since the TCAM space on regular MS switches is more limited than Catalyst hardware.

https://documentation.meraki.com/MS/Access_Control/Meraki_MS_Group_Policy_Access_Control_Lists

PhilipDAth
Kind of a big deal

Thank you for the lesson! I last tried this about 5 years ago. It seems they have moved the group policy rule processing further down the stack.

GIdenJoe
Kind of a big deal

No problem 😉 I believe this feature is about a year old now.
