So... I was thinking...
If I create a Group Policy with "custom network firewall and shaping rules", what happens?
I know that if I apply this manually, directly to a VLAN interface on an MX, it will override the ACLs in the global MX firewall setting.
But if I apply this GP to a client, on a switch or AP, using Filter-ID in the dot1x RADIUS response, does it still override the MX global firewall settings?
(My thought process was that applying the GP will only affect the device it's connected to (switch / AP), so having, e.g., a deny local LAN IP ACL and permit any any in the GP, the global firewall (up the stack) will still take effect on the GP permit any any traffic.)
I just wonder, and can't quite seem to find any documentation.
I would expect the L3 firewall from the GP to override the one from the network
This.
"I would expect the L3 firewall from the GP to override the one from the network" - does this translate to: "The L3 ACL in the GP, for a client on a switch, will override the MX ACL"? - Just to be 100% sure.
As long as the client's default gateway is the MX.
It depends how the group policy is applied.
If you use radius on a switch with Filter-ID then it will only be used as a port ACL.
If you set a group policy on a VLAN then it will be the default of that VLAN and will apply it on the MX.
If you set it on a client then it depends if it is a wired or wireless client. Wireless clients are enforced on the AP directly and wired clients are enforced on the MX itself.
An important note is that group policy L3/4 rules are stateless, so this can give issues where you still need VLAN-to-VLAN communication. There have been talks about adding the "established" keyword, like security ACLs on Cisco switches have, to allow for returning traffic only.
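To make the statelessness caveat concrete, here is an added simulation (not Meraki code, and not from this thread) of a first-match L3/L4 rule set evaluated per packet versus with flow tracking, plus a Cisco-style "established" rule as the stateless workaround. The rule syntax, the VLAN 10/20 addresses and the packets are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:  # constructed 5-tuple, not a real capture
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"SYN"} or {"ACK"}

@dataclass(frozen=True)
class Rule:  # simplified L3/L4 rule; this syntax is a stand-in, not Meraki's
    action: str  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = 0  # 0 = any port
    established: bool = False  # Cisco-style: match only TCP packets carrying ACK or RST

def matches(rule, pkt):
    in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and rule.proto in ("any", pkt.proto) and rule.dport in (0, pkt.dport)
            and (not rule.established or (pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"}))))

def stateless(rules, pkts):
    """First matching rule wins and every packet is judged alone: the reply is not remembered."""
    return [next((r.action for r in rules if matches(r, p)), "deny") for p in pkts]

def stateful(rules, pkts):
    """Same rules, but a reply to a flow that was already allowed passes without its own rule."""
    flows, verdicts = set(), []
    for p in pkts:
        if (p.dst, p.src, p.proto, p.dport, p.sport) in flows:
            verdicts.append("allow")
            continue
        v = next((r.action for r in rules if matches(r, p)), "deny")
        if v == "allow":
            flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
        verdicts.append(v)
    return verdicts

# Constructed scenario: a VLAN 10 client may reach one HTTPS server in VLAN 20 and the Internet, nothing else on the LAN.
POLICY = [Rule("allow", "192.168.10.0/24", "192.168.20.7/32", "tcp", 443),
          Rule("deny", dst="192.168.0.0/16"),  # block the rest of the local LAN
          Rule("allow")]                       # permit any any
SYN = Packet("192.168.10.5", "192.168.20.7", "tcp", 51234, 443, frozenset({"SYN"}))
REPLY = Packet("192.168.20.7", "192.168.10.5", "tcp", 443, 51234, frozenset({"SYN", "ACK"}))
# The stateless workaround: an "established" rule admits replies but not new connections from the server side.
POLICY_EST = POLICY[:1] + [Rule("allow", "192.168.20.0/24", "192.168.10.0/24", "tcp", established=True)] + POLICY[1:]
NEW_FROM_SERVER = Packet("192.168.20.7", "192.168.10.5", "tcp", 40000, 22, frozenset({"SYN"}))
```

Run `stateless(POLICY, [SYN, REPLY])` and the server's SYN-ACK is denied by the LAN rule, while `stateful` lets it through; with `POLICY_EST` the reply passes but a fresh SYN from the server is still denied.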
I don't believe it will act as a port ACL. Group Policy ACLs can only be processed by an MX. MS completely ignores them.
So, from these answers, I guess I will have to test it out to be sure 🙂
I really hope that it will apply as a "Port ACL" (let's use that terminology 🙂) when using 802.1X on MR and MS. But my "hopes" are not always, eeehh, correct 🙂
Hey, Philip is kinda wrong in this case 😜 sorry. The MS can use group policy ACLs, but only if they are applied as a Filter-ID in a RADIUS response. When you look at your client in dashboard you can actually have a group policy applied AND an 802.1X group policy. It even lists it that way.
The switch can only use the L3/4 firewall rules of course.
So in fact you can see it as being applied as a Filter-ID on a Catalyst switch so in essence a session based port ACL.
You do have to read the documentation about this especially about the limitations. You can't have many rules with L4 ports since the TCAM space on regular MS switches is more limited than Catalyst hardware.
https://documentation.meraki.com/MS/Access_Control/Meraki_MS_Group_Policy_Access_Control_Lists
Thank you for the lesson! I last tried this about 5 years ago. It seems they have moved the group policy rule processing further down the stack.
No problem 😉 I believe this feature is about a year old now.