Meraki

Community

Where is the ACL settings in group policy applied, and what does it override ?

thomasthomsen
Kind of a big deal
‎Apr 18 2024 6:31 AM
‎Apr 18 2024 6:31 AM

Where is the ACL settings in group policy applied, and what does it override ?

So .. I was thinking......

If I create a Group policy with "custom network firewall and shaping rules" what happens ?

I know that if I apply this manually, directly to a VLAN interface on an MX, it will override the ACLs in the global MX firewall setting.

But if I apply this GP to a client, on a switch or AP, using Filter-ID in the dot1x radius response, does it still override the MX global firewall settings ?

(My thought process was that applying the GP will only affect the device its connected to (switch / AP), so having a fx. deny local LAN IP ACL and permit any any in the GP, the global firewall (up the stack) will still take effect on the GP permit any any traffic.)

I just wonder, and cant quite seem to find any documentation.

 

0 Kudos
10 Replies 10
RaphaelL
Kind of a big deal
Kind of a big deal
‎Apr 18 2024 8:43 AM
‎Apr 18 2024 8:43 AM

I would expect the L3 firewall from the GP to override the one from the network

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Troubleshooting_Gr...

In response to RaphaelL
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 18 2024 2:33 PM
‎Apr 18 2024 2:33 PM

This.

0 Kudos
In response to RaphaelL
thomasthomsen
Kind of a big deal
‎Apr 18 2024 11:07 PM
‎Apr 18 2024 11:07 PM

"I would expect the L3 firewall from the GP to override the one from the network" - does this translate to  : "The L3 ACL in the GP, for an client on a switch,  will override the MX ACL" ? - Just to be 100% sure.

0 Kudos
In response to thomasthomsen
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 19 2024 11:27 AM
‎Apr 19 2024 11:27 AM

As long as the clients default gateway is the MX.

0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Apr 21 2024 1:50 AM
‎Apr 21 2024 1:50 AM

It depends how the group policy is applied.

If you use radius on a switch with Filter-ID then it will only be used as a port ACL.
If you set a group policy on a VLAN then it will be the default of that VLAN and will apply it on the MX.
If you set it on a client then it depends if it is a wired or wireless client.  Wireless clients are enforced on the AP directly and wired clients are enforced on the MX itself.

Important notice is that group policy L3/4 rules are stateless so this can give issues where you still need vlan to vlan communication.  There have been talks about adding the "established" keyword like security ACL's on Cisco switches have to allow for returning traffic only.

0 Kudos
In response to GIdenJoe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 21 2024 1:55 AM
‎Apr 21 2024 1:55 AM

I don't believe it will act as a port ACL.  Group Policy ACLs can only be processed by an MX.  MS completely ignores them.

0 Kudos
In response to PhilipDAth
thomasthomsen
Kind of a big deal
‎Apr 23 2024 4:29 AM
‎Apr 23 2024 4:29 AM

So, from these answers, I guess I will have to test it out to be sure 🙂

I really hope that it will apply as a "Port ACL" (let's use that terminology 🙂 ) when using 802.1x on MR and MS. But my "hopes" are not always , eeehh, correct 🙂

0 Kudos
In response to thomasthomsen
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Apr 23 2024 7:19 AM
‎Apr 23 2024 7:19 AM

Hey, Philip is kinda wrong in this case 😜 sorry.  The MS can use group policy ACL's but only if they are applied as a Filter-ID in a Radius response.  When you would look at your client in dashboard you can actually have a group policy applied AND a 802.1X group policy.  It even lists it that way.

The switch can only use the L3/4 firewall rules of course.
So in fact you can see it as being applied as a Filter-ID on a Catalyst switch so in essence a session based port ACL.

You do have to read the documentation about this especially about the limitations.  You can't have many rules with L4 ports since the TCAM space on regular MS switches is more limited than Catalyst hardware.

https://documentation.meraki.com/MS/Access_Control/Meraki_MS_Group_Policy_Access_Control_Lists

0 Kudos
In response to GIdenJoe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 23 2024 12:15 PM
‎Apr 23 2024 12:15 PM

Thank you for the lesson!  I last tried this about 5 years ago.  It seems they have moved the group policy rule processing further down the stack.

0 Kudos
In response to PhilipDAth
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Apr 24 2024 11:32 AM
‎Apr 24 2024 11:32 AM

No problem 😉  I believe this feature is about a year old now.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.