what's the most efficient way to block this vlan from other vlans?

trunolimit

So here is a list of vlans I have. I need to keep them all from talking to each other but still access the internet. What's the most efficient way to accomplish this?

 

[screenshot of the VLAN list, not reproduced]

Jwiley78

Do they need to talk to other devices on the same subnet?

 

You could play around with some deny statements and try to summarize the subnets.

trunolimit

there is 1 printer that they all need to talk to but i think that could be handled by a single allow statement.

PhilipDAth

Create a group policy and apply it directly to the VLAN.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Creating_and_Applyin... 

 

In that group policy create layer 3 firewall rules denying access to the other VLANs.  Depending on what the VLAN needs to talk to, you might be able to just block access to 10.0.0.0/8 and 192.168.1.0/24.

trunolimit

So here's a question:

 

you think it's less resource intensive to implement group policies rather than a bunch of firewall rules?

 

> you think it's less resource intensive to implement group policies rather than a bunch of firewall rules?

 

I'm not sure it makes any difference to resource utilisation - but it is much easier to manage. You have one place to look at to understand all the firewall rules acting on the VLAN.

 

If you end up with 10 VLANs and firewall rules for each and you try and use the global rules - it becomes a nightmare to make changes.

 

 

Meraki OS is a Linux-based derivative. The Linux kernel has two major firewall filtering engines. I suspect bpfilter may be used, but this is a pretty deep kernel-layer concept that most people configuring Linux firewall rules would not be aware of.

bpfilter itself compiles the rules presented to it, and how you configure firewall rules is far removed from how the kernel processes them. If everything is using bpfilter then whether you are using "vlan" or "global" based firewall rules is simply a GUI concept and bears no relation to how the kernel is processing those rules. I suspect the resource usage would be almost identical based on this.

https://linux-audit.com/bpfilter-next-generation-linux-firewall/ 

colinster

If you want to do this on the MX, I'd suggest first adding your printer access rule. Then just add rules to block all LAN access for 10.0.0.0/19, 172.16.0.0/12, 192.168.0.0/16

 

[screenshot of the MX L3 firewall rules, not reproduced]

 

Also, I did have to deny Local LAN access on the MR access points firewall to block communication between clients on the same VLAN. Just set "Deny - Any - Local LAN" on the L3 firewall rules. You can also enable L2 LAN isolation (not sure if that's still beta).

[screenshot of the MR L3 firewall rule, not reproduced]

 

Colin Lowenberg
wireless engineer and startup founder, formerly known as "the API guy", now I run a Furapi, the therapy dog service, and Lowenberg Labs, an IT consulting company.
jdsilva

I humbly submit the following as my solution to this problem:

 

[screenshot of the single-line MX L3 firewall rule, not reproduced]

 

The parts that are cut off are "10.0.0.0/8,192.168.0.0/16" in both the Source and Destination fields. This single line ACL will prevent all of your subnets from talking to each other, while allowing all your subnets to talk to the Internet. 
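As an added worked example (not code from any post in this thread, and not Meraki's own software), here is the rule set colinster and jdsilva describe, written in the JSON shape the Meraki Dashboard API uses for MX L3 outbound firewall rules, and evaluated top-down against a few constructed flows. The VLAN subnets and the printer address 10.0.10.50 are assumptions for illustration. It also shows the two points raised above: the printer allow has to sit above the RFC 1918 deny or the deny shadows it, and traffic between two hosts on the same VLAN never transits the MX, so no MX rule can block it.

```python
import ipaddress

# Rule set modelled on the Meraki Dashboard API's MX L3 outbound firewall
# rules (srcCidr/destCidr take "Any" or a comma-separated list of CIDRs).
# The API shape is an assumption for this example; addresses are constructed.
PRINTER = "10.0.10.50/32"                               # assumed shared printer
RFC1918 = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"     # all private space

RULES = [
    {"comment": "every VLAN may reach the shared printer",
     "policy": "allow", "protocol": "any",
     "srcCidr": RFC1918, "srcPort": "Any",
     "destCidr": PRINTER, "destPort": "Any", "syslogEnabled": False},
    {"comment": "block inter-VLAN traffic (the one-line ACL from the thread)",
     "policy": "deny", "protocol": "any",
     "srcCidr": RFC1918, "srcPort": "Any",
     "destCidr": RFC1918, "destPort": "Any", "syslogEnabled": False},
    # The MX appends an implicit "allow any" after the last configured rule,
    # which is what lets every VLAN reach the Internet.
]

# Assumed VLAN subnets, used only to decide whether a flow is routed at all.
VLAN_SUBNETS = ["10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"]


def _cidr_match(field: str, addr: str) -> bool:
    """True if addr falls inside any CIDR in a Meraki-style srcCidr/destCidr field."""
    if field == "Any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c.strip(), strict=False)
               for c in field.split(","))


def evaluate(rules, src: str, dst: str) -> str:
    """First matching rule wins; the implicit default is 'allow'."""
    for rule in rules:
        if _cidr_match(rule["srcCidr"], src) and _cidr_match(rule["destCidr"], dst):
            return rule["policy"]
    return "allow"


def transits_mx(src: str, dst: str, subnets=VLAN_SUBNETS) -> bool:
    """Intra-subnet traffic is switched, not routed, so the MX never sees it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(s in ipaddress.ip_network(n) and d in ipaddress.ip_network(n)
                   for n in subnets)


def verdict(rules, src: str, dst: str) -> str:
    """What actually happens to a flow: MX policy, or 'not filtered by MX'."""
    if not transits_mx(src, dst):
        return "not filtered by MX (same VLAN)"
    return evaluate(rules, src, dst)


if __name__ == "__main__":
    # Constructed sample flows: (source host, destination host, description)
    flows = [
        ("10.0.20.15", "10.0.10.50", "VLAN 20 host -> shared printer"),
        ("10.0.20.15", "10.0.30.7",  "VLAN 20 host -> VLAN 30 host"),
        ("10.0.20.15", "8.8.8.8",    "VLAN 20 host -> Internet"),
        ("10.0.20.15", "10.0.20.99", "VLAN 20 host -> VLAN 20 host"),
    ]
    print("correct order (printer allow above the deny):")
    for src, dst, what in flows:
        print(f"  {what:32} {verdict(RULES, src, dst)}")

    # Swap the two rules: the broad deny now matches the printer first.
    print("wrong order (deny above the printer allow):")
    for src, dst, what in flows:
        print(f"  {what:32} {verdict(list(reversed(RULES)), src, dst)}")
```

Running it shows the printer reachable, other VLANs denied, and the Internet allowed with the rules in the order the thread recommends; with the order reversed the printer flow is denied because the RFC 1918 deny matches first. The same-VLAN flow is reported as unfiltered either way, which is why the MR "Deny Local LAN" rule or L2 isolation was needed for client-to-client traffic on one VLAN.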

trunolimit

wouldn't this block all access on the LAN? even access to the default gateway?

jdsilva


> @trunolimit wrote:
> wouldn't this block all access on the LAN? even access to the default gateway?

Nope. You cannot block, even with an explicit dedicated rule, traffic to and from the MX IP address itself. 

 

Intra-subnet traffic, i.e. between hosts on the same VLAN, does not transit the MX, and therefore it cannot block it. 

No, the MX is the gateway for the VLAN in this architecture so they can reach it already. I just tested it on my own network and was able to post here. I was however able to ping clients on the same VLAN, so I added the suggestion for MR firewall rules as well.
Colin Lowenberg
jdsilva

Oh, sorry @colinster! My solution is just a repeat of your solution, just on one line. I like the way you think!

I gotta give you credit though. I forgot you can add commas to simplify rules. I fixed my mistake after seeing your genius simplification. Also I expanded the solution to include all of the private subnets, you know, just in case. 10.0.0.0/19, 172.16.0.0/12, 192.168.0.0/16
Colin Lowenberg