Network security via Switch firewall/ACL?
What is the recommended best way to securely allow/deny access to a specific host on a network using a Meraki MS250 switch?
I have a site with two separate networks (Trusted network LAN A & Untrusted network LAN B), but I require to access a single host (IIS server) on the untrusted network from a small number of hosts on the trusted network.
The firewalls are not Meraki and inbound traffic is not permitted through firewall B so I am looking to secure access at the Meraki switch/port.
A very-simplified diagram is as follows:
Requirements:
- There is no routing/other traffic between LAN A & LAN B.
- Only specific hosts on LAN A (e.g. PC A1, PC A2) can access the server's LAN A address, and I would like to restrict this further to specific ports (i.e. HTTP/HTTPS).
- Unless specified, no other hosts (e.g. PC A3) on LAN A can access the server.
- The server cannot access any other devices on LAN A.
The server has multiple NICs, so one (simpler?) option is to configure a network card for each network. Would I be better off configuring an ACL at the switching level, or creating a Group Policy/firewall at the network-wide level and applying that to the switch port?
Or would another option be to configure a dedicated VLAN/SVI for the server's connection to LAN A?
Appreciate any thoughts/suggestions
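The requirements above written as an ordered, stateless switch ACL and checked against constructed flows. This is an added example, not the poster's configuration or Meraki's own code: the addresses are placeholders, and first-match-wins with an implicit final allow is assumed, which is how Meraki documents MS switch ACLs (verify against the current documentation). It also adds the return-traffic rules the requirements list leaves out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addressing; none of these values come from the thread.
LAN_A = "10.10.0.0/24"
SERVER = "10.10.0.50/32"                       # the IIS server's NIC on LAN A
PC_A1, PC_A2, PC_A3 = "10.10.0.11/32", "10.10.0.12/32", "10.10.0.13/32"
WEB = (80, 443)

@dataclass(frozen=True)
class Rule:
    policy: str                  # "allow" | "deny"
    proto: str                   # "any" | "tcp" | "udp"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    sport: Optional[int] = None  # None = any source port
    dport: Optional[int] = None  # None = any destination port

    def matches(self, proto, src, dst, sport, dport):
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, sport)
                and self.dport in (None, dport))

def build_acl():
    """Ordered rule list: specific allows first, denies last, because the
    evaluation falls through to an implicit allow (assumed Meraki semantics)."""
    acl = []
    for pc in (PC_A1, PC_A2):
        for port in WEB:
            acl.append(Rule("allow", "tcp", pc, SERVER, dport=port))
            # Switch ACLs are stateless: the server's replies need their own rule.
            acl.append(Rule("allow", "tcp", SERVER, pc, sport=port))
    acl.append(Rule("deny", "any", LAN_A, SERVER))   # no other LAN A host reaches it
    acl.append(Rule("deny", "any", SERVER, LAN_A))   # server cannot initiate to LAN A
    return acl

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Policy of the first matching rule; falls through to the implicit allow."""
    for rule in acl:
        if rule.matches(proto, src, dst, sport, dport):
            return rule.policy
    return "allow"
```

The reply rules are the price of a stateless filter: anything the server sources from TCP 80/443 toward PC A1 or A2 is also allowed, which a stateful firewall would not need to permit. As the thread goes on to note, the ACL only has an effect on traffic the switch actually forwards, so it belongs on whichever device is the gateway for LAN A.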
Labels: ACLs
I see two possibilities: you can either configure ACLs directly on the Meraki MS250 switch to control traffic between LAN A and LAN B, or create and apply group policies (if the firewalls are MX), which can provide more granular control and can be applied to specific switch ports or VLANs.
Configuring ACLs - Cisco Meraki Documentation
Creating and Applying Group Policies - Cisco Meraki Documentation
Please, if this post was useful, leave your kudos and mark it as solved.
Thanks, but is there any particular reason I would choose one over the other?
If the firewall is the default gateway IP and you create the ACLs on the switch, there will be no effect, because the firewall is the one that forwards the traffic.
The same explanation applies to the switch if it is the gateway: all the traffic will be forwarded through it and not to the firewall.
When I refer to all the traffic, I mean LAN traffic; for whatever goes to the internet, I believe that your firewall is the default gateway for outgoing internet.
Did you get that?
Please, if this post was useful, leave your kudos and mark it as solved.
In your case, by topology, it is understood that the firewall is the gateway for these networks.
So you need to create the rules in both firewalls of network A and B.
Please, if this post was useful, leave your kudos and mark it as solved.
You can't apply a group policy to a switch port or a switch vlan. But I agree about using switch ACLs.
That's right, very well remembered, but I thought about that part taking into consideration that the Firewall could be an MX.
But I forgot to ask.
Please, if this post was useful, leave your kudos and mark it as solved.
Thanks, I wasn't aware of this, so it looks like ACLs are my best option.
Oh, one question I forgot, what is the default Gateway for these networks? The firewall or the switch?
If it is the firewall, you must configure the rules on it; if it is the switch, configure the rules on the switch.
Please, if this post was useful, leave your kudos and mark it as solved.
The default gateway for LAN A is the Meraki switch; the DG for LAN B is the firewall.
For all intents and purposes all network clients on LAN B are not aware of LAN A (apart from the server, but that would be on LAN A with the 2nd NIC connection)
So in LAN A you need to create the ACLs on the Switch and in LAN B on the firewall.
Please, if this post was useful, leave your kudos and mark it as solved.
