Post Isolation

Osberg
Here to help

Hi all,

So I have been playing around with the port isolation on the MS, and if you read the documentation, it would solve a lot of problems with communication on the network (if you read this nice article about it: New switch feature provides port isolation | Cisco Meraki Blog) ..... BUUUT hang on a bit.... Why is it that port isolation is only blocking from the same VLAN and not from all other VLANs?? I really can't see the use of this feature then.

Frankly I am shocked that Meraki would make this solution half and not make it 100% from the start.

In my mind what they should have done is block ALL traffic, incl. what is going over the SD-WAN (VPN), to these devices that are using port isolation. And if you wanted something to gain access to the devices, you make a firewall rule.

Is it only me that is seeing things like this, or does anybody else follow here 🙂 (crossing my fingers on this. :D)

@Meraki Can you maybe comment on this, if this feature will change or what your plans are. 🙂

Frank Osberg | Domain Architect @ Solar A/S
LinkedIn - Twitter
Found this helpful? Give me some Kudos! Much Thanks
5 Replies
Brash
Kind of a big deal

To me, this feature makes complete sense.

Port isolation can prevent communication between devices on the same L2.

Devices in different VLANs have to cross an L3 boundary somewhere in the network, so it makes more sense to apply ACLs or firewall rules there.

Osberg
Here to help

I can follow you on this, but "normally" you would have a default deny between VLANs if you are running with ACL / firewall rules.

But Meraki has chosen permit any, so you need to make rules for the traffic you want to deny here.

Quick example: if you do the same on a Fortinet setup and you enable port isolation there, you would have to enable the traffic you allow to the device, and not, as here, need to deny traffic from all other VLANs even on the same device, simply because you have a default deny rule that states this.

PhilipDAth
Kind of a big deal

This is a common feature across network brands, and Meraki has implemented it how it is normally done. This will help network engineers who work on other brands to easily transfer their knowledge and skills across.

>Why is it that port isolation is only blocking from the same VLAN and not from all other VLANs??

It is only used on access ports, which only have access to a single VLAN. To talk to any other VLAN you have to use the default gateway - and that is where restrictions should be done on inter-VLAN traffic.

Osberg
Here to help

Sorry to say, but I don't agree with you here..

Even though that traffic must pass the gateway, a better solution would be that you need to allow traffic and not need to deny... since the dawn of making normal firewall ACLs it has been like this.

Could be that this is the reason why Fortinet etc. has made the solution like this.. Allow never, block unless you need to?? 🙂

PauloSPCorreia
New here

Sorry for resurrecting an old post.

You're comparing a Layer 2 feature with a Layer 3 one.
An L2 port isolation makes the device only talk with the gateway.
If the gateway then has a rule to allow it to talk with other VLANs, then it will happen.
But understand that before getting to the gateway, port isolation will prevent any internal VLAN communication.
This is helpful to restrict access between devices or against having a bogus gateway inside the network.
The only thing I wish Meraki had is a port isolation whitelist, so if I have another server that is not an MX inside the VLAN, I could add it to the whitelist and be happy with it.
But yeah, if you need to restrict inter-VLAN comms you need to go to the FW tab and explicitly DENY it.
The difference between Fortigate and MX is that one starts with an explicit DENY ALL and the other starts with an explicit ALLOW ALL.
Which can be changed for both.
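The split the thread settles on (the switch decides same-VLAN flows, the gateway's policy decides routed flows, and MX versus Fortigate differ only in the default action) written out as a small added simulation. This is not Meraki's code or anything from the posts; the topology, the rule format and the simplification that an isolated port can reach only its gateway are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Port:
    name: str
    vlan: int
    isolated: bool = False    # switch-side "port isolation" enabled on this access port
    gateway: bool = False     # this port leads to the VLAN's L3 gateway (uplink)

@dataclass
class Rule:
    action: str               # "allow" or "deny"
    src_vlan: Optional[int]   # None matches any VLAN
    dst_vlan: Optional[int]

@dataclass
class Firewall:
    default_action: str       # MX-style default: "allow"; Fortigate-style: "deny"
    rules: List[Rule] = field(default_factory=list)

    def decide(self, src_vlan: int, dst_vlan: int) -> str:
        for r in self.rules:  # first matching rule wins
            if r.src_vlan in (None, src_vlan) and r.dst_vlan in (None, dst_vlan):
                return r.action
        return self.default_action

def can_talk(src: Port, dst: Port, fw: Firewall) -> Tuple[str, str]:
    """Return (decision, which layer made it) for a flow from src to dst."""
    if src.vlan == dst.vlan:
        # Same broadcast domain: the switch decides and the firewall never sees the flow.
        if src.gateway or dst.gateway:
            return "allow", "L2: isolated ports may still reach the gateway"
        if src.isolated or dst.isolated:
            return "deny", "L2: port isolation"  # assumed simplification (see lead-in)
        return "allow", "L2: same VLAN, no isolation"
    # Different VLANs: the flow must be routed, so the gateway's policy decides.
    return fw.decide(src.vlan, dst.vlan), "L3: firewall policy"

# Constructed sample topology: two isolated cameras in VLAN 10, one server in VLAN 20.
cam1 = Port("cam1", vlan=10, isolated=True)
cam2 = Port("cam2", vlan=10, isolated=True)
uplink = Port("uplink", vlan=10, gateway=True)
server = Port("server", vlan=20)

mx_style = Firewall(default_action="allow")        # permit any unless a deny rule exists
fortigate_style = Firewall(default_action="deny")  # nothing passes without an allow rule
mx_hardened = Firewall(default_action="allow", rules=[Rule("deny", None, 10)])

if __name__ == "__main__":
    for label, fw in [("mx", mx_style), ("fortigate", fortigate_style), ("mx+deny", mx_hardened)]:
        print(label, "cam1->cam2:", can_talk(cam1, cam2, fw), "server->cam1:", can_talk(server, cam1, fw))
```

Running it shows cam1->cam2 denied by the switch regardless of firewall, while server->cam1 is allowed on the MX-style policy until the explicit deny rule is added.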
