Using Group Policies within switching to limit VLAN access

Solved
GregErnest
Here to help

Using Group Policies within switching to limit VLAN access

I've run up against the 128 ACL limit, mainly because of the lack of port ranges. I have found that Group Policies don't have the port range restriction.  I have only MS switches and MR access points;  no MX firewalls.

 

1) Is there a limit to the number of Layer 3 firewall rules in a GP?  Or even a practical one?

 

2) I've added my PC's to a test deny rule to block a particular gaming website.  However, I can still resolve the URL.  I can even set it to Protocol "All" and it still resolves and doesn't block my pings.

 

Can I do what I would like to do with Group Policies on my switches?  Any advice would be appreciated.

 

GregErnest_0-1677528047014.png

 

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

Are you able to do this on whatever firewall you have instead?  I think that would be a better place for stopping access to web sites.

View solution in original post

11 Replies 11
alemabrahao
Kind of a big deal
Kind of a big deal

There is a limit of 3,000 clients that can have a group policy manually applied per network, but I don't know the maximum number of L3 rules entries that are supported.

 

If you are using group policy on MS switches, please refer to our documentation on MS Group Policy Access Control Lists for additional details, including supported hardware and software.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GregErnest
Here to help

Is that 3,000 for my whole network or or per GP?  I think you mean on my network, but I want to make sure I understand.

alemabrahao
Kind of a big deal
Kind of a big deal

It's per network.

 

I don't know if is the same for GP but all MR models can support a maximum of 1800 L3 firewall rules.

 

 

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/MR_Firewall_Rules

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GregErnest
Here to help

As I read it, that's 3000 between ACL rules, GP, and SSID rules. I still might hit that and therefore need to look for a different solution.

WirelesslyWired
Meraki Employee
Meraki Employee

@GregErnest What model MS do you have? Group Policy L3 ACLs are implemented via RADIUS whether it is through a dot1x or mab session. Different platforms have different limits to the number of active ACEs. 

CCIEw# 45253 / CWNE# 249 / Principal TME - Meraki Product
GregErnest
Here to help

425's at the core, 390's and one 355 at the L3 level, 125's for the L2's at the outlying departments.

WirelesslyWired
Meraki Employee
Meraki Employee

Ok I will do my best here. The 390s have a limit of about 5000 active ACE entries on the platform at any given time. The 355s are about 600 ACE entries active at any given time, and the 125s unfortunately do not have the TCAM for group policy ACL assignment. That being said, a single 30 line group policy ACL with 100 clients associated to it, will take up 30 entries in the TCAM due to the way the ACLs are applied to the endpoints. This is the same across the 390 and the other platforms that support GPACL (210/225/250/350/355). These do require a RADIUS server to apply them, so you would need to enable at the minimum MAC Auth Bypass to start applying group policies to clients on switching. Hope this helps! 

CCIEw# 45253 / CWNE# 249 / Principal TME - Meraki Product
WirelesslyWired
Meraki Employee
Meraki Employee

Also MS does not have a limit to the number of clients in a network that can have a group policy ACL assigned, the limits stated in your initial post are based on static assignment done in dashboard that is applicable to MR and MX. If you were to assign group policies by RADIUS on MR and MS there would be no specific limit. 

CCIEw# 45253 / CWNE# 249 / Principal TME - Meraki Product
PhilipDAth
Kind of a big deal
Kind of a big deal

I'm not confident those ACLs in group policy can be applied to a switch.  I think they only apply to an MX.

PhilipDAth
Kind of a big deal
Kind of a big deal

Are you able to do this on whatever firewall you have instead?  I think that would be a better place for stopping access to web sites.

GregErnest
Here to help

That is what we are considering.  I was hoping for an easier solution within Meraki itself.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels