Deny Local LAN and ACL Conflict?

PhillipJFry
Here to help

Deny Local LAN and ACL Conflict?

We have an SSID setup for guest devices, VLAN20, with the deny local LAN option enabled.  We also have a few ACLs configured for VLAN 20 (see screen shot).

PhillipJFry_0-1676396977935.png

 Would there be any conflict having the ACLs and "deny local LAN"?

9 REPLIES 9
PhilipDAth
Kind of a big deal
Kind of a big deal

Note that DNS uses both UDP and TCP (UDP for small queries and TCP for large queries).

 

Yes, you can use both ACLs at the same time.

KarstenI
Kind of a big deal
Kind of a big deal

No conflict as your individual rules are always placed above the "Deny Local LAN".

So order of operations would process the ACLs first then it would process "deny local LAN"?

 

alemabrahao
Kind of a big deal
Kind of a big deal

If this network is used only for Wifi you can deny the LAN directly on the SSID and remove the firewall rule deny which will work without problem. But it's okay to keep both.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhillipJFry
Here to help

Thank you everyone for the quick responses.  I just wanted to make sure I wasnt hindering any wireless clients from getting connected/dhcp addresses.

You wouldn't need the firewall rules for DHCP as that is exempted from the "Deny Local LAN" processing:

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_...

I need the ACLs in place for the Guest devices that are going to be plugged into the switch.

ww
Kind of a big deal
Kind of a big deal

For that you would need acl on the switch. Or maybe port isolation

PhillipJFry
Here to help

Bringing this back alive.  Does anyone see a problem with this ACL?  With these ACLs in place, mobile clients do not get a DHCP IP.  If I remove the ACLs, everything works as it should.  Also this network has the "Deny local LAN" option ticked under ssid.

PhillipJFry_0-1678304073633.png

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels