Meraki

Community

Upstream firewall rules

Solved
ToryDav
Building a reputation
‎Jan 13 2021 7:28 AM
‎Jan 13 2021 7:28 AM

Upstream firewall rules

Would someone be able to explain to me what this rule is doing?

Control traffic?

ToryDav_0-1610551621015.png


The customer has internal RADIUS so my understanding is that the firewall should allow RADIUS east/west though zones but this is inbound, and to seemingly private IP addressing. 

Tory

0 Kudos
1 Accepted Solution
ww
Kind of a big deal
Kind of a big deal
‎Jan 13 2021 7:40 AM
‎Jan 13 2021 7:40 AM

Thats the radius ip and port you configured.  Its should be able to communicate  to the meraki mr manamgement IP.  So in case you have any fw  between mr and radius server that fw should allow that flow

 

 

View solution in original post

4 Replies 4
ww
Kind of a big deal
Kind of a big deal
‎Jan 13 2021 7:40 AM
‎Jan 13 2021 7:40 AM

Thats the radius ip and port you configured.  Its should be able to communicate  to the meraki mr manamgement IP.  So in case you have any fw  between mr and radius server that fw should allow that flow

 

 

In response to ww
ToryDav
Building a reputation
‎Jan 13 2021 8:14 AM
‎Jan 13 2021 8:14 AM

@ww 
Okay, I think I'm following. So I am interpreting the rule wrong the document says inbound ..

https://documentation.meraki.com/General_Administration/Other_Topics/Upstream_Firewall_Rules_for_Clo...

so not inbound from the outside zone but inbound from the network the AP MGMT is on, destined for those 172 addresses. 

So the addressing under destination IP (172.19.0.25/32 and 172.25.0.25/32) are just examples then? I would put Source ip  = Meraki MR Management IP
Destination = RADUIS server

Thanks for your help in advice. 

0 Kudos
In response to ToryDav
ww
Kind of a big deal
Kind of a big deal
‎Jan 13 2021 8:30 AM
‎Jan 13 2021 8:30 AM

That page is just a example. 

The fw rules depends on if you configured the radius and on what meraki dc you are hosted etc.. If you dont have a radius server that rule is not present under help> fw info on your dashboard.

Yes source is <you networks ip> (management ip from switch,ap,mx)  dst  =radius ip

 

Not sure why i says  inbound (that would asume the radius server always initiates the session, im not sure about this), i would allow it both ways

 

In response to ww
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 13 2021 10:31 AM
‎Jan 13 2021 10:31 AM

On my "Help>Firewall Info" page, the field "Destination" is populated with my real RADIUS-server. I think it is taken from the dashboard-config.

For the firewall-rules:

Traffic to 1812/1813 is always from the NAD to the RADIUS-server, traffic initiated by the RADIUS-server is typically a CoA which runs on port 1700.

There is also one situation where this traffic is really "inbound": When the Meraki RADIUS-proxy is used. But I would not use it as long as there is no DTLS support.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.