Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About JonathanShapiro
Community Record
5
Posts
2
Kudos
0
Solutions
Badges
Oct 1 2024
6:18 AM
I have an SD-WAN network for about 30 locations using MX units. All is working great, but in my two datacenters, I've noticed that I see event log entries regarding source IP and/or VLAN mismatches. I've configured the LAN ports on these devices to run in Access mode rather than Trunk, yet the alerts persist. The event log details list the source device, my downstream core switches. I'm unsure why these alerts are being logged or why there is a conflict. Here's a sample entry: Client: 192.168.100.3, MAC: 00:01:E8:D7:0D:28, VLAN: 1, details: sent 8895539 unexpected packets (Last seen packet IP=172.16.252.19) The client is the core switch, and I would expect packets destined for that 172.16.252.19 to traverse the SD-WAN.
... View more
Labels:
- Labels:
-
Other
Aug 20 2024
11:24 AM
Thanks for all the suggestions. I wonder if I just didn't wait long enough when applying the policies to test. I stopped and retried pings, but I only waiting about 2 minutes or so. From what you are saying, it might have to be 10 minutes or more or possibly even a reboot to kick in. This makes testing pretty hard.
... View more
Aug 18 2024
4:03 PM
I have a Cisco switch downstream of this router. I created an ACL and applied it to the incoming port on my switch from the Meraki. This is accomplishing what I'm after and couldn't seem to do at the MX. I'm blocking the camera subnet from coming into the switch.
... View more
Aug 18 2024
2:24 PM
2 Kudos
Thanks for the quick reply. Here's the firmware version: MX 18.211.2. Yes, my initial thought was just to create an outbound firewall rule blocking traffic from the camera vlan to the general vlan by vlan name. Didn't work. I tried using the subnet IDs instead. That didn't work. It seems like the default allow rule may be opening up traffic even as the other rules block it. Like I said, no matter how I structured the rule, I could ping from a PC in the camera vlan to a pc in the general vlan. The only way I could block traffic was to override the default allow rule by placing my own custom DENY from ANY to ANY above it. Then all outbound traffic everywhere was blocked. Now I could begin to layer in allow rules above that. The problem with the blanket deny rule is how do you allow the cameras to the Internet (basically everywhere) while continuing to block them from the other subnet. Full lockdown between vlans and opening up the Internet doesn't seem possible.
... View more
Aug 18 2024
12:57 PM
Hello: I have a Meraki MX75, and I have two VLANS carved out on the LAN side of the unit. The first VLAN is for general LAN traffic. I added a second VLAN working with a security vendor who needs a pathway to the Internet for the camera network. I want his cameras to have Internet access but want to restrict routing between the general vlan and the camera network. I have tried and tried, but nothing works. I have tried creating an outbound block rule with the camera VLAN as the source and the general VLAN as the destination. Doesn't work. I have tried doing same by subnet IP rather than VLAN name, and same issue. Just to prove that any kind of outbound firewalling is possible, I wrote a block rule to block all traffic from any to any, and that got a higher priority than the default allow rule. This does block outbound traffic. Then I can layer in an allow rule to allow traffic from my general vlan to anywhere. This works too. OK great, but then the camera vlan needs Internet traffic but not access to my other vlan. If I allow the camera network to any to allow the Internet, then it can get to the general vlan too. So it seems like it would be possible to block the camera network from everywhere and then allow it to the general network, but probably not the other way around - allow the camera network to the Internet without allow it to the general network.
... View more
Labels:
- Labels:
-
Firewall
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 723 |
© 2024 Cisco Systems, Inc.
