Hello all.  Very new to Meraki.  Struggling a bit.  I've followed this document and I thought I had it.     https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Blocking_and_Allowing_Clients#:~:text=Click%20on%20the%20Policy%20drop,list%20policy%20and%20select%20normal.   Created a Group Policy "Allowed Clients" and selected "Custom network firewall & shaping rules".  The Layer 3 firewall is Allow Any Any.  Everything else in the Group Policy is default settings.       In the Firewall -> Outbound rules, I'm denying everything.   I connected a Cisco phone today for the first time and it comes into the Clients as "Normal".  My understanding is that this device will be blocked per the L3 Deny firewall rule.  However, this device is connecting fine over the Site-to-Site VPN tunnel back to Call Manager and is functional.    Firewall Log shows that this phone is allowed to communicate over L7 policy and also L3(VPN) policy.  L3(LAN) policy is blocked.  Maybe the L3 VPN policy is what is allowing?  Looks like L7 policy may also be allowing?     Overall, I would like to send out these MX67s or Z4s to users but have it set so that ONLY specific clients can communicate on the network.  Ideally, communication on the LAN (same subnet) would also be blocked unless specifically allowed.  I can get around that one if the user only needs 1 connection at home.  Many require 2 ports.  Normally a Cisco phone and a PC.  I just don't understand what I'm missing.  Also thinking this type of thing would be something that almost all enterprise businesses would want when sending a device like this to a user's home.  If there is a way to better control port access using 802.1x, I may be able to do that as well but haven't even explored that yet.  Hoping for the easy button.   Thanks for any help.   ... View more

Hello all.  Brand new to Meraki.  I've set up a lab at this point and I can tunnel traffic from my spoke to the hub.  When I check the box for "IPv4 default route" I get the expected "All" traffic tunnels to the hub.  However, the internet traffic then hairpins directly outbound from the hub.  I don't want that.  I want all traffic to tunnel to the Hub and then that traffic to be forwarded to a separate firewall to then go outbound.     Maybe this is the incorrect deployment for what we're trying to do.  Overall, I'd say the Meraki will be utilized as mostly a VPN concentrator for all our small remote sites.  We might allow some remote sites to "split tunnel" and allow those select remote sites to go directly from the internet and not tunnel that traffic.     Thanks for any help. ... View more