L3FirewallRules source/dest set to VLAN

jjabson
Level 4

Hello,

I'm trying to figure out what the following source/dest means from calling the L3FirewallRules on an MX device:

{
"comment": "Deny Inter-VLAN Communication",
"policy": "deny",
"protocol": "any",
"srcPort": "Any",
"srcCidr": "VLAN(1).*",
"destPort": "Any",
"destCidr": "VLAN(50).*",
"syslogEnabled": false
},

What does the ".*" mean at the end of the srcCidr and the destCidr? I've searched all the docs on outbound firewall rules on an MX and they don't mention anything regarding this when using a VLAN as the source/dest.

Thanks in advance,

-Jerome


aleabrahao
Meraki Community All-Star

Generally the asterisk "*" is a wildcard, that is, it allows anything; in this case I understand that it includes any address.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

@alessandrodematos Thanks. So does it mean "all traffic that we send over VLAN X, including to other VLANs beyond?"

aleabrahao
Meraki Community All-Star

What I'm talking about is the meaning of the asterisk "*", but I find it strange because, as far as I know, it's not possible to use an asterisk in the rules.
So I can't say for sure; it's just an assumption.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

@alessandrodematos Yeah, I'm trying to configure it now and I can't even get the dashboard to accept VLAN# or what's shown in the output I added. Somehow, our customer is able to do this, because there are a lot of MXs in their network with these rules set.

Looks like you can configure this by using the VLAN name, not the number. There are options to select either IPv4, IPv6 or Dual. I'm guessing that with the default setting as Dual, that's the ".*" you get from the API. However, this still doesn't answer my question on what this means:

whether a filter about VLAN X is just using the IPs of the hosts in VLAN X, or does it mean "all traffic that we send over VLAN X, including to other VLANs beyond?"

Philip D'Ath
Meraki Community All-Star

You get this when using templates.

Because templates use a different subnet per site (usually), you can't create a firewall rule based on IP addressing. What the above rule does is say allow anything with an IP address that is assigned to VLAN1 to talk to anything else with an IP address assigned to VLAN50. You can also specify a specific address, such as .50.

https://documentation.meraki.com/General_Administration/Templates_and_Config_Sync/Managing_Multiple_Networks_with_Configuration_Templates#MX_-_Firewall_Rules_and_DHCP_Reservations_for_Templates
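To make the explanation above concrete, here is an added Python example (not code from the thread or from Meraki) that resolves the VLAN(n).* and VLAN(n).host forms of srcCidr/destCidr into real subnets for one site and then walks the rule list top-down the way the MX does, falling through to the default outbound allow when nothing matches. The per-site VLAN subnets, the extra "allow printer" rule and the /24 assumption behind the host form are all constructed for the example; the rule shape itself follows the JSON quoted in the question.

```python
import ipaddress
import re

# Constructed example: the subnet each VLAN gets at one site. Under a template
# each site gets a different subnet, which is why the rule says VLAN(n) and not a CIDR.
SITE_VLANS = {
    1: ipaddress.ip_network("10.10.1.0/24"),
    50: ipaddress.ip_network("10.10.50.0/24"),
}

# Constructed rules in the shape of the API output quoted in the question.
RULES = [
    {"comment": "Allow print jobs to one printer", "policy": "allow", "protocol": "tcp",
     "srcPort": "Any", "srcCidr": "VLAN(1).*", "destPort": "9100",
     "destCidr": "VLAN(50).20", "syslogEnabled": True},
    {"comment": "Deny Inter-VLAN Communication", "policy": "deny", "protocol": "any",
     "srcPort": "Any", "srcCidr": "VLAN(1).*", "destPort": "Any",
     "destCidr": "VLAN(50).*", "syslogEnabled": False},
]

# Matches VLAN(n).* or VLAN(n).<host> as it appears in srcCidr / destCidr.
VLAN_REF = re.compile(r"^VLAN\((\d+)\)\.(\*|\d{1,3})$")


def resolve_cidr(spec, vlans):
    """Expand one srcCidr/destCidr value into a list of ip_network objects for one site.

    'Any'       -> 0.0.0.0/0
    'VLAN(n).*' -> the whole subnet assigned to VLAN n at this site
    'VLAN(n).h' -> the single host whose last octet is h in that subnet
                   (assumes a /24 per VLAN, which is the hypothetical layout in SITE_VLANS)
    anything else is treated as one or more literal CIDRs separated by commas.
    """
    spec = spec.strip()
    if spec.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    m = VLAN_REF.match(spec)
    if m:
        vid, host = int(m.group(1)), m.group(2)
        if vid not in vlans:
            raise KeyError(f"rule references VLAN {vid}, which this site does not define")
        net = vlans[vid]
        if host == "*":
            return [net]
        addr = ipaddress.ip_address(int(net.network_address) + int(host))
        if addr not in net:
            raise ValueError(f"{spec} falls outside {net}")
        return [ipaddress.ip_network(str(addr))]
    return [ipaddress.ip_network(part.strip()) for part in spec.split(",")]


def port_matches(spec, port):
    """'Any' matches every port; otherwise a comma-separated list of ports or a-b ranges."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def first_match(rules, vlans, src_ip, dst_ip, protocol="tcp", dst_port=0):
    """Return the first rule that matches the flow, or None if no configured rule applies.

    Only protocol, destination port and the two address fields are evaluated;
    srcPort is left out to keep the example focused on the VLAN(n) address forms.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["protocol"].lower() not in ("any", protocol.lower()):
            continue
        if not port_matches(rule["destPort"], dst_port):
            continue
        if not any(src in n for n in resolve_cidr(rule["srcCidr"], vlans)):
            continue
        if not any(dst in n for n in resolve_cidr(rule["destCidr"], vlans)):
            continue
        return rule
    return None


def effective_policy(rules, vlans, src_ip, dst_ip, protocol="tcp", dst_port=0):
    """'allow' or 'deny' for the flow; no match means the MX default outbound rule (allow)."""
    rule = first_match(rules, vlans, src_ip, dst_ip, protocol, dst_port)
    return rule["policy"] if rule else "allow"


if __name__ == "__main__":
    for src, dst, port in [("10.10.1.5", "10.10.50.20", 9100),
                           ("10.10.1.5", "10.10.50.99", 445),
                           ("10.10.50.5", "10.10.1.5", 445)]:
        print(f"{src} -> {dst}:{port}  {effective_policy(RULES, SITE_VLANS, src, dst, 'tcp', port)}")
```

Running it shows the point of the thread: VLAN(1).* is "any address that belongs to VLAN 1 at this site", VLAN(50).20 is one host in VLAN 50, and the last case is worth noticing when auditing a template. The deny rule in the question only covers VLAN 1 to VLAN 50; traffic from VLAN 50 back to VLAN 1 matches nothing and is allowed by the default rule, so a rule (or a second rule) per direction is needed if both directions are meant to be blocked.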

Thanks @Philip D'Ath