03-25-2025 08:55 AM
What is the recommended best way to securely allow/deny access to a specific host on a network using a Meraki MS250 switch?
I have a site with two separate networks (Trusted network LAN A & Untrusted network LAN B), but I need to access a single host (IIS server) on the untrusted network from a small number of hosts on the trusted network.
The firewalls are not Meraki and inbound traffic is not permitted through firewall B so I am looking to secure access at the Meraki switch/port.
A very-simplified diagram is as follows:
Requirements:
There is no routing/other traffic between LAN A & LAN B
Only specific hosts on LAN A (e.g. PC A1, PC A2) can access the server's LAN A address, and I would like to restrict this further to specific ports (i.e. HTTP/HTTPS)
Unless specified, no other hosts (e.g PC A3) on LAN A can access the server
The server can not access any other devices on LAN A
The server has multiple NICs, so one (simpler?) option is to configure a network card for each network. Would I be better off configuring an ACL at the switching level, or creating a Group Policy/firewall at the network-wide level and applying that to the switch port?
Or would another option be to configure a dedicated VLAN/SVI for the server's connection to LAN A?
Appreciate any thoughts/suggestions
03-25-2025 09:02 AM
I see two possibilities: you can either configure ACLs directly on the Meraki MS250 switch to control traffic between LAN A and LAN B, or create and apply group policies (if the firewalls are MX), which can provide more granular control and can be applied to specific switch ports or VLANs.
Configuring ACLs - Cisco Meraki Documentation
Creating and Applying Group Policies - Cisco Meraki Documentation
03-25-2025 09:20 AM
Thanks, but is there any particular reason I would choose one over the other?
03-25-2025 09:26 AM
If the firewall is the default gateway IP and you create the ACLs on the switch, there will be no effect, because the firewall is the one that forwards the traffic.
The same explanation applies to the switch if it is the gateway: all the traffic will be forwarded through it and not to the firewall.
When I refer to all the traffic, I mean LAN traffic; whatever goes to the internet is different, as I believe your firewall is the default gateway for outgoing internet traffic.
Did you get that?
03-25-2025 09:28 AM
In your case, by topology, it is understood that the firewall is the gateway for these networks.
So you need to create the rules in both firewalls of network A and B.
03-25-2025 10:31 AM
You can't apply a group policy to a switch port or a switch VLAN. But I agree about using switch ACLs.
03-25-2025 10:34 AM
That's right, well remembered, but I thought about that part taking into consideration that the firewall could be an MX.
But I forgot to ask.
03-26-2025 05:33 AM
Thanks, I wasn't aware of this, so it looks like ACLs are my best option.
03-25-2025 09:11 AM
Oh, one question I forgot, what is the default Gateway for these networks? The firewall or the switch?
If it is the firewall, you must configure the rules on it; if it is the switch, configure the rules on it.
03-25-2025 09:18 AM
The default gateway for LAN A is the Meraki switch; the DG for LAN B is the firewall.
For all intents and purposes, all network clients on LAN B are not aware of LAN A (apart from the server, but that would be on LAN A via the 2nd NIC connection).
03-25-2025 10:36 AM
So in LAN A you need to create the ACLs on the switch, and in LAN B on the firewall.
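As an added example (not from the original thread or from Cisco Meraki), here is the switch ACL rule set that the requirements above translate to, expressed in the rule format the Meraki Dashboard API uses for `PUT /networks/{networkId}/switch/accessControlLists`, together with a small first-match evaluator so the policy can be checked offline before it is pushed. The IP addresses, VLAN and the network ID are constructed placeholders. Two details worth seeing worked through: Meraki switch ACLs are processed top to bottom with an implicit "allow any" at the end, so every deny must sit above that default; and they are stateless, so the IIS server's HTTP/HTTPS replies back to PC A1/A2 have to be permitted explicitly (source port 80/443) above the rule that denies the server access to the rest of LAN A.

```python
import ipaddress
import json
import os
import urllib.request

# Constructed example addresses (not from the thread). All live in LAN A.
LAN_A = "10.10.0.0/24"
SERVER_LANA = "10.10.0.50/32"   # IIS server's 2nd NIC, on LAN A
PC_A1 = "10.10.0.11/32"
PC_A2 = "10.10.0.12/32"
ALLOWED_PCS = (PC_A1, PC_A2)
WEB_PORTS = ("80", "443")


def rule(comment, policy, src, dst, protocol="any",
         src_port="any", dst_port="any", vlan="any"):
    """One ACL entry in the Meraki switch ACL API schema."""
    return {"comment": comment, "policy": policy, "ipVersion": "ipv4",
            "protocol": protocol, "srcCidr": src, "srcPort": src_port,
            "dstCidr": dst, "dstPort": dst_port, "vlan": vlan}


def build_rules():
    """Rules for: only PC A1/A2 reach the IIS server on 80/443, nothing
    else on LAN A reaches it, and the server reaches nothing else on LAN A.
    Order matters: first match wins, implicit allow-any after the last rule."""
    rules = []
    for pc in ALLOWED_PCS:
        for port in WEB_PORTS:
            rules.append(rule(f"allow {pc} -> IIS tcp/{port}", "allow",
                              pc, SERVER_LANA, "tcp", dst_port=port))
            # Stateless ACL: permit the server's replies (src port 80/443).
            rules.append(rule(f"allow IIS tcp/{port} replies -> {pc}", "allow",
                              SERVER_LANA, pc, "tcp", src_port=port))
    rules.append(rule("deny rest of LAN A -> IIS", "deny", LAN_A, SERVER_LANA))
    rules.append(rule("deny IIS -> LAN A", "deny", SERVER_LANA, LAN_A))
    return rules


def _cidr_match(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def _port_match(rule_port, port):
    return rule_port == "any" or int(rule_port) == port


def evaluate(rules, src_ip, dst_ip, protocol, src_port, dst_port):
    """Return (policy, comment) for the first matching rule, or the implicit
    default allow. Models Meraki's top-down, first-match ACL processing."""
    for r in rules:
        if r["protocol"] != "any" and r["protocol"] != protocol:
            continue
        if not (_cidr_match(r["srcCidr"], src_ip) and _cidr_match(r["dstCidr"], dst_ip)):
            continue
        if not (_port_match(r["srcPort"], src_port) and _port_match(r["dstPort"], dst_port)):
            continue
        return r["policy"], r["comment"]
    return "allow", "implicit default allow any"


def push_rules(network_id, api_key, rules):
    """PUT the rule list to the Meraki Dashboard API (network_id is an
    assumed placeholder). Only called when credentials are supplied."""
    url = f"https://api.meraki.com/api/v1/networks/{network_id}/switch/accessControlLists"
    req = urllib.request.Request(
        url, data=json.dumps({"rules": rules}).encode(), method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rules = build_rules()
    checks = [("PC A1 -> IIS https", "10.10.0.11", "10.10.0.50", "tcp", 51000, 443),
              ("PC A1 -> IIS rdp", "10.10.0.11", "10.10.0.50", "tcp", 51001, 3389),
              ("PC A3 -> IIS https", "10.10.0.13", "10.10.0.50", "tcp", 51002, 443),
              ("IIS reply -> PC A1", "10.10.0.50", "10.10.0.11", "tcp", 443, 51000),
              ("IIS -> PC A3 smb", "10.10.0.50", "10.10.0.13", "tcp", 49152, 445),
              ("PC A3 -> PC A1", "10.10.0.13", "10.10.0.11", "tcp", 49153, 445)]
    for name, *flow in checks:
        print(f"{name:22} -> {evaluate(rules, *flow)}")
    if os.environ.get("MERAKI_API_KEY") and os.environ.get("MERAKI_NETWORK_ID"):
        print(push_rules(os.environ["MERAKI_NETWORK_ID"],
                         os.environ["MERAKI_API_KEY"], rules))
```

Running the script prints the verdict for each constructed flow; it only contacts the Dashboard API when `MERAKI_API_KEY` and `MERAKI_NETWORK_ID` are set. Dropping the two "replies" rules is the mistake to watch for: the evaluator then denies the server's HTTPS responses to PC A1, which is exactly what the switch would do.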