07-27-2018 08:36 AM
Hello everyone, I tell you that I have a WiFi solution with the AP-Meraki in my company and I have the following question.
What communication ports do these teams use to communicate with the Meraki cloud in order to manage them from the Dashboard?
I have these teams in a vlan (20) for administration, and the provider that configured them told me that this network has access to the internet without any restriction. In the company, a policy of restricting ports and services both incoming and outgoing is currently being carried out.
Please, could you help me by specifying whether this is true, or whether I could restrict in the perimeter firewall so that my AP-Meraki administration network (VLAN20) only goes out to such services on such domains of Meraki's cloud?
07-27-2018 08:43 AM
Hi Francis
The following url may help you.
07-30-2018 09:52 AM
Hello, thanks for the help and sorry for the delay.
Here my question:
Regarding the image in Help -> FW info, in the Source IP field, would it be only my AP-Meraki administration VLAN network? Or should I also put the VLANs that are distributed over the WiFi?
07-31-2018 12:16 AM
Hey @Francis95,
Only the Meraki devices need to communicate to those addresses, so it should be sufficient to put only their IPs.
E.g.: my MX is on 192.168.0.1, my MR on 192.168.0.5 and my clients are on 192.168.100.0/24. Only 192.168.0.1 and 192.168.0.5 will need to be allowed.
Also keep in mind that by default the MX allows outbound traffic, so you might not need to do anything unless you have a device upstream blocking traffic or unless you want to restrict the accessible ranges yourself.
Thanks!
Giacomo
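Added example, not part of the original thread or Meraki's own tooling: a Python sketch that turns the reply's addressing into per-device egress allow rules and flags any rule whose source is wider than the Meraki devices. The cloud destinations and ports in `CLOUD_ROWS` are constructed placeholders (the real rows come from Help > Firewall info), and the function names are hypothetical.

```python
import ipaddress

# Addresses taken from the reply above.
MERAKI_DEVICES = ["192.168.0.1", "192.168.0.5"]   # MX and MR
CLIENT_NETS = ["192.168.100.0/24"]                # WiFi clients

# Constructed stand-in for the rows listed under Help > Firewall info.
# Destinations and ports are placeholders; copy the real ones from the dashboard.
CLOUD_ROWS = [
    {"dst": "203.0.113.0/24", "proto": "udp", "port": 7351},
    {"dst": "198.51.100.0/24", "proto": "tcp", "port": 443},
]

def build_allow_rules(devices, rows):
    """One egress allow per (device, cloud row), each source pinned to a /32."""
    return [
        {"src": f"{ipaddress.ip_address(d)}/32", **row}
        for d in devices for row in rows
    ]

def audit_rule(rule, devices, client_nets):
    """Return findings for a rule whose source is wider than the device list."""
    src = ipaddress.ip_network(rule["src"], strict=False)
    device_ips = {ipaddress.ip_address(d) for d in devices}
    findings = []
    for net in client_nets:
        if src.overlaps(ipaddress.ip_network(net)):
            findings.append(f"source {src} includes client network {net}")
    extra = src.num_addresses - sum(1 for ip in device_ips if ip in src)
    if extra > 0 and not findings:
        findings.append(f"source {src} covers {extra} non-device addresses")
    return findings

def audit(rules, devices=MERAKI_DEVICES, client_nets=CLIENT_NETS):
    """Map each over-broad rule's source to its findings."""
    return {r["src"]: f for r in rules if (f := audit_rule(r, devices, client_nets))}

if __name__ == "__main__":
    for r in build_allow_rules(MERAKI_DEVICES, CLOUD_ROWS):
        print("allow", r["proto"], r["src"], "->", r["dst"], "port", r["port"])
    # Constructed examples of rules that are wider than needed.
    loose = [{"src": "192.168.0.0/24", **CLOUD_ROWS[0]},
             {"src": "192.168.0.0/16", **CLOUD_ROWS[1]}]
    for src, f in audit(loose).items():
        print("review", src, f)
```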
08-01-2018 10:04 AM
Okay, thank you very much everyone for your support.
07-27-2018 08:46 AM
Help > Firewall info will show you the outbound ports you need allowed for management.
For user traffic, that is up to you and/or the security team, I suppose.