Meraki Firewall rules for communicating with Meraki Cloud

dganta (Level 1)

Hi Team,

I do not know whether this is the right forum for Meraki. A customer has bought Meraki wireless access points, and when implementing the firewall rules he has a problem with allowing too many destination IPs outbound. The customer is located in Manchester, United Kingdom. Can you please clarify whether the customer can use specific outbound IP addresses instead of the following firewall rules from the Meraki Firewall info page? Also, the customer does not want to allow Any for NTP and wants to know which specific IP he can configure to allow for NTP.

As of now the Meraki Firewall info page shows the following rules:

Source | Destinations | Port(s) | Protocol | Direction | Purpose | Devices
------ | ------------ | ------- | -------- | --------- | ------- | -------
Access Points VLAN IP addresses | 185.92.120.0/25, 185.17.255.128/25, 50.115.86.96/27, 217.89.128.0/24, 199.231.78.0/24, 108.161.147.0/24, 64.62.142.12/32, 54.193.207.248/32 | 7351 | UDP | outbound | Meraki cloud communication | Access points, MX Security Appliance, Phones, Switches
Access Points VLAN IP addresses | 199.231.78.0/24, 64.156.192.245/32, 217.89.128.0/24, 185.17.255.128/25, 50.115.86.96/27, 185.92.120.0/25 | 9350 | UDP | outbound | VPN registry | Access points, MX Security Appliance
Access Points VLAN IP addresses | 54.193.207.248/32 | 80 | TCP | outbound | Backup Meraki cloud communication | Access points, MX Security Appliance, Phones, Switches
Access Points VLAN IP addresses | 50.115.86.96/27, 64.62.142.2/32, 108.161.147.0/24, 185.17.255.128/25, 185.92.120.0/25, 199.231.78.0/24, 217.89.128.0/24 | 80, 443, 7734, 7752 | TCP | outbound | Backup configuration downloads, Backup firmware downloads, Splash pages, Throughput tests live tool | Access points, MX Security Appliance, Phones, Switches
Access Points VLAN IP addresses | Any | 123 | UDP | outbound | NTP time synchronization | Access points, MX Security Appliance, Switches


"Please can you clarify why you have specified such a wide range of subnets for the outbound.

We are expecting to limit these to individual IP addresses for your management stations.

We will also not allow an ANY rule to NTP time servers; you will need to be more specific and specify the time sources used."

3 Replies

Philip D'Ath (VIP Alumni)

If the customer wants a Cisco Meraki supported platform then the customer has to deploy stated rules.  Period.

If they don't mind that it doesn't work properly then they can do whatever they like.

That was a jerk answer


omz (VIP Alumni)

Hi,

Meraki and most people say you need to allow all the rules. But you don't need to allow all the IP ranges.

As you can see, some are for backup connections, SNMP traps, NTP, and for MX devices. If the customer is only using APs, you can just allow 7351 UDP to the given ranges and it should be fine. UDP 9350 is for the VPN registry. If the APs are connecting back to an MX wireless concentrator then you need to allow a range for the MX and 9350.


[Attachment: Capture.PNG]

Hope this helps. 
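The following is an added example, not code from the thread or from Meraki. It takes the rule table quoted in the original post as data, derives the subset that applies to one device type (and optionally drops the VPN registry and backup rows, as omz's reply suggests for an AP-only deployment), replaces the NTP "Any" destination with named time servers, renders the result as iptables rules, and checks a candidate flow against the allow-list. The AP VLAN (10.10.20.0/24), the NTP servers (192.0.2.10, 192.0.2.11; RFC 5737 documentation addresses) and the iptables FORWARD-chain layout are assumptions made for the example and must be replaced with the customer's real values.

```python
"""Derive a minimal outbound allow-list for Meraki access points.

Added example; the rule rows are copied from the Meraki "Firewall info"
table quoted in the thread, everything else (AP VLAN, NTP servers,
iptables layout) is an assumption for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    dsts: tuple        # destination prefixes (CIDR strings)
    ports: tuple       # destination ports
    proto: str         # "udp" or "tcp"
    purpose: str
    devices: frozenset  # device types the row applies to


# Rows as listed on the Meraki Firewall info page quoted in the original post.
MERAKI_RULES = [
    Rule(("185.92.120.0/25", "185.17.255.128/25", "50.115.86.96/27", "217.89.128.0/24",
          "199.231.78.0/24", "108.161.147.0/24", "64.62.142.12/32", "54.193.207.248/32"),
         (7351,), "udp", "Meraki cloud communication",
         frozenset({"ap", "mx", "phone", "switch"})),
    Rule(("199.231.78.0/24", "64.156.192.245/32", "217.89.128.0/24", "185.17.255.128/25",
          "50.115.86.96/27", "185.92.120.0/25"),
         (9350,), "udp", "VPN registry", frozenset({"ap", "mx"})),
    Rule(("54.193.207.248/32",), (80,), "tcp", "Backup Meraki cloud communication",
         frozenset({"ap", "mx", "phone", "switch"})),
    Rule(("50.115.86.96/27", "64.62.142.2/32", "108.161.147.0/24", "185.17.255.128/25",
          "185.92.120.0/25", "199.231.78.0/24", "217.89.128.0/24"),
         (80, 443, 7734, 7752), "tcp",
         "Backup config/firmware downloads, splash pages, throughput tests",
         frozenset({"ap", "mx", "phone", "switch"})),
    Rule(("0.0.0.0/0",), (123,), "udp", "NTP time synchronization",
         frozenset({"ap", "mx", "switch"})),
]

# Assumed customer NTP servers (RFC 5737 documentation addresses, not real hosts).
CUSTOMER_NTP = ("192.0.2.10", "192.0.2.11")
# Assumed AP management VLAN.
AP_VLAN = "10.10.20.0/24"


def minimal_rules(device="ap", vpn_concentrator=False, include_backup=True,
                  ntp_servers=CUSTOMER_NTP):
    """Keep the rows that apply to `device`; pin NTP to named servers.

    vpn_concentrator=False drops UDP 9350 (only needed when APs tunnel to an MX).
    include_backup=False drops the "Backup ..." rows, as omz's reply suggests.
    """
    out = []
    for r in MERAKI_RULES:
        if device not in r.devices:
            continue
        if r.purpose == "VPN registry" and not vpn_concentrator:
            continue
        if r.purpose.startswith("Backup") and not include_backup:
            continue
        if r.purpose.startswith("NTP"):
            # Replace the "Any" destination with explicit /32 time sources.
            r = Rule(tuple(f"{ip}/32" for ip in ntp_servers), r.ports, r.proto,
                     r.purpose, r.devices)
        out.append(r)
    return out


def egress_allowed(rules, dst_ip, port, proto):
    """Return the purpose of the first rule matching the flow, or None (deny)."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != proto or port not in r.ports:
            continue
        if any(ip in ipaddress.ip_network(d) for d in r.dsts):
            return r.purpose
    return None


def iptables_lines(rules, src=AP_VLAN):
    """Render the allow-list as iptables FORWARD rules with a final default deny."""
    lines = []
    for r in rules:
        for d in r.dsts:
            for p in r.ports:
                lines.append(f"iptables -A FORWARD -s {src} -d {d} -p {r.proto} "
                             f"--dport {p} -j ACCEPT  # {r.purpose}")
    lines.append(f"iptables -A FORWARD -s {src} -j DROP  # default deny for AP VLAN")
    return lines


if __name__ == "__main__":
    for line in iptables_lines(minimal_rules()):
        print(line)
```

Running the block prints the rendered ruleset for an AP-only site without an MX concentrator; `egress_allowed(minimal_rules(), "185.92.120.5", 7351, "udp")` returns the matching purpose, while the same destination on UDP 9350 returns None until `vpn_concentrator=True` is passed.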
