Sunday, September 2, 2018

Meraki Layer 3 Firewall Rules

Meraki has traditionally been known as a niche player in the networking world since its inception.  Their wireless access points and switches broke into the market in K-12 school system networks, gained a market share of higher ed networks, and slowly started chipping away at the private sector network space.  Their niche was that they made it easy to manage a wireless and switch network without the need for a highly skilled, trained, and costly Cisco engineer, or contracting out the work to a business that provided the same.  Meraki provides a fully capable GUI to make life easier for those who don't like a command line, or who don't spend enough time in Cisco's CLI for it to become second nature.

That niche market started to change for Meraki when Cisco acquired them to augment their traditional network technologies.  It's still hard to figure out completely where Cisco is taking Meraki while holding onto its traditional portfolio of networking technologies, but that is not the point of this post.  What we do know is that we are seeing more and more Meraki networks replacing traditional Cisco (or other Cisco-style) networks, and you now see Meraki gear in the enterprise space.

As I have played with Meraki in my lab and deployed Meraki in a few networks, I have found that there is a lack of information out there on best practices for configuring the layer 3 firewall rules.  For someone like me who came from a Cisco background and was used to how the ASA layer 3 rules worked, it was sort of shocking to see that the default Meraki layer 3 rule on all their MX appliances is a wide-open "ANY-ANY-ANY-ANY" rule.  As I was trying to learn how to configure Layer 3 rules in the Meraki interface, I ran into a couple of snags.  I was looking high and low to find some assistance in the Meraki KBs but came up empty, and google-fu turned up nothing either.  I just wanted a simple example of how to configure the rules needed out of the box to make it work without leaving all ports on all VLANs wide open to the world.  You know, like the ASA.  The default rule should be a deny "ANY-ANY-ANY-ANY"; then let me build my list of Layer 3 rules from there for 80, 443, 22, etc.

So here you go.  Below is a baseline to start you on configuring some out-of-the-box layer 3 firewall rules on a Meraki MX Security appliance.

This will secure your MX after you bring it online while still providing the most basic functionality for your L3 network.
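The rule list this post refers to was a dashboard screenshot, so the following is an added example rather than the author's own configuration: a small model of an MX outbound layer 3 rule list that evaluates sample flows top-down, first match wins, and shows the difference between the wide-open default and an explicit deny-all at the bottom of the list. It also round-trips the list through CSV, which is the download/upload feature the post asks Meraki for. The field names are assumed to mirror the shape the Meraki Dashboard API uses for L3 firewall rules (comment, policy, protocol, srcCidr, srcPort, destCidr, destPort); the LAN prefix and flows are constructed sample data, not networks from the post.

```python
"""Added example, not code from the original post: a model of an MX layer 3
outbound rule list, evaluated first-match against sample flows, plus a CSV
export/import of the list.

Assumptions: field names mirror the Meraki Dashboard API shape for L3 rules
(comment, policy, protocol, srcCidr, srcPort, destCidr, destPort). The LAN
prefix and flows are constructed sample data.
"""
import csv
import io
import ipaddress

FIELDS = ["comment", "policy", "protocol", "srcCidr", "srcPort", "destCidr", "destPort"]


def rule(comment, policy, protocol, src_cidr, src_port, dest_cidr, dest_port):
    """Build one rule dict; every value is a string, as in the API/CSV shape."""
    return dict(zip(FIELDS, [comment, policy, protocol, src_cidr, src_port, dest_cidr, dest_port]))


# Out-of-the-box posture the post objects to: a single wide-open rule.
DEFAULT_OPEN = [rule("Default rule", "allow", "any", "any", "any", "any", "any")]

# Posture the post asks for: explicit allows, then an explicit deny-all.
# 192.168.10.0/24 is a constructed sample LAN.
DEFAULT_DENY = [
    rule("Web out", "allow", "tcp", "192.168.10.0/24", "any", "any", "80,443"),
    rule("SSH out", "allow", "tcp", "192.168.10.0/24", "any", "any", "22"),
    rule("Block everything else", "deny", "any", "any", "any", "any", "any"),
]


def _cidr_match(spec, ip):
    """'any', or a comma-separated list of CIDRs / single addresses."""
    if spec.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False) for c in spec.split(","))


def _port_match(spec, port):
    """'any', or a comma-separated list of single ports and lo-hi ranges."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, protocol, src_ip, src_port, dest_ip, dest_port):
    """First matching rule wins. If nothing matches, fall through to the
    wide-open default the post describes, which is why an explicit deny-all
    must sit at the bottom of the list to get a default-deny posture."""
    for r in rules:
        if r["protocol"] != "any" and r["protocol"] != protocol:
            continue
        if not (_cidr_match(r["srcCidr"], src_ip) and _port_match(r["srcPort"], src_port)):
            continue
        if not (_cidr_match(r["destCidr"], dest_ip) and _port_match(r["destPort"], dest_port)):
            continue
        return r["policy"], r["comment"]
    return "allow", "implicit default (no rule matched)"


def to_csv(rules):
    """Export the ordered list as CSV text (the download the post wishes for)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(rules)
    return buf.getvalue()


def from_csv(text):
    """Import CSV text back into the same list-of-dicts shape, order preserved."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


if __name__ == "__main__":
    # Constructed sample flows from the LAN to an outside host
    # (203.0.113.7 is a documentation-range address).
    flows = [("tcp", "192.168.10.5", 51000, "203.0.113.7", 443),
             ("tcp", "192.168.10.5", 51001, "203.0.113.7", 22),
             ("tcp", "192.168.10.5", 51002, "203.0.113.7", 23),
             ("udp", "192.168.10.5", 51003, "203.0.113.7", 53)]
    for name, rules in (("default open", DEFAULT_OPEN), ("default deny", DEFAULT_DENY)):
        print(f"--- {name} ---")
        for f in flows:
            print(f, "->", evaluate(rules, *f))
    assert from_csv(to_csv(DEFAULT_DENY)) == DEFAULT_DENY
```

Running it shows telnet (23) and DNS over UDP allowed under the open default and denied under the explicit deny-all, while 80/443/22 pass in both; dropping the last rule of DEFAULT_DENY makes telnet fall through to the implicit allow again, which is the trap the post warns about.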

I love the Meraki MX appliances overall.  They truly are easy to set up and configure compared to an ASA from Cisco.  For folks like me who don't work in firewalls every day anymore, it saves a ton of time trying to remember commands at the CLI when the networking logic is still in our heads.  There are two big features that I constantly bug Meraki to add.  The first is a simple way to take the layer 3 rule list from an MX appliance (like the one pictured) and download/upload it as a .CSV file.  The second is an easy, visual way to view live traffic without using packet captures, so we can see a network connection's source IP, destination IP, source port, and destination port at a glance.  The ASAs have this built into their monitoring tools, and it's awesome to use when troubleshooting connectivity problems.

Happy Networking!

Cheers!
