Cisco Defense Orchestrator

Objects Associated with Meraki Devices

About Objects Used with Meraki Devices

The Meraki dashboard does not support the concept of objects; instead, Meraki uses groups of IP addresses, protocols, or port ranges in the source and destination fields of outbound access control rules. Once a device is onboarded, CDO translates IP addresses into network objects, and application layer protocol values into either service objects or protocol objects.

Since Meraki does not support objects, a single rule in CDO can translate into multiple rules in the dashboard. For example, if you add an ASA protocol group that includes both TCP and UDP protocols to a single access control rule in CDO, CDO translates the one CDO rule into multiple rules in the dashboard: one rule containing a TCP protocol and one rule containing a UDP protocol.

Note that the Meraki dashboard and CDO both support CIDR subnet notation. For more information on layer 3 switch interfaces and MX device layout, see the Meraki Knowledge Base.

Which Objects Can You Use With a Meraki Device in CDO?

There are no objects in Cisco Defense Orchestrator (CDO) that are exclusive to MX devices. Instead, you can create or share FTD and ASA objects and associate these objects in rules that are deployed to the device. Because Meraki is not fully compatible with FTD and ASA objects, there may be a few limitations that affect how the MX device uses objects. 

Note that if you associate an ASA or FTD object with an MX device, that object becomes shared. Any changes to that object will affect all the devices it is shared with, and the devices' configuration status will appear as Not Synced. See Shared Objects for more information. For additional object states that could affect your objects, see the Related Articles section listed at the bottom of this page.

Meraki does not support objects containing IPv6 addresses or FQDNs. 

| Object in CDO | Compatible with Meraki |
| --- | --- |
| Protocol Objects | TCP, UDP, ICMP |
| Network Objects | yes |
| Network Groups | yes |
| Service Objects | yes |
| ASA Service Groups | no |
| FTD Service Groups | no |
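
The rule expansion and the IPv6/FQDN limitation described above, modeled as an added example (this is not CDO or Meraki code). The `CdoRule` class, the dictionary keys, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

MERAKI_PROTOCOLS = {"tcp", "udp", "icmp"}  # protocol objects in the table above

@dataclass(frozen=True)
class CdoRule:  # hypothetical model of one CDO access control rule
    action: str
    sources: tuple        # values taken from network objects or groups
    destinations: tuple
    protocols: tuple      # members of a protocol group, e.g. ("tcp", "udp")
    dest_port: str = "Any"

def check_address(value):
    """Accept only what the page says Meraki supports: IPv4 hosts or CIDRs."""
    if value.lower() == "any":
        return "Any"
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        raise ValueError(f"{value!r}: not an IP or CIDR (FQDNs unsupported)") from None
    if net.version != 4:
        raise ValueError(f"{value!r}: IPv6 is not supported on Meraki")
    return value

def expand(rule):
    """Return one dashboard-style rule per protocol in the CDO rule."""
    # Address groups stay together in one field; only protocols split the rule.
    src = ",".join(check_address(v) for v in rule.sources)
    dst = ",".join(check_address(v) for v in rule.destinations)
    out = []
    for proto in rule.protocols:
        if proto.lower() not in MERAKI_PROTOCOLS:
            raise ValueError(f"{proto!r}: protocol not supported on Meraki")
        out.append({"policy": rule.action, "protocol": proto.lower(),
                    "source_ip": src, "destination_ip": dst,
                    "destination_port": rule.dest_port})
    return out

# Constructed sample: one CDO rule whose protocol group holds TCP and UDP.
SAMPLE_RULE = CdoRule("allow", ("10.0.1.0/24", "10.0.2.0/24"),
                      ("192.0.2.10",), ("tcp", "udp"), "53")

if __name__ == "__main__":
    for r in expand(SAMPLE_RULE):
        print(r)
```

Running the same check over every object before associating it with an MX device shows in advance how many dashboard rules a policy will produce and which objects will be rejected.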

 

What Do Meraki Rules Look Like in CDO

You can view the objects from the device's policy page, or you can filter the objects page based on device. From the policy page you can view, edit, and reorder the access control rules. Because CDO translates the outbound rules from the Meraki dashboard into access control rules with objects, rules and protocols from the Meraki dashboard may look different. The following table addresses the new names for protocols once the device is onboarded to CDO:

| Rule or Protocol Header in the Meraki dashboard | Rule or Object Header in CDO |
| --- | --- |
| Policy | Action |
| Source IP | Network Object or Network Group |
| Destination IP | Network Object or Network Group |
| Source Port | Network Object or Network Group |
| Destination Port | Network Object or Network Group |
| Layer 3 Application Protocol | Ports (Protocol Groups, Port Groups, or Service Objects) |

 

The following is an example of what the outbound rules from the Meraki dashboard look like in CDO:

[Image: meraki_policy_2.PNG]

 

Related Articles:
