Add ability to restrict vlan traffic to local network only

Shad0w
Conversationalist

Add ability to restrict vlan traffic to local network only

It would be great if there was a way to perform local network segmentation, in addition to the existing VLAN functionality. For instance, it could be as simple as providing another toggle switch under the VLAN creation tab for the GX. So while you're creating another VLAN on your network under the GX, you would have  a toggle to specify whether the current VLAN will be configured for local network traffic only with no internet access, or if it will have full network access, which is the only existing option. 

 

Providing the ability to restrict a VLAN's access to local network only would allow business owners to further decrease their attack surface, and increase the control they have over their network and devices. 

2 REPLIES 2
DarklightRanger
Conversationalist

I'd like to +1 this request and add that it would also be desirable to have granular control of access between VLANs via firewall rules (perhaps under the advanced settings menu?)

 

The default behavior seems to be to allow all VLANs to route between each other, which is unfortunate. There needs to be an ability to segment things like NVRs and Point of Sale servers into VLANs and only allow certain IP addresses to connect to them on certain ports.

hidden0
Meraki Go Team

Hey @Shad0w / @DarklightRanger 

 

I fully appreciate the need to start configuring firewall rules, and how to manage that on a per-VLAN basis.

We've made some changes, so I thought I would shoot you guys a note here on the community.

 

  • We've moved VLAN creation to the Networks tab, and dubbed them wired networks
  • When creating or modifying a wired network, there is a toggle for secure
    • secure network has L3 firewall rules automatically created to deny all inter-VLAN traffic on the LAN, just allowing outbound (not inbound) connections only for the devices on that network. The idea here was to prevent a guest network user or some evil actor on the LAN from seeing a point-of-sale network, but still let these secure networks build VPN tunnels or otherwise secure outbound connections.

I'd love your feedback on this feature! As we continue to feel out the UI for firewall rules and how to manipulate them, we'll all start to see more granular controls come into play (for instance, controlling which VLANs can talk to each other, and a toggle for internet access to be disabled if required).