Block VLAN routing by default?

ElGuapo
Conversationalist


Hello, we are building a network that needs to have a few dozen VLANs. By default, all VLANs can get to all other VLANs. In order to block inter-VLAN traffic, it looks like I need to create explicit rules blocking each VLAN from every other VLAN. When you get past a few VLANs that gets to be a ton of rules, and this would be a lot easier to handle if routing was disabled by default.

We can improve things a bit by using IP ranges that are farther apart and easier to create broad rules for, but is there a better way to handle this? Any way to prevent routing by default?

Thanks

RyanB
Meraki Employee

There isn't any way to default-block all inter-VLAN traffic with a setting in dashboard. However, you could simply add a global firewall rule under Security Appliance > Firewall in the Outbound rules section which would Deny, Any protocol, with Source: 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8 and Destination: 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8.

This would add a default to prevent any local traffic from being routed between VLANs. That would be your last rule, and above it you could add more specific allows/denies as required.

ElGuapo
Conversationalist

@RyanB Thanks. That's about what we are doing, but farther down the subnet. Makes sense to do it at the bottom like this. I'll give that a try and I think it will keep things from getting too out of control.

@PhilipDAth The routing is happening at the MX. The switches are set to layer 2.

Thanks!

Sorry to resurrect this, but I am also facing a similar but more complicated problem.

I have many physical locations (about 20, each with a layer 3 switch, most connected to each other by PtP microwave links) but very few physical users (100 people).

I am using VLANs and a Meraki MX80 gateway providing DHCP for each VLAN.

For security and virus/worm reasons I need to segregate a few VLANs so that they can't see any of the rest of the network (the staff camp wifi) and go directly to the internet, but I do want the work VLANs to be traversable.

Currently the VLANs are all using 10.0.x.x.

If I move the camp VLANs to 10.1.x.x, can I use similar nomenclature as above to prohibit traversal?

Also some of my L3 switches (mainly Cisco 3560 series) do have IP routing turned on, which I believe will negate this. I assume that I need to turn that off?

PhilipDAth
Kind of a big deal

You should start a new thread ...

If all of the routing is being done by the MX80, then yes, you can use the same approach. If some of the routing is being done on the 3560s, then you could also apply switch-based ACLs there.
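Added example (not from the original thread, and not Meraki's own code): a small Python model of how the MX walks an outbound L3 rule list top-down, first match wins, with an implicit "allow any" at the end. It combines RyanB's RFC 1918 -> RFC 1918 catch-all as the last explicit rule with the summarised split from the follow-up question (work VLANs under 10.0.x.x, camp wifi moved to 10.1.x.x), so one allow rule covers all work-to-work traffic instead of one rule per VLAN pair. The rule field names follow the Dashboard API L3 firewall rule object; the VLAN addresses, the DNS server at 10.0.20.53 and the helper names are assumptions for illustration only.

```python
"""First-match evaluation of an MX-style outbound L3 rule list (added example, assumed addressing)."""
from ipaddress import ip_address, ip_network

# The three RFC 1918 ranges used in the catch-all deny from the thread.
RFC1918 = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"


def rule(policy, src_cidr, dest_cidr, comment, protocol="any", dest_port="any"):
    """One outbound rule; keys mirror the Dashboard API object, CIDRs comma-separated as in the UI."""
    return {"comment": comment, "policy": policy, "protocol": protocol,
            "srcCidr": src_cidr, "srcPort": "any", "destCidr": dest_cidr,
            "destPort": dest_port, "syslogEnabled": False}


# Assumed addressing: work VLANs summarised under 10.0.0.0/16, camp wifi under 10.1.0.0/16.
RULES = [
    rule("allow", "10.0.0.0/16", "10.0.0.0/16",
         "work VLANs may route to each other (one summarised rule instead of dozens)"),
    rule("allow", "10.1.0.0/16", "10.0.20.53/32",
         "camp wifi may reach the internal DNS server only (assumed address)",
         protocol="udp", dest_port="53"),
    rule("deny", RFC1918, RFC1918,
         "catch-all: block everything else between private ranges; keep this LAST"),
]


def _cidr_match(addr, cidr_list):
    """True if addr falls inside any CIDR in a comma-separated list, or the list is 'any'."""
    if cidr_list.lower() == "any":
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(c.strip(), strict=False) for c in cidr_list.split(","))


def _port_match(port, spec):
    """Port spec is 'any', a single port, a range 'a-b', or a comma list of those."""
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def evaluate(rules, src, dst, protocol="tcp", dst_port=0):
    """Return (policy, comment) of the first matching rule; unmatched traffic hits the MX default allow."""
    for r in rules:
        if r["protocol"] != "any" and r["protocol"] != protocol:
            continue
        if (_cidr_match(src, r["srcCidr"]) and _cidr_match(dst, r["destCidr"])
                and _port_match(dst_port, r["destPort"])):
            return r["policy"], r["comment"]
    return "allow", "implicit default allow"


def _covers(outer, inner):
    """True if every CIDR in `inner` lies inside some CIDR in `outer`."""
    if outer.lower() == "any":
        return True
    if inner.lower() == "any":
        return False
    outer_nets = [ip_network(c.strip(), strict=False) for c in outer.split(",")]
    return all(any(ip_network(c.strip(), strict=False).subnet_of(o) for o in outer_nets)
               for c in inner.split(","))


def shadowed(rules):
    """Comments of rules that can never fire because an earlier, broader rule always matches first.

    This is the check for the classic mistake of placing the RFC 1918 catch-all above the
    specific allows: every allow below it becomes dead."""
    dead = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["protocol"] in ("any", r["protocol"]) and earlier["destPort"] == "any"
                    and _covers(earlier["srcCidr"], r["srcCidr"])
                    and _covers(earlier["destCidr"], r["destCidr"])):
                dead.append(r["comment"])
                break
    return dead


if __name__ == "__main__":
    for src, dst, proto, port in [("10.0.5.7", "10.0.9.3", "tcp", 445),   # work -> work
                                  ("10.1.3.4", "10.0.9.3", "tcp", 445),   # camp -> work
                                  ("10.1.3.4", "10.0.20.53", "udp", 53),  # camp -> DNS
                                  ("10.1.3.4", "8.8.8.8", "udp", 53)]:    # camp -> internet
        print(src, "->", dst, proto, port, "=>", evaluate(RULES, src, dst, proto, port))
    print("shadowed rules:", shadowed(RULES))
    print("shadowed if catch-all is first:", shadowed(list(reversed(RULES))))
```

Two things worth keeping in mind when you apply this for real. First, the catch-all also blocks work-to-camp and anything that lives in another VLAN (DNS, printers, AD, etc.), so every such service needs its own allow above it; `shadowed()` tells you when a rule you added can never match. Second, these rules only touch traffic the MX actually routes. Once a 3560 has `ip routing` enabled with SVIs in those VLANs, hosts can be routed between VLANs on the switch without ever reaching the MX, which is why the reply above points at switch-based ACLs for that case.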

PhilipDAth
Kind of a big deal

If you don't need L3 configured on a VLAN, why not just remove the layer 3 config, so it is a layer 2 VLAN only? Or are you using the switches for routing as a default gateway?

IP summarisation is the only clean way to handle this - which is what you have already started doing.
