Group Policy intra VLAN

guitb

I've set up a group policy for a specific VLAN on my MX.

I have a wired client and a wireless client (connected through a Meraki MR) residing on this same VLAN.

Will the firewall rules within this group policy be evaluated on communication between these two devices on the same VLAN?

ww

No, traffic probably won't even hit the MX VLAN.

Mloraditch

Group Policies are not evaluated for Layer 2 traffic. Switch ACLs can be used for this: https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation if you have Meraki Switches.

If you just need no access between clients, isolation is a possibility: https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Restricting_Traffic_with_Isolated_Sw...


You could also just block wireless from wired with Wireless ACLs: https://documentation.meraki.com/MR/Access_Control

Suffice it to say there are several options depending on exactly what you want to do.

guitb

I don't have a switch, only an MX68 and an MR36.

A wired client is directly connected to the MX68, and the MR36 is also connected to the MX68.

I require wireless clients connected to the MR36 to be able to communicate with the wired device. I am investigating if any configuration on the MX68 could be blocking this communication.

GIdenJoe

For the switch client, you need to set the group policy via 802.1X, and then you can have your L3/4 rules.
For the wireless client, if you block access to the same VLAN range, the AP will block it. Since this rule is stateless, the switch client will be able to send to the AP client, but the AP client will not be able to respond back, so in effect you can block traffic between a wired and a wireless client on the same VLAN.
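To make the asymmetry described in the reply above concrete, here is an added toy model of the two enforcement points (this is illustrative code written for this page, not Meraki software and not code from any poster). It assumes a constructed /24 with one wired and one wireless client, a single AP rule denying wireless clients access to the local VLAN, and two simplifications that mirror the thread: MX group-policy L3 rules only ever see traffic the MX routes, and the MR applies its rules statelessly and only to packets sourced by its own wireless clients. The exact semantics of Meraki's rule sets are not taken from the post; only the direction-dependent behaviour is modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the thread's scenario: one VLAN on the MX68, one wired
# client on an MX port and one wireless client behind the MR36. Not from the post.
VLAN = ipaddress.ip_network("192.168.10.0/24")
WIRED = ipaddress.ip_address("192.168.10.20")
WIRELESS = ipaddress.ip_address("192.168.10.50")
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")


@dataclass(frozen=True)
class Rule:
    """One stateless L3 rule: first match wins, matched on destination only."""
    action: str                     # "allow" or "deny"
    dst: ipaddress.IPv4Network


# Assumed AP rule set: deny wireless clients reaching the local VLAN, allow the rest.
AP_RULES = (Rule("deny", VLAN),)


def first_match(rules, dst, default="allow"):
    """Return the action of the first rule whose destination contains dst."""
    for rule in rules:
        if dst in rule.dst:
            return rule.action
    return default


def mx_group_policy_evaluates(src, dst, vlan=VLAN):
    """Group-policy L3 rules on the MX only see traffic the MX routes.

    Two hosts in the same subnet resolve each other with ARP and exchange
    frames at layer 2, so the MX never routes them and its rules do not apply.
    """
    return not (src in vlan and dst in vlan)


def ap_forwards(src, dst, rules=AP_RULES):
    """Model of the MR firewall: rules are applied to packets sourced by the
    AP's own wireless client and nowhere else, with no connection tracking."""
    if src != WIRELESS:
        return True                 # wired-sourced traffic is not the AP's to filter
    return first_match(rules, dst) == "allow"


def round_trip_completes(a, b, rules=AP_RULES):
    """A conversation needs the request (a -> b) and the reply (b -> a) forwarded."""
    return ap_forwards(a, b, rules) and ap_forwards(b, a, rules)


if __name__ == "__main__":
    print("MX group policy sees wired<->wireless:", mx_group_policy_evaluates(WIRED, WIRELESS))
    print("wired -> wireless forwarded by AP:", ap_forwards(WIRED, WIRELESS))
    print("wireless -> wired forwarded by AP:", ap_forwards(WIRELESS, WIRED))
    print("wired<->wireless round trip completes:", round_trip_completes(WIRED, WIRELESS))
    print("wireless -> internet forwarded by AP:", ap_forwards(WIRELESS, INTERNET_HOST))
```

Running it shows the point of the reply: the MX rule set is never consulted for the two same-subnet hosts, the wired client's request reaches the wireless client untouched, and the reply is dropped by the AP, so the conversation fails even though only one direction is filtered.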

PhilipDAth

You could consider using a WiFi firewall rule (it can restrict WiFi to LAN).

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/MR_Firewall_Rules

Bobcheese2

How do you want them to communicate? I.e., is this L2 broadcast discovery, or will they communicate through 'known' IP addresses? I think the issue you may be having is that the ports on the MX are not switch ports, so even though they're configured on the same VLAN, I don't believe broadcasts will traverse the two ports.

If they will communicate over known IPs, you may have more success if you segment them onto different VLANs and subnets and create rules to allow the traffic to pass through the MX.
