Isolating a guest VLAN - does a layer 3 firewall rule block DHCP/DNS traffic?

David_Moen
New here

Happy Friday!

I have recently taken over management of a network set up by another consultant.  There are several VLANS set up on the network and at the moment, they all rely on a server running on the default VLAN for DHCP and DNS.  All of the "production" VLANS are in 10.20.xxx.xxx ranges.  The guest WiFi VLAN is on the 172.20.xxx.xxx range. 

[attached screenshot: David_Moen_0-1632502411259.png]

2 questions then.

Can I group the "production" VLANS in a layer 3 firewall rule by denying traffic to/from 10.20.0.0/24?

Will that kind of firewall rule prevent devices on this VLAN from obtaining IP addresses and DNS info from the server on the default VLAN?  It's not a major tragedy if it does, I can have the MX respond to DNS queries on that VLAN I suppose.

Thanks for your time.

3 Replies
DarrenOC
Kind of a big deal

Do you have MRs by any chance for wifi?  If so, why not run your guest SSID in NAT mode with Meraki DHCP and isolate that way?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
David_Moen
New here

The access points are Unifi.

I did see that I could put multiple IP ranges in the firewall rules, just separated with a comma, so that's what I did.  I set the MX up to respond to DHCP for the Guest WiFi VLAN and all is good!

ww
Kind of a big deal

Not with a /24. More likely a /17.

Yes, it will block traffic to DHCP. But you can allow it or let the MX be DHCP for guest.
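The two points in this thread (which prefix actually covers the 10.20.x.x production VLANs, and what a top-down L3 deny rule does to DNS/DHCP traffic aimed at the server on the default VLAN) can be checked offline. The Python below is an added example, not code from the thread or from Meraki. The VLAN subnets, the guest range and the server address 10.20.0.10 are constructed for illustration, and the rule evaluator is a simplified model of a first-match, default-allow rule list such as the MX dashboard presents; it does not reproduce the appliance's exact behaviour.

```python
"""Added example: which prefix covers a set of production VLANs, and how a
first-match L3 deny rule affects DNS/DHCP traffic to the default-VLAN server.

All addresses below are constructed for illustration, not the poster's real
addressing.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed production VLANs, all inside 10.20.x.x as the post describes.
PRODUCTION_VLANS = [
    ipaddress.ip_network("10.20.0.0/24"),    # default VLAN holding the DHCP/DNS server
    ipaddress.ip_network("10.20.10.0/24"),
    ipaddress.ip_network("10.20.100.0/24"),
]
GUEST_VLAN = ipaddress.ip_network("172.20.0.0/24")   # constructed guest range
SERVER = ipaddress.ip_address("10.20.0.10")          # constructed DHCP/DNS server


def covers_all(candidate: str, vlans=PRODUCTION_VLANS) -> bool:
    """True if every production VLAN sits inside the candidate prefix."""
    net = ipaddress.ip_network(candidate)
    return all(v.subnet_of(net) for v in vlans)


def smallest_covering_prefix(vlans=PRODUCTION_VLANS) -> ipaddress.IPv4Network:
    """Widen the first VLAN's prefix one bit at a time until all VLANs fit."""
    net = vlans[0]
    while not all(v.subnet_of(net) for v in vlans):
        net = net.supernet()
    return net


def parse_list(field: str) -> List[ipaddress.IPv4Network]:
    """Parse a comma-separated source/destination field into networks."""
    return [ipaddress.ip_network(p.strip()) for p in field.split(",")]


@dataclass
class Rule:
    policy: str                      # "allow" or "deny"
    protocol: str                    # "any", "udp" or "tcp"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dst_ports: Optional[Set[int]]    # None means any port


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins; an empty match falls through to the default allow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.protocol not in ("any", proto):
            continue
        if r.dst_ports is not None and dport not in r.dst_ports:
            continue
        if any(s in n for n in r.src) and any(d in n for n in r.dst):
            return r.policy
    return "allow"


# Rule set 1: the blanket deny from guest to the covering production prefix.
DENY_ONLY = [
    Rule("deny", "any", [GUEST_VLAN], [smallest_covering_prefix()], None),
]

# Rule set 2: an explicit allow for DNS (53) and DHCP (67) to the server,
# placed above the deny so it matches first.
ALLOW_THEN_DENY = [
    Rule("allow", "udp", [GUEST_VLAN], [ipaddress.ip_network(f"{SERVER}/32")], {53, 67}),
    *DENY_ONLY,
]

if __name__ == "__main__":
    print("10.20.0.0/24 covers all production VLANs:", covers_all("10.20.0.0/24"))
    print("smallest covering prefix:", smallest_covering_prefix())
    print("DNS to server under deny-only rule:",
          evaluate(DENY_ONLY, "172.20.0.50", str(SERVER), "udp", 53))
    print("DNS to server with allow above deny:",
          evaluate(ALLOW_THEN_DENY, "172.20.0.50", str(SERVER), "udp", 53))
    print("SMB to a production host with allow above deny:",
          evaluate(ALLOW_THEN_DENY, "172.20.0.50", "10.20.10.5", "tcp", 445))
```

With the constructed subnets the covering prefix comes out as 10.20.0.0/17; a /24 only reaches 10.20.0.255, so the real answer depends on which 10.20.x.x subnets are in use. The second rule set shows the ordering ww describes: the narrow allow for UDP 53/67 to the one server must sit above the broad deny, and everything else from the guest range to production still hits the deny.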
