Meraki

David_Moen · ‎Sep 24 2021

Happy Friday!

I have recently taken over management of a network set up by another consultant. There are several VLANS set up on the network and at the moment, they all rely on a server running on the default VLAN for DHCP and DNS. All of the "production" VLANS are in 10.20.xxx.xxx ranges. The guest WiFi VLAN is on the 172.20.xxx.xxx range.

2 questions then.

Can I group the "production" VLANS in a layer 3 firewall rule by denying traffic to/from 10.20.0.0/24?

Will that kind of firewall rule prevent devices on this VLAN from obtaining IP addresses and DNS info from the server on the default VLAN? It's not a major tragedy if it does, I can have the MX respond to DNS queries on that VLAN I suppose.

Thanks for your time.

DarrenOC · ‎Sep 24 2021

Do you have MRs by any chance for wifi? If so, why not run your guest SSID in NAT mode with Meraki DHCP and isolate that way?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

David_Moen · ‎Sep 24 2021

The access points are Unifi.

I did see that I could put multiple IP ranges in the firewall rules, just separated with a comma, so that's what I did. I set the MX up to respond to DHCP for the Guest WiFi VLAN and all is good!

ww · ‎Sep 24 2021

Not with a /24. More likely a /17

Yes it will block traffic to dhcp. But you can allow it or let the mx be dhcp for guest.

Meraki

Community

Isolating a guest VLAN - does a layer 3 firewall rule block DHCP/DNS traffic?

Isolating a guest VLAN - does a layer 3 firewall rule block DHCP/DNS traffic?