Network isolation

Towhid
New here

I wanted to isolate my Wi-Fi VLANs from my network. I don't want any communication between both of them. If I am on my Wi-Fi VLANs, I don't want my IP to communicate with the LAN VLAN or RDP. How do I configure it?

Shubh3738
A model citizen

Use “Layer 3 Firewall Rules” on the MX

Go to Security & SD-WAN → Firewall & traffic shaping → Layer 3 firewall rules

Add a rule to block traffic between Wi-Fi VLAN and LAN VLAN:

Policy  Protocol  Source                Destination     Port/Range
Deny    Any       VLAN 20 (Wifi VLAN)   VLAN 10 (LAN)   Any

Make sure this rule is above any allow rules, because Meraki applies rules top-down.

This will prevent Wi-Fi clients from reaching LAN devices (including RDP, file shares, etc.)
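
The rule-ordering point in the reply above, as an added example that is not part of the original thread: a small first-match evaluator plus a check for deny rules shadowed by an earlier allow. The subnets, the rule field names and the implicit default allow at the end of the list are assumptions made for this sketch, not values from the thread or an export of a real configuration.

```python
import ipaddress

# Constructed sample subnets (assumptions): VLAN 10 = LAN, VLAN 20 = Wi-Fi.
LAN, WIFI = "192.168.10.0/24", "192.168.20.0/24"

def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)

def evaluate(rules, src, dst, proto, port):
    """Return (policy, index) of the first rule matching the flow, top-down."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (s in _net(r["src"]) and d in _net(r["dst"])
                and r["proto"] in ("any", proto)
                and r["port"] in ("any", str(port))):
            return r["policy"], i
    return "allow", None  # assumed implicit default allow after the last rule

def covers(a, b):
    """True if rule a matches every flow that rule b matches."""
    return (_net(b["src"]).subnet_of(_net(a["src"]))
            and _net(b["dst"]).subnet_of(_net(a["dst"]))
            and a["proto"] in ("any", b["proto"])
            and a["port"] in ("any", b["port"]))

def shadowed_denies(rules):
    """Indices of deny rules that can never fire because an earlier allow covers them."""
    return [j for j, r in enumerate(rules) if r["policy"] == "deny"
            and any(e["policy"] == "allow" and covers(e, r) for e in rules[:j])]

def rule(policy, src, dst, proto="any", port="any"):
    return {"policy": policy, "proto": proto, "src": src, "dst": dst, "port": port}

DENY_WIFI_TO_LAN = rule("deny", WIFI, LAN)
ALLOW_WIFI_ANY = rule("allow", WIFI, "any")

WRONG_ORDER = [ALLOW_WIFI_ANY, DENY_WIFI_TO_LAN]  # deny sits below an allow
RIGHT_ORDER = [DENY_WIFI_TO_LAN, ALLOW_WIFI_ANY]  # deny sits above the allow

if __name__ == "__main__":
    rdp = ("192.168.20.50", "192.168.10.5", "tcp", 3389)  # Wi-Fi client to LAN host
    for name, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, evaluate(rules, *rdp), "shadowed denies:", shadowed_denies(rules))
```
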

Towhid
New here

I tried this as well, but the issue was still there.

Shubh3738
A model citizen

Make sure this rule is above any allow rules, because Meraki applies rules top-down.

Shubh3738
A model citizen

Then try Option B: Use “SSID Firewall Rules” on the Wi-Fi SSID

Go to Wireless → Firewall & traffic shaping → SSID firewall rules

Add a rule like:

Policy  Protocol  Source  Destination  Port/Range
Deny    Any       Any     Local LAN    Any

This isolates Wi-Fi from LAN without affecting LAN-to-LAN routing.

Brash
Kind of a big deal

L3 firewall rules are what you need to set up.

You will want deny rules for your WiFi clients to prevent them communicating with your other clients.

You can apply these rules on the MX, or on the MR SSID. Where you apply these will change how clients can talk to each other.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...

One thing to note is that L3 rules on the MX don't impact site-to-site VPN destined traffic. You would instead need to use site-to-site VPN firewall rules.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

jimmyt234
Head in the Cloud

Have a look at the layer 2 isolation and outbound rules section on the SSID Firewall & traffic shaping page.

Wireless Client Isolation - Cisco Meraki Documentation

PhilipDAth
Kind of a big deal