Network isolation

Towhid
Just browsing

I wanted to isolate my WiFi VLANs from my network. I don't want any communication between the two. If I am on my WiFi VLANs, I don't want my IP to communicate with the LAN VLAN or RDP. How do I configure it?

Shubh3738
A model citizen

Use “Layer 3 Firewall Rules” on the MX

Go to Security & SD-WAN → Firewall & traffic shaping → Layer 3 firewall rules

Add a rule to block traffic between Wi-Fi VLAN and LAN VLAN:

Policy  Protocol  Source               Destination    Port/Range
Deny    Any       VLAN 20 (Wifi VLAN)  VLAN 10 (LAN)  Any

Make sure this rule is above any allow rules, because Meraki applies rules top-down.

This will prevent Wi-Fi clients from reaching LAN devices (including RDP, file shares, etc.)
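
Added example, not part of the original reply and not Meraki code: a small first-match evaluator showing why the deny rule has to sit above any allow rule, plus a check that flags deny rules an earlier allow already covers. The subnets for VLAN 10 and VLAN 20 and all function names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    policy: str      # "allow" or "deny"
    protocol: str    # "any", "tcp" or "udp"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    port: str        # "any" or a single port number

def _net(value):
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value)

def _covers(outer, inner):
    """True if rule `outer` matches every flow that rule `inner` matches."""
    return (outer.protocol in ("any", inner.protocol)
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.port in ("any", inner.port))

def first_match(rules, protocol, src_ip, dst_ip, port):
    """Evaluate one flow top-down; return (index, policy) of the first matching rule."""
    for i, r in enumerate(rules):
        if (r.protocol in ("any", protocol)
                and ipaddress.ip_address(src_ip) in _net(r.src)
                and ipaddress.ip_address(dst_ip) in _net(r.dst)
                and r.port in ("any", str(port))):
            return i, r.policy
    return None, "no-match"

def shadowed_denies(rules):
    """Return (deny_index, allow_index) pairs where an earlier allow fully covers a deny."""
    return [(i, j) for i, d in enumerate(rules) if d.policy == "deny"
            for j in range(i) if rules[j].policy == "allow" and _covers(rules[j], d)]

# Constructed subnets: VLAN 20 (Wi-Fi) = 192.168.20.0/24, VLAN 10 (LAN) = 192.168.10.0/24
DENY = Rule("deny", "any", "192.168.20.0/24", "192.168.10.0/24", "any")
ALLOW_ALL = Rule("allow", "any", "any", "any", "any")
WRONG_ORDER = [ALLOW_ALL, DENY]   # deny sits below an allow and is never reached
RIGHT_ORDER = [DENY, ALLOW_ALL]   # deny is evaluated first

if __name__ == "__main__":
    # Constructed flow: Wi-Fi client to a LAN host on the RDP port
    for name, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(name, first_match(rules, "tcp", "192.168.20.50", "192.168.10.5", 3389),
              shadowed_denies(rules))
```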

Towhid
Just browsing

I tried this as well; the issue was still there.

Shubh3738
A model citizen

Make sure this rule is above any allow rules, because Meraki applies rules top-down.

Shubh3738
A model citizen

Then try Option B: use “SSID Firewall Rules” on the Wi-Fi SSID

Go to Wireless → Firewall & traffic shaping → SSID firewall rules

Add a rule like:

Policy  Protocol  Source  Destination  Port/Range
Deny    Any       Any     Local LAN    Any

This isolates Wi-Fi from LAN without affecting LAN-to-LAN routing.

Brash
Kind of a big deal

L3 firewall rules are what you need to set up.

You will want deny rules for your WiFi clients to prevent them from communicating with your other clients.

You can apply these rules on the MX, or on the MR SSID. Where you apply these will change how clients can talk to each other.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...

One thing to note is that L3 rules on the MX don't impact site-to-site VPN destined traffic. You would instead need to use site-to-site VPN firewall rules.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

jimmyt234
Head in the Cloud

Have a look at the layer 2 isolation and outbound rules section on the SSID Firewall & traffic shaping page.

Wireless Client Isolation - Cisco Meraki Documentation

Towhid
Just browsing

Why? It's not related to layer 2; how would it make any difference?

jimmyt234
Head in the Cloud

Because you'd want to isolate clients on the same SSID so they cannot access each other????

Towhid
Just browsing

We don't have MR; we only use MX for the firewall. Can we use group policies to isolate the network?

Shubh3738
A model citizen

So, where have you created the SSIDs?

PhilipDAth
Kind of a big deal