Per VLAN Content Policies

Here to help

Per VLAN Content Policies

Hi Meraki folks


My first post!  I'm a network engineer for a UK charity who're about to embark on a rollout of MXs to all our sites, moving from MPLS and centralised firewall to direct internet access and distributed security/SD-WAN. It's a big project with tight timescales but it's a real opportunity to optimise the network for our migration of all our applications to the cloud. All to be completed in 2019 - no pressure then! But we're excited to be joining the Meraki family.


My question is - can the MX only support one Content Policy?   If I want to provide different content controls on a per-VLAN basis, is Layer 7 firewall group policies and a VLAN to group mapping the only way to do it?


Also, it would be really handy to apply more than one IP address to an MX internal L3 interface to aid transition from our old to new WAN termination - what would be a secondary IP address in traditional Cisco.   Does the MX support anything like that?

Thanks in advance.

Andy Gray

3 Replies 3
Kind of a big deal

Hey @AndyGray ,


You can create custom policies via a Group Policy, and apply the GP to a VLAN to do what you're asking.


You can't do secondary addresses on an MX. Only just create multiple VLANs with their own IP addresses. 

Getting noticed

Hi Andy,

can the MX only support one Content Policy? - Yes

  1. Go to Network-wide > Configure > Group policies
  2. In "Blocked website categories" Choose override
  3. Similar for "Blocked URL patterns" and "Whitelisted URL patterns" if required
  4. click Save Changes
    >Applying above Group Policy to a VLAN
  5. Go to Security appliance > Configure > Addressing & VLANs
  6. Select the Group policy from the drop-down and save changes


apply more than one IP address to an MX internal L3 interface -No No No

A workaround you can try is "1:1 NAT or 1:many NAT to internal addresses" 




Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.