Recommended settings to block inter-VLAN traffic

SOLVED
Here to help

Hello everyone,

We are currently configuring individual rules in the layer 3 configuration of the MX Firewall section to block inter-VLAN traffic.

Let’s suppose that we have 100 VLANs which should be totally isolated, anytime that a new VLAN is added, many individual rules must be manually created. I have already discussed this with Meraki support and they say that using L3 firewall rules is indeed the method they recommend to block inter-VLAN traffic.

They do not have an automation feature available directly on this, but it is possible to perform rules updates using the dashboard API rather than manually. Do you have any recommendation for this? We would like to understand the best practices to block inter-vlan traffic in the Meraki structure and also avoid manual configurations whenever possible.

Thanks.

1 ACCEPTED SOLUTION
Kind of a big deal

Re: Recommended settings to block inter-VLAN traffic

You can also get away with a bit of a cheat on this, provided your subnets can be summarized.

If you have a bunch of subnets, say, something like this:

**EDIT** Ignore the first entry, it doesn't fall in the summary and was snipped by accident

[screenshot: list of VLAN subnets]

You can get away with adding a single rule like this to block all inter-VLAN traffic:

[screenshot: a single deny rule from the summary prefix to the same summary prefix]

That's it. You're done.


5 REPLIES
Kind of a big deal

Re: Recommended settings to block inter-VLAN traffic

There is an API endpoint for MX L3 FW rules indeed:

https://documenter.getpostman.com/view/897512/meraki-dashboard-api/2To9xm?version=latest#7fa65270-ce...

I suppose you already know this but if you have a default deny you don't need to add any rules to block inter-vlan communication when you add a new VLAN. You will have to add rules to allow certain communication to take place.
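
Added example (not from this thread, and not Meraki's own code): a short Python script that checks whether a chosen summary prefix really covers every VLAN (the caveat behind the "ignore the first entry" edit in the accepted answer), then emits the ordered rule list the summary trick needs: explicit allows first, then the single summary-to-summary deny, so Internet-bound traffic is never matched. The VLAN list and the printer allow rule are constructed values; the endpoint path and rule field names are assumed to match Dashboard API v1 rather than the older Postman link above.

```python
import ipaddress
import json

# Constructed example VLAN list (not from the thread). 10.20.5.0/24 deliberately
# sits outside the 10.10.0.0/16 summary, mirroring the caveat in the accepted answer.
VLAN_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24",
                "10.10.40.0/24", "10.20.5.0/24"]
# Hypothetical exception that must sit ABOVE the deny: every VLAN may print to one host.
ALLOWED = [("10.10.0.0/16", "10.10.40.10/32", "tcp", "9100")]


def smallest_summary(subnets):
    """Smallest single supernet covering every subnet (may be too coarse to be useful)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def uncovered(subnets, summary):
    """VLANs outside the chosen summary: the summary deny rule would NOT isolate them."""
    s = ipaddress.ip_network(summary)
    return [x for x in subnets if not ipaddress.ip_network(x).subnet_of(s)]


def rule(comment, policy, src, dst, proto="any", dport="any"):
    # Field names assumed to follow the Dashboard API v1 L3 firewall rule object.
    return {"comment": comment, "policy": policy, "protocol": proto,
            "srcCidr": src, "srcPort": "any", "destCidr": dst,
            "destPort": dport, "syslogEnabled": policy == "deny"}


def build_rules(summary, allowed):
    """Ordered list: explicit allows first, then one summary-to-summary deny.
    Traffic to the Internet never matches destCidr=summary, so it is unaffected."""
    rules = [rule(f"allow {s} -> {d}:{p}", "allow", s, d, proto, p)
             for s, d, proto, p in allowed]
    rules.append(rule("block inter-VLAN", "deny", summary, summary))
    return rules


def api_body(summary, allowed):
    # Body for PUT /networks/{networkId}/appliance/firewall/l3FirewallRules (assumed v1 path).
    return json.dumps({"rules": build_rules(summary, allowed)}, indent=2)


if __name__ == "__main__":
    chosen = "10.10.0.0/16"
    print("smallest covering prefix:", smallest_summary(VLAN_SUBNETS))
    print("VLANs not isolated by", chosen, "->", uncovered(VLAN_SUBNETS, chosen))
    print(api_body(chosen, ALLOWED))
```

Run it before pushing a summary rule: anything listed as not covered still needs its own deny, exactly as the edited-out first entry in the accepted answer would.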

Here to help

Re: Recommended settings to block inter-VLAN traffic

Thanks for the suggestion. The summarisation option is actually a very good idea.
Here to help

Re: Recommended settings to block inter-VLAN traffic

What will such a default deny rule look like?
I guess all clients would lose internet connectivity by making a "deny any-any"..
Kind of a big deal

Re: Recommended settings to block inter-VLAN traffic

Hi @Sprocket. There's an example of what the rule looks like in my post above. Just take a look at that for reference.

Yes, if you put a "deny any any" rule into an MX it will block everything and nothing will work, unless you have other permit rules before it.  
