Meraki

Community

Recommended settings to block inter-VLAN traffic

Solved
federicogalarza
Here to help
‎May 23 2019 2:35 AM
‎May 23 2019 2:35 AM

Recommended settings to block inter-VLAN traffic

Hello everyone,

 

We are currently configuring individual rules in the layer 3 configuration of the MX Firewall section to block inter-VLAN traffic.

 

Let’s suppose that we have 100 VLANs which should be totally isolated, anytime that a new VLAN is added, many individual rules must be manually created. I have already discussed this with Meraki support and they say that using L3 firewall rules is indeed the method they recommend to block inter-VLAN traffic.

 

They do not have an automation feature available directly on this, but it is possible to perform rules updates using the dashboard API rather than manually. Do you have any recommendation for this? We would like to understand the best practices to block inter-vlan traffic in the Meraki structure and also avoid manual configurations whenever possible.

 

Thanks.

1 Accepted Solution
In response to BrechtSchamp
jdsilva
Kind of a big deal
‎May 23 2019 7:09 AM
‎May 23 2019 7:09 AM

You can also get away with a bit of a cheat on this, provided your subnets can be summarized.

 

If you have a bunch of subnets, say, something like this:

 

**EDIT** Ignore the first entry, it doesn't fall in the summary and was snipped by accident

 

image.png

 

You can get away with adding a single rule like this to block all inter-VLAN traffic:

 

image.png

 

That's it. You're done.

 

 

http://blog.brokennetwork.ca | @jdsilva

View solution in original post

5 Replies 5
BrechtSchamp
Kind of a big deal
‎May 23 2019 2:45 AM
‎May 23 2019 2:45 AM

There is an API endpoint for MX L3 FW rules indeed:

https://documenter.getpostman.com/view/897512/meraki-dashboard-api/2To9xm?version=latest#7fa65270-ce...

 

I suppose you already know this but if you have a default deny you don't need to add any rules to block inter-vlan communication when you add a new VLAN. You will have to add rules to allow certain communication to take place.

In response to BrechtSchamp
jdsilva
Kind of a big deal
‎May 23 2019 7:09 AM
‎May 23 2019 7:09 AM

You can also get away with a bit of a cheat on this, provided your subnets can be summarized.

 

If you have a bunch of subnets, say, something like this:

 

**EDIT** Ignore the first entry, it doesn't fall in the summary and was snipped by accident

 

image.png

 

You can get away with adding a single rule like this to block all inter-VLAN traffic:

 

image.png

 

That's it. You're done.

 

 

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
federicogalarza
Here to help
‎Jun 25 2019 12:28 AM
‎Jun 25 2019 12:28 AM

Thanks for the suggestion. The summarisation option is actually a very good idea.
In response to BrechtSchamp
Sprocket
Getting noticed
‎Oct 8 2019 6:28 AM
‎Oct 8 2019 6:28 AM

How will such a default deny rule look like?
I guess all clients would loose internet connectivity by making a "deny any-any "..
0 Kudos
In response to Sprocket
jdsilva
Kind of a big deal
‎Oct 8 2019 7:19 AM
‎Oct 8 2019 7:19 AM

Hi @Sprocket. There's an example of what the rule looks like in my post above. Just take a look a that for reference. 

 

Yes, if you put a "deny any any" rule into an MX it will block everything and nothing will work, unless you have other permit rules before it.  

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.