Recommended settings to block inter-VLAN traffic

Solved
federicogalarza
Here to help

Recommended settings to block inter-VLAN traffic

Hello everyone,

 

We are currently configuring individual rules in the layer 3 configuration of the MX Firewall section to block inter-VLAN traffic.

 

Let’s suppose that we have 100 VLANs which should be totally isolated, anytime that a new VLAN is added, many individual rules must be manually created. I have already discussed this with Meraki support and they say that using L3 firewall rules is indeed the method they recommend to block inter-VLAN traffic.

 

They do not have an automation feature available directly on this, but it is possible to perform rules updates using the dashboard API rather than manually. Do you have any recommendation for this? We would like to understand the best practices to block inter-vlan traffic in the Meraki structure and also avoid manual configurations whenever possible.

 

Thanks.

1 Accepted Solution
jdsilva
Kind of a big deal

You can also get away with a bit of a cheat on this, provided your subnets can be summarized.

 

If you have a bunch of subnets, say, something like this:

 

**EDIT** Ignore the first entry, it doesn't fall in the summary and was snipped by accident

 

image.png

 

You can get away with adding a single rule like this to block all inter-VLAN traffic:

 

image.png

 

That's it. You're done.

 

 

View solution in original post

5 Replies 5
BrechtSchamp
Kind of a big deal

There is an API endpoint for MX L3 FW rules indeed:

https://documenter.getpostman.com/view/897512/meraki-dashboard-api/2To9xm?version=latest#7fa65270-ce...

 

I suppose you already know this but if you have a default deny you don't need to add any rules to block inter-vlan communication when you add a new VLAN. You will have to add rules to allow certain communication to take place.

jdsilva
Kind of a big deal

You can also get away with a bit of a cheat on this, provided your subnets can be summarized.

 

If you have a bunch of subnets, say, something like this:

 

**EDIT** Ignore the first entry, it doesn't fall in the summary and was snipped by accident

 

image.png

 

You can get away with adding a single rule like this to block all inter-VLAN traffic:

 

image.png

 

That's it. You're done.

 

 

federicogalarza
Here to help

Thanks for the suggestion. The summarisation option is actually a very good idea.
Sprocket
Getting noticed

How will such a default deny rule look like?
I guess all clients would loose internet connectivity by making a "deny any-any "..
jdsilva
Kind of a big deal

Hi @Sprocket. There's an example of what the rule looks like in my post above. Just take a look a that for reference. 

 

Yes, if you put a "deny any any" rule into an MX it will block everything and nothing will work, unless you have other permit rules before it.  

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels