Segregate VLAN/SSID and open for just specific IPs/Ports

Solved
Nydo89
Here to help

Hi all,

We created an SSID for voice WLAN handhelds which is tagged as VLAN 20. VLAN 20 has a /24 192.168.20.0 IP range which is created on an MX100. The MX100 serves this VLAN with DHCP as well.

APs are MR42 with MS225 Switches in between. SSID has PSK WPA2.

Now we need to close this VLAN/WLAN down completely and just allow specific IPs/ports to connect to the cloud-based telephone system of the provider. We got a sheet from the provider of what to open and allow on the firewall.

Where do I configure these rules, and how? I can find a Firewall config on the MX/Security tab as well as on the WLAN/SSID Firewall tab.

What would be the best approach to close a SSID/VLAN down and just open for specific ports?

Best regards and thanks in advance!

1 Accepted Solution
kYutobi
Kind of a big deal

Best to do it on the MX where you have the VLAN created. You can also create group policies with VLANs assigned to them, with your specific IPs/ports within these as well, if you want.

Enthusiast

3 Replies
Nydo89
Here to help

Thanks for the quick response!

So if I understand right:

Implement allow rules on the MX firewall for the VLAN.

Source: provider IPs and ports. Destination: voice VLAN?

Set a Deny Any to destination voice VLAN at the end to block the rest.

[attached screenshot: denyalltovoice.JPG]

Correct like this???

kYutobi
Kind of a big deal

Yes, but make sure to allow the IPs/VLANs that need to access this. Make a test group policy and see if it works.

Enthusiast
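To make the ordering concrete, here is an added example (not from anyone in this thread or from Meraki) that builds the allow-list described above in the JSON shape the MX L3 outbound firewall rules take in the Dashboard API, scoped to the 192.168.20.0/24 voice VLAN, and checks that the final deny really is last and that no allow rule is wildcarded. The provider endpoints and ports are constructed placeholders standing in for the provider's sheet.

```python
"""Allow-list ruleset for an MX L3 outbound firewall (added example).

Provider rows below are constructed placeholders; replace them with the
addresses and ports from the provider's sheet before pushing to the MX.
"""
import ipaddress

VOICE_VLAN = "192.168.20.0/24"  # VLAN 20 from the thread

# Constructed placeholder rows: (comment, protocol, destination CIDR, port).
PROVIDER_SHEET = [
    ("SIP signalling (TLS)", "tcp", "203.0.113.10/32", "5061"),
    ("SIP signalling (UDP)", "udp", "203.0.113.10/32", "5060"),
    ("RTP media",            "udp", "203.0.113.0/24",  "10000-20000"),
    ("Phone provisioning",   "tcp", "198.51.100.5/32", "443"),
]

def build_rules(voice_cidr, sheet):
    """Allow each sheet row from the voice VLAN, then deny everything else
    that leaves the voice VLAN. The MX evaluates rules top-down and is
    stateful, so provider replies come back without an inbound rule."""
    ipaddress.ip_network(voice_cidr)  # raises ValueError on a typo'd subnet
    rules = []
    for comment, proto, dst, port in sheet:
        ipaddress.ip_network(dst)
        rules.append({"comment": comment, "policy": "allow", "protocol": proto,
                      "srcCidr": voice_cidr, "srcPort": "Any",
                      "destCidr": dst, "destPort": port, "syslogEnabled": False})
    rules.append({"comment": "Deny all else from voice VLAN", "policy": "deny",
                  "protocol": "any", "srcCidr": voice_cidr, "srcPort": "Any",
                  "destCidr": "Any", "destPort": "Any", "syslogEnabled": True})
    return rules  # push with PUT /networks/{id}/appliance/firewall/l3FirewallRules

def check_rules(rules, voice_cidr):
    """Return a list of problems (empty means the ruleset is sane):
    the deny must be last, nothing may sit after or before it that
    shadows the allows, and every rule must stay scoped to the voice VLAN."""
    problems = []
    if rules[-1]["policy"] != "deny" or rules[-1]["destCidr"] != "Any":
        problems.append("last rule must be deny-any")
    for i, r in enumerate(rules[:-1]):
        if r["policy"] == "deny":
            problems.append(f"rule {i}: a deny before the final deny shadows later allows")
        if r["destCidr"] == "Any" or r["destPort"] == "Any":
            problems.append(f"rule {i}: allow rule is wildcarded, too broad")
    if any(r["srcCidr"] != voice_cidr for r in rules):
        problems.append("a rule is not scoped to the voice VLAN")
    return problems
```

Log the final deny (syslogEnabled) so anything the handsets still try to reach that the sheet forgot, such as DNS or NTP, shows up in the event log during the test phase rather than as a silent call failure.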