cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VLAN Restriction

Here to help

VLAN Restriction

Hi,

 

We do have different VLAN (100-voice, 110 - Wired, 120 - Wireless, 130 - server, 140 - Others)

 

I do have few questions

 

1) By default one VLAN can communication on each another VLAN or not?

2) In our office we have Desktop, Laptops and Printer. Desktop VLAN (110) and Laptop VLAN (120). Due to security reason I do not want the wireless (130) VLAN to communicate with wired VLAN (120) but laptop need access only to the printer. I have created the group policy in different combination but I did not get the result what I want.

3) In wireless VLAN (130) we do have laptops and smart phones. I want to give access only to the laptop and smart phones should not communicate with any other VLAN.

 SS.JPG

4) I did not see any source IP in the Layer 3 Firewall setting but in this community I can see others screen with source IP. What is the reason?

 

I have created the group policy and assigned to the VLAN and also in client to test the rule. I there any way to attach the group policy in some where else?

 

Kindly help me.

 

Thank you

11 REPLIES 11
Building a reputation

Re: VLAN Restriction

Let me get straight to your questions:

 

1) Yes, by default everything is allowed on MX

2) Have you bound the group config to the correct VLAN interface? In a nutshell and giving a sneak preview for question 4: you don't need a source here because the source is the VLAN the group policy is bound to. This has to be taken care of in the firewall ruleset

3) If you want to prevent your Wifi devices (from the Wifi VLAN) to everything else, you will have to have sereal "Deny" statements (or use a supernet if possible). Otherwise, the policy looks rather fine

4) As said above: if you're using group policies only, there will be no "Source" column. If you need to specify specific source IPs, you would rather use the "global" firewall ruleset (Security & SD-WAN -> Firewall).

 

Hope that helps...

Kind of a big deal

Re: VLAN Restriction

If you have segments setup you can use the regular firewall. Group policies aren't needed in that use case.

 

I think these links should probably help you:

https://documentation.meraki.com/MX/Networks_and_Routing/Configuring_VLANs_on_the_MX_Security_Applia...

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Creating_a_DMZ_with_the_MX_Security...

 

The first one talks about segmentation which you already have done but I wanted to share it nonetheless.

 

The second one explains how to restrict inter-vlan communication. I know it says DmZ, but that's just one of the use cases.

Here to help

Re: VLAN Restriction

Thank you very much for your reply.

 

Really I learned some information from that link.

Here to help

Re: VLAN Restriction

Hi,

 

Still I do have some more questions. 

 

We do have 100 Mbps internet speed from the service provider and I would like to know how much we are using from that 100 Mpbs. If we did not use 100 Mpbs probably will downgrade the plan or If it is not sufficient then will upgrade the plan.

 

Can you please help me to find out?

 

Thanks

Building a reputation

Re: VLAN Restriction

You could use the Dashboard: Security & SD-WAN -> Appliance Status. There you can see the status and network usage of your WAN interface(s).

Here to help

Re: VLAN Restriction

Sorry to bother you again and again.

One more question. 

As I know,we can stop access to the website like YouTube using the following options.

 

  1. Content filter
  2. Firewall rules
  3. Group Policy

I added the YouTube in the content filter and I created a group policy in the name of VIP. That group policy will bypass all the rules but is is not working for me. I like to block the YouTube to all the users except those who have the group policy VIP. Can you please tel me how it is working. Which one has more priority. And also we have Wi-Fi Access points so that is make us more confusion.

Kind of a big deal

Re: VLAN Restriction

Hi Hameed, this should answer your question:

What is the order of priority for Group Policies? 

Here to help

Re: VLAN Restriction

Thank you very much for your continues support. 

 

I would like to block internet access to one client but he can access LAN.

 

Can you please help me?

 

Thank you 

Here to help

Re: VLAN Restriction

Sorry to bother you. Is any chance to get reply?

 

Thanks

Kind of a big deal

Re: VLAN Restriction

You should have all information you need in the links I posted before.

 

Just make a group policy, add two firewall rules to it. A firewall rule at the bottom that blocks everything. Firewall rule(s) above it that allow(s) access to you local subnet(s).

Here to help

Re: VLAN Restriction

Thank you very much for your help.

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.