VLAN Restriction




We have different VLANs (100 - Voice, 110 - Wired, 120 - Wireless, 130 - Server, 140 - Others).


I have a few questions:


1) By default, can one VLAN communicate with another VLAN or not?

2) In our office we have desktops, laptops and a printer: desktop VLAN (110) and laptop VLAN (120). For security reasons I do not want the wireless (130) VLAN to communicate with the wired VLAN (120), but the laptops need access only to the printer. I have created the group policy in different combinations, but I did not get the result I want.

3) In the wireless VLAN (130) we have laptops and smartphones. I want to give access only to the laptops; the smartphones should not communicate with any other VLAN.


4) I did not see any source IP in the Layer 3 firewall settings, but in this community I can see other people's screens with a source IP. What is the reason?


I have created the group policy and assigned it to the VLAN, and also to a client to test the rule. Is there any way to attach the group policy somewhere else?


Kindly help me.


Thank you

11 Replies
Kind of a big deal

Let me get straight to your questions:


1) Yes, by default everything is allowed on the MX.

2) Have you bound the group policy to the correct VLAN interface? In a nutshell, and giving a sneak preview of question 4: you don't need a source here because the source is the VLAN the group policy is bound to. This has to be taken care of in the firewall ruleset.

3) If you want to prevent your Wi-Fi devices (from the Wi-Fi VLAN) from reaching everything else, you will have to have several "Deny" statements (or use a supernet if possible). Otherwise, the policy looks rather fine.

4) As said above: if you're using group policies only, there will be no "Source" column. If you need to specify specific source IPs, you would rather use the "global" firewall ruleset (Security & SD-WAN -> Firewall).


Hope that helps...

If you have segments set up you can use the regular firewall. Group policies aren't needed in that use case.


I think these links should probably help you:





The first one talks about segmentation which you already have done but I wanted to share it nonetheless.


The second one explains how to restrict inter-VLAN communication. I know it says DMZ, but that's just one of the use cases.

Thank you very much for your reply.


I really learned some useful information from those links.



I still have some more questions.


We have a 100 Mbps internet connection from the service provider, and I would like to know how much of that 100 Mbps we are using. If we are not using the full 100 Mbps we will probably downgrade the plan, or if it is not sufficient then we will upgrade the plan.


Can you please help me to find out?



Kind of a big deal

You could use the Dashboard: Security & SD-WAN -> Appliance Status. There you can see the status and network usage of your WAN interface(s).

Sorry to bother you again and again.

One more question. 

As far as I know, we can block access to websites like YouTube using the following options:


  1. Content filter
  2. Firewall rules
  3. Group Policy

I added YouTube to the content filter and I created a group policy with the name VIP. That group policy should bypass all the rules, but it is not working for me. I would like to block YouTube for all users except those who have the VIP group policy. Can you please tell me how this works and which one has the higher priority? We also have Wi-Fi access points, which makes it more confusing for us.

Kind of a big deal

Hi Hameed, this should answer your question:

What is the order of priority for Group Policies? 

Thank you very much for your continued support.


I would like to block internet access for one client, but he should still be able to access the LAN.


Can you please help me?


Thank you 

Sorry to bother you. Is there any chance of getting a reply?



Kind of a big deal

You should have all information you need in the links I posted before.


Just make a group policy and add two firewall rules to it: a firewall rule at the bottom that blocks everything, and firewall rule(s) above it that allow(s) access to your local subnet(s).
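As an added illustration of the two rulesets discussed in this thread (the global L3 rules that restrict the wireless VLAN to the printer, and the group-policy rules that allow the LAN but block the internet), the following Python script models top-down, first-match rule evaluation with a default allow, which is how the replies above describe the MX behaviour. This is example code written for this page, not Meraki's own code or API; the subnets, the printer address and the rule layout are constructed assumptions, and the evaluator is a model used to check rule ordering before you type the rules into the Dashboard.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example subnets (assumption: one /24 per VLAN). The thread lists
# the VLAN numbers inconsistently, so the numbering here is illustrative only.
WIRED = "10.0.120.0/24"        # hypothetical wired / desktop VLAN
WIRELESS = "10.0.130.0/24"     # hypothetical wireless / laptop VLAN
SERVER = "10.0.140.0/24"       # hypothetical server VLAN
PRINTER = "10.0.120.50/32"     # hypothetical printer, lives on the wired VLAN
LOCAL_SUBNETS = [WIRED, WIRELESS, SERVER]


@dataclass
class Rule:
    policy: str                 # "allow" or "deny"
    dst: str                    # CIDR or "any"
    src: Optional[str] = None   # CIDR or "any"; None = group-policy rule (no Source column,
                                # the source is whatever the policy is bound to)
    protocol: str = "any"       # "any", "tcp", "udp", "icmp"
    dst_port: str = "any"       # "any", "9100", "9100,631" or "1-1023"
    comment: str = ""

    def matches(self, src_ip, dst_ip, protocol, dst_port) -> bool:
        return (_cidr_ok(self.src, src_ip) and _cidr_ok(self.dst, dst_ip)
                and (self.protocol == "any" or self.protocol == protocol)
                and _port_ok(self.dst_port, dst_port))


def _cidr_ok(spec: Optional[str], ip) -> bool:
    if spec is None or spec == "any":
        return True
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             protocol: str = "tcp", dst_port: int = 443) -> str:
    """Top-down, first-match evaluation. Assumption, following the thread:
    if no rule matches, the flow is allowed (MX default)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src, dst, protocol, dst_port):
            return rule.policy
    return "allow"


# Global ruleset (Security & SD-WAN -> Firewall): has a Source column, so the
# wireless VLAN can be named explicitly. Allow the printer first, then deny the
# rest of the internal ranges; internet traffic falls through to the default allow.
GLOBAL_RULES = [
    Rule("allow", PRINTER, src=WIRELESS, protocol="tcp", dst_port="9100,631",
         comment="wireless -> printer (raw/IPP) only"),
    Rule("deny", WIRED, src=WIRELESS, comment="wireless -> wired: blocked"),
    Rule("deny", SERVER, src=WIRELESS, comment="wireless -> server: blocked"),
]

# Group policy for "one client: LAN yes, internet no". No Source column; the
# allows for local subnets must sit ABOVE the catch-all deny.
LAN_ONLY_POLICY = [Rule("allow", net, comment="keep LAN reachable") for net in LOCAL_SUBNETS]
LAN_ONLY_POLICY.append(Rule("deny", "any", comment="block everything else (internet)"))

# The common mistake: the deny placed first. First-match means it shadows the allows.
WRONG_ORDER_POLICY = [Rule("deny", "any")] + [Rule("allow", net) for net in LOCAL_SUBNETS]


if __name__ == "__main__":
    print(evaluate(GLOBAL_RULES, "10.0.130.10", "10.0.120.50", "tcp", 9100))  # allow (printer)
    print(evaluate(GLOBAL_RULES, "10.0.130.10", "10.0.120.20"))               # deny (other wired host)
    print(evaluate(GLOBAL_RULES, "10.0.130.10", "8.8.8.8"))                   # allow (internet)
    print(evaluate(LAN_ONLY_POLICY, "10.0.120.20", "10.0.140.5"))             # allow (LAN)
    print(evaluate(LAN_ONLY_POLICY, "10.0.120.20", "8.8.8.8"))                # deny (internet)
    print(evaluate(WRONG_ORDER_POLICY, "10.0.120.20", "10.0.140.5"))          # deny (shadowed)
```

Two things the model makes visible that the Dashboard does not: the global rules above only cover flows initiated from the wireless VLAN (a wired host talking to a wireless host is still allowed, so add the reverse deny if that is also unwanted), and the printer allow is scoped to TCP 9100 and 631 rather than "any", so a compromised laptop cannot reach other services the printer may expose. Whether the real MX ruleset accepts a given port syntax is not something this model checks; verify the rule in the Dashboard.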

Thank you very much for your help.
