What is the best practice for IOT device segmentation and isolation

Here to help

What is the best practice for IOT device segmentation and isolation

I have smart home devices that generally talk to a hub via protocols like zwave and zigbee. I have PCs and personal computing / storage devices that I don’t need to talk to the hub or the IOT devices.


So, should I put them into separate VLANs and write firewall rules that keep them segmented and isolated from each other?


My PCs don’t really need to talk to the IOT hub or the devices behind the hub.


But my iPhone (for example) does need to communicate both with the hub (to launch routines etc) and to a printer that is attached to the PC. 


What is the best practice?

3 Replies 3
Getting noticed

@EricWenger it truly depends on your uses cases you could segment your network to block off that traffic but I mean what are you solving for? If your use case is security-related i would ask the question of how are your devices connected? (Direct via Ethernet or WiFI) this will really help and decide how or if to segment your network. Personally, I have a separate network for my Sonos sound system and the controller that operates it but that is purely for ease of administration(use). 


I am always up for advanced tinkering and thoughts if you have any questions!

If its just your devices at home fo ease of use I would just have them on the same network, unless you are living with a bunch of hackers why make things more difficult. 

Kind of a big deal

It would be pretty hard do define overall best practices, but I have been thinking about doing this for my home network for security concerns.  With my ever growing collection of "smart" devices and speakers I am concerned with the attack vector that could allow access to my network through a compromised or backdoored smart switch/speaker/light/camera/lock/thermostat, etc.  The hard part is really figuring out what inter-VLAN access might be required or desired to operate.  Each device can have different requirement and might be difficult to work with when on a different VLAN than the one used for general internet access.  Good luck.



- Ex community all-star (⌐⊙_⊙)
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.