Meraki

Community

Isolate Clients On Same VLAN

Solved
Erik_R
Here to help
‎Apr 2 2025 10:04 AM
‎Apr 2 2025 10:04 AM

Isolate Clients On Same VLAN

Hello.  I created an "Internet only" VLAN on an MS switch.  I have an ACL in place that prevents this VLAN from accessing all of my other production VLANs.  This "Internet only" VLAN will be for some guests that will be wired clients for several weeks.

 

Is there any way to isolate these clients from each other?  In other words, these guest users should only be able to connect to the Internet and not connect to each other.

 

Would it be possible to create an ACL to block the "Internet only" VLAN from itself?

0 Kudos
1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 2 2025 10:08 AM
‎Apr 2 2025 10:08 AM

I know it's not possible in MX, but I believe it is possible in MS.

Theoretically, it's enough to create an ACL blocking everything for the network as Source and also as Destination.

Have you tried this?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

0 Kudos
12 Replies 12
BrentB
Here to help
‎Apr 2 2025 10:07 AM
‎Apr 2 2025 10:07 AM

I always thought ACLs were only processed for traffic entering / leaving the interface where they are applied. Anything on the same wire / same VLAN would not pass through the ACL.

 

Brent

0 Kudos
Mloraditch
Kind of a big deal
Kind of a big deal
‎Apr 2 2025 10:07 AM
‎Apr 2 2025 10:07 AM

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Restricting_Traffic_with_Isolated_Sw...

 

This should do what you want.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Mloraditch
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 2 2025 10:12 AM
‎Apr 2 2025 10:12 AM

Personally, I think this option is much more work, since the configuration is per port.

I don't see much point in what it intends to do, a simple ACL is much more practical.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Mloraditch
Kind of a big deal
Kind of a big deal
‎Apr 2 2025 10:36 AM
‎Apr 2 2025 10:36 AM

I mean he said he wants every port in the vlan, so just filter that in switch port view, leave out the uplink port and edit. Should take a few moments.

 

ACLs are also global to all switches in the network and could have unintended consequences, this would only affect the ports in question. 🤷‍

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Mloraditch
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 2 2025 10:53 AM
‎Apr 2 2025 10:53 AM

I agree, but in this case it is only blocking communication between the same subnet, it should not have a major impact. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 2 2025 10:08 AM
‎Apr 2 2025 10:08 AM

I know it's not possible in MX, but I believe it is possible in MS.

Theoretically, it's enough to create an ACL blocking everything for the network as Source and also as Destination.

Have you tried this?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Apr 3 2025 1:27 AM
‎Apr 3 2025 1:27 AM

This is what TrustSec with SGTs is designed to do. But there are some more requirements for that.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
Erik_R
Here to help
‎Apr 4 2025 6:36 AM
‎Apr 4 2025 6:36 AM

An update regarding this.

 

An ACL blocking the "Internet Only" VLAN from itself worked.  Enabling port isolation on each port worked as well.

 

However, none of these settings will work if a switch (obviously non-Meraki) is connected to one of these ports as an uplink on a Meraki switch and clients are connected to it.  The clients will be able to ping each other because that traffic is not flowing through the Meraki switch port.

0 Kudos
In response to Erik_R
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 4 2025 6:42 AM
‎Apr 4 2025 6:42 AM

Exactly, because this communication does not need to go to the network gateway, that is, it is communication within L2.

But do you see ping as a problem?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Erik_R
Here to help
‎Apr 4 2025 6:44 AM
‎Apr 4 2025 6:44 AM

Well, these are guests "squatting" in our office from different trades.  Ideally I would prefer that none of their machines can contact each other on the same VLAN.  I don't have enough ports to properly patch them into our Meraki switches.

0 Kudos
In response to Erik_R
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 4 2025 6:48 AM
‎Apr 4 2025 6:48 AM

In this case there is not much to do other than replace them with Meraki switches. 😕

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Apr 5 2025 7:10 AM
‎Apr 5 2025 7:10 AM

Normally ACL's on MS switches are VLAN ACL's so you should be able to just block traffic coming from that VLAN to any private RFC1918 address in 3 rules and that should effectively also isolate guest clients from each other.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.