Restrict traffic of a VLAN to only the ports in the VLAN

Solved
ChrisPixley
New here

I have a VLAN (230) that is configured on several downstream switches from my Layer 3 switch. I need to restrict the traffic on this VLAN to only talk to this VLAN (VLAN 230 only talks to VLAN 230).


8 Replies
Mloraditch
Kind of a big deal

You can use switch ACLs for this: https://documentation.meraki.com/MS/Layer_3_Switching/Configuring_ACLs


You could also rehome the VLANs to your firewall and configure the restrictions there. If it's an MX, that would be via group policies.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
ChrisPixley
New here

Can I place the ACL only on the ports where this VLAN is used?

ChrisPixley
New here

I would assume that rehome VLAN to MX is as simple as adding the VLAN to the MX.

Mloraditch
Kind of a big deal

Switch ACLs are shared globally so no.

As to rehoming it, provided your MX is already trunked to your switches and the VLAN is allowed, yes, you would just delete it off your Layer 3 switch and add it to your MX, being careful to record any relevant settings, especially DHCP reservations and such.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
ChrisPixley
New here

Sounds like rehoming to the MX is not the right direction for us.


My concern in setting up an ACL is its impact on my other VLANs. I have VLAN 10 & 224-231 in this network. I need to isolate VLAN 230 without impacting the other VLANs. If I create an allow rule for 230 and then follow it up with a deny-all rule, would it impact my other VLANs negatively?

Mloraditch
Kind of a big deal

This may help explain how that will work: https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation

In my mind there are two possible solutions:
A) If you don't care about internet
An allow rule saying source/destination with the VLAN 230 subnet in both fields is allowed.
Followed by denies, one with a source of any and a destination of VLAN 230, and one the opposite.
B) If you care about internet
An allow rule saying source/destination with the VLAN 230 subnet is allowed.
Followed by a series of explicit pairings for each subnet you want to deny access to VLAN 230, two rules for each subnet: one where that subnet is the source and VLAN 230 is the destination, and then a second with the opposite.

Switch ACLs don't support subnet lists, but if there is a relevant supernet you could use that to consolidate the denies.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
ChrisPixley
New here

Thank you. Of course the 230 is in the middle of the supernet /21.
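To see how the accepted answer's rule ordering behaves, and why the /21 supernet can still be used to consolidate the denies even though VLAN 230 sits inside it, here is an added example that models first-match switch ACL evaluation in Python. It is not Meraki's code and not from anyone in this thread; the addressing (VLAN N in 10.0.N.0/24, the 10.0.224.0/21 supernet, 203.0.113.10 as an "internet" host) is constructed for the example, and the trailing default allow, the optional per-rule VLAN match and the first-match semantics are assumptions about how the dashboard ACL behaves, taken from the linked Switch ACL Operation page rather than verified against a switch.

```python
"""First-match switch ACL model (added example, not Meraki's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addressing: VLAN N lives in 10.0.N.0/24, so VLANs 224-231
# all fall inside the 10.0.224.0/21 supernet mentioned in the thread.
VLAN230 = "10.0.230.0/24"
VLAN10 = "10.0.10.0/24"
SUPERNET = "10.0.224.0/21"


@dataclass(frozen=True)
class Rule:
    policy: str                  # "allow" or "deny"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    vlan: Optional[int] = None   # assumed per-rule VLAN match; None = any VLAN
    comment: str = ""


def _cidr_match(cidr: str, ip: str) -> bool:
    """True when the address is inside the CIDR, or the field is 'any'."""
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, vlan: int) -> Tuple[str, str]:
    """Return (policy, comment) of the first matching rule, top to bottom.
    Assumption: the list ends in an implicit allow, as the linked doc describes."""
    for r in rules:
        if r.vlan is not None and r.vlan != vlan:
            continue
        if _cidr_match(r.src, src_ip) and _cidr_match(r.dst, dst_ip):
            return r.policy, r.comment
    return "allow", "default allow at end of list"


# Option A from the accepted answer: VLAN 230 talks only to itself, no internet.
OPTION_A = [
    Rule("allow", VLAN230, VLAN230, comment="230 to 230"),
    Rule("deny", "any", VLAN230, comment="anything else to 230"),
    Rule("deny", VLAN230, "any", comment="230 to anything else"),
]

# Option B: same allow first, then explicit deny pairs. The /21 supernet covers
# VLANs 224-231 including 230 itself, but because the allow is matched first
# the intra-230 traffic never reaches the supernet denies.
OPTION_B = [
    Rule("allow", VLAN230, VLAN230, comment="230 to 230"),
    Rule("deny", SUPERNET, VLAN230, comment="224-231 to 230"),
    Rule("deny", VLAN230, SUPERNET, comment="230 to 224-231"),
    Rule("deny", VLAN10, VLAN230, comment="10 to 230"),
    Rule("deny", VLAN230, VLAN10, comment="230 to 10"),
]

# Same rules as option A with the allow moved below the denies: shows why order matters.
WRONG_ORDER = [OPTION_A[1], OPTION_A[2], OPTION_A[0]]

# Constructed flows: (name, src_ip, dst_ip, ingress VLAN).
FLOWS = [
    ("intra_230", "10.0.230.10", "10.0.230.20", 230),
    ("vlan224_to_230", "10.0.224.5", "10.0.230.20", 224),
    ("230_to_vlan10", "10.0.230.10", "10.0.10.5", 230),
    ("230_to_internet", "10.0.230.10", "203.0.113.10", 230),
    ("vlan10_to_224", "10.0.10.5", "10.0.224.5", 10),
]


def decide_all(rules: List[Rule]) -> Dict[str, str]:
    """Run every constructed flow through the ACL; returns {flow name: policy}."""
    return {name: evaluate(rules, s, d, v)[0] for name, s, d, v in FLOWS}


if __name__ == "__main__":
    for label, rules in (("A", OPTION_A), ("B", OPTION_B), ("wrong order", WRONG_ORDER)):
        print(label, decide_all(rules))
```

Running it shows option A denying VLAN 230's internet flow while option B allows it, both leaving the VLAN 10 to VLAN 224 flow untouched (it never matches a rule with 230 in either field), and the wrong-order list blocking VLAN 230 from itself, which is the negative impact to watch for when denies are placed above the allow.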

PhilipDAth
Kind of a big deal

>You could also rehome the vlans to your firewall


When the data flows are not high, this is my preferred approach. I like to do all my firewalling and access restrictions in one place.


Switch ACLs can also be applied per VLAN, so you could consider moving these devices into their own VLAN. You can also simply specify the device's address in the source and destination fields.

[Screenshot attached in the original post]


If you have an MS Advanced licence, and a suitable switch, you could also consider using Adaptive Policy. You can apply a policy to a specific port this way, using an Adaptive Policy "tag".

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Adaptive_Policy_Overv...
