VLAN

gplatret
Here to help

VLAN

Hello,


I have 3 VLANs on a switch:
1 voice
2 data

I would like to separate the two data VLANs.
Currently the 2 data VLANs are accessible to each other. How do I separate them?


Thank you

12 Replies
kYutobi
Kind of a big deal

You can separate it by first creating your VLAN IP addresses.


Example:

VLAN 1 192.168.1.1

VLAN 2 192.168.2.1

Voice VLAN 192.168.3.1


Then on the switch change switchport to access and assign the VLAN number.

Enthusiast

@gplatret - That link is specifically for an MX; unfortunately it will not be helpful if you want to make changes on a Meraki switch.

If you would like to do this on your Meraki Switch, you will need to follow these instructions. - https://documentation.meraki.com/MS/Layer_3_Switching/MS_Layer_3_Switching_and_Routing


However, I do need to understand further what you mean when you ask to separate the data VLANs. From my point of view the English wording you are using here is not helpful; I mean that in a sincere way, as I understand that English is a difficult language.


So, to clarify with you and ensure we are understanding each other: the purpose of VLANs and their nature is that they provide a layer of network separation. We create VLANs to keep traffic isolated based on its purpose. This does not, however, prevent access to those networks. In order to do that we need to implement some sort of control mechanism.


So, before I explain how we can do some form of control mechanism with Meraki, can you clarify whether the word you are using, "separate", means either:

1. To create new VLANs that will be able to be contacted by all other networks (VLANs) within my network.

2. To create a control mechanism to prevent access between the two data VLANs so people or servers in each of those VLANs cannot communicate with each other.


Thanks,

Daniel.

Hello,

Thanks for your help.


I want:

2. To create a control mechanism to prevent access between the two data VLANs so people or servers in each of those VLANs cannot communicate with each other.

But the networks must have internet access.

The gateway is located on VLAN 1.


@gplatret 

I am assuming the router is connected to some other gateway or router and you want to manage everything on the Meraki switch instead.


You can restrict network access between these two VLANs by the tried and true method of ACLs (also known as Access Control Lists). Follow this guide in setting it up - https://documentation.meraki.com/MS/Layer_3_Switching/Configuring_ACLs


With Meraki, all traffic not specified here will be allowed. So, as per the guide, if you configure your first rule with the destination of data VLAN 1 and the source of data VLAN 2, you will find that traffic from data VLAN 2 will not work. You will then make a similar rule for destination VLAN 2.

As a precaution, since I am guessing this is your first time doing this, I would encourage you to do this at a time when it will cause minimal disruption if this switch is in a work environment.


Let me know if you get stuck and/or if this does not make sense.


Thanks.

Hello,
I authorize access to the router 192.9.200.1
and I forbid everything.
But it doesn't work.
Any idea?
Thank you

[screenshot attachment: gplatret_0-1577351711702.png]

@gplatret -

Your first rule to allow access to the gateway is redundant, because we are just blocking access between VLANs and all other traffic not specified is allowed.


The second rule (the VLAN deny rule) will not work in its current form and will block all access, as the destination is set to ANY. Since all you have advised me here is that you want to block each data VLAN from talking to the other, you need to make rules that, in summary, do this:


1. Rule 1 - Deny Traffic from VLAN1 to VLAN2

2. Rule 2 - Deny Traffic from VLAN2 to VLAN1


Within Meraki, you need to include the Source Address and Destination addresses for each respective rule and then select Deny. So for example, this is what it should look like. Obviously remove the addresses I have put in and match it with what the networks are configured for your environment.


[screenshot attachment: daniel_bostock_1-1577405013807.png]

Let me know how you go mate.


Thanks.
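A small first-match ACL simulator, added here as an illustration (it is not Meraki's code and was not posted in the thread), that shows why a deny rule with destination ANY also kills internet access, while the two VLAN-to-VLAN deny rules above leave it working. The two data subnets and the external address are constructed placeholders; the router address is the one the poster mentioned.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed placeholder subnets; replace with the real data VLAN ranges.
DATA_VLAN1 = ip_network("192.168.1.0/24")
DATA_VLAN2 = ip_network("192.168.2.0/24")
ANY = ip_network("0.0.0.0/0")
GATEWAY = "192.9.200.1"          # router address from the poster's screenshot
INTERNET_HOST = "203.0.113.10"   # constructed external address


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network


def evaluate(rules: list[Rule], src_ip: str, dst_ip: str) -> str:
    """First matching rule wins; with no match the packet is allowed,
    mirroring the implicit permit the reply describes for MS ACLs."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "allow"


# What the poster configured: permit the router, then deny each VLAN to ANY.
# Internet-bound packets carry the remote host's IP as destination, not the
# gateway's, so the allow rule never matches them and the deny-to-ANY wins.
POSTED_RULES = [
    Rule("allow", ANY, ip_network(f"{GATEWAY}/32")),
    Rule("deny", DATA_VLAN1, ANY),
    Rule("deny", DATA_VLAN2, ANY),
]

# The corrected rule set from the reply: only inter-VLAN traffic is denied.
FIXED_RULES = [
    Rule("deny", DATA_VLAN1, DATA_VLAN2),
    Rule("deny", DATA_VLAN2, DATA_VLAN1),
]


def outcomes(rules: list[Rule]) -> dict[str, str]:
    """Evaluate the flows that matter in this thread for a given rule set."""
    return {
        "vlan1->vlan2": evaluate(rules, "192.168.1.10", "192.168.2.10"),
        "vlan2->vlan1": evaluate(rules, "192.168.2.10", "192.168.1.10"),
        "vlan1->internet": evaluate(rules, "192.168.1.10", INTERNET_HOST),
        "vlan2->internet": evaluate(rules, "192.168.2.10", INTERNET_HOST),
    }
```

Calling `outcomes(POSTED_RULES)` returns "deny" for every flow, including internet, whereas `outcomes(FIXED_RULES)` denies only the two inter-VLAN flows.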

Thanks for the help.
But it does not work.

[screenshot attachment: gplatret_0-1577436667011.png]

All good mate, hopefully we get there in the end and sort out this problem!


I am not so sure why that is not working. Just to confirm: when you mentioned at the start that the VLANs were on the switch, I assumed you meant that the switch has the Layer 3 interfaces configured for the VLANs and is routing the traffic to a router which maintains the internet (WAN) connection. Is this the case, or is there a separate device like an ISP-provided router or your own managed router?

Also, just to confirm, with this Meraki switch, are all the devices in both VLANs connected to this switch, either directly or via another switch connected to this switch?

The router is a MERAKI MX100 connected to other switches before arriving at the one I'm interested in.

Ah, OK. Because that is the router and it is the gateway to the networks, it is always better practice to configure control policies there. In the MX Firewall configuration section, just apply the rules which you were applying to the switch. This should get it working for you.


As always, I recommend you do this during a suitable time frame as you may cause network disruption that is unexpected for some end users.


Thanks,

Daniel.
