Meraki Community

JacobTank

I would like to isolate our general networks from our AVL Networks.

Our AVL Networks are on another VLAN.

Devices on the AVL VLAN should be able to talk to each other, a few resources on the Default VLAN, and reach the internet.

What is the best way to isolate these clients from our other networks? Assigning VLANs to the Switches? Assigning Port Profiles to the Switch ports that have the right Native VLAN and allow only AVL VLAN? Using Group Policies?

GIdenJoe

If you terminate your VLAN's on your MX then you have the ability to just use the L3/4 firewall rules on the MX to prevent one network to reach the other.
In the beginning of your MX firewall rule set just add a rule deny any source AVL network, destination private address spaces.
Then you can still have other filtering rules to any like http https, dns, ntp, icmp for avl towards the internet.

View solution in original post

dcatiller

What is doing routing between the two VLANs? (is the switch L3, have an MX or non-Meraki device?)

You can create those VLANs and filter traffic with the switch ACL or Group Policy, but it would be important to know what is doing the routing.

JacobTank

MX is L3 and doing the routing.

Meraki Support said to use Firewall Policies. I prefer using Group Policies if the outcome is the same.

GIdenJoe

If you terminate your VLAN's on your MX then you have the ability to just use the L3/4 firewall rules on the MX to prevent one network to reach the other.
In the beginning of your MX firewall rule set just add a rule deny any source AVL network, destination private address spaces.
Then you can still have other filtering rules to any like http https, dns, ntp, icmp for avl towards the internet.

Meraki Community

VLANS - AVL & OPS

VLANS - AVL & OPS