Meraki

Community

switches and firewall

Solved
Messy
Getting noticed
‎Apr 16 2025 3:35 AM
‎Apr 16 2025 3:35 AM

switches and firewall

Hello,

 

Apologies, couldnt think of a helpful title.


I was wondering about firewalls rules that deal with inter-vlan routing. If we put our VLAN interfaces on the MX, then routing traffic will go through the MX and it can apply its firewall rules.


However what happens if the interface is on the switch? Traffic wont touch the MX so no firewall rules apply I assume (ignoring WiFi / group policy rules).

If we wanted to restrict certain VLAN to VLAN talk, is out only option ACL's ?(apart form moving the interface to a MX)

thanks!

0 Kudos
1 Accepted Solution
Mloraditch
Kind of a big deal
‎Apr 16 2025 4:43 AM
‎Apr 16 2025 4:43 AM

You are correct. The MX can only inspect traffic it sees. It will not see intervlan traffic where a switch is the home of the vlan.

 

You would need to use switch ACLs.

 

You could also use 802.1x solutions in combination with group or adaptive policies 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

3 Replies 3
Mloraditch
Kind of a big deal
‎Apr 16 2025 4:43 AM
‎Apr 16 2025 4:43 AM

You are correct. The MX can only inspect traffic it sees. It will not see intervlan traffic where a switch is the home of the vlan.

 

You would need to use switch ACLs.

 

You could also use 802.1x solutions in combination with group or adaptive policies 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
DarrenOC
Kind of a big deal
Kind of a big deal
‎Apr 16 2025 5:04 AM
‎Apr 16 2025 5:04 AM

Hi @Messy, I don’t know your environment or business requirements etc but for the sake of simplicity why not move all SVIs into your MX?  Then your can restrict inter-vlan traffic on a single device rather than manage both ACLs and MX firewall rules?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
Messy
Getting noticed
‎Apr 16 2025 5:13 AM
‎Apr 16 2025 5:13 AM

yea that's what we do now but for whatever reason we seem to have multiple sites where some or all VLANs were put on the switches. Probably a hang over from transitioning to Meraki where engineers just set them up the way they were on the old hardware.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.