Disallow access to other device but still access another VLAN

SOLVED
Darian

A client of ours wants to set up multiple SSIDs for each of their 'teams' and separate them using VLANs and L3 firewall rules. We are trying to talk them out of this and just doing 3 SSIDs: a guest, a private, and a team, making those teams connect to the "Team" SSID and making it so none of the devices can communicate with each other. We know you can accomplish this by using the Meraki DHCP, but they also have a network printer that those devices will also need to connect to on another VLAN. Is it possible to make it so they can communicate with the printer VLAN but not with other devices on the "Team" VLAN?

For example:

I have a laptop on the "Team" SSID using VLAN 2 and need to print to a printer on VLAN 1. However, I should not be able to set up a network share or ping from my laptop to my desktop if both devices are on the same "Team" SSID.

1 ACCEPTED SOLUTION
ww

Make a rule to block VLAN team to VLAN team.

You can also look at iPSK if you want different teams to have different VLANs and still use 1 SSID.

Or WPA2-Enterprise with RADIUS.

Darian

Thank you, I'm going to try the iPSK without RADIUS for Meraki (they don't have an on-site server) and see how that goes!

Bruce

@Darian, not sure about iPSK as a solution to this, but you could use Layer 2 isolation on the VLAN to prevent clients ‘talking’ to each other. With Layer 2 isolation (SSID needs to be in bridge mode) clients have to communicate through the default gateway. See https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Wireless_Client_Isolation.
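
The "block team to team, still reach the printer" rule set discussed in this thread, modelled as an added example that is not from any poster and is not Meraki's own code. It is a generic top-down, first-match evaluator; the subnets, the printer address, port 9100 for raw printing, the gateway doubling as DNS server and the "other internal hosts" rule are all assumptions, since the thread gives only VLAN numbers.

```python
import ipaddress

# Constructed addressing (assumption: the thread names VLANs, not subnets).
TEAM_NET = "10.0.2.0/24"   # "Team" SSID, VLAN 2
PRINTER = "10.0.1.50/32"   # network printer on VLAN 1
TEAM_GW = "10.0.2.1/32"    # default gateway, assumed to also answer DNS

# Ordered rules: evaluated top-down, first match wins.
RULES = [
    ("allow", "udp", 53, TEAM_GW, "DNS on the gateway"),
    ("allow", "tcp", 9100, PRINTER, "raw printing to the printer"),
    ("deny", "any", None, TEAM_NET, "block team to team"),
    ("deny", "any", None, "10.0.0.0/8", "other internal hosts"),
    ("allow", "any", None, "0.0.0.0/0", "default allow"),
]


def evaluate(dst_ip, proto, port, rules=RULES):
    """Return (policy, comment) of the first rule matching the packet."""
    dst = ipaddress.ip_address(dst_ip)
    for policy, r_proto, r_port, cidr, comment in rules:
        if r_proto not in ("any", proto):
            continue  # protocol does not match this rule
        if r_port is not None and r_port != port:
            continue  # rule is port-specific and the port differs
        if dst in ipaddress.ip_network(cidr):
            return policy, comment
    return "deny", "no rule matched"


def misordered():
    """Same rules with the team deny moved to the top."""
    return [RULES[2]] + RULES[:2] + RULES[3:]


if __name__ == "__main__":
    samples = [  # constructed packets: (destination, protocol, port)
        ("10.0.2.37", "tcp", 445),     # laptop -> desktop file share
        ("10.0.2.37", "icmp", None),   # laptop -> desktop ping
        ("10.0.1.50", "tcp", 9100),    # laptop -> printer
        ("10.0.2.1", "udp", 53),       # laptop -> gateway DNS
        ("93.184.216.34", "tcp", 443), # laptop -> internet
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt), "| misordered:", evaluate(*pkt, misordered()))
```

With the deny placed first, the gateway's own address falls inside the blocked subnet, so any service it hosts for clients (DNS here) is cut off even though routed traffic to the printer still passes.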
