Restrict SSID from accessing a wired VLAN

whocaresatwork
Here to help

I have an issue with my Meraki access points. I have two SSIDs, one for RnD and one for Marketing. I assigned a different vlan for each SSID. I also have wired devices on the RnD vlan. How do I prevent the users on the marketing SSID from accessing the RnD devices?

The setup I have is the MX75 connected to the ISP and to an MS120 switch. The two access points are connected to the MS120. All wired clients are connected to the switch. 

Thanks.

alemabrahao
Kind of a big deal

Have you tried this?

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
whocaresatwork
Here to help

Yes, but I do want the marketing SSID to have access to wired printers and meeting room smart TVs, which are also wired and on the same VLAN.

alemabrahao
Kind of a big deal

So allow it instead of deny, and create firewall rules.

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/MR_Firewall_Rules

whocaresatwork
Here to help

I did. Below is a screenshot of the rules I have for the marketing SSID (on vlan 20 192.168.20.0/24), blocking access to vlan 30 192.168.30.0/24.

But it does not work... when a user connects to the marketing SSID, they can still ping devices on the RND vlan.

 

[Screenshot: whocaresatwork_0-1717162466087.png]


alemabrahao
Kind of a big deal

ICMP is not a 100% reliable test. Have you tested access to other resources within the network?

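
The reply above suggests testing something other than ICMP. The following is an added example, not code from the thread's participants or from Meraki: a small Python check, run from a client on the Marketing SSID, that attempts TCP connections to R&D hosts. The host addresses and ports are constructed placeholders inside the 192.168.30.0/24 range given in the thread.

```python
import socket

# Constructed sample targets inside the thread's R&D subnet (192.168.30.0/24).
# The host addresses and ports are assumptions; substitute real wired R&D devices.
SAMPLE_TARGETS = [("192.168.30.10", 22), ("192.168.30.10", 445), ("192.168.30.25", 80)]


def probe(host, port, timeout=2.0):
    """Classify one TCP connection attempt.

    open     : handshake completed, so traffic crosses into the VLAN
    refused  : the host replied with a reset; the port is closed but the
               packet still reached the host, so the path is not blocked
    filtered : timeout or unreachable, consistent with a firewall drop
               (or with the host simply being offline)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes socket.timeout
        return "filtered"


def check(targets, timeout=2.0):
    """Probe every (host, port) pair and return (host, port, state) tuples."""
    return [(host, port, probe(host, port, timeout)) for host, port in targets]


def leaks(results):
    """Return the probes that show the deny rule is not being enforced."""
    return [r for r in results if r[2] in ("open", "refused")]


if __name__ == "__main__":
    results = check(SAMPLE_TARGETS)
    for host, port, state in results:
        print(f"{host}:{port} {state}")
    print("isolation holds" if not leaks(results) else "isolation FAILS")
```

Point it at hosts known to be powered on, since an all-filtered result from offline hosts proves nothing about the rule.
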
alemabrahao
Kind of a big deal

Check it out.

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/All_VLANs_can_ping_the_Cisco_Meraki...

whocaresatwork
Here to help

Thanks.

I'll update once back in the office.

Assuming that this works, is there a way to also block ICMP?

alemabrahao
Kind of a big deal

ICMP will be accepted even if you have a specific rule blocking it.
