ACL question - Isolating a VLAN

8clopez09
Visitor

Trying to isolate some guest VLANs in an environment with an L3 switch via switch ACLs.

Opting to block traffic to and from the RFC1918 blocks instead of having 30+ rules (we have 10+ VLANs per site), but wondering if I need an Allow rule at the top so that clients on that subnet can communicate with each other.

Meraki's KBs don't specifically mention the scenario, but in this article:

https://documentation.meraki.com/Switching/MS_-_Switches/Operate_and_Maintain/How-Tos/Switch_ACL_Operation

They show an example where the VLAN tag is used, and it does isolate clients.

If there is an entirely better way of doing this I'm all ears.

Accepted Solution

aleabrahao
Meraki Community All-Star

Meraki MS ACLs are stateless, and the first match prevails.
If you add a broad deny (such as RFC1918), it will also match intra-VLAN traffic.
So yes, you should add an allow if you want intra-VLAN communication.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
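The first-match, stateless behaviour described in the answer, as an added example that is not from the original post or from Meraki: a small evaluator run over a constructed guest subnet and RFC1918 deny list, showing that intra-VLAN traffic is denied unless an allow precedes the broad denies. The guest subnet, the explicit final allow-any and the rule tuple format are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed rule sets (assumptions, not the poster's actual config).
# A rule is (action, src_cidr, dst_cidr); evaluation is stateless and
# stops at the first rule whose src and dst both match, as the answer states.
GUEST = "10.10.50.0/24"          # hypothetical guest VLAN subnet
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def deny_rfc1918_both_ways(guest):
    """Deny guest -> RFC1918 and RFC1918 -> guest.

    The ACL is stateless, so the return direction needs its own rules."""
    rules = [("deny", guest, block) for block in RFC1918]
    rules += [("deny", block, guest) for block in RFC1918]
    return rules

# Rule set A: only the broad denies, then a final allow-any (assumed).
RULES_WITHOUT_ALLOW = deny_rfc1918_both_ways(GUEST) + [("allow", "0.0.0.0/0", "0.0.0.0/0")]
# Rule set B: intra-VLAN allow placed first, as the accepted answer advises.
RULES_WITH_ALLOW = [("allow", GUEST, GUEST)] + RULES_WITHOUT_ALLOW

def evaluate(rules, src, dst):
    """Return (action, index) of the first matching rule; first match prevails."""
    s, d = ip_address(src), ip_address(dst)
    for i, (action, src_cidr, dst_cidr) in enumerate(rules):
        if s in ip_network(src_cidr) and d in ip_network(dst_cidr):
            return action, i
    return "allow", None  # not reached here: the last rule matches everything

if __name__ == "__main__":
    cases = [("10.10.50.10", "10.10.50.20", "guest to guest (intra-VLAN)"),
             ("10.10.50.10", "10.10.20.5", "guest to corporate VLAN"),
             ("10.10.50.10", "203.0.113.10", "guest to internet"),
             ("10.10.20.5", "10.10.50.10", "corporate to guest")]
    for src, dst, label in cases:
        a, _ = evaluate(RULES_WITHOUT_ALLOW, src, dst)
        b, _ = evaluate(RULES_WITH_ALLOW, src, dst)
        print(f"{label:30s} without allow: {a:5s}  with allow: {b}")
```

Guest-to-guest is denied by the first 10.0.0.0/8 deny in rule set A and allowed by rule 0 in rule set B; guest-to-corporate stays denied in both, and the return direction is covered only because the deny list was written for both directions.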




Perfect, thanks for the gutcheck!