Isolate Clients On Same VLAN

Erik_R
Community Member

Hello. I created an "Internet only" VLAN on an MS switch. I have an ACL in place that prevents this VLAN from accessing all of my other production VLANs. This "Internet only" VLAN will be for some guests that will be wired clients for several weeks.

Is there any way to isolate these clients from each other? In other words, these guest users should only be able to connect to the Internet and not connect to each other.

Would it be possible to create an ACL to block the "Internet only" VLAN from itself?

1 Accepted Solution

Accepted Solutions

aleabrahao
Meraki Community All-Star

I know it's not possible in MX, but I believe it is possible in MS.

Theoretically, it's enough to create an ACL blocking everything for the network as Source and also as Destination.

Have you tried this?

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


12 Replies

bberry
Level 8

I always thought ACLs were only processed for traffic entering / leaving the interface where they are applied. Anything on the same wire / same VLAN would not pass through the ACL.

Brent

mloraditch
Meraki Community All-Star

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Restricting_Traffic_with_Isolated_Switch_Ports

This should do what you want.

If you found this post helpful, please give it a thumbs up. If my answer solves your problem please click Accept as Solution so others can benefit from it.

aleabrahao
Meraki Community All-Star

Personally, I think this option is much more work, since the configuration is per port.

I don't see much point in what it intends to do, a simple ACL is much more practical.

mloraditch
Meraki Community All-Star

I mean, he said he wants every port in the VLAN, so just filter that in the switch port view, leave out the uplink port and edit. It should take a few moments.

ACLs are also global to all switches in the network and could have unintended consequences; this would only affect the ports in question. 🤷‍

aleabrahao
Meraki Community All-Star

I agree, but in this case it is only blocking communication between the same subnet, it should not have a major impact. 😉

This is what TrustSec with SGTs is designed to do. But there are some more requirements for that.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Erik_R
Community Member

An update regarding this.

An ACL blocking the "Internet Only" VLAN from itself worked. Enabling port isolation on each port worked as well.

However, none of these settings will work if a switch (obviously non-Meraki) is connected to one of these ports as an uplink on a Meraki switch and clients are connected to it. The clients will be able to ping each other because that traffic is not flowing through the Meraki switch port.

aleabrahao
Meraki Community All-Star

Exactly, because this communication does not need to go to the network gateway, that is, it is communication within L2.

But do you see ping as a problem?

Well, these are guests "squatting" in our office from different trades. Ideally I would prefer that none of their machines can contact each other on the same VLAN. I don't have enough ports to properly patch them into our Meraki switches.

aleabrahao
Meraki Community All-Star

In this case there is not much to do other than replace them with Meraki switches. 😕

joey.debra
Meraki Community All-Star

Normally, ACLs on MS switches are VLAN ACLs, so you should be able to just block traffic coming from that VLAN to any private RFC 1918 address in 3 rules, and that should effectively also isolate guest clients from each other.
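Added example (not code from the thread or from Meraki): a small first-match model of the two rule sets proposed above, the accepted solution's single "guest subnet to guest subnet" deny and joey.debra's three RFC 1918 denies, run over constructed flows. The guest subnet is a constructed placeholder, the rule field names are assumed to follow the Dashboard API switch ACL rule object, and the `crosses_ms_port` flag encodes Erik_R's observation that traffic between clients on a downstream non-Meraki switch never reaches an MS port.

```python
import ipaddress

# Constructed placeholders: the "Internet only" guest subnet and the
# three RFC 1918 ranges that the three-rule variant would cover.
GUEST_SUBNET = "192.168.50.0/24"
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def deny_rule(src, dst, comment):
    # Field names assumed to match the Dashboard API switch ACL rule
    # object; evaluate() only consults srcCidr/dstCidr.
    return {"comment": comment, "policy": "deny", "ipVersion": "ipv4",
            "protocol": "any", "srcCidr": src, "srcPort": "any",
            "dstCidr": dst, "dstPort": "any", "vlan": "any"}

# Accepted solution: the guest subnet as both source and destination.
SELF_DENY = [deny_rule(GUEST_SUBNET, GUEST_SUBNET, "guest VLAN may not talk to itself")]
# Three-rule variant: guest subnet to every private range.
RFC1918_DENY = [deny_rule(GUEST_SUBNET, net, f"guest VLAN may not reach {net}")
                for net in RFC1918]

def evaluate(rules, src, dst, crosses_ms_port=True):
    """First-match evaluation of an MS-style ACL, ending in the implicit
    'allow any'. crosses_ms_port=False models two guests hanging off a
    downstream non-Meraki switch: that traffic never enters an MS port,
    so no rule is ever consulted."""
    if not crosses_ms_port:
        return "unfiltered"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (s in ipaddress.ip_network(rule["srcCidr"])
                and d in ipaddress.ip_network(rule["dstCidr"])):
            return rule["policy"]
    return "allow"

if __name__ == "__main__":
    for rules, name in ((SELF_DENY, "self-deny"), (RFC1918_DENY, "rfc1918-deny")):
        print(name, "guest->guest:", evaluate(rules, "192.168.50.10", "192.168.50.11"))
        print(name, "guest->corp:", evaluate(rules, "192.168.50.10", "10.1.1.1"))
        print(name, "guest->internet:", evaluate(rules, "192.168.50.10", "203.0.113.5"))
    print("behind downstream switch:",
          evaluate(SELF_DENY, "192.168.50.10", "192.168.50.11", crosses_ms_port=False))
```

The self-deny rule on its own still lets the guest subnet reach 10.1.1.1, which is why it sits beside the separate ACL Erik_R already has for the production VLANs; the RFC 1918 variant covers both cases because the guest subnet falls inside 192.168.0.0/16.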