
'Deny Local LAN' settings in Cisco Meraki MR firewall

The 'Deny Local LAN' function, located under Configure > Firewall & traffic shaping, blocks access from wireless clients on specific SSIDs to the Local LAN. For the purposes of this firewall rule, Local LAN is defined as any destination in the following private address spaces:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

Note: DNS and DHCP traffic is exempt from this rule. If the SSID is in NAT mode, only DNS traffic is exempt since the AP acts as a DHCP server for connecting clients.

A common usage for this would be the "guest SSID" scenario. Changing the Policy for traffic destined to the Local LAN from Allow to Deny prevents clients on the Guest SSID from accessing the LAN but still allows connections to the Internet. This feature can be used in both Bridge Mode and NAT Mode.

1. Navigate to Configure > Firewall & Traffic Shaping

2. Select the SSID

3. Change the Policy for the row with Destination as Local LAN from Allow to Deny

4. Click Save Changes at the bottom of the page.

If clients on this SSID need connectivity to other LANs on these subnets, you will need to configure an additional Layer 3 firewall rule to allow traffic to that subnet and order it above the Local LAN rule.

Additional Layer 3 Firewall Rules

Create additional Layer 3 firewall rules to manipulate traffic outbound from the SSID. The policy, protocol, destination, and port number must be defined. "Any" is a valid Protocol, Destination and/or Port.

1. Click Add a layer 3 firewall rule

2. Specify Policy, Protocol, Destination and Port Number

3. Click Save Changes at the bottom of the page.
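
The following is an added example, not Cisco Meraki code: a small offline model of the rule order described above that lets you check, before saving, which flows a guest SSID rule set would permit. It assumes top-down first-match evaluation, that DNS and DHCP are recognised by their standard destination ports (53 and UDP 67), and a final allow for everything else; GUEST_RULES, the 10.20.0.0/24 subnet and the sample flows are constructed for illustration.

```python
import ipaddress

# "Local LAN" as the page defines it: the three private ranges.
LOCAL_LAN = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_exempt(proto, port, nat_mode):
    # Assumption: exemptions are recognised by standard destination ports.
    if port == 53 and proto in ("udp", "tcp"):
        return True                      # DNS is exempt in both modes
    # DHCP is exempt only in bridge mode; in NAT mode the AP is the DHCP server.
    return proto == "udp" and port == 67 and not nat_mode

def matches(rule, proto, dst, port):
    return (rule["protocol"] in ("any", proto)
            and (rule["dest"] == "any" or dst in ipaddress.ip_network(rule["dest"]))
            and rule["port"] in ("any", port))

def evaluate(rules, local_lan_policy, proto, dst_ip, port, nat_mode=False):
    """Return 'allow' or 'deny' for one outbound flow from the SSID."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:                   # custom rules sit above the Local LAN row
        if matches(rule, proto, dst, port):
            return rule["policy"]        # assumption: first match wins
    if (local_lan_policy == "deny"
            and any(dst in net for net in LOCAL_LAN)
            and not is_exempt(proto, port, nat_mode)):
        return "deny"
    return "allow"                       # assumption: everything else is allowed

# Constructed guest SSID rule set: one exception for a hypothetical portal subnet.
GUEST_RULES = [
    {"policy": "allow", "protocol": "tcp", "dest": "10.20.0.0/24", "port": 443},
]

if __name__ == "__main__":
    flows = [("tcp", "10.20.0.15", 443), ("tcp", "10.20.1.15", 443),
             ("udp", "192.168.1.1", 53), ("udp", "192.168.1.1", 67),
             ("tcp", "172.32.0.1", 80), ("tcp", "203.0.113.10", 443)]
    for proto, ip, port in flows:
        for nat in (False, True):
            verdict = evaluate(GUEST_RULES, "deny", proto, ip, port, nat)
            print(f"{proto:3} {ip:15} :{port:<4} nat={nat!s:5} -> {verdict}")
```

Moving the exception rule below the Local LAN row is equivalent to passing an empty rule list here, in which case the 10.20.0.15 flow is denied.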


Article ID

ID: 2193
