Skip to content
Network as Code

Layer 3 Firewall Rules Configuration

Dashboard Location: Security and SD-WAN > Configure > Firewall > Layer 3 firewall rules

Network Layer Security Management

Section titled “Network Layer Security Management”

Layer 3 firewall rules configuration in Meraki appliances provides comprehensive IP-based access control for network traffic, enabling administrators to define granular security policies based on source and destination IP addresses, protocols, and ports. This functionality allows for sophisticated network segmentation, application control, and security enforcement at the network layer, supporting both allow and deny policies with detailed logging capabilities. L3 firewall rules are essential for implementing zero-trust security models, controlling inter-VLAN communication, and protecting critical network resources from unauthorized access.

Diagram

Section titled “Diagram”
Diagram

Classes

Section titled “Classes”

firewall (meraki.domains.organizations.networks.appliance)

Section titled “firewall (meraki.domains.organizations.networks.appliance)”
NameTypeConstraintMandatoryDefault Value
l3_firewall_rulesClass[l3_firewall_rules]No

l3_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)

Section titled “l3_firewall_rules (meraki.domains.organizations.networks.appliance.firewall)”
NameTypeConstraintMandatoryDefault Value
rulesList[rules]No
syslog_default_ruleBooleantrue, falseNo

rules (meraki.domains.organizations.networks.appliance.firewall.l3_firewall_rules)

Section titled “rules (meraki.domains.organizations.networks.appliance.firewall.l3_firewall_rules)”
NameTypeConstraintMandatoryDefault Value
commentStringmin: 1, max: 127No
policyChoiceallow, denyYes
protocolChoiceany, icmp, icmp6, tcp, udpYes
source_portAnyInteger[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3
source_cidrStringRegex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4]))(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])))*$No
destination_portAnyInteger[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3
destination_cidrStringRegex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4]))(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?|VLAN\((?:[1-9]|[1-9]\d|[1-9]\d{2}|[1-3]\d{3}|40[0-8]\d|409[0-4])\)\.(?:\*|[1-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])))*$No
syslogBooleantrue, falseNo

Examples

Section titled “Examples”

Example-1: The example below demonstrates Layer 3 firewall rule configuration.

This configuration implements granular security policies for network segmentation and application control. The rules support zero-trust security models and inter-VLAN communication management through policy actions (allow/deny), protocol specifications (tcp/udp/icmp/any), source/destination addressing with CIDR notation, and port ranges.

This configuration creates two comprehensive Layer 3 firewall rules for network security enforcement.

The first rule, “Block Bad Traffic”, denies UDP traffic on port 1433 originating from the subnet 10.10.10.0/24, any device in VLAN(10), and host .5 in VLAN(20) to any destination on port 1433, effectively blocking potentially malicious SQL-related traffic. The second rule, “Block SSH”, denies TCP traffic on port 22 from any source to any destination, preventing unauthorized SSH access across the network. Optional syslog settings are available to log matched traffic for monitoring and auditing purposes.

meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                firewall:
                  l3_firewall_rules:
                    rules:
                      - comment: "Block Bad Traffic"
                        policy: deny
                        protocol: udp
                        source_port: 1433
                        source_cidr: 10.10.10.0/24,VLAN(10).*,VLAN(20).5
                        destination_port: 1433
                        destination_cidr: Any
                        # syslog: true
                      - comment: "Block SSH"
                        policy: deny
                        protocol: tcp
                        source_port: 22
                        source_cidr: Any
                        destination_port: 22
                        destination_cidr: Any
                        # syslog: true
                    # syslog_default_rule: true