
SSID Layer 3 Firewall Rules Configuration

Dashboard Location: Wireless > Configure > SSIDs > Firewall & Traffic Shaping > Layer 3 firewall rules

Wireless SSID Layer 3 Firewall Rules Management

SSID Layer 3 firewall rules in Meraki wireless networks give administrators network-layer traffic filtering and access control per SSID: IP-based security policies, protocol-specific restrictions, network segmentation enforcement, and granular traffic management. This supports enterprise security requirements, guest network isolation, IoT device control, and compliance with network security policies. Layer 3 firewall rules are essential for implementing zero-trust network architectures, controlling inter-VLAN communication, managing external access, and protecting wireless network segments from unauthorized traffic and potential security threats.

ssids (meraki.domains.organizations.networks.wireless)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| firewall_l3_firewall_rules | Class | [firewall_l3_firewall_rules] | No | |

firewall_l3_firewall_rules (meraki.domains.organizations.networks.wireless.ssids)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| rules | List | [rules] | No | |
| allow_lan_access | Boolean | true, false | No | |

rules (meraki.domains.organizations.networks.wireless.ssids.firewall_l3_firewall_rules)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| destination_cidr | String | Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$` | No | |
| ip_version | Choice | any, ipv4, ipv6 | No | |
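
The constraints in the rules table can be checked before a configuration is applied. The Python sketch below is an added example, not code from the project or the original page; the function names and sample rules are constructed for illustration. It also shows that the destination_cidr regex is purely syntactic (a value such as 10.0.0.999/40 matches it), so a second check with the standard `ipaddress` module follows the regex.

```python
import ipaddress
import re

# Constraints copied from the rules table on this page.
POLICIES = {"allow", "deny"}
PROTOCOLS = {"any", "icmp", "icmp6", "tcp", "udp"}
IP_VERSIONS = {"any", "ipv4", "ipv6"}
CIDR_RE = re.compile(r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)"
                     r"(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$")

def cidr_problems(value):
    """Apply the schema regex, then a semantic check the regex cannot express."""
    if not CIDR_RE.match(value):
        return [f"destination_cidr {value!r} does not match the schema regex"]
    problems = []
    for part in value.split(","):
        if part.lower() == "any":
            continue
        try:
            ipaddress.ip_network(part, strict=False)  # rejects 999 octets, /40
        except ValueError:
            problems.append(f"destination_cidr {part!r} is not a valid IPv4 network")
    return problems

def validate_rule(rule):
    """Return the list of problems for one rule dict (empty list means valid)."""
    problems = []
    if rule.get("policy") not in POLICIES:
        problems.append("policy is mandatory: allow or deny")
    if rule.get("protocol") not in PROTOCOLS:
        problems.append("protocol is mandatory: any, icmp, icmp6, tcp or udp")
    comment = rule.get("comment")
    if comment is not None and not 1 <= len(comment) <= 127:
        problems.append("comment must be 1 to 127 characters")
    if rule.get("ip_version") not in (None, *IP_VERSIONS):
        problems.append("ip_version must be any, ipv4 or ipv6")
    port = rule.get("destination_port")
    # Only the integer form is checked: the string pattern is cut off on the page.
    if isinstance(port, int) and not 0 <= port <= 65535:
        problems.append("destination_port integer must be 0 to 65535")
    if "destination_cidr" in rule:
        problems += cidr_problems(rule["destination_cidr"])
    return problems

# Constructed sample rules, shaped as they would be after loading the YAML.
GOOD_RULE = {"comment": "Allow DNS", "policy": "allow", "protocol": "udp",
             "destination_port": 53, "destination_cidr": "any"}
BAD_RULE = {"policy": "drop", "protocol": "tcp", "destination_port": 70000,
            "destination_cidr": "10.0.0.999/40"}
```

`validate_rule(BAD_RULE)` reports the invalid policy, the out-of-range port, and the CIDR value that passes the regex but is not a real network.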

Example-1: The example below demonstrates basic Layer 3 firewall rules configuration for guest network isolation and security controls.

```yaml
# Key names follow the data model tables on this page:
# firewall_l3_firewall_rules -> rules -> destination_port / destination_cidr
meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          networks:
            - name: "!env network_name"
              product_types:
                - wireless
                - switch
                - appliance
              wireless:
                ssids:
                  - name: "!env guest_ssid_name"
                    ssid_number: '1'
                    firewall_l3_firewall_rules:
                      rules:
                        - comment: "Allow HTTP and HTTPS"
                          policy: allow
                          protocol: tcp
                          destination_port: "80,443"
                          destination_cidr: "any"
                        - comment: "Allow DNS"
                          policy: allow
                          protocol: udp
                          destination_port: "53"
                          destination_cidr: "any"
                        - comment: "Deny all other traffic"
                          policy: deny
                          protocol: any
                          destination_port: "any"
                          destination_cidr: "any"
```