SSID Layer 3 Firewall Rules Configuration
Dashboard Location: Wireless > Configure > SSIDs > Firewall & Traffic Shaping > Layer 3 firewall rules
Wireless SSID Layer 3 Firewall Rules Management
Section titled “Wireless SSID Layer 3 Firewall Rules Management”SSID Layer 3 firewall rules configuration in Meraki wireless networks provides administrators with comprehensive network-layer traffic filtering and access control capabilities, enabling IP-based security policies, protocol-specific restrictions, network segmentation enforcement, and granular traffic management per SSID. This functionality supports enterprise security requirements, guest network isolation, IoT device control, and compliance with network security policies. Layer 3 firewall rules are essential for implementing zero-trust network architectures, controlling inter-VLAN communication, managing external access, and protecting wireless network segments from unauthorized traffic and potential security threats.
Diagram
Section titled “Diagram”
Classes
Section titled “Classes”ssids (meraki.domains.organizations.networks.wireless)
Section titled “ssids (meraki.domains.organizations.networks.wireless)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| firewall_l3_firewall_rules | Class | [firewall_l3_firewall_rules] | No |
firewall_l3_firewall_rules (meraki.domains.organizations.networks.wireless.ssids)
Section titled “firewall_l3_firewall_rules (meraki.domains.organizations.networks.wireless.ssids)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| rules | List | [rules] | No | |
| allow_lan_access | Boolean | true, false | No |
rules (meraki.domains.organizations.networks.wireless.ssids.firewall_l3_firewall_rules)
Section titled “rules (meraki.domains.organizations.networks.wireless.ssids.firewall_l3_firewall_rules)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| destination_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
| ip_version | Choice | any, ipv4, ipv6 | No |
Examples
Section titled “Examples”Example-1: The example below demonstrates basic Layer 3 firewall rules configuration for guest network isolation and security controls.
meraki: domains: - name: "!env domain" administrator: name: "!env org_admin" organizations: - name: "!env org" networks: - name: "!env network_name" product_types: - wireless - switch - appliance wireless: ssids: - name: "!env guest_ssid_name" ssid_number: '1' l3_firewall_rules: - comment: "Allow HTTP and HTTPS" policy: allow protocol: tcp dest_port: "80,443" dest_cidr: "any" - comment: "Allow DNS" policy: allow protocol: udp dest_port: "53" dest_cidr: "any" - comment: "Deny all other traffic" policy: deny protocol: any dest_port: "any" dest_cidr: "any"