SSID Layer 3 Firewall Rules Configuration
Dashboard Location: Wireless > Configure > SSIDs > Firewall & Traffic Shaping > Layer 3 firewall rules
Wireless SSID Layer 3 Firewall Rules Management
SSID Layer 3 firewall rules configuration in Meraki wireless networks provides administrators with comprehensive network-layer traffic filtering and access control capabilities, enabling IP-based security policies, protocol-specific restrictions, network segmentation enforcement, and granular traffic management per SSID. This functionality supports enterprise security requirements, guest network isolation, IoT device control, and compliance with network security policies. Layer 3 firewall rules are essential for implementing zero-trust network architectures, controlling inter-VLAN communication, managing external access, and protecting wireless network segments from unauthorized traffic and potential security threats.
Classes
ssids (meraki.domains.organizations.networks.wireless)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| firewall_l3_firewall_rules | Class | [firewall_l3_firewall_rules] | No | |
firewall_l3_firewall_rules (meraki.domains.organizations.networks.wireless.ssids)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| rules | List | [rules] | No | |
| allow_lan_access | Boolean | true, false | No | |
rules (meraki.domains.organizations.networks.wireless.ssids.firewall_l3_firewall_rules)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| protocol | Choice | any, icmp, icmp6, tcp, udp | Yes | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3 | [1-5][0-9]4 | 6[0-4][0-9]3 |
| destination_cidr | String | Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$ | No | |
| ip_version | Choice | any, ipv4, ipv6 | No | |
Examples
Example-1: The example below demonstrates basic Layer 3 firewall rules configuration for guest network isolation and security controls.
The guest SSID (SSID 1, named via the `guest_ssid_name` environment variable) has Layer 3 firewall rules that allow only essential internet access. The first rule, named `Allow HTTP and HTTPS`, permits HTTP and HTTPS traffic (TCP ports 80 and 443) to any destination. The second rule, named `Allow DNS`, permits DNS queries (UDP port 53) to any destination. All other traffic is explicitly denied by the rule named `Deny all other traffic`. This setup ensures guest users can browse the web and resolve domain names, but are restricted from accessing any other services or internal resources.
```yaml
meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - wireless
                - switch
                - appliance
              wireless:
                ssids:
                  # Guest SSID: only web browsing and DNS are allowed out
                  - name: !env guest_ssid_name
                    ssid_number: '1'
                    firewall_l3_firewall_rules:
                      rules:
                        - comment: Allow HTTP and HTTPS
                          policy: allow
                          protocol: tcp
                          destination_port: 80,443
                          destination_cidr: any
                          ip_version: ipv4
                        - comment: Allow DNS
                          policy: allow
                          protocol: udp
                          destination_port: 53
                          destination_cidr: any
                          ip_version: ipv4
                        # Final catch-all: everything not allowed above is dropped
                        - comment: Deny all other traffic
                          policy: deny
                          protocol: any
                          destination_port: any
                          destination_cidr: any
                          ip_version: ipv4
                      allow_lan_access: false  # optional, matches schema
                  - name: CORP
                    ssid_number: "0"
```
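A pre-deployment lint for a `firewall_l3_firewall_rules` mapping, written against the constraints in the schema tables above; it is an added example, not part of the original page or the project's own tooling. The accepted string forms of `destination_port` ("any" or comma-separated ports, as used in Example-1), the final deny-any check, and the names `lint`, `port_errors`, `cidr_errors` and `SAMPLE` are assumptions of this example, and `SAMPLE` is constructed input.

```python
import ipaddress
import re

# destination_cidr pattern copied from the schema table on this page
CIDR_RE = re.compile(r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)"
                     r"(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$")
CHOICES = {"policy": {"allow", "deny"}, "ip_version": {"any", "ipv4", "ipv6"},
           "protocol": {"any", "icmp", "icmp6", "tcp", "udp"}}

def port_errors(value):
    # Assumption: strings are "any" or comma-separated ports, as in Example-1.
    ports = [] if str(value).lower() == "any" else str(value).split(",")
    return [f"bad destination_port {p!r}" for p in ports
            if not (p.strip().isdecimal() and int(p) <= 65535)]

def cidr_errors(value):
    if not CIDR_RE.match(value):
        return [f"destination_cidr {value!r} fails the schema regex"]
    errs = []
    for part in value.split(","):
        try:  # the regex is syntactic only: it also accepts 999.1.1.1/64
            ipaddress.ip_network("0.0.0.0/0" if part.lower() == "any" else part, strict=False)
        except ValueError:
            errs.append(f"destination_cidr {part!r} is not a valid IPv4 network")
    return errs

def lint(fw):
    """Return (rule_index, message) findings; index -1 refers to the whole list."""
    out, rules = [], fw.get("rules", [])
    for i, r in enumerate(rules):
        msgs = [f"{k} missing" for k in ("policy", "protocol") if k not in r]
        msgs += [f"{k}={r[k]!r} not allowed" for k, ok in CHOICES.items()
                 if k in r and r[k] not in ok]
        if "comment" in r and not 1 <= len(r["comment"]) <= 127:
            msgs.append("comment length outside 1..127")
        msgs += port_errors(r.get("destination_port", "any"))
        msgs += cidr_errors(str(r.get("destination_cidr", "any")))
        out += [(i, m) for m in msgs]
    last = rules[-1] if rules else {}
    # Policy choice of this example, not a schema rule: end on deny-any like Example-1.
    if [last.get(k) for k in ("policy", "protocol", "destination_cidr")] != ["deny", "any", "any"]:
        out.append((-1, "rule list does not end with a deny-any rule"))
    return out

# Constructed input: Example-1's shape with one malformed rule in the middle.
SAMPLE = {"allow_lan_access": False, "rules": [
    {"policy": "allow", "protocol": "tcp", "destination_port": "80,443", "destination_cidr": "any"},
    {"policy": "permit", "protocol": "udp", "destination_port": 70000, "destination_cidr": "999.1.1.1/64"},
    {"policy": "deny", "protocol": "any", "destination_port": "any", "destination_cidr": "any"}]}
```

`lint(SAMPLE)` reports three findings, all on rule index 1; the `999.1.1.1/64` value passes the schema regex and is caught only by the `ipaddress` check.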