New switch feature provides port isolation

Ensure that client traffic is kept separated, even for clients on the same VLAN.

There is a common security challenge often faced by IT administrators: how to keep client devices from communicating with each other. One specific example comes from the hospitality industry, where hotels typically deploy several switches per floor and connect each room to its own switch port; the issue is how to keep guests in one hotel room from snooping or accessing the traffic of guests in another room.

One way to solve this problem is to assign a separate VLAN to every single port—and then use access control lists (ACLs) or upstream firewall rules to prevent traffic between these VLANs. But creating numerous VLANs and rules can be time consuming, unscalable, and overly complex.

The port isolation feature on the Meraki MS switches takes all the pain out of keeping port traffic separate. Once you enable isolation on various switch ports, Layer 2 network traffic will not be forwarded between them. This means you can have a single guest VLAN servicing all hotel rooms, ensure that guests can access the Internet, and still keep traffic between guests in different rooms completely segregated.

To enable port isolation, navigate to Configure > Switch ports in the Meraki dashboard, select the ports you'd like to isolate, and then edit those ports. There will be an option to select Isolation:

(Screenshot: Meraki MS port isolation option in the switch port editor)

Once a port has been isolated, you can view its status by selecting the individual port via the Monitor > Switches page:

(Screenshot: Meraki MS port isolation status on the Monitor > Switches page)

You can even isolate clients across multiple switches (e.g. access switches feeding an aggregation switch), so long as you don't isolate the uplink ports that carry traffic toward the Internet. This allows isolated clients to pass traffic out to the Internet, while preventing clients connected to upstream switches from accessing clients downstream.

(Diagram: port isolation across access and aggregation switches)

Uplink pathways are green; isolated port pathways are orange. In this deployment scenario, all clients are isolated from one another, but can reach the Internet.
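The forwarding rule described above (a switch never forwards Layer 2 traffic between two of its own isolated ports, but does forward between an isolated port and a non-isolated one such as the uplink) is easy to get subtly wrong once several switches are involved. The following is an added example, not Meraki code: a small model of the hotel topology in the diagram that applies that rule hop by hop and audits the result, reporting guests who can no longer reach the Internet and guest pairs who can still reach each other. Switch names, port numbers and room names are constructed, and the assumption that the aggregation switch's ports facing the access switches are themselves isolated (only the true uplink toward the router is left non-isolated) follows from the stated rule rather than from the post.

```python
"""Toy model of port isolation across access and aggregation switches.

Added example (not Meraki code). It encodes the rule the post states: a switch
never forwards Layer 2 traffic between two of its own isolated ports, but does
forward between an isolated port and a non-isolated one (e.g. the uplink).
Switch names, port numbers and room names below are constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Switch:
    name: str
    isolated: set = field(default_factory=set)   # ports with Isolation enabled

    def forwards(self, in_port: int, out_port: int) -> bool:
        """Drop only when BOTH ports are isolated; never send back out the ingress port."""
        if in_port == out_port:
            return False
        return not (in_port in self.isolated and out_port in self.isolated)


class Topology:
    def __init__(self, switches):
        self.switches = {s.name: s for s in switches}
        self.links = {}       # (switch, port) -> (switch, port) on the far switch
        self.hosts = {}       # host name -> (switch, port) it is plugged into

    def link(self, a, b):
        self.links[a] = b
        self.links[b] = a

    def attach(self, host, where):
        self.hosts[host] = where

    def _ports(self, sw):
        """Ports on `sw` that have either a link or a host attached."""
        used = {p for (s, p) in self.links if s == sw}
        used |= {p for (s, p) in self.hosts.values() if s == sw}
        return sorted(used)

    def reachable(self, src, dst):
        """BFS over (switch, ingress port) states, applying each switch's rule."""
        start, target = self.hosts[src], self.hosts[dst]
        seen, queue = {start}, deque([start])
        while queue:
            sw_name, in_port = queue.popleft()
            sw = self.switches[sw_name]
            for out_port in self._ports(sw_name):
                if not sw.forwards(in_port, out_port):
                    continue
                if (sw_name, out_port) == target:
                    return True
                nxt = self.links.get((sw_name, out_port))   # None if a host sits there
                if nxt is not None and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False


def audit(topo, guests, internet="internet"):
    """Return (guests cut off from the Internet, guest pairs that can still talk)."""
    cut_off = [g for g in guests if not topo.reachable(g, internet)]
    leaks = [(a, b) for a, b in combinations(guests, 2) if topo.reachable(a, b)]
    return cut_off, leaks


def hotel(isolate_agg_downlinks=True, isolate_access_uplink=False):
    """Two access switches (one per floor) behind one aggregation switch (constructed)."""
    agg = Switch("agg", isolated={2, 3} if isolate_agg_downlinks else set())
    floor1 = Switch("floor1", isolated={1, 2})    # guest room ports
    floor2 = Switch("floor2", isolated={1, 2})
    if isolate_access_uplink:                     # the mistake the post warns against
        floor1.isolated.add(24)
    topo = Topology([agg, floor1, floor2])
    topo.link(("agg", 2), ("floor1", 24))         # port 24 is each floor's uplink
    topo.link(("agg", 3), ("floor2", 24))
    topo.attach("internet", ("agg", 1))           # router / Internet uplink, never isolated
    topo.attach("room101", ("floor1", 1))
    topo.attach("room102", ("floor1", 2))
    topo.attach("room201", ("floor2", 1))
    return topo


GUESTS = ["room101", "room102", "room201"]

if __name__ == "__main__":
    print("correct config:", audit(hotel(), GUESTS))
    print("agg downlinks not isolated:", audit(hotel(isolate_agg_downlinks=False), GUESTS))
    print("access uplink isolated:", audit(hotel(isolate_access_uplink=True), GUESTS))
```

The correct configuration yields no cut-off guests and no leaks. Leaving the aggregation switch's downlink ports non-isolated lets rooms on different floors reach each other through the aggregation switch, while isolating an access switch's uplink cuts every room on that floor off from the Internet, which is why the post says to leave uplinks alone.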

In summary, port isolation allows easy, one-click separation of client traffic at the VLAN edge. It lets clients share a single VLAN (e.g. "Guest") while keeping their Layer 2 traffic fenced off from one another, so that snooping and tampering between clients are avoided: a win-win scenario!

This feature is now live in our latest switch firmware release, so if you don’t see it in your dashboard, please either schedule an upgrade or reach out to Meraki support for assistance. And, as always, we love to get your feedback on our new features, so please make a wish or reach out to us and let us know what you think.