Skip to main content

 

Cisco Meraki Documentation

Configuring ACLs

  1. Last updated
  2. Save as PDF

日本語版はこちら

Information About ACLs

Access Control Lists (ACLs) are an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the switch determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether the packet is permitted or denied. If there is no match, the switch applies the applicable default rule.

Learn more with this free online training course on the Meraki Learning Hub:

Sign in with your Cisco SSO or create a free account to start training.
With Meraki, you only have to define an ACL once in a network and it will be propagated to all switches within that network. Additionally, the default rule for Meraki ACLs is "Permit Any Any".

 

For more detailed information and examples of ACLs, see our MS Switch ACL Operation article.

ACL Location in Meraki Dashboard

To configure an ACL from the Meraki dashboard, navigate to Switch > Configure > ACL.

 

This is an image on how to Navigate to Configure ACLs Location.

Dashboard Service Rules

In order to help maintain connectivity with the dashboard, dashboard service rules are added to the access control list. These rules consist of an explicit allow for all IPv4 traffic to and from the listed dashboard IP addresses. This list changes dynamically depending on the devices and services added to the Dashboard as well as the region the organization is located. Dashboard service rules are always processed before user-defined rules.

dashboard service rules image.

Initial Setup

Upon initial setup, you will see that the explicit "Permit Any Any" rule is defined by default.

This is an image of User-defined rules in the Dashboard.

Add a Rule

To add a new rule, select the Add a rule button below the list of ACL rules.

This is an image on how to add a user-defined rule in the Dashboard.

Edit a Rule

For each ACL rule, you can define the policy, IP version, source IP address or subnet, source port, destination IP address or subnet, destination port, and VLAN. You also have the option to describe the rule in a comment section.

This is an image on how to edit a defined rule.

Note: The source and destination addresses must be an IP address or subnet in CIDR form (e.g. '192.168.1.0/24'), or 'any'.

Note: The VLAN qualifier is not supported on the MS390 and the C9300-M. ACL rules with non-empty VLAN fields will be ignored by these devices.

Move a Rule

To change the position of a specific rule in the ACL, select the crossed arrows symbol to the right of the rule and drag the rule up or down the list.

This is an image on how to Move user-defined rules.

Remove a Rule

To delete a rule from the ACL, select the x symbol to the far right of the rule.

This is an image of how to remove a user-defined rules.

Save Changes to an ACL

To save changes to the ACL rules, select the Save button below the ACL.

This is an image on how to save ACL changes.

The Save button will be surrounded by an amber bar if there are unsaved changes on the page.

It may take 1-2 minutes for the changes to the ACL to propagate from the Meraki dashboard to the switches in your network.

Note: As ACLs are stateless, Management VLANs need to be allowed when creating ACLs to allow traffic between Stacks and other VLANs on the same switch

Monitoring ACLs

Beginning with MS 16, MS platforms (with the exception of MS390 and C9300-M) have an ACL Hit Counter live tool on the Tools tab of the switch details page. The tool can be run for 30s, 1min, or 2min, during which time the access-control entries (ACEs) defined in the network-wide Switching > ACL page will be displayed under the tool along with hit counts indicating how many frames have matched the ACEs while the live tool is running. 

This is an image showing the ACL hit counter.

This tool can be useful for confirming that traffic is being denied or allowed as expected, or that hosts on the network are indeed sending the type of traffic admins expect.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
    Stage
    Final
  2. Tags
    1. access control list
    2. acl