
Switch ACL Operation

Access Control Lists (ACLs) can be configured on Cisco Meraki MS series switches to limit what traffic is permitted through the switch. This article describes how those ACLs operate using a series of examples. ACLs are configured on the Configure > IPv4 ACL page under the User-defined rules section. If this section does not appear, a firmware upgrade may be required.

Note: Allow rules for the list of IP addresses under Dashboard service rules will automatically be created to allow communication with Dashboard.

Stateless Operation

IPv4 ACLs configured on Cisco Meraki MS series switches operate statelessly: each packet is evaluated on its own, and the switch keeps no record of the connection it belongs to. Allowing traffic in one direction therefore does not allow the response; the response is evaluated against the same list and can still be blocked. When creating ACL rules, keep this in mind and write rules that allow desired traffic in both directions.

Order of Processing

Traffic is evaluated against the rules in sequence from the top of the list, and only the first matching rule is applied; rules below it are not consulted. Any traffic that matches no explicit allow or deny rule is permitted by the default allow rule at the end of the list.


Any traffic passing through the switch will be evaluated. Even traffic that is not routed.

Example 1 - Explicit allow with explicit deny

In this example, rule 1 permits traffic from the subnet to the subnet. Rule 2 denies all other traffic. Because rule 2 is an explicit deny, any desired traffic must be explicitly allowed by a rule placed above it.

Thus if tries to communicate with, the traffic is allowed by rule 1. However, the response from is blocked by rule 2. This happens even though the initial communication was allowed, because the ACL is stateless and evaluates the response as an unrelated packet.


This will also block all communication amongst clients within the network and amongst clients within the network. Thus would be unable to communicate with


Example 2 - Source VLAN

In this example, traffic from VLAN 10 is denied to any destination. This effectively isolates the client devices in VLAN 10, preventing them from communicating with each other or with other networks. All other traffic is permitted by the default allow at the end of the list.


Note: The VLAN field refers to the source VLAN of the traffic being evaluated and is processed on ingress. A rule that matches a VLAN therefore applies to traffic entering the switch from that VLAN, not to traffic destined for it.

Thus will not be able to reach; however, will be able to send traffic to


Traffic will also be blocked between clients within the same VLAN.


Example 3 - Explicit deny

In this example, VLAN 10 ( is not permitted SSH access to any servers in VLAN 30 ( Likewise, VLAN 30 is not permitted MySQL access to any servers in VLAN 10. All other traffic is permitted by the default allow rule.

Since no rules apply to VLAN 20 (, any traffic to or from that VLAN is permitted by the default allow rule.
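The behaviour the three examples above rely on (first match wins, default allow at the end, stateless evaluation, and the VLAN field matched against the source VLAN on ingress) can be checked offline before a rule set is pushed to the switches. The Python below is an added example, not Meraki code and not the Dashboard API: it models the rule columns of the IPv4 ACL page and evaluates each packet independently, exactly as the article describes. The subnets (VLAN n mapped to 10.0.n.0/24), hosts and port numbers are constructed for illustration; the article does not specify them.

```python
"""Offline simulator for stateless, first-match switch ACLs.

Added example; it is not Meraki code and does not talk to the Dashboard.
Rule fields mirror the columns of the MS IPv4 ACL page (policy, protocol,
source/destination CIDR and port, source VLAN). The subnets and hosts
below are constructed for illustration; the article does not give them.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str = "tcp"           # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    vlan: int = 0                   # VLAN the packet ARRIVES on (ingress)


@dataclass(frozen=True)
class Rule:
    policy: str                     # "allow" or "deny"
    protocol: str = "any"
    src_cidr: str = "any"
    src_port: str = "any"           # "any" or a single port, e.g. "22"
    dst_cidr: str = "any"
    dst_port: str = "any"
    vlan: str = "any"               # source VLAN, compared on ingress
    comment: str = ""


def _cidr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def _port_match(spec: str, port: Optional[int]) -> bool:
    return spec == "any" or (port is not None and int(spec) == port)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every populated field must match; 'any' fields are wildcards."""
    return (
        (rule.protocol == "any" or rule.protocol == pkt.protocol)
        and _cidr_match(rule.src_cidr, pkt.src_ip)
        and _cidr_match(rule.dst_cidr, pkt.dst_ip)
        and _port_match(rule.src_port, pkt.src_port)
        and _port_match(rule.dst_port, pkt.dst_port)
        and (rule.vlan == "any" or int(rule.vlan) == pkt.vlan)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First match wins; anything unmatched hits the implicit default allow.
    Each packet is judged alone: there is no connection table and no
    notion of a 'reply', which is what makes the ACL stateless."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.policy
    return "allow"


def reply_of(pkt: Packet, reply_vlan: int) -> Packet:
    """The responder's packet: addresses and ports swapped, entering the
    switch on the responder's VLAN rather than the initiator's."""
    return Packet(pkt.dst_ip, pkt.src_ip, pkt.protocol,
                  pkt.dst_port, pkt.src_port, reply_vlan)


def flow_allowed(rules: List[Rule], pkt: Packet, reply_vlan: int) -> Tuple[str, str]:
    """(forward verdict, reply verdict). A usable flow needs both == 'allow'."""
    return evaluate(rules, pkt), evaluate(rules, reply_of(pkt, reply_vlan))


# --- Constructed topology (assumption): VLAN n <-> 10.0.n.0/24 -------------
V10, V20, V30 = "10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"

# Example 1: explicit allow one way, explicit deny for everything else
EXAMPLE1 = [Rule("allow", src_cidr=V10, dst_cidr=V30, comment="rule 1"),
            Rule("deny", comment="rule 2")]
# Example 1 repaired: an allow for the return direction placed BEFORE the deny
EXAMPLE1_FIXED = [EXAMPLE1[0],
                  Rule("allow", src_cidr=V30, dst_cidr=V10, comment="return path"),
                  EXAMPLE1[1]]
# Example 2: deny everything sourced from VLAN 10 (matched on ingress)
EXAMPLE2 = [Rule("deny", vlan="10")]
# Example 3: no SSH from VLAN 10 to VLAN 30, no MySQL from VLAN 30 to VLAN 10
EXAMPLE3 = [Rule("deny", "tcp", src_cidr=V10, dst_cidr=V30, dst_port="22"),
            Rule("deny", "tcp", src_cidr=V30, dst_cidr=V10, dst_port="3306")]

if __name__ == "__main__":
    ssh = Packet("10.0.10.5", "10.0.30.5", "tcp", 51000, 22, vlan=10)
    http = Packet("10.0.10.5", "10.0.30.5", "tcp", 51001, 80, vlan=10)
    print("ex1 SSH fwd/reply  :", flow_allowed(EXAMPLE1, ssh, 30))
    print("ex1 fixed fwd/reply:", flow_allowed(EXAMPLE1_FIXED, ssh, 30))
    print("ex2 VLAN10 to peer :", evaluate(EXAMPLE2, Packet("10.0.10.5", "10.0.10.6", vlan=10)))
    print("ex2 VLAN20 to VLAN10:", evaluate(EXAMPLE2, Packet("10.0.20.5", "10.0.10.5", vlan=20)))
    print("ex3 SSH            :", evaluate(EXAMPLE3, ssh))
    print("ex3 HTTP fwd/reply :", flow_allowed(EXAMPLE3, http, 30))
```

The `flow_allowed` helper evaluates the forward packet and its reply separately, which is what exposes the Example 1 trap: the SSH request is allowed by rule 1, but the server's reply arrives as an unrelated packet from the other subnet and is caught by rule 2. Inserting a return-path allow above the deny (EXAMPLE1_FIXED) is the "both directions" rule the Stateless Operation section asks for. For Example 3 the same check shows that an allowed HTTP request and its reply both pass, because the reply's destination port is the client's ephemeral port, not 3306.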



Article ID: 1129
