
Switch ACL Operation

Access Control Lists (ACLs) can be configured on Cisco Meraki MS series switches and can be used to limit what traffic is permitted through the switch. This article will discuss how those ACLs operate based on a series of examples. All ACLs can be configured on the Configure > IPv4 ACL page under the User-defined rules section. If this section does not appear, a firmware upgrade may be required.

Note: Allow rules for the list of IP addresses under Dashboard service rules will automatically be created to allow communication with Dashboard.

Stateless Operation

IPv4 ACLs configured on Cisco Meraki MS series switches operate statelessly. This means that each packet is evaluated individually. Thus while traffic may be allowed in one direction, the response can still be blocked. When creating ACL rules, it is important to keep this in mind and create rules that allow desired traffic in both directions.

Order of Processing

As traffic is evaluated in sequence down the list, it will only use the first rule that matches. Any traffic that doesn't match a specific allow or deny rule will be permitted by the default allow rule at the end of the list.


Any traffic passing through the switch is evaluated against the list, including traffic that is only switched within a VLAN and never routed.

Example 1 - Explicit allow with implicit deny

In this example, traffic is permitted from the 10.1.10.0/24 subnet to the 192.168.20.0/24 subnet in rule 1. Any other traffic will be denied by rule 2. Because of rule 2, an implicit deny, any desired traffic must be explicitly allowed to override this rule.

Thus if 10.1.10.50 tries to communicate with 192.168.20.20, the traffic will be allowed due to rule 1. However, the response from 192.168.20.20 will be blocked by rule 2. This occurs even though the initial communication was allowed, due to the stateless operation of the ACLs.


This will also block all communication amongst clients within the 10.1.10.0/24 network and amongst clients within the 192.168.20.0/24 network. Thus 192.168.20.20 would be unable to communicate with 192.168.20.25.

Example 2 - Source VLAN

In this example, traffic from VLAN 10 is denied to any destination. This will essentially isolate any client devices in VLAN 10 and prevent them from communicating with each other or other networks. All other traffic will be permitted by the default allow at the end of the list.


Note: The VLAN field refers to the source VLAN of the traffic being evaluated, and the rule is processed on ingress.

Thus 10.1.10.50 will not be able to reach 192.168.20.20, however 192.168.20.20 will be able to send traffic to 10.1.10.50.

Traffic will also be blocked between clients within the same VLAN.

Example 3 - Explicit deny

In this example, VLAN 10 (10.1.10.0/24) is not permitted SSH access to any servers in VLAN 30 (172.16.30.0/24). Likewise, VLAN 30 is not permitted MySQL access to any servers in VLAN 10. All other traffic is permitted by the default allow rule.

Since no rules apply to VLAN 20 (192.168.20.0/24), any traffic to or from that VLAN is permitted.
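The following Python is an added example, not Meraki code, that models the stateless, first-match evaluation described under Order of Processing and traces the traffic flows from Examples 1, 2 and 3 through it. Each packet is judged on its own, so the reply to an allowed request is evaluated as a fresh packet with source and destination swapped. It assumes that the SSH and MySQL rules in Example 3 match TCP ports 22 and 3306, that each subnet belongs to the VLAN named with it, and that a client's source port is a constructed ephemeral value (49152).

```python
"""Stateless, first-match IPv4 ACL evaluator (added example, not Meraki's implementation)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"         # source prefix; 0.0.0.0/0 means "any"
    dst: str = "0.0.0.0/0"         # destination prefix
    proto: str = "any"             # "any", "tcp", "udp", "icmp"
    dport: Optional[int] = None    # None means any destination port
    vlan: Optional[int] = None     # source (ingress) VLAN; None means any
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    vlan: int                      # VLAN the packet arrives on
    proto: str = "tcp"
    sport: Optional[int] = None
    dport: Optional[int] = None


# Assumption: subnets map to the VLANs the article names alongside them.
SUBNET_TO_VLAN = {"10.1.10.0/24": 10, "192.168.20.0/24": 20, "172.16.30.0/24": 30}
EPHEMERAL_PORT = 49152             # constructed client source port

# Rule lists from the three examples. The trailing default allow is implicit.
EXAMPLE1: List[Rule] = [
    Rule("allow", src="10.1.10.0/24", dst="192.168.20.0/24", comment="rule 1"),
    Rule("deny", comment="rule 2: deny everything else"),
]
EXAMPLE2: List[Rule] = [Rule("deny", vlan=10, comment="rule 1: VLAN 10 to any")]
EXAMPLE3: List[Rule] = [
    Rule("deny", src="10.1.10.0/24", dst="172.16.30.0/24", proto="tcp", dport=22, comment="no SSH"),
    Rule("deny", src="172.16.30.0/24", dst="10.1.10.0/24", proto="tcp", dport=3306, comment="no MySQL"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field set on the rule agrees with the packet."""
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.vlan is not None and rule.vlan != pkt.vlan:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, rule number) of the first matching rule; 0 is the default allow."""
    for number, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return "allow", 0


def vlan_of(ip: str) -> int:
    for net, vlan in SUBNET_TO_VLAN.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return vlan
    raise ValueError(f"no VLAN known for {ip}")


def round_trip(acl: List[Rule], src_ip: str, dst_ip: str, proto: str = "tcp",
               dport: Optional[int] = None) -> Dict[str, Tuple[str, int]]:
    """Evaluate a request and its reply as two independent packets (stateless)."""
    request = Packet(src_ip, dst_ip, vlan_of(src_ip), proto, EPHEMERAL_PORT, dport)
    reply = Packet(dst_ip, src_ip, vlan_of(dst_ip), proto, dport, EPHEMERAL_PORT)
    return {"request": evaluate(acl, request), "reply": evaluate(acl, reply)}


if __name__ == "__main__":
    print("Example 1:", round_trip(EXAMPLE1, "10.1.10.50", "192.168.20.20"))
    print("Example 2:", round_trip(EXAMPLE2, "192.168.20.20", "10.1.10.50"))
    print("Example 3 SSH:", round_trip(EXAMPLE3, "10.1.10.50", "172.16.30.10", dport=22))
    print("Example 3 HTTPS:", round_trip(EXAMPLE3, "10.1.10.50", "172.16.30.10", dport=443))
```

Running the script shows the behaviour the examples describe: in Example 1 the request matches rule 1 but the reply, now sourced from 192.168.20.0/24, falls through to rule 2; in Example 2 the reply from 10.1.10.50 is denied because it enters on VLAN 10; in Example 3 only the specific SSH and MySQL flows are denied, and the reply to an allowed HTTPS connection passes because its destination port is the client's ephemeral port, not 3306.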

Last modified
14:19, 11 Jul 2017


Article ID

ID: 1129
