ACL list questions

watdee
Getting noticed

ACL list questions

I just want to verify that this will block mdns within vlan 1?

 

Switch ACL.jpg

 

Also, I'm surprised the default rule is permit Any Any.  I have several vlans for example vlan 1 and guest vlan 100.  I wouldn't want traffic between them so do I need to add a Deny rule?  My vlans are all set up on my firewall.

4 REPLIES 4
ww
Kind of a big deal
Kind of a big deal

Doesnt it use 5353?

Yes you need to create deny rules.

Between vlans on your l3 firewall.

Within a vlan then also on a switch

watdee
Getting noticed

Yes, the port is correct.  I just wanted to make sure the rule is correct because most of the examples are about blocking traffic between networks but I'm trying to block workstations from using mDNS within the vlan in this example.

 

I already don't allow traffic between VLANs through my firewall.  So it would just be the switch that I'm concerned about.  

watdee
Getting noticed

So if I have 5 vlans, how do I make sure clients on different vlans can't communicate with each other?  Seems like you could go with deny rules or add a deny any at the bottom, then go with allow rules.

Bruce
Kind of a big deal

The one point to remember with ACLs on the MS switches is that they’re applied to all traffic entering the switch, not going between VLANs - hence why there is no default deny all, as that would render the switch inoperative out of the box (it would just deny everything). And they’re stateless too - so just because they allow traffic in one direction, doesn’t mean they’ll let it come back the other way.

 

As you’ve discovered this actually provides some great flexibility as it means you can actually stop clients from communicating within a VLAN.

 

It also means that to stop communication between VLANs you could use deny rules that specify the source IP as any, the destination IP as the other VLANs subnet, and apply it to the source VLAN, simple as that. Then you don’t actually need the rules on the firewall to block inter-VLAN traffic as it is blocked as it enters the network. 

There are a couple of gotchas to watch out for. The MS390 switches still have limitations on support for switch ACLs, and the MS120/125 switch model also have restrictions.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels