SOLVED
GregErnest
Here to help

ACL setup - MS switching

I am working on building the ACL rules for our network. I have two things I am trying to understand.

1) What is the limit on the number of ACL rules? I have read in a couple of places that it is 128.

2) The article below shows using the VLAN field to control the ACL rule. Can anyone point me at how to define the VLANs so I can use this feature?

https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation

Thank you!

UCcert
Kind of a big deal

Hi @GregErnest

1) Yes, that limit is correct.

2) What switches do you have?

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

UCcert

My core switches are MS425-32s. They connect to MS390-48UXs. The final switches are MS125s.

Bruce
Kind of a big deal

@GregErnest you don’t need to define a VLAN on a Meraki MS. So in the VLAN field on the ACL you just enter the VLAN number. However, the MS390 switches will ignore any ACL which has a VLAN included (one of the many caveats on those switches), so you just need to be careful for any networks with those switches included.

Bruce,

Thank you for the info.

My issue is this: I have VLANs which are spread across multiple subnets. Example (but not real):

172.128.30.x/24 and 172.129.30.x/24 are in VLAN 30, each subnet on a different MS390.

I would like to create an overall rule preventing VLAN 30 from getting to 172.100.120.x/24. Right now, each has its own subnet rule. Because I have to do this for each VLAN over six different MS390s, I need six individual subnet rules in the ACL list.

Let's say I need to limit the ports to a print server to limit exposure. I need two ports open. VLAN 30. That takes twelve rules. I'm going to be sunk up against the 128 limit.

Bruce
Kind of a big deal

@GregErnest, unfortunately that is one of the limitations of the MS390 switches. You would be able to do exactly what you want on virtually all of the other current MS switches, just not the MS390. Here are some thoughts…

Can you summarise the subnets at all? The rules in the ACLs don’t have to match your defined subnet, they just need to encompass the IP addresses you're trying to capture within the range you define.

What’s the driver for implementing VLAN30 on the MS390, and so creating a number of them, as opposed to consolidating on the MS425, and maybe reducing the number of VLANs (although they obviously end up with different numbers)?

Another thought, are you able to flip it on its head and block the other way? The rules are stateless, so block all the traffic returning from the printer except from those two ports and also to any subnet you want to manage the printer from. You won’t be stopping traffic getting to the printer, or limiting it to particular subnets, but you will reduce the number of rules and prevent TCP connections being established.

(Yeah, I get none of this is what you want to be doing, just trying to think through the options).
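The summarisation idea in the reply above has a cost that is easy to miss: a single prefix that "encompasses" several non-contiguous /24s also matches every address in between. The script below is an added example (not from this thread or from Meraki) that takes a constructed set of six VLAN 30 subnets, finds the one prefix that covers them all, and reports how many unintended addresses that prefix pulls into the rule, alongside the rule count for the per-subnet approach. The subnet values, the 128-rule limit and the two printer ports are taken from the discussion; the helper names are my own.

```python
"""Added example: quantify what subnet summarisation costs in an ACL entry.

An ACL entry only has to *encompass* the addresses of interest, not match a
configured subnet exactly. This script finds the single prefix covering a set
of scattered VLAN 30 subnets and counts how many addresses outside those
subnets the prefix would also match, so the trade-off (fewer rules versus a
wider match) can be judged before it is typed into the dashboard.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example values: one /24 of VLAN 30 behind each of six MS390 hubs.
VLAN30_SUBNETS: List[str] = [
    "172.128.30.0/24", "172.129.30.0/24", "172.130.30.0/24",
    "172.131.30.0/24", "172.132.30.0/24", "172.133.30.0/24",
]
ACL_RULE_LIMIT = 128  # limit quoted in the thread


def covering_prefix(cidrs: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every network in `cidrs`."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    lowest = min(n.network_address for n in nets)
    highest = max(n.broadcast_address for n in nets)
    candidate = nets[0]
    # Widen by one bit at a time until both ends of the range fall inside.
    while lowest not in candidate or highest not in candidate:
        candidate = candidate.supernet()
    return candidate


def collapse(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Exact merge: only adjacent or nested blocks are combined, so nothing
    outside the original subnets is matched. Scattered /24s stay separate."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))


def overreach(cidrs: Iterable[str]) -> Tuple[ipaddress.IPv4Network, int, int]:
    """Return (covering prefix, intended address count, unintended address count)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    prefix = covering_prefix(cidrs)
    intended = sum(n.num_addresses for n in nets)
    return prefix, intended, prefix.num_addresses - intended


def rules_needed(source_entries: int, dest_ports: int, both_directions: bool) -> int:
    """Rules consumed by one source entry per destination port. MS ACLs are
    stateless, so covering the reply direction as well doubles the count."""
    count = source_entries * dest_ports
    return count * 2 if both_directions else count


def fits_limit(rule_count: int, limit: int = ACL_RULE_LIMIT) -> bool:
    """True when the rule set still fits under the platform limit."""
    return rule_count <= limit


if __name__ == "__main__":
    prefix, intended, extra = overreach(VLAN30_SUBNETS)
    print(f"exact collapse keeps {len(collapse(VLAN30_SUBNETS))} entries")
    print(f"single covering prefix {prefix}: {intended} intended, "
          f"{extra} unintended addresses")
    per_subnet = rules_needed(len(VLAN30_SUBNETS), 2, both_directions=False)
    summarised = rules_needed(1, 2, both_directions=False)
    print(f"per-subnet rules: {per_subnet}, summarised rules: {summarised}, "
          f"fits {ACL_RULE_LIMIT}-rule limit: {fits_limit(per_subnet)}")
```

For the six constructed /24s the covering prefix is 172.128.0.0/13, which matches over half a million addresses to cover 1,536 that were actually in scope. `collapse` is the safe alternative when subnets happen to be adjacent; here it cannot merge anything, which is the point: summarisation only helps if the addressing plan was laid out to allow it.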

Bruce,

Thanks for the info.

The 425's are my core switch stack. The MS390's are my "hubs" to the other areas of my network.

The ACL rules I am adding are under Switch/Configure/ACL. I was assuming these applied from the 425's and down. I am not familiar with any ways to add ACLs directly to the 390's.

The driver for implementing on the 390's? I didn't know I was doing this. See above.

Flipping the return traffic? I'll have to think on that one.

Bruce
Kind of a big deal

When you apply an ACL under Switch -> Configure -> ACL it's defined directly for all switches within the network. Since you stated you had different subnets assigned to VLAN30, I assumed that you had Layer 3 interfaces defined on each stack of MS390, each with a different subnet specific to that "hub". That's where the MS390 will be problematic, as you can't define a rule based on a VLAN for the MS390s; they'll ignore it (one of the many MS390 caveats). And that rule wouldn't work on the MS425 stack, as by the time the traffic reached there it would no longer be VLAN30.

Looking back through your posts though, if you only have devices connected to the MS125, and nothing directly to the MS390, then you could create the ACLs, apply them to VLAN30, and they'll get implemented on the MS125. Your source will be 'any' so that it applies to any traffic sourced in VLAN30, and the destination the various IP addresses and ports of the devices you want to deny (or permit) access to. There's more on the switch ACLs here: https://documentation.meraki.com/MS/Layer_3_Switching/Configuring_ACLs.

If you flip the rules and apply them to return traffic then yes, you're not stopping traffic getting to the device, but for TCP traffic you wouldn't be able to establish a connection as the handshake wouldn't complete. And for UDP traffic, if there was an expectation of a response it would never come, so whatever is trying to connect to it is 'flying blind'. Yes, I know it's not ideal, but just trying to think of other ways around the issue.
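To make the "flipped" rule set concrete, here is an added example (my own toy model, not Meraki code and not from this thread) of a stateless, first-match ACL evaluated one direction at a time. It builds the rule set the reply above describes, filtering what the printer is allowed to send, and then checks both legs of a TCP handshake. The printer address, management subnet, ports 9100 and 631 and the client addresses are constructed; the implicit permit at the end of the list is an assumption made for the model.

```python
"""Added example: a toy stateless switch ACL, used to see what the "flip it on
its head" rule set does and does not achieve.

First matching rule wins and each packet is judged on its own, which is what
"stateless" means in practice: the SYN and the SYN/ACK of one TCP connection
are evaluated independently. The list ends with an implicit permit (assumed).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = ANY
    src: str = ANY                   # CIDR, single address, or ANY
    dst: str = ANY
    src_port: Optional[int] = None   # None means any port
    dst_port: Optional[int] = None
    comment: str = ""


def _ip_match(rule_ip: str, ip: str) -> bool:
    return rule_ip == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_ip)


def _port_match(rule_port: Optional[int], pkt_port: int) -> bool:
    return rule_port is None or rule_port == pkt_port


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Stateless, first-match evaluation of one packet in one direction."""
    for r in acl:
        if (r.proto in (ANY, pkt.proto)
                and _ip_match(r.src, pkt.src) and _ip_match(r.dst, pkt.dst)
                and _port_match(r.src_port, pkt.src_port)
                and _port_match(r.dst_port, pkt.dst_port)):
            return r.action
    return "permit"  # assumed implicit allow at the end of the list


# Constructed addresses for the example.
PRINTER = "172.100.120.10"
MGMT_SUBNET = "172.100.200.0/24"

# The "flipped" rule set: constrain what the printer may *send*, so the rule
# count does not grow with the number of VLAN 30 subnets.
FLIPPED_ACL: List[Rule] = [
    Rule("permit", "tcp", src=PRINTER, src_port=9100, comment="raw print replies"),
    Rule("permit", "tcp", src=PRINTER, src_port=631, comment="IPP replies"),
    Rule("permit", ANY, src=PRINTER, dst=MGMT_SUBNET, comment="management hosts"),
    Rule("deny", ANY, src=PRINTER, comment="everything else the printer sends"),
]


def reaches_printer(acl: List[Rule], client: str, dst_port: int) -> bool:
    """Does the client's first packet arrive at the printer at all?"""
    syn = Packet("tcp", client, PRINTER, 51000, dst_port)
    return evaluate(acl, syn) == "permit"


def tcp_handshake_completes(acl: List[Rule], client: str, dst_port: int,
                            client_port: int = 51000) -> bool:
    """A TCP connection needs the SYN (client -> printer) and the SYN/ACK
    (printer -> client) to both pass; a stateless ACL judges each on its own."""
    syn = Packet("tcp", client, PRINTER, client_port, dst_port)
    syn_ack = Packet("tcp", PRINTER, client, dst_port, client_port)
    return evaluate(acl, syn) == "permit" and evaluate(acl, syn_ack) == "permit"


if __name__ == "__main__":
    vlan30_host, mgmt_host = "172.128.30.50", "172.100.200.5"
    for port in (9100, 631, 80):
        print(f"VLAN30 host -> printer:{port}  reaches={reaches_printer(FLIPPED_ACL, vlan30_host, port)}  "
              f"handshake={tcp_handshake_completes(FLIPPED_ACL, vlan30_host, port)}")
    print(f"mgmt host -> printer:80  handshake={tcp_handshake_completes(FLIPPED_ACL, mgmt_host, 80)}")
    print(f"rules used: {len(FLIPPED_ACL)}")
```

The run shows both sides of the trade-off in the reply above: the VLAN 30 host's SYN to port 80 still reaches the printer (nothing filters the inbound direction), but the SYN/ACK hits the final deny and the connection never establishes, while print ports and the management subnet work normally, all with four rules regardless of how many VLAN 30 subnets exist. A detection point follows from the same property: on the printer side, half-open connections that only ever see a SYN on a denied port are exactly the probes this rule set leaves visible.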

Bruce,

There are devices on the 390's and the 125's. I guess that makes the whole thing a problem.

This is a new installation this summer. I'm contacting my reseller to learn more about how to work around this without changing the whole subnetting from 172.1.30.x to 172.30.x.x. That would be a big, big project.

Can you link me to a document or posting where all of the issues with the 390's are outlined?

Thanks again.

Bruce
Kind of a big deal

This one, https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation, highlights the MS390 limitation on the VLAN field about halfway down. For the other limitations it’s best to look at the firmware release notes, the latest ones have been posted here, https://community.meraki.com/t5/Switching/New-MS-14-29-stable-release-candidate-firmware-released-a-... 

Bruce,

Flipping the rule: does this protect the server from something malicious getting to it? That is part of our goal.

UCcert
Kind of a big deal

This should help:

https://documentation.meraki.com/MS/Layer_3_Switching/Layer_3_Switch_Example
cmr
Kind of a big deal

@GregErnest you are right in that only 128 rules can be defined.  They are also stateless and therefore unidirectional so you kind of only have 64.  Finally you cannot use ranges...

cmr

I have found the limit on port ranges. You can do them on SSIDs, so it's confusing.
