UCcert

My core switches are MS425-32's.  Then connected to MS390-48UX's.  Then the final switches are MS125's.

@GregErnest you don’t need to define a VLAN on a Meraki MS. So in the VLAN field on the ACL you just enter the VLAN number. However, the MS390 switches will ignore any ACL which has a VLAN included (one of the many caveats on those switches), so you just need to be careful for any networks with those switches included.

Bruce,

Thank you for the info.

My issue is this:  I have VLAN's which are spread across multiple subnets.  Example (but not real):

172.128.30.x/24 and 172.129.30.x/24 are in VLAN 30, each subnet on a different MS390. 

I would like to create an overall rule preventing VLAN 30 from getting to 172.100.120.x/24.  Right now, each has it's own subnet rule.  Because I have to do this for each VLAN's over six different MS390's, I need six individual subnet rules in the ACL list.

Lets say I need to limit the ports to a print server to limit exposure.  I need two ports open.  VLAN 30.  That takes twelve rules.  I'm going to be sunk up against the 128 limit.

@GregErnest, unfortunately that is one of the limitations of the MS390 switches. You would be able to do exactly what you want on virtually all of the other current MS switches, just not the MS390. Here’s some thoughts…

Can you summarise the subnets at all? The rules in the ACLs don’t have to match your defined subnet, they just need to encompass the IP addresses your trying to capture within the range you define.

What’s the driver for implementing VLAN30 on the MS390, and so creating a number of them, as opposed to consolidating on the MS425, and maybe reducing the number of VLANS (although they obviously end up with different numbers).

Another thought, are you able to flip it on its head and block the other way? The rules are stateless, so block all the traffic returning from the printer except from those two ports and also to any subnet you want to mange the printer from. You won’t be stopping traffic getting to the printer, or limiting it to particular subnets, but you will reduce the number of rules and prevent TCP connections being established.

(Yeah, I get none of this is what you want to be doing, just trying to think through the options).

Bruce,

Thanks for the info.

The 425's are my core switch stack.  The MS390's are my "hubs" to the other areas of my network.

The ACL rules I am adding are under Switch/Configure/ACL.  I was assuming these applied from the 425's and down.  I am not familiar with any ways to add ACL's directly to the 390's.

The driver for for implementing on the 390's?  I didn't know I was doing this.  See above.

Flipping the return traffic?  I'll have to think on that one.

When you apply an ACL under Switch -> Configure -> ACL its defined directly for all switches within the network. Since you stated you had different subnets assigned to VLAN30, I assumed that you had Layer 3 interfaces defined on each stack of MS390 each with a different subnet specific to that "hub". That's where the MS390 will be problematic as you can't defined a rule based on a VLAN for the MS390s, they'll ignore it (one of the many MS390 caveats). And that rule wouldn't work on the MS425 stack as by the time the traffic reached there it would no-longer be VLAN30.

Looking back through your posts though, if you only have devices connected to the MS125, and nothing directly to the MS390, then you could create the ACLs, apply them to VLAN30, and they'll get implemented on the MS125. Your  source will be 'any' so that it apply to any traffic sourced in VLAN30 and the destination the various IP addresses and ports of the devices you want to deny (or permit) access to. There's more on the switch ACLs here https://documentation.meraki.com/MS/Layer_3_Switching/Configuring_ACLs.

If you flip the rules and apply them to return traffic then yes, you're not stopping traffic getting to the device, but for TCP traffic you wouldn't be able to establish a connection as the handshake wouldn't complete. And for UDP traffic if there was an expectation of a response it would never come - so whatever is trying to connect to it is 'flying blind'. Yes, I know its not ideal, but just trying to think of other ways around the issue.

Bruce,

There are devices on the 390's and the 125's.  I guess that makes the whole thing a problem.

This is a new installation this Summer.  I'm contacting my reseller to learn more about how to work around this without changing the whole subnetting from 172.1.30.x to 172.30.x.x.  That would be a big, big project.

Can you link me to a document or posting where all of the issues with the 390's are outlined?

Thanks again.

Bruce,

Flipping the rule:  does this protect the server from something malicious getting to it?  That is part of our goal.

cmr

I have found the limit on port ranges.  You can do them on SSID's, so it's confusing.