ACLs for Multiple Networks/VLANs

Solved
PhillipJFry
Here to help

ACLs for Multiple Networks/VLANs

Hello everyone, I am still new to Meraki and getting used to how Meraki does things.  I am working on creating multiple ACLs for our networks.  An ACL for VLAN 2, ACL for VLAN 3, etc.  The ACLs basically only giving those networks dns,dhcp, access to specific hosts, and block from communicating with the rest of our network.  I am used to the traditional Cisco way, you build out your ACL, and apply that to the network.  I am not seeing that option in our Meraki environment.  I can create the ACLs line by line, like one giant list, and specify the vlan on that line.  It just seems kind of ugly for lack of better words.  Is there another way to achieve this that I am missing?  If it helps, our environment is a mixture of ms350s and ms250s.

1 Accepted Solution
GIdenJoe
Kind of a big deal
Kind of a big deal

The Meraki ACL situation is best compared to a VACL.  It works on switched packets so it can block traffic between hosts in the same VLAN.

So it has one long list of entries that work on optional source VLAN and L3/4 info.  So it's quite easy.

However it comes with a big downside for me.  It only allows 128 ACE entries for the entire network.  Since ACL's are stateless and you can have many VLAN's that list fills up very quick even if you keep it quite basic.

 

If you need more room for ACE's I would recommend going for a more hybrid approach where your coreswitches are Catalyst and your access switches are Meraki.  You can now monitor Catalyst switches in dashboard so it's a valid design to have for example 2 9500's as core and a bunch of stacked MS250's in the access layer.

 

You also have the ability to use adaptive policy which basically is a Meraki version of Cisco Trustsec, however you need all MS390 switches in your network in the access layer and they are at the moment still a bit finnicky.

View solution in original post

4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal

You can use group policy, but for Meraki switches as far as I remember it is not possible to apply to a specific subnet, unlike MX. Take a look at this documentation.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GreenMan
Meraki Employee
Meraki Employee

You don't need to apply an ACL to a specific entity, like a VLAN or SVI, like you do with similar solutions.   Note this from the beginning of the guide:

<With Meraki, you only have to define an ACL once in a network and it will be propagated to all switches within that network. Additionally, the default rule for Meraki ACLs is "Permit Any Any">     'Network' in context means a specific Network within the Meraki Dashboard (i.e. it will be applied on all switches, effectively on all ports on those switches.   You therefore just need to get the sources and destinations right, for them to work properly.

Note though that it is possible, within any ACL, to choose to specify a source VLAN - but the default is Any

 

https://documentation.meraki.com/MS/Layer_3_Switching/Configuring_ACLs

https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation

 

GIdenJoe
Kind of a big deal
Kind of a big deal

The Meraki ACL situation is best compared to a VACL.  It works on switched packets so it can block traffic between hosts in the same VLAN.

So it has one long list of entries that work on optional source VLAN and L3/4 info.  So it's quite easy.

However it comes with a big downside for me.  It only allows 128 ACE entries for the entire network.  Since ACL's are stateless and you can have many VLAN's that list fills up very quick even if you keep it quite basic.

 

If you need more room for ACE's I would recommend going for a more hybrid approach where your coreswitches are Catalyst and your access switches are Meraki.  You can now monitor Catalyst switches in dashboard so it's a valid design to have for example 2 9500's as core and a bunch of stacked MS250's in the access layer.

 

You also have the ability to use adaptive policy which basically is a Meraki version of Cisco Trustsec, however you need all MS390 switches in your network in the access layer and they are at the moment still a bit finnicky.

PhillipJFry
Here to help

I thought this was the case.  I guess the long running list will have to do until we can try the other alternatives.  Thank you for the reply

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels