Advanced access-list on MS switches

Solved
niroulabh
Getting noticed

Advanced access-list on MS switches

I have unique requirements for access-lists on the Meraki switches. Has anyone here used the access-lists extensively? Please reply.

1 Accepted Solution
GIdenJoe
Kind of a big deal

ACLs on all switches are stateless.
Switches usually work in a totally stateless way.

However, the functionality I find seriously lacking in the MS line is the ability to use separate ACLs per interface and the very small TCAM space you can use.

Even the lower-end Catalyst switch has 1500 ACEs + 1000 QoS entries.
So even when using an access list based on a RADIUS session (Filter-ID), in MS switches you are severely limited in ACEs with L4 information, and you even have to share it with QoS rules.

That's why I'm hoping they will change their stance when MS390s or Catalyst switches are in Meraki persona.


7 Replies
alemabrahao
Kind of a big deal

I didn't understand your question. If you want to know if the ACLs on MS work well, the answer is yes.


https://documentation.meraki.com/MS/Layer_3_Switching/Configuring_ACLs

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Inderdeep
Kind of a big deal

Yes, we are using them. Let us know your question.

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
PhilipDAth
Kind of a big deal

One of the big limitations is they can have a maximum of 127 entries. Another is that they are stateless.
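
The two constraints raised in this thread (a stateless ACL and a cap of 127 entries) interact: because the switch matches each packet on its own, an "allow clients to the web server" rule only works if the server-to-client direction is also written out, so a deny-by-default design roughly doubles the entries you thought you needed. The script below is an added example, not code from this thread or from Meraki; it takes the rules as an engineer thinks of them (one per session), expands them into the stateless entries a switch ACL actually needs, and checks the result against the 127-entry budget. The `Ace` field layout, the treatment of 127 as a hard cap on the whole list, and the sample addresses are all assumptions made for the example.

```python
# Added example: expand session-style rules into stateless ACL entries and check
# them against the 127-entry limit mentioned in the thread. Not Meraki tooling;
# the field layout and the sample addresses below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_ACES = 127  # limit quoted in the thread (assumption: a hard cap on the whole list)


@dataclass(frozen=True)
class Ace:
    """One access-control entry (assumed field layout)."""
    policy: str     # "allow" or "deny"
    protocol: str   # "tcp", "udp", "icmp" or "any"
    src_cidr: str
    src_port: str   # "any" or a port number
    dst_cidr: str
    dst_port: str
    comment: str = ""

    def key(self) -> Tuple[str, ...]:
        return (self.policy, self.protocol, self.src_cidr, self.src_port,
                self.dst_cidr, self.dst_port)

    def uses_l4(self) -> bool:
        """True when the entry matches on ports, i.e. needs L4 TCAM space."""
        return self.protocol in ("tcp", "udp") and (
            self.src_port != "any" or self.dst_port != "any")


def return_entry(ace: Ace) -> Optional[Ace]:
    """Reverse entry a stateless ACL needs so TCP/UDP replies are not dropped.

    A stateful firewall would track the session; a switch ACL evaluates every
    packet independently, so the server-to-client direction must be explicit.
    Deny rules and non-TCP/UDP rules get no reverse entry here.
    """
    if ace.policy != "allow" or ace.protocol not in ("tcp", "udp"):
        return None
    return Ace(policy="allow", protocol=ace.protocol,
               src_cidr=ace.dst_cidr, src_port=ace.dst_port,
               dst_cidr=ace.src_cidr, dst_port=ace.src_port,
               comment=f"reply direction of: {ace.comment}".strip())


def expand_stateless(intent: List[Ace]) -> List[Ace]:
    """Turn one-rule-per-session intent into the entries a stateless ACL needs.

    Order is preserved, each reverse entry follows its forward entry, and exact
    duplicates are dropped so they do not eat into the entry budget.
    """
    out: List[Ace] = []
    seen = set()
    for ace in intent:
        for entry in (ace, return_entry(ace)):
            if entry is None or entry.key() in seen:
                continue
            seen.add(entry.key())
            out.append(entry)
    return out


def plan_acl(intent: List[Ace], limit: int = MAX_ACES) -> Dict[str, object]:
    """Expand the intent and report whether it fits within the entry limit."""
    acl = expand_stateless(intent)
    return {
        "entries": len(acl),
        "l4_entries": sum(1 for a in acl if a.uses_l4()),
        "fits": len(acl) <= limit,
        "over_by": max(0, len(acl) - limit),
        "acl": acl,
    }


# Constructed sample: a user VLAN may reach one web server and one DNS server
# in the server VLAN and nothing else there.
SAMPLE_INTENT = [
    Ace("allow", "tcp", "10.0.10.0/24", "any", "10.0.20.5/32", "443", "users to intranet web"),
    Ace("allow", "udp", "10.0.10.0/24", "any", "10.0.20.53/32", "53", "users to DNS"),
    Ace("deny", "any", "10.0.10.0/24", "any", "10.0.20.0/24", "any", "block the rest of the server VLAN"),
]

if __name__ == "__main__":
    report = plan_acl(SAMPLE_INTENT)
    for ace in report["acl"]:
        print(f"{ace.policy:5} {ace.protocol:4} {ace.src_cidr}:{ace.src_port} "
              f"-> {ace.dst_cidr}:{ace.dst_port}  # {ace.comment}")
    print(f"{report['entries']} entries ({report['l4_entries']} with L4 fields), "
          f"fits limit of {MAX_ACES}: {report['fits']}")
```

Three intended rules become five entries; with 64 or more allowed TCP/UDP services on a deny-by-default list the expanded ACL is already over the 127-entry limit, which is the situation the original poster is running into. The reply entries are the part people forget when moving a policy from a stateful firewall to a switch ACL, and they are also where L4 fields pile up in the shared TCAM.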


niroulabh
Getting noticed

Thanks for your answer and explanation.

niroulabh
Getting noticed

Thanks for the number. Sometimes I have a requirement for more than 127.

