Can someone please have a look at the below ACL rule and tell me what I am doing wrong? Hopefully it's something simple, but I would have thought rule number 1 would allow the traffic on port 9191 and the second rule would block all other traffic.... If I only have the default allow all rule I can access the service on port 9191, so it's not a tagging issue.
The second rule should be "Any" rather than just "TCP", assuming you want to block all other traffic.
@PhilipDAth Yes, I changed that shortly after, but from the device listed in rule one I cannot send traffic via port 9191 to the destination subnet. I can't work out why this isn't working.
Is this an MX or MS?
If I change it to this it works.... The problem is I only want to allow that single IP access.
It's an MS unit, MS425-32.
I'm going to bet it is not using tcp/9191 - or it requires tcp/9191 and something else.
If you also make the destination port "any" and leave the source host restriction does it also work?
I'll try and get back to you.
Setting the dest port to any works. The software is PaperCut and I am accessing the server via a web browser with the URL http://192.168.1.5:9191
I tried creating another rule for 9192, which is their HTTPS port, but this didn't work either.
Personally, I would do a packet capture on the port that a user is plugged into, and see what ports it tries to access.
Odd, I have done exactly the same setup with a firewall rather than a switch and it worked just using port 9191. Thanks for your help, but we might just go down the firewall avenue.
As ACLs don't support adding in ranges and a ton of our services use a range of ports, I'd rather not have to add in a rule for every single port.
Thanks again for your help.
Hi Richard,
I believe ACLs in switches work a little differently as compared to MX.
Did you get a chance to look at the following URL?
https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation
And you are 100% sure the service is using tcp/9191? A quick capture on the inbound port would help prove that.
MS does not support IP ranges for ACLs; I've been asking for this feature for a while.
@AjitKumar Yes, I have read that article, thanks.
@dpf Yes, this has led to a decision to use a firewall instead of using our core MS unit.
There's also a 128-rule limit placed on switches, so if you decide to use L3 routing with completely granular ACLs, be careful.
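The behaviour the thread runs into is easiest to see with a small stateless ACL evaluator. This is an added example, not code from the thread or from Meraki: MS switch ACLs (the Switch_ACL_Operation article linked above) match every packet independently, with no connection tracking, so the reply packets from the server's port 9191 to the client's ephemeral port are evaluated against the same rule list. The server address 192.168.1.5:9191 comes from the thread; the client host 192.168.2.10, the server subnet 192.168.1.0/24 and the ephemeral port 51234 are constructed for the example, and the final "default allow" mirrors the default rule the original poster mentions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # CIDR or "any"
    src_port: Optional[int]     # None means any port
    dst: str                    # CIDR or "any"
    dst_port: Optional[int]     # None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _net_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_match(rule_port: Optional[int], port: int) -> bool:
    return rule_port is None or rule_port == port


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation of a single packet, with no state between packets.
    Returns (action, index of the matching rule); index None means the
    trailing default-allow rule was hit."""
    for idx, r in enumerate(acl):
        if r.proto not in ("any", pkt.proto):
            continue
        if not _net_match(r.src, pkt.src_ip) or not _net_match(r.dst, pkt.dst_ip):
            continue
        if not _port_match(r.src_port, pkt.src_port) or not _port_match(r.dst_port, pkt.dst_port):
            continue
        return r.action, idx
    return "allow", None


def flow_verdict(acl: List[Rule], client_ip: str, client_port: int,
                 server_ip: str, server_port: int, proto: str = "tcp") -> Tuple[str, str]:
    """A TCP connection needs both directions to pass a stateless ACL:
    client -> server:9191 and server:9191 -> client:ephemeral."""
    forward = Packet(proto, client_ip, client_port, server_ip, server_port)
    reverse = Packet(proto, server_ip, server_port, client_ip, client_port)
    return evaluate(acl, forward)[0], evaluate(acl, reverse)[0]


def exceeds_rule_limit(acl: List[Rule], limit: int = 128) -> bool:
    """The thread notes a 128-rule limit on MS switches; flag ACLs that would not fit."""
    return len(acl) > limit


# Constructed addresses: client 192.168.2.10, PaperCut server 192.168.1.5 (from the thread).
CLIENT, SERVER, SERVER_NET = "192.168.2.10", "192.168.1.5", "192.168.1.0/24"

# The two-rule ACL as described in the opening post (second rule already changed to "Any").
ACL_AS_POSTED = [
    Rule("allow", "tcp", CLIENT + "/32", None, SERVER_NET, 9191),
    Rule("deny", "any", "any", None, "any", None),
]

# Same intent, plus an explicit rule for the return direction so the reply packets
# (source port 9191, arbitrary destination port) are not caught by the deny.
ACL_WITH_RETURN = [
    Rule("allow", "tcp", CLIENT + "/32", None, SERVER_NET, 9191),
    Rule("allow", "tcp", SERVER_NET, 9191, CLIENT + "/32", None),
    Rule("deny", "any", "any", None, "any", None),
]

if __name__ == "__main__":
    print("as posted   :", flow_verdict(ACL_AS_POSTED, CLIENT, 51234, SERVER, 9191))
    print("with return :", flow_verdict(ACL_WITH_RETURN, CLIENT, 51234, SERVER, 9191))
    other = Packet("tcp", "192.168.2.20", 40000, SERVER, 9191)   # constructed, not the allowed host
    print("other host  :", evaluate(ACL_WITH_RETURN, other))
```

Running it prints `('allow', 'deny')` for the ACL as posted and `('allow', 'allow')` once the return-direction rule is present, while a different client host still hits the deny rule. Where the ACL is applied (which VLAN or port the rules are evaluated on) changes which of the two packets the switch actually sees, so the same check applies to the rules on each side.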