I am unable to add or edit any ACLs on our MS250 switch. Upon saving any changes, including just adding a comment, I receive a long stream of errors like these:
Must be 'both', 'ipv4', or ipv6''
For ACL rules applied to both IPv4 and IPv6, Destination address must be 'any'
Must be 'both', 'ipv4', or ipv6''
For ACL rules applied to both IPv4 and IPv6, Destination address must be 'any'
Must be 'both', 'ipv4', or ipv6''
For ACL rules applied to both IPv4 and IPv6, Source address must be 'any'
Must be 'both', 'ipv4', or ipv6''
For ACL rules applied to both IPv4 and IPv6, Source address must be 'any'
Must be 'both', 'ipv4', or ipv6''
For ACL rules applied to both IPv4 and IPv6, Destination address must be 'any'
Per Meraki support, they think it is a bug because of a similar case they have open and have referred my case on to developers.
So I need to get some ACLs set up for a new subnet and I have been stuck for a week now waiting for Meraki to figure out what is wrong. Has anyone else run into this? Any advice?
That does indeed sound like a bug. Are you using any rules with "IPv6" or "both"?
What code are you running? If it's a bug, support can up/downgrade you to a working version, even if it isn't on the web UI.
That's a good suggestion. We are running MS 11.17 firmware. Looks like 11.22 is available on the Stable Channel.
Nope. All rules are IPv4.
Have you definitely got a layer 3 VLAN configured?
Could you post a screenshot of the ACL when the error happens?
The MS250 is configured to route traffic between VLANs, and has been doing so for over a year and a half. The current ACLs have been working. I did just recently add a new VLAN which is the one I want to add ACLs for. But, I cannot even add a comment to an existing ACL without the errors.
I just added the comment to the following rule and receive the errors upon trying to save the change.
Apart from trying a fw update I'm at a loss. It really seems like a bug. Nag helpdesk daily, this really should just work.
@SchoolTechFW we have been running 11.22 on 225s and 210s for a while with no issues, but we don't do L3 so I can't comment on the stability of that layer.
There is nothing wrong with what you are doing. Time for a Meraki support ticket.
Thank you for all the inputs!
So it's been 2 weeks now since Meraki decided my ACL issue was a bug and forwarded it onto developers, which seems to be a black hole of some sort where things go in, but nothing (like information, or status reports) ever comes out. The support staff seems unable to get a status or any info at all on this.
The only workaround Meraki support can suggest is deleting all ACLs and trying to add them back. I am not going to do that since it could leave me much worse off if I am unable to add the current ACLs back. So I am still stuck with our core switch missing key functionality - unable to add or edit ACLs. Wondering if I should explore a switch from another vendor and if I can find a more reliable one.
Did you upgrade to 11.22? If so perhaps worth trying 11.25, just in case it fixes it (you can always roll back).
I have not upgraded. It might help, although I didn't see anything in the release notes that mentioned my issue. This is our central routing/gateway switch so if I botch it, it will be a major problem.
I've had a think about this. If it was me I would clone the network, and then in the cloned copy try some experiments to see what resolves it.
You could also try cloning the network, get it working correctly, and then just move the kit to the new network. If all goes well, delete the original network. If it doesn't go well, move the kit back (aka a rollback plan).
Cloning the network is a thought! Maybe I could do that safely, without endangering all that is actually working now.
Thank you for the idea!