We are replacing a Cisco 3850 at a remote site with a Meraki MS425-16. I think I understand how the ACLs work, but wanted to ask to be sure.
For a couple of the VLANs on the Meraki side, we have ACLs assigned inbound and outbound. Under Meraki, do I need to rewrite those all to be in one big global ACL?
I think that it will help you.
https://documentation.meraki.com/MS/Layer_3_Switching/Configuring_ACLs
Thank you... I've used this tool in the past. Isn't this only for 2960x? It doesn't say anything about access control lists.
The truth is that there is no magic tool for migrating settings. Everything that exists is basically what was created by someone within the community.
I can try this python code.
import requests

# Define the API key and network ID
API_KEY = 'YOUR_API_KEY'
NETWORK_ID = 'YOUR_NETWORK_ID'

# Define the headers for the API request
headers = {
    'X-Cisco-Meraki-API-Key': API_KEY,
    'Content-Type': 'application/json'
}

# Define the URL for the API request
url = f'https://api.meraki.com/api/v1/networks/{NETWORK_ID}/switch/accessControlLists'

# Read the Catalyst ACLs from a text file: one ACL per line, split into fields,
# blank lines skipped (the trailing newline must be stripped or it ends up in the last field)
with open('catalyst_acls.txt', 'r') as file:
    catalyst_acls = [line.split() for line in file if line.strip()]

# Convert the Catalyst ACLs to the Meraki standard
# This is a basic conversion and might need to be adjusted based on your specific ACLs.
# Catalyst uses permit/deny, Meraki uses allow/deny, so the action is mapped.
meraki_acls = [{
    'comment': acl[1],
    'policy': {'permit': 'allow', 'deny': 'deny'}.get(acl[2], acl[2]),
    'protocol': acl[3],
    'srcCidr': acl[4],
    'srcPort': acl[5],
    'dstCidr': acl[6],
    'dstPort': acl[7],
    'vlan': acl[8]
} for acl in catalyst_acls]

# Make the API request. The endpoint expects the rule list wrapped in a 'rules' object,
# not a bare JSON array.
response = requests.put(url, headers=headers, json={'rules': meraki_acls})

# Check the response
if response.status_code == 200:
    print('Successfully updated ACLs.')
else:
    print(f'Failed to update ACLs. Status code: {response.status_code}. {response.text}')
This script assumes that each line in the text file is a single Catalyst ACL and that the ACLs are formatted as follows: access-list ACL_NAME action protocol source destination. The script splits each line into separate parts and maps them to the corresponding fields in the Meraki ACLs. If your Catalyst ACLs are formatted differently, you’ll need to adjust the script accordingly.
Thank you, but I suspect my ACLs will need a little work and a migration tool probably won't exist to do everything for me.
My question was... does Meraki only have one global ACL for everything, and not individual ACLs assigned to VLANs like Cisco had?
The easiest way I've found is just to do a 'copy and paste' from the Catalyst to Meraki.
There is some transformation required as Meraki switches treat ACLs a little differently and can be relatively limiting.
Mainly:
1. Meraki ACLs apply across all ports on all switches in the network rather than on individual L3 interfaces
2. Meraki ACLs do not support port ranges, port lists or subnet lists
3. Meraki ACLs end with a default allow rather than an implicit deny
Depending on how fancy your ACLs are, you may find it's not feasible to convert them and you may need to redesign your network with a firewall (Meraki MX or otherwise) instead.
Also think of Meraki ACLs as VACLs, not RACLs as one would expect. You also have a 128 ACE hard limit so you'll have to be quite coarse in your rules.
This hard limit is a reason to consider mixed environments where you have a Catalyst distribution pair of switches to allow for more complex ACLs and VRF support and keep the access switch Meraki to take advantage of the dashboard.
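The following is an added example, not code from this thread and not a Cisco or Meraki tool: a converter that takes the Catalyst ACL text the earlier script wanted to push and applies the three differences listed above (global ACL scoped with the vlan field, port ranges and lists expanded into one ACE per port, an explicit deny appended because Meraki ends with a default allow) and refuses anything that would pass the 128 ACE limit. Assumptions: the Meraki rule field names (comment, policy, ipVersion, protocol, srcCidr, srcPort, dstCidr, dstPort, vlan) are my reading of the Dashboard API v1 switch ACL schema and should be checked against the documentation linked earlier in the thread; MS ACLs are assumed to match only any/tcp/udp, so other protocols are rejected; named ports (eq www) are not handled; the sample Catalyst ACL is constructed for the demo. It builds the PUT body offline and does not call the API.

```python
"""Catalyst extended ACL -> Meraki MS switch ACL rules (added example, not from the thread).

Field names follow my reading of the Dashboard API v1 switch ACL schema (assumption):
comment, policy, ipVersion, protocol, srcCidr, srcPort, dstCidr, dstPort, vlan.
"""
import ipaddress
import json

MERAKI_ACE_LIMIT = 128                                   # hard limit quoted in the thread
PROTO_MAP = {"ip": "any", "tcp": "tcp", "udp": "udp"}    # MS ACLs match any/tcp/udp only (assumption)

# Constructed sample input: one Catalyst extended ACL as 'show run' prints it.
CATALYST_ACL = """\
 remark web from LAN to DMZ
 permit tcp 10.10.20.0 0.0.0.255 host 192.0.2.10 range 8080 8082
 permit udp any eq 53 any
 permit tcp any host 192.0.2.20 eq 80 443
"""


def _addr(tokens, i):
    """Consume one Catalyst address spec at tokens[i]: any | host A | A WILDCARD. Returns (cidr, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        return f"{tokens[i + 1]}/32", i + 2
    wildcard = tokens[i + 1]
    # ipaddress would read these two wildcards as netmasks, so special-case them.
    if wildcard == "0.0.0.0":
        return f"{tok}/32", i + 2
    if wildcard == "255.255.255.255":
        return "any", i + 2
    net = ipaddress.IPv4Network(f"{tok}/{wildcard}", strict=False)  # hostmask notation
    return net.with_prefixlen, i + 2


def _ports(tokens, i):
    """Consume an optional port operator. Meraki has no ranges or lists, so return every port it covers."""
    if i >= len(tokens) or tokens[i] not in ("eq", "range", "gt", "lt", "neq"):
        return ["any"], i
    op = tokens[i]
    if op == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return [str(p) for p in range(lo, hi + 1)], i + 3
    if op == "eq":                       # 'eq 80 443' is a port list on newer IOS
        ports, i = [], i + 1
        while i < len(tokens) and tokens[i].isdigit():
            ports.append(tokens[i])
            i += 1
        if not ports:
            raise ValueError(f"named ports are not handled: {' '.join(tokens)}")
        return ports, i
    raise ValueError(f"'{op}' has no Meraki equivalent, rewrite by hand: {' '.join(tokens)}")


def catalyst_to_meraki(acl_text, vlan="any"):
    """Turn Catalyst ACE lines into Meraki rules scoped to one VLAN (the Meraki ACL itself is global)."""
    rules, comment = [], ""
    for line in acl_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0].isdigit():          # sequence number from 'show ip access-lists'
            tokens = tokens[1:]
        if tokens[0] == "remark":        # carry the remark into the comment of the next ACE
            comment = " ".join(tokens[1:])
            continue
        action, proto = tokens[0], tokens[1]
        policy = {"permit": "allow", "deny": "deny"}[action]
        if proto not in PROTO_MAP:
            raise ValueError(f"protocol {proto!r} cannot be expressed in an MS ACL: {line.strip()}")
        src, i = _addr(tokens, 2)
        sports, i = _ports(tokens, i) if proto in ("tcp", "udp") else (["any"], i)
        dst, i = _addr(tokens, i)
        dports, i = _ports(tokens, i) if proto in ("tcp", "udp") else (["any"], i)
        for sp in sports:                # one ACE per (src port, dst port) pair
            for dp in dports:
                rules.append({"comment": comment, "policy": policy, "ipVersion": "ipv4",
                              "protocol": PROTO_MAP[proto], "srcCidr": src, "srcPort": sp,
                              "dstCidr": dst, "dstPort": dp, "vlan": vlan})
        comment = ""
    return rules


def build_meraki_acl(acl_text, vlan="any"):
    """Return the PUT body: rules plus the deny Catalyst implied, checked against the ACE limit."""
    rules = catalyst_to_meraki(acl_text, vlan)
    last = rules[-1] if rules else {}
    catch_all = (last.get("policy") == "deny" and last.get("protocol") == "any"
                 and last.get("srcCidr") == "any" and last.get("dstCidr") == "any")
    if not catch_all:
        # Catalyst ends in an implicit deny, Meraki in a default allow. Keep the deny scoped to
        # this VLAN: the ACL is network-wide, so an unscoped deny any would hit every other VLAN.
        rules.append({"comment": "implicit deny carried over from Catalyst", "policy": "deny",
                      "ipVersion": "ipv4", "protocol": "any", "srcCidr": "any", "srcPort": "any",
                      "dstCidr": "any", "dstPort": "any", "vlan": vlan})
    if len(rules) > MERAKI_ACE_LIMIT:
        raise ValueError(f"{len(rules)} ACEs after expansion exceeds the {MERAKI_ACE_LIMIT} limit")
    return {"rules": rules}


if __name__ == "__main__":
    print(json.dumps(build_meraki_acl(CATALYST_ACL, vlan="20"), indent=2))
```

Run it once per Catalyst ACL with the VLAN it was applied to, then concatenate the rule lists into one body before the PUT, since the MS network has a single ACL. A three-port range costs three ACEs, so the expanded count is what matters against the 128 limit, and the ValueError is the signal that the ACL needs a firewall rather than a switch ACL.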