Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Converting Cisco switch ACLs to Meraki

pfisterfarm
Just browsing
‎Dec 5 2023 1:05 PM
‎Dec 5 2023 1:05 PM

Converting Cisco switch ACLs to Meraki

We are replacing a Cisco 3850 at a remote site with a Meraki MS425-16. I think I understand how the ACLs work, but wanted to ask to be sure. 

 

For a couple of the VLANs on the Meraki side, we have ACLs assigned inbound and outbound. Under Meraki, do I need to rewrite those all to be in one big global ACL?

0 Kudos
Subscribe
7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 5 2023 1:17 PM
‎Dec 5 2023 1:17 PM

I think that it will help you.

 

https://developer.cisco.com/codeexchange/github/repo/fadysharobeem/Catalyst_to_Meraki_Migration_tool...

 

https://documentation.meraki.com/MS/Layer_3_Switching/Configuring_ACLs

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
pfisterfarm
Just browsing
‎Dec 5 2023 1:29 PM
‎Dec 5 2023 1:29 PM

Thank you... I've used this tool in the past. Isn't this only for 2960x? It doesn't say anything about access control lists.

0 Kudos
Subscribe
In response to pfisterfarm
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 5 2023 1:39 PM
‎Dec 5 2023 1:39 PM

The truth is that there is no magic tool for migrating settings. Everything that exists is basically what was created by someone within the community.

I can try this python code.


import requests
import json

# Define the API key and network ID
API_KEY = 'YOUR_API_KEY'
NETWORK_ID = 'YOUR_NETWORK_ID'

# Define the headers for the API request
headers = {
    'X-Cisco-Meraki-API-Key': API_KEY,
    'Content-Type': 'application/json'
}

# Define the URL for the API request
url = f'https://api.meraki.com/api/v1/networks/{NETWORK_ID}/switch/accessControlLists'

# Read the Catalyst ACLs from a text file
with open('catalyst_acls.txt', 'r') as file:
    catalyst_acls = file.readlines()

# Convert the Catalyst ACLs to the Meraki standard
# This is a basic conversion and might need to be adjusted based on your specific ACLs
meraki_acls = [{'comment': acl.split(' ')[1], 'policy': acl.split(' ')[2], 'protocol': acl.split(' ')[3], 'srcCidr': acl.split(' ')[4], 'srcPort': acl.split(' ')[5], 'dstCidr': acl.split(' ')[6], 'dstPort': acl.split(' ')[7], 'vlan': acl.split(' ')[8]} for acl in catalyst_acls]

# Make the API request
response = requests.put(url, headers=headers, json=meraki_acls)

# Check the response
if response.status_code == 200:
    print('Successfully updated ACLs.')
else:
    print(f'Failed to update ACLs. Status code: {response.status_code}.')

This script assumes that each line in the text file is a single Catalyst ACL and that the ACLs are formatted as follows: access-list ACL_NAME action protocol source destination. The script splits each line into separate parts and maps them to the corresponding fields in the Meraki ACLs. If your Catalyst ACLs are formatted differently, you’ll need to adjust the script accordingly.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
pfisterfarm
Just browsing
‎Dec 5 2023 1:50 PM
‎Dec 5 2023 1:50 PM

Thank you, but I suspect my ACLs will need a little work and a migration tool probably won't exist to do everything for me. 

 

My question was... does Meraki only have one global ACL for everything, and not individual ACLs assigned to VLANs like Cisco had?

0 Kudos
Subscribe
In response to pfisterfarm
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 5 2023 2:02 PM
‎Dec 5 2023 2:02 PM

The way of working at Meraki is different, so the answer is no, you don't have an individual ACL, but you can work with Group Policies and apply it directly to the client (which is a lot of work) or apply it to the interface.
 
See the documentation. 
 
Note that there are limitations.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
Brash
Kind of a big deal
Kind of a big deal
‎Dec 5 2023 3:30 PM
‎Dec 5 2023 3:30 PM

The easiest way I've found is just to do a 'copy and paste' from the Catalyst to Meraki.

There is some transformation required as Meraki switches treat ACL's a little differently and can be relatively limiting.

Mainly:

1. Meraki ACL's apply across all ports on all switches in the network rather than on individual L3 interfaces

2. Meraki ACL's do not support port ranges, port lists or subnet lists

3. Meraki ACL's end with a default allow rather than an implicit deny

 

Depending on how fancy your ACL's are, you may find it's not feasible to convert them and you may need to redesign your network with a firewall (Meraki MX or otherwise) instead.

0 Kudos
Subscribe
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Dec 6 2023 11:11 AM
‎Dec 6 2023 11:11 AM

Also think of Meraki ACL's as VACL's, not RACL's as one would expect.  You also have a 128 ACE hard limit so you'll have to be quite coarse in your rules.

 

This hard limit is a reason to consider mixed environments where you have a Catalyst distribution pair of switches to allow for complexer ACL's and VRF support and keep the access switch Meraki to take advantage of the dashboard.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.