MS 120 Slow to accept and also run the ACL

Kave
Getting noticed
1- I made an ACL on the MS 120, but it takes a long time to change the ACL.

It is about 20 min.
IT IS NOT THE ONLY PROBLEM; packet processing is slow also, so I can't complete a handshake with my SQL Server authentication. That SQL authentication fails when the ACL is running.


[attachment: MS120 ACL-2.PNG]

kav noroozi
PhilipDAth
Kind of a big deal

The return traffic ACLs, like rule 2, are wrong.
The source and destination should be swapped.

Thank you Philip.

I just changed the ACL as you can see.

172.18.0.0/24 is the subnet which won't have full port access to my server farm 172.16.0.0/24.

Subnet 18 needs to access subnet 16 for HTTPS (443), RDP (3389), DNS (53), and SQL (1433).

When I applied that ACL, Meraki became so slow for this port and that destination.

kav noroozi
PhilipDAth
Kind of a big deal

What is the IP address of your server and what is the IP address of your client trying to access the server?

172.18.0.0/24 is my clients' subnet, which needs to connect to some servers in 172.16.0.0/24.

[attachment: MS120 ACL 3.PNG]

kav noroozi
PhilipDAth
Kind of a big deal

You don't have any rules to allow the return traffic.

You need a rule to allow traffic from 172.18.0.0/24 to 172.16.0.0/24 with a destination port of tcp/443 AND a rule to allow the return traffic (source 172.16.0.0/24, source port 443, to destination 172.18.0.0/24).

Ditto for the other rules.
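To make the stateless, per-packet nature of the ACL concrete, here is an added example (not from the thread or from Meraki) that models first-match evaluation over a TCP handshake. Host addresses, the client's ephemeral port and the simplified rule format are constructed assumptions; the subnets, port 443 and the trailing "allow any" catch-all are the ones discussed above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of a stateless ACL: every packet is matched on its own,
# so the server's SYN-ACK needs its own rule, mirroring the forward rule.
# Rule tuple: (action, proto, src_net, src_port, dst_net, dst_port); "any" matches all.

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _match(field, value):
    if field == "any":
        return True
    if isinstance(field, ipaddress.IPv4Network):
        return ipaddress.ip_address(value) in field
    return field == value

def evaluate(acl, pkt):
    """First-match lookup; returns (rule_index, action) of the rule that fired."""
    for i, (action, proto, snet, sport, dnet, dport) in enumerate(acl):
        if (_match(proto, pkt.proto) and _match(snet, pkt.src) and _match(sport, pkt.sport)
                and _match(dnet, pkt.dst) and _match(dport, pkt.dport)):
            return i, action
    return None  # only reachable if the ACL has no catch-all

CLIENTS = ipaddress.ip_network("172.18.0.0/24")
SERVERS = ipaddress.ip_network("172.16.0.0/24")
CATCH_ALL = ("allow", "any", "any", "any", "any", "any")  # the OP's trailing allow-any

# Forward rule plus a correctly mirrored return rule (source and destination swapped).
CORRECT = [("allow", "tcp", CLIENTS, "any", SERVERS, 443),
           ("allow", "tcp", SERVERS, 443, CLIENTS, "any"), CATCH_ALL]
# Return rule written without swapping source and destination: it can never match a SYN-ACK.
WRONG = [("allow", "tcp", CLIENTS, "any", SERVERS, 443),
         ("allow", "tcp", CLIENTS, 443, SERVERS, "any"), CATCH_ALL]

def handshake_rule_hits(acl):
    """Which rule index fires for the client's SYN and for the server's SYN-ACK."""
    syn = Packet("tcp", "172.18.0.10", 51000, "172.16.0.5", 443)      # constructed hosts
    syn_ack = Packet("tcp", "172.16.0.5", 443, "172.18.0.10", 51000)
    return tuple(evaluate(acl, p)[0] for p in (syn, syn_ack))
```

With the correct list the SYN-ACK hits the mirrored rule (index 1); with the wrong list it falls through to the catch-all (index 2), so the return traffic is only allowed because of that final allow-any and would be dropped if the list ended in a deny.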

I think for return it should be OK because at the END of the ACL I have Allow any any any any any, isn't it?

kav noroozi

So you mean something like this?

[attachment: MS120 ACL-4.PNG]

kav noroozi
PhilipDAth
Kind of a big deal

Yes, that looks much better to me now.

Hi Philip, did you see my msg?

kav noroozi