Moving ACL from Cisco 3750 to MS425

Paul_N
Here to help

Hi All,

I have a Cisco 3750, which is moving to an MS425.
There are some old ACLs, and I don't know how to convert them into MS425.


!
ip access-list AAA
permit 10.x.x.x 0.0.0.255
deny 10.x.x.x 0.0.0.255
deny 10.x.x.0 0.0.0.255
permit 10.x.x.0 0.0.3.255
permit 172.x.x.x 0.0.0.31
permit 10.x.x.0 0.0.0.255
permit 10.x.x.0 0.0.0.255
permit 10.x.x.0 0.0.0.127
permit 10.x.x.0 0.0.0.255
permit 10.x.x.0 0.0.0.255
permit 10.x.x.0 0.0.0.255
permit 10.x.x.0 0.0.0.63
deny any log


This is what I have on MS at the moment, which has no ACL:

[Screenshot: Paul_N_0-1669869606239.png, the MS switch ACL page]


What would be the source, destination, and port for such a Cisco ACL?

Regards,
Paul 

Brash
Kind of a big deal

For the IP Access List that you have configured on the 3750, it's all IP traffic, not specific ports.

So for the Port, you would use "Any"


In regards to source and destination, it depends where your IP access list is applied in the 3750.

You'll have to identify which interface/SVI it's applied to and whether it's applied inbound or outbound.

Once you have that knowledge, you can then map the individual rules across to the Meraki ACL.

Hi Brash,
Thanks for your reply.

I checked, and ACLs are mapped to an SVI that is not used anymore. So I don't need to Map them!

Appreciate your time and help:) 

KarstenI
Kind of a big deal

The most important question is where this ACL is applied. Keep in mind that in the Meraki world, you don't apply an ACL to a switch. You apply the ACL to the switches in the network.


And this line 

permit 172.x.x.x 0.0.0.31

could be wrong (at least if you want to act on the RFC1918 range) and perhaps should be 

permit 172.x.x.x 0.0.0.15


Hi Karstenl,

Thanks for your reply.

I checked, and ACLs are mapped to an SVI that is not used anymore. So I don't need to Map them!

Appreciate your time and help:) 

JustinBennett
Here to help

It may assist others to fully explain the differences.


The Meraki ACL rules refer to IP addresses and subnets using CIDR notation. It allows you to only block or allow traffic between networks - not just on a single switch. It's good, for example, for "securing camera traffic" or "protecting guest subnets from cross-network communication to other LAN clients".


The Catalyst ACL uses a wildcard format that is like a reversed subnet mask. It allows you to apply the list to virtual routing, ports, SVI interfaces, VLANs, and management services on a single switch.


As @KarstenI mentioned, the ACL will be applied to every switch - not just one. It also has a single purpose of blocking or allowing traffic. You need to see what the Catalyst ACL is protecting and see if it's still relevant. You can translate the wildcard rules to CIDR notation to put them in Meraki (you can easily google "wildcard subnet calculator" to find an online tool to convert them), but you want to ensure you understand the entire network impact this will have. Once installed, all the switches will get the ACL traffic rules.

Ref: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-1_14_ea1/configu...
Ref: https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation
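As an added worked example of the wildcard-to-CIDR translation described above (not code from the thread or from Cisco/Meraki), the script below converts each line of a standard Cisco ACL into a Meraki-style rule, clears host bits the way IOS does, and rejects non-contiguous wildcards that have no CIDR equivalent. The sample ACL addresses are constructed, and the rule dictionary keys are an assumption that mirrors the dashboard's policy / protocol / source / destination columns.

```python
import ipaddress

# Constructed sample modelled on the thread's redacted listing; addresses are made up.
SAMPLE_ACL = """\
ip access-list standard AAA
 permit 10.10.1.0 0.0.0.255
 deny 10.10.2.0 0.0.0.255
 permit 10.10.4.0 0.0.3.255
 permit 172.16.5.0 0.0.0.31
 permit 10.10.9.77 0.0.0.63
 permit 192.168.1.0 0.0.255.0
 deny any log
"""

def wildcard_to_cidr(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco address + wildcard pair into the CIDR network Meraki expects."""
    wc = int(ipaddress.IPv4Address(wildcard))
    # A wildcard is an inverted mask: 0 bits then 1 bits, i.e. 2**k - 1. Anything
    # else (e.g. 0.0.255.0) matches a non-contiguous set and has no CIDR form.
    if wc & (wc + 1):
        raise ValueError(f"wildcard {wildcard} is not contiguous; no CIDR equivalent")
    prefix = 32 - wc.bit_length()
    # strict=False clears host bits, as IOS ignores address bits wherever the
    # wildcard has a 1 (10.10.9.77 0.0.0.63 -> 10.10.9.64/26).
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def convert_standard_acl(text: str):
    """Map each permit/deny line to a Meraki-style rule; returns (rules, problems).
    Rule keys are illustrative (assumption), mirroring the dashboard's columns."""
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # header ("ip access-list ...") or blank line
        try:
            if parts[1] == "any":
                src = "any"
            elif parts[1] == "host":
                src = str(wildcard_to_cidr(parts[2], "0.0.0.0"))
            else:  # bare "permit A.B.C.D" with no wildcard means a single host
                wc = parts[2] if len(parts) > 2 and parts[2] != "log" else "0.0.0.0"
                src = str(wildcard_to_cidr(parts[1], wc))
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        # Standard ACLs filter on source only, so destination and ports are "any".
        rules.append({"policy": "allow" if parts[0] == "permit" else "deny",
                      "protocol": "any", "src": src, "src_port": "any",
                      "dst": "any", "dst_port": "any", "log": "log" in parts})
    return rules, problems
```

Run it on the real listing and review the "problems" list before entering anything in the dashboard; a non-contiguous wildcard needs a manual rewrite into several CIDR rules.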

GIdenJoe
Kind of a big deal

Don't forget that Meraki ACLs are basically a collection of VACLs (VLAN ACLs). So basically it's a giant port ACL that is applied to every port, depending on the input VLAN if defined.

This means you can block intra-VLAN traffic, which is different from a RACL (routed ACL) you applied on your 3750 SVI.
