Question about ACL allow rules

Solved
Trust
Comes here often

Question about ACL allow rules

Hi,
I don't want all clients to be able to access each other.
Only clients defined by me should have these rights.

Do I always have to create rules for both directions?

 

Trust_0-1684317987432.png

it does not work like that

 

Trust_2-1684318087442.png

With this setting it works

 

I am a bit surprised because I only have to configure one direction in the appliance firewall.

Trust_3-1684318387832.png

I hope you can briefly explain the differences.

Thanks a lot

 

1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal

I noticed this:

 

Stateless Operation

ACLs configured on Meraki switches operate statelessly: each packet is evaluated individually. Thus while traffic may be allowed in one direction, the response can still be blocked. When creating ACL rules, it is important to keep this in mind and create rules that allow desired traffic in both directions.

 

So you really need to create in both directions.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal

No, it's not necessary to create on both directions.

 

https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Hi alemabrahao,

then I don't understand something correctly.

I would like to block the clients in the subnet 10.99.28.0/24 from accessing each other. Only 10.99.28.2 should have access to 10.99.28.3.


Here are the two clients with the following rules:

Trust_0-1684320005154.pngTrust_1-1684320064507.png

 

 

and now I have deleted a rule

Trust_2-1684320263372.png

 

Trust_3-1684320307983.png

 

alemabrahao
Kind of a big deal
Kind of a big deal

The most specific rule should be at the top.

 

Your rule looks ok. But what is the source IP that you are testing?

 

A question, what is the network gateway? Is it switch itself? If not, you must create the ACL on the device that is the network gateway.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Delete

Sorry, I didn't read your whole post.

I test the connection in both directions


The gateway is on the switch where I also configure the ACL.
The DHCP server is on the MX. But that should not matter

 

Trust_0-1684321549169.png

 

alemabrahao
Kind of a big deal
Kind of a big deal

I noticed this:

 

Stateless Operation

ACLs configured on Meraki switches operate statelessly: each packet is evaluated individually. Thus while traffic may be allowed in one direction, the response can still be blocked. When creating ACL rules, it is important to keep this in mind and create rules that allow desired traffic in both directions.

 

So you really need to create in both directions.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Ah ok I didn't read that. But I already thought so.
Thanks a lot

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels