Meraki

Community

Question about ACL allow rules

Solved
Trust
Comes here often
‎May 17 2023 3:13 AM
‎May 17 2023 3:13 AM

Question about ACL allow rules

Hi,
I don't want all clients to be able to access each other.
Only clients defined by me should have these rights.

Do I always have to create rules for both directions?

 

Trust_0-1684317987432.png

it does not work like that

 

Trust_2-1684318087442.png

With this setting it works

 

I am a bit surprised because I only have to configure one direction in the appliance firewall.

Trust_3-1684318387832.png

I hope you can briefly explain the differences.

Thanks a lot

 

Labels:
0 Kudos
1 Accepted Solution
In response to Trust
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 4:13 AM
‎May 17 2023 4:13 AM

I noticed this:

 

Stateless Operation

ACLs configured on Meraki switches operate statelessly: each packet is evaluated individually. Thus while traffic may be allowed in one direction, the response can still be blocked. When creating ACL rules, it is important to keep this in mind and create rules that allow desired traffic in both directions.

 

So you really need to create in both directions.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 3:25 AM
‎May 17 2023 3:25 AM

No, it's not necessary to create on both directions.

 

https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Trust
Comes here often
‎May 17 2023 3:45 AM
‎May 17 2023 3:45 AM

Hi alemabrahao,

then I don't understand something correctly.

I would like to block the clients in the subnet 10.99.28.0/24 from accessing each other. Only 10.99.28.2 should have access to 10.99.28.3.


Here are the two clients with the following rules:

Trust_0-1684320005154.pngTrust_1-1684320064507.png

 

 

and now I have deleted a rule

Trust_2-1684320263372.png

 

Trust_3-1684320307983.png

 

0 Kudos
In response to Trust
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 3:53 AM
‎May 17 2023 3:53 AM

The most specific rule should be at the top.

 

Your rule looks ok. But what is the source IP that you are testing?

 

A question, what is the network gateway? Is it switch itself? If not, you must create the ACL on the device that is the network gateway.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Trust
Comes here often
‎May 17 2023 3:57 AM
‎May 17 2023 3:57 AM

Delete

0 Kudos
In response to alemabrahao
Trust
Comes here often
‎May 17 2023 4:06 AM
‎May 17 2023 4:06 AM

Sorry, I didn't read your whole post.

I test the connection in both directions


The gateway is on the switch where I also configure the ACL.
The DHCP server is on the MX. But that should not matter

 

Trust_0-1684321549169.png

 

0 Kudos
In response to Trust
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 4:13 AM
‎May 17 2023 4:13 AM

I noticed this:

 

Stateless Operation

ACLs configured on Meraki switches operate statelessly: each packet is evaluated individually. Thus while traffic may be allowed in one direction, the response can still be blocked. When creating ACL rules, it is important to keep this in mind and create rules that allow desired traffic in both directions.

 

So you really need to create in both directions.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Trust
Comes here often
‎May 17 2023 4:15 AM
‎May 17 2023 4:15 AM

Ah ok I didn't read that. But I already thought so.
Thanks a lot

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.