Question about ACL allow rules
Hi,
I don't want all clients to be able to access each other.
Only clients defined by me should have these rights.
Do I always have to create rules for both directions?
It does not work like that.
With this setting it works.
I am a bit surprised because I only have to configure one direction in the appliance firewall.
I hope you can briefly explain the differences.
Thanks a lot
Labels: ACLs
No, it's not necessary to create them in both directions.
https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation
Please, if this post was useful, leave your kudos and mark it as solved.
Hi alemabrahao,
Then I don't understand something correctly.
I would like to block the clients in the subnet 10.99.28.0/24 from accessing each other. Only 10.99.28.2 should have access to 10.99.28.3.
Here are the two clients with the following rules:
And now I have deleted a rule:
The most specific rule should be at the top.
Your rule looks ok. But what is the source IP that you are testing?
A question, what is the network gateway? Is it switch itself? If not, you must create the ACL on the device that is the network gateway.
Please, if this post was useful, leave your kudos and mark it as solved.
Sorry, I didn't read your whole post.
I test the connection in both directions.
The gateway is on the switch where I also configure the ACL.
The DHCP server is on the MX, but that should not matter.
I noticed this:
Stateless Operation
ACLs configured on Meraki switches operate statelessly: each packet is evaluated individually. Thus while traffic may be allowed in one direction, the response can still be blocked. When creating ACL rules, it is important to keep this in mind and create rules that allow desired traffic in both directions.
So you really need to create them in both directions.
Please, if this post was useful, leave your kudos and mark it as solved.
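An added example (not from this thread and not Meraki code) that models the difference the original poster asks about: a top-down, first-match, stateless rule lookup like the switch ACL, applied to the 10.99.28.2 / 10.99.28.3 scenario, beside a simple stateful model of how an appliance firewall admits return traffic. The rule format, the default "allow" for unmatched traffic and the flow table are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Constructed rule sets for the thread's scenario: only 10.99.28.2 may reach
# 10.99.28.3, everything else inside 10.99.28.0/24 is blocked.
# Rules are evaluated top-down, first match wins (most specific rule on top).
ONE_WAY = [
    ("allow", "10.99.28.2/32", "10.99.28.3/32"),
    ("deny",  "10.99.28.0/24", "10.99.28.0/24"),
]
TWO_WAY = [
    ("allow", "10.99.28.2/32", "10.99.28.3/32"),
    ("allow", "10.99.28.3/32", "10.99.28.2/32"),  # explicit rule for the reply
    ("deny",  "10.99.28.0/24", "10.99.28.0/24"),
]

def match(rules, src, dst, default="allow"):
    """Look up one packet against the rule list; the packet is judged alone.
    The default action for unmatched traffic is an assumption of this example."""
    for action, s, d in rules:
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return action
    return default

def stateless_exchange(rules, client, server):
    """Stateless model (the switch ACL): request and reply are evaluated
    independently, so the reply needs its own matching allow rule."""
    return match(rules, client, server), match(rules, server, client)

def stateful_exchange(rules, client, server):
    """Stateful model (appliance-style): an allowed request creates a flow
    entry, and the reply is admitted because it belongs to that flow."""
    flows = set()
    request = match(rules, client, server)
    if request == "allow":
        flows.add((client, server))
    reply = "allow" if (client, server) in flows else match(rules, server, client)
    return request, reply

if __name__ == "__main__":
    # With only the forward rule the switch drops the reply; the appliance
    # model passes it because it remembers the flow.
    print("stateless, one-way rule:", stateless_exchange(ONE_WAY, "10.99.28.2", "10.99.28.3"))
    print("stateless, two-way rules:", stateless_exchange(TWO_WAY, "10.99.28.2", "10.99.28.3"))
    print("stateful,  one-way rule:", stateful_exchange(ONE_WAY, "10.99.28.2", "10.99.28.3"))
    # Any other host in the subnet stays blocked in both directions.
    print("stateless, other client:", stateless_exchange(TWO_WAY, "10.99.28.5", "10.99.28.3"))
```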
Ah ok, I didn't read that. But I already thought so.
Thanks a lot