Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Question about ACL allow rules

Solved
Trust
Comes here often
‎May 17 2023 3:13 AM
‎May 17 2023 3:13 AM

Question about ACL allow rules

Hi,
I don't want all clients to be able to access each other.
Only clients defined by me should have these rights.

Do I always have to create rules for both directions?

 

Trust_0-1684317987432.png

it does not work like that

 

Trust_2-1684318087442.png

With this setting it works

 

I am a bit surprised because I only have to configure one direction in the appliance firewall.

Trust_3-1684318387832.png

I hope you can briefly explain the differences.

Thanks a lot

 

Labels:
0 Kudos
Subscribe
1 Accepted Solution
In response to Trust
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 4:13 AM
‎May 17 2023 4:13 AM

I noticed this:

 

Stateless Operation

ACLs configured on Meraki switches operate statelessly: each packet is evaluated individually. Thus while traffic may be allowed in one direction, the response can still be blocked. When creating ACL rules, it is important to keep this in mind and create rules that allow desired traffic in both directions.

 

So you really need to create in both directions.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

Subscribe
7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 3:25 AM
‎May 17 2023 3:25 AM

No, it's not necessary to create on both directions.

 

https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
Trust
Comes here often
‎May 17 2023 3:45 AM
‎May 17 2023 3:45 AM

Hi alemabrahao,

then I don't understand something correctly.

I would like to block the clients in the subnet 10.99.28.0/24 from accessing each other. Only 10.99.28.2 should have access to 10.99.28.3.


Here are the two clients with the following rules:

Trust_0-1684320005154.pngTrust_1-1684320064507.png

 

 

and now I have deleted a rule

Trust_2-1684320263372.png

 

Trust_3-1684320307983.png

 

0 Kudos
Subscribe
In response to Trust
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 3:53 AM
‎May 17 2023 3:53 AM

The most specific rule should be at the top.

 

Your rule looks ok. But what is the source IP that you are testing?

 

A question, what is the network gateway? Is it switch itself? If not, you must create the ACL on the device that is the network gateway.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
Trust
Comes here often
‎May 17 2023 3:57 AM
‎May 17 2023 3:57 AM

Delete

0 Kudos
Subscribe
In response to alemabrahao
Trust
Comes here often
‎May 17 2023 4:06 AM
‎May 17 2023 4:06 AM

Sorry, I didn't read your whole post.

I test the connection in both directions


The gateway is on the switch where I also configure the ACL.
The DHCP server is on the MX. But that should not matter

 

Trust_0-1684321549169.png

 

0 Kudos
Subscribe
In response to Trust
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 17 2023 4:13 AM
‎May 17 2023 4:13 AM

I noticed this:

 

Stateless Operation

ACLs configured on Meraki switches operate statelessly: each packet is evaluated individually. Thus while traffic may be allowed in one direction, the response can still be blocked. When creating ACL rules, it is important to keep this in mind and create rules that allow desired traffic in both directions.

 

So you really need to create in both directions.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
In response to alemabrahao
Trust
Comes here often
‎May 17 2023 4:15 AM
‎May 17 2023 4:15 AM

Ah ok I didn't read that. But I already thought so.
Thanks a lot

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.