Switch ACL - how does it work
Hi,
In reading this doc: https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation
It's not clear to me how these ACLs are applied. I'm assuming this is all L3 traffic - so are the ACL applied on all ports? If so, is it only applied when an L3 interface is created. It states that "Any traffic passing through the switch will be evaluated. Even traffic that is not routed." Passing in which direction (outbound or inbound)?
Thanks in advance,
-Jerome
ACLs are available on L2 only switches, so these are not tied to an L3 SVI on a switch.
This is a good question and I've never had to dig into the answer before... I've used these ACLs a few times and they do what they are supposed to do. So thinking about it I would hazard a guess that the ACLs are applied somewhere in the ingress side of the switch backplane, before a MAC table lookup is done to determine egress port (egress port being one of the physical ports for L2 forwarding, or an SVI for L3 forwarding).
One big thing to remember with these ACLs is that they are stateless.
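The two properties this answer calls out, evaluation on ingress before the forwarding decision and statelessness, are easiest to see with a small model. The following is an added example, not code from the original thread or from Meraki: a first-match evaluator over rules shaped like the dashboard's ACL fields (policy, protocol, srcCidr, srcPort, dstCidr, dstPort, vlan; the key names and the trailing default-allow are my assumptions). It evaluates both halves of a TCP handshake separately, exactly as a stateless ACL does, and shows that a rule set which only permits the client-to-server direction silently drops the server's SYN-ACK until an explicit return rule is added. The `ignore_vlan_rules` switch models the MS390 behaviour mentioned later in the thread, and `ace_limit_ok` enforces the 128-ACE per-network limit quoted there.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Per-network ACE limit quoted in the thread.
MAX_ACES_PER_NETWORK = 128


@dataclass(frozen=True)
class Packet:
    """One frame as it enters a switch port (constructed sample data below)."""
    src_ip: str
    dst_ip: str
    protocol: str            # "tcp" | "udp" | "icmp"
    src_port: Optional[int]  # None for protocols without ports
    dst_port: Optional[int]
    vlan: int                # VLAN the frame is tagged/assigned to on ingress


def _cidr_match(spec, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port: Optional[int]) -> bool:
    return spec == "any" or (port is not None and int(spec) == port)


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """All five-tuple fields plus VLAN must match; 'any' is a wildcard."""
    proto = rule.get("protocol", "any")
    if proto != "any" and proto != pkt.protocol:
        return False
    vlan = rule.get("vlan", "any")
    return (
        _cidr_match(rule.get("srcCidr", "any"), pkt.src_ip)
        and _cidr_match(rule.get("dstCidr", "any"), pkt.dst_ip)
        and _port_match(rule.get("srcPort", "any"), pkt.src_port)
        and _port_match(rule.get("dstPort", "any"), pkt.dst_port)
        and (vlan == "any" or int(vlan) == pkt.vlan)
    )


def ace_limit_ok(rules: list) -> bool:
    return len(rules) <= MAX_ACES_PER_NETWORK


def evaluate(rules: list, pkt: Packet, *, ignore_vlan_rules: bool = False) -> str:
    """Stateless, first-match evaluation of one ingress frame.

    ignore_vlan_rules=True models the MS390 caveat from the thread: any ACE
    that specifies a VLAN is skipped. The trailing default is 'allow'
    (assumption: the dashboard's fixed 'allow any' rule at the bottom).
    """
    if not ace_limit_ok(rules):
        raise ValueError(f"{len(rules)} ACEs exceeds the {MAX_ACES_PER_NETWORK} per-network limit")
    for rule in rules:
        if ignore_vlan_rules and rule.get("vlan", "any") != "any":
            continue
        if rule_matches(rule, pkt):
            return rule["policy"]
    return "allow"


# Constructed policy: clients in 10.0.10.0/24 may reach the web server on tcp/443;
# servers must never initiate to clients; nothing else may reach the server subnet.
ALLOW_CLIENT_TO_WEB = {"policy": "allow", "protocol": "tcp", "srcCidr": "10.0.10.0/24",
                       "srcPort": "any", "dstCidr": "10.0.20.5/32", "dstPort": 443, "vlan": "any"}
DENY_SERVERS_TO_CLIENTS = {"policy": "deny", "protocol": "any", "srcCidr": "10.0.20.0/24",
                           "srcPort": "any", "dstCidr": "10.0.10.0/24", "dstPort": "any", "vlan": "any"}
DENY_ALL_TO_SERVERS = {"policy": "deny", "protocol": "any", "srcCidr": "any", "srcPort": "any",
                       "dstCidr": "10.0.20.0/24", "dstPort": "any", "vlan": "any"}
# The ACE a stateless ACL needs for the reply direction (source port pinned to 443).
ALLOW_WEB_REPLIES = {"policy": "allow", "protocol": "tcp", "srcCidr": "10.0.20.5/32",
                     "srcPort": 443, "dstCidr": "10.0.10.0/24", "dstPort": "any", "vlan": "any"}

FORWARD_ONLY = [ALLOW_CLIENT_TO_WEB, DENY_SERVERS_TO_CLIENTS, DENY_ALL_TO_SERVERS]
WITH_RETURN = [ALLOW_CLIENT_TO_WEB, ALLOW_WEB_REPLIES, DENY_SERVERS_TO_CLIENTS, DENY_ALL_TO_SERVERS]

# Constructed handshake: SYN enters an access port in VLAN 10, SYN-ACK enters in VLAN 20.
CLIENT_SYN = Packet("10.0.10.7", "10.0.20.5", "tcp", 51234, 443, vlan=10)
SERVER_SYNACK = Packet("10.0.20.5", "10.0.10.7", "tcp", 443, 51234, vlan=20)

# Constructed intra-VLAN case: block ping between hosts inside VLAN 10.
VLAN_RULES = [{"policy": "deny", "protocol": "icmp", "srcCidr": "any", "srcPort": "any",
               "dstCidr": "any", "dstPort": "any", "vlan": 10}]
PING_IN_VLAN_10 = Packet("10.0.10.7", "10.0.10.9", "icmp", None, None, vlan=10)


def session_verdicts(rules: list) -> tuple:
    """Verdict for each direction of the handshake; a stateful firewall would
    need only the first, a stateless ACL evaluates both independently."""
    return evaluate(rules, CLIENT_SYN), evaluate(rules, SERVER_SYNACK)


if __name__ == "__main__":
    print("forward-only rules:", session_verdicts(FORWARD_ONLY))   # ('allow', 'deny')
    print("with return rule:  ", session_verdicts(WITH_RETURN))    # ('allow', 'allow')
    print("ping in VLAN 10, generic MS:", evaluate(VLAN_RULES, PING_IN_VLAN_10))
    print("ping in VLAN 10, MS390 model:", evaluate(VLAN_RULES, PING_IN_VLAN_10, ignore_vlan_rules=True))
```

Two things the model makes concrete: the return rule has to pin the server's source port, otherwise it reopens the server-to-client direction the deny rule was meant to close; and because the ACL set is network-wide and applied at every ingress port, each switch the reply traverses evaluates it again, so the return ACE is needed regardless of where the SVI lives.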
They are L4 ACLs as you can specify the src/dst port to filter on.
I think it applies on inbound traffic across all physical ports.
so if that ACL applies to all Layer2 switchports it is used as a so called PACL - correct?
Port ACLs perform access control on all traffic entering the specified Layer 2 port. PACLs can provide access control based on the Layer 3 addresses (for IP protocols)...
That would make sense because the documentation states that traffic between clients which are located in the same VLAN (intra-VLAN communication) could also be blocked!
What I'm asking myself...
1) Does anyone know how the usage of that function will affect the performance of the switches?
2) When using a Layer 3 core switch with SVIs (acting as the default gateway), is there a possibility to only configure an ACL on the core as well and not influence the passing traffic at the access edge?
1) Generally the impact will be minimal as most of this is done in ASICs, there may be a small overhead for the first packet when the forwarding tables are populated. (I’m not fully up to speed on the MS switches, and it’s probably different for the MS390 switches too).
2) Not that I’m aware of, all ACLs configured on a network are applied to all switches in that network. Note the limitation of ‘Maximum ACL limit is 128 access control entries (ACEs) per network’. Also with the MS390, note that it currently ignores any ACLs where a VLAN is specified.
Thanks Gents! This helps clear up some of my understanding of how these ACLs work.
