Switch ACL - how does it work

SOLVED
diablo24
Building a reputation

Hi,

In reading this doc: https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation

It's not clear to me how these ACLs are applied. I'm assuming this is all L3 traffic, so are the ACLs applied on all ports? If so, are they only applied when an L3 interface is created? It states that "Any traffic passing through the switch will be evaluated. Even traffic that is not routed." Passing in which direction (outbound or inbound)?

Thanks in advance,

-Jerome

1 ACCEPTED SOLUTION
jdsilva
Kind of a big deal

ACLs are available on L2 only switches, so these are not tied to an L3 SVI on a switch. 

This is a good question and I've never had to dig into the answer before... I've used these ACLs a few times and they do what they are supposed to do. So thinking about it I would hazard a guess that the ACLs are applied somewhere in the ingress side of the switch backplane, before a MAC table lookup is done to determine egress port (egress port being one of the physical ports for L2 forwarding, or an SVI for L3 forwarding). 

One big thing to remember with these ACLs is that they are stateless. 

5 REPLIES
PhilipDAth
Kind of a big deal

They are L4 ACLs as you can specify the src/dst port to filter on.

I think it applies on inbound traffic across all physical ports.

so if that ACL applies to all Layer2 switchports it is used as a so called PACL - correct?

Port ACLs perform access control on all traffic entering the specified Layer 2 port. PACLs can provide access control based on the Layer 3 addresses (for IP protocols)...

That would make sense because the documentation states that also traffic between clients which are located in the same VLAN (intra-VLAN communication) could be blocked!

What I'm asking myself...

1) does anyone know how the usage of that function will affect the performance of the switches?

2) when using a Layer 3 core switch w/ SVIs (= acting as standard gateway) is there a possibility to only configure an ACL on the core as well and not influence the passing traffic at the access edge?

Bruce
Kind of a big deal

1) Generally the impact will be minimal as most of this is done in ASICs, there may be a small overhead for the first packet when the forwarding tables are populated. (I’m not fully up to speed on the MS switches, and it’s probably different for the MS390 switches too).

2) Not that I’m aware of, all ACLs configured on a network are applied to all switches in that network. Note the limitation of ‘Maximum ACL limit is 128 access control entries (ACEs) per network’. Also with the MS390, note that it currently ignores any ACLs where a VLAN is specified.
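A toy model of the behaviour the replies above describe (L4 match fields, stateless first-match evaluation on ingress at every port, the 128-ACE per-network cap), added here as an illustration and not code from Meraki's firmware or documentation; the field names, the "any" wildcard and the trailing allow-any default are assumptions, and the addresses are constructed samples.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

MAX_ACES = 128  # per-network ACE limit quoted in the thread

# One access control entry; "any" is a wildcard for every field but policy (assumed field set).
Ace = namedtuple("Ace", "policy proto src src_port dst dst_port vlan", defaults=["any"] * 6)
# An ingress packet as the switch would classify it (hypothetical field set).
Packet = namedtuple("Packet", "proto src src_port dst dst_port vlan")

def _in_net(rule, addr):
    return rule == "any" or ip_address(addr) in ip_network(rule, strict=False)

def _eq(rule, value):
    return rule == "any" or rule == value

def ace_matches(ace, pkt):
    """L3/L4 match, including the optional VLAN qualifier."""
    return (_eq(ace.proto, pkt.proto) and _in_net(ace.src, pkt.src)
            and _eq(ace.src_port, pkt.src_port) and _in_net(ace.dst, pkt.dst)
            and _eq(ace.dst_port, pkt.dst_port) and _eq(ace.vlan, pkt.vlan))

class SwitchAcl:
    """Stateless, first-match ACL applied on ingress at every port."""
    def __init__(self, aces, default="allow"):  # trailing allow-any is an assumption
        if len(aces) > MAX_ACES:
            raise ValueError(f"more than {MAX_ACES} ACEs in one network")
        self.aces, self.default = list(aces), default

    def evaluate(self, pkt):
        for ace in self.aces:  # no session table: every packet is judged on its own
            if ace_matches(ace, pkt):
                return ace.policy
        return self.default

def demo():
    """Constructed sample: request allowed, its reply dropped, same-VLAN SSH dropped."""
    acl = SwitchAcl([
        Ace("allow", "tcp", src="10.0.20.0/24", dst="10.0.10.5/32", dst_port=443),
        Ace("deny", src="10.0.20.0/24", dst="10.0.10.0/24"),
        Ace("deny", src="10.0.10.0/24", dst="10.0.20.0/24"),  # also catches the reply
        Ace("deny", "tcp", dst_port=22, vlan=10),  # hits L2-switched traffic, not just routed
    ])
    req = Packet("tcp", "10.0.20.7", 50000, "10.0.10.5", 443, 20)
    rep = Packet("tcp", "10.0.10.5", 443, "10.0.20.7", 50000, 10)
    ssh = Packet("tcp", "10.0.10.9", 40000, "10.0.10.5", 22, 10)
    return {"request": acl.evaluate(req), "reply": acl.evaluate(rep),
            "intra_vlan_ssh": acl.evaluate(ssh)}
```

Because there is no connection tracking, the reply in `demo()` is dropped until a rule permitting the return direction is added ahead of the deny entries.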

diablo24
Building a reputation

@jdsilva @PhilipDAth

Thanks Gents! This helps clear up some of my understanding of how these ACLs work.
