Meraki MR - L3/L7 ACL
Hello Experts,
In the L3/L7 ACL processing order, does it match the 'Default permit any' rule in the L3 ACL, or just the configured ones?
I have referred to the document below but could not see any example where no L3 rule matches but an L7 rule does.
Source is 10.10.10.10, destination is 1.1.1.1, URL category is Email.
There is no L3 ACL, but there is an L7 ACL which blocks the Email category. Will the above packet pass to L7, or will it match the default any rule in L3 and bypass L7? Also, what about return traffic, will that be allowed by default?
Does reverse traffic also get evaluated in the L3/L7 ACL?
-Pavan
Traffic Allowed by Default
By default, outbound traffic will be allowed through the firewall unless explicitly blocked by at least one L3 or L7 rule. In this example, SSH (TCP port 22) traffic will be allowed through the firewall because there are no configured L3 or L7 rules that act upon it.
Layer 3 Rules
- No Match
- No Match
- No Match
Layer 7 Rules
- No Match
Traffic Blocked by Layer 3 Rule
In this example, SMTP traffic (TCP port 25) will be blocked by the L3 firewall, because rule 3 under layer 3 explicitly blocks it. Layer 7 rules would be ignored because the traffic has already been blocked.
Layer 3 Rules
- No Match
- No Match
- Matched - Traffic blocked
Layer 7 Rules
- Not processed because traffic was already blocked
Traffic Blocked by Layer 7 Rule
The MR access point and MX security appliance differ slightly in their processing of L7 firewall rules after the L3 firewall. On the MR, if traffic matches an allow rule on the L3 firewall, that traffic will bypass the L7 firewall altogether.
On MR, default L3 rules do not act as a bypass for L7 rules. Only custom allow rules will bypass L7 rules.
On the MX, if traffic matches an allow rule on the L3 firewall, it can still be blocked by an L7 firewall rule.
On the MX, HTTP traffic (TCP port 80) to Facebook.com will be blocked by the L7 firewall, because rule 1 under layer 7 explicitly blocks it, even though the traffic was allowed through the layer 3 firewall.
Layer 3 Rules
- Matched - Traffic allowed through L3 firewall
- Not processed
- Not processed
Layer 7 Rules
- Matched - Traffic blocked
On the MR, HTTP traffic (TCP port 80) to Facebook.com will be allowed through the firewall, because rule 1 under layer 3 explicitly allows it.
Layer 3 Rules
- Matched - Traffic allowed through L3 firewall
- Not processed
- Not processed
Layer 7 Rules
- Not processed because traffic was already allowed
Please, if this post was useful, leave your kudos and mark it as solved.
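A small model of the processing order this answer describes, added here as an illustration and not Meraki's code or the document's: L3 rules are checked top-down, a deny stops processing, a custom allow bypasses L7 on MR but not on MX, and the implicit default permit never bypasses L7. The rule and packet shapes (protocol, destination port, L7 category) are simplified assumptions, and L7 rules are modelled as deny rules as in the document's examples.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class L3Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Optional[int]     # None matches any destination port

    def matches(self, pkt: "Packet") -> bool:
        return self.proto in ("any", pkt.proto) and self.dst_port in (None, pkt.dst_port)

@dataclass
class L7Rule:
    category: str               # L7 rules here deny one application/URL category

    def matches(self, pkt: "Packet") -> bool:
        return self.category == pkt.category

@dataclass
class Packet:
    proto: str
    dst_port: int
    category: str = ""          # category the L7 engine classified the flow as (assumed)

def evaluate(pkt, l3_rules, l7_rules, platform):
    """Return (verdict, reason) for outbound traffic on an 'MR' or 'MX'.
    L3 rules are checked top-down; a deny stops everything. A matching
    custom allow bypasses L7 on MR only. No match falls through to the
    default permit, which never bypasses L7 on either platform."""
    hit = next(((i, r) for i, r in enumerate(l3_rules, 1) if r.matches(pkt)), None)
    if hit is None:
        l3 = "L3 default permit (no L7 bypass)"
    else:
        i, rule = hit
        if rule.action == "deny":
            return "blocked", f"L3 rule {i} deny; L7 not processed"
        if platform == "MR":
            return "allowed", f"L3 rule {i} allow; L7 bypassed on MR"
        l3 = f"L3 rule {i} allow"
    for j, rule in enumerate(l7_rules, 1):
        if rule.matches(pkt):
            return "blocked", f"{l3}; L7 rule {j} blocked"
    return "allowed", f"{l3}; no L7 match"

if __name__ == "__main__":
    # Constructed sample: the asker's scenario, no L3 rules and an L7 Email block on MR.
    print(evaluate(Packet("tcp", 25, "Email"), [], [L7Rule("Email")], "MR"))
```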
I have gone through the document.
What if there is no match in the L3 ACL? If there is traffic on port 513 and no matching L3 ACL rule, will it match the default permit L3 rule and bypass L7, or will it go to L7 as there is no match in L3?
And what about reverse traffic? Because the ACLs we configure in MR are destination-based, will return traffic be allowed by default?
Please, if this post was useful, leave your kudos and mark it as solved.
What if there is no match in the L3 ACL? If there is traffic on port 513 and no matching L3 ACL rule, will it match the default permit L3 rule and bypass L7, or will it go to L7 as there is no match in L3?
Layer 3 Rules
- No match
- No match
- No match
- Does the default permit rule match?
Layer 7 Rules
- Matched - Traffic blocked
Important: what about reverse traffic? Because the ACLs we configure in MR are destination-based, will return traffic be allowed by default or denied?
The answer is right in the document.
On MR, default L3 rules do not act as a bypass for L7 rules. Only custom allow rules will bypass L7 rules.
Please, if this post was useful, leave your kudos and mark it as solved.
Thanks. How does it handle return traffic? Does it follow the same pattern as mentioned in the document? If so, do we need to create L3/L7 ACLs for return traffic?
These rules are outbound rules, not inbound, so if the traffic is not blocked at the exit, the response will obviously not be blocked.
Please, if this post was useful, leave your kudos and mark it as solved.
