
ACL

Location in Dashboard: Switching >> Configure >> ACL

Switch Access Control Lists (ACLs) configuration in Meraki switches provides granular Layer 3 traffic filtering and security controls, enabling administrators to define comprehensive network access policies based on IP addresses, protocols, ports, and VLAN membership. This functionality supports both IPv4 and IPv6 traffic management with allow and deny policies, ensuring precise control over network traffic flow between different network segments and external resources. Switch ACLs are essential for implementing network segmentation, controlling inter-VLAN communication, enforcing security policies, and managing traffic flow in enterprise switching environments.

Diagram

switch (meraki.domains.organizations.networks)

Fields (Name, Type, Constraint, Mandatory, Default Value):

- access_control_lists_rules
  Type: List[access_control_lists_rules]
  Constraint: none
  Mandatory: No
  Default Value: none

access_control_lists_rules (meraki.domains.organizations.networks.switch)

Fields (Name, Type, Constraint, Mandatory, Default Value):

- comment
  Type: String
  Constraint: min: 1, max: 127
  Mandatory: No
  Default Value: none

- policy
  Type: Choice
  Constraint: allow, deny
  Mandatory: Yes
  Default Value: none

- ip_version
  Type: Choice
  Constraint: any, ipv4, ipv6
  Mandatory: No
  Default Value: none

- protocol
  Type: Choice
  Constraint: any, tcp, udp
  Mandatory: Yes
  Default Value: none

- vlan
  Type: Any
  Constraint: Integer[min: 1, max: 4094] or String[matches: `(?:[1-9][1-9][0-9][1-9][0-9]2 (remainder of the pattern and the Mandatory/Default columns are truncated in the source)

- source_cidr
  Type: String
  Constraint: Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$
  Mandatory: No
  Default Value: none

- source_port
  Type: Any
  Constraint: Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 (remainder of the pattern and the Mandatory/Default columns are truncated in the source)

- destination_cidr
  Type: String
  Constraint: Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$
  Mandatory: No
  Default Value: none

- destination_port
  Type: Any
  Constraint: Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 (remainder of the pattern and the Mandatory/Default columns are truncated in the source)

Example-1: This configuration defines access control list (ACL) rules for managing network traffic based on protocol, source, and destination criteria. The rules specify actions for IPv4 traffic and include details such as VLAN scope, allowed protocols, and destination filtering.

The first rule, labeled “tcp rules,” allows TCP traffic from any source IP and port to destination subnet 1.1.1.1/24 on port 443 and applies specifically to VLAN 100. The second rule, labeled “Test Any rule,” allows any IPv4 protocol from any source IP and port to the single host 2.1.1.1 on any destination port and applies to all VLANs.

meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              switch:
                access_control_lists_rules:
                  - comment: tcp rules
                    policy: allow
                    ip_version: ipv4
                    protocol: tcp
                    source_cidr: any
                    source_port: any
                    destination_cidr: 1.1.1.1/24
                    destination_port: "443"
                    vlan: 100
                  - comment: Test Any rule
                    policy: allow
                    ip_version: ipv4
                    protocol: any
                    source_cidr: any
                    source_port: any
                    destination_cidr: 2.1.1.1/32
                    destination_port: any
                    vlan: any
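The following Python script is an added example, not part of this page or of the Meraki data model: it checks a list of access_control_lists_rules entries against the constraints listed in the field tables above (policy, ip_version and protocol choices, the comment length, the source_cidr/destination_cidr regex, the 0-65535 port range and the 1-4094 VLAN range) before a configuration is pushed. The two rules in PAGE_RULES are transcribed from Example-1; BAD_RULE is constructed to show what a rejected entry looks like. Two things are assumptions because the page does not state them: the string form accepted for vlan and the ports is limited to "any" or a plain decimal number in range (the page's own string patterns are truncated), and the extra ipaddress check is stricter than the schema regex, which as written also accepts octets above 255 and prefixes above 32. A destination such as 1.1.1.1/24, which has host bits set, is reported as a warning rather than an error.

```python
import ipaddress
import re

# Schema constraints transcribed from the field tables on this page.
POLICIES = {"allow", "deny"}
IP_VERSIONS = {"any", "ipv4", "ipv6"}
PROTOCOLS = {"any", "tcp", "udp"}
COMMENT_MAX = 127
PORT_RANGE = (0, 65535)
VLAN_RANGE = (1, 4094)
CIDR_RE = re.compile(
    r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)"
    r"(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$"
)


def _check_int_or_any(value, lo, hi, field):
    """Integer within [lo, hi], or the string 'any' / a decimal string in range.
    The page's string patterns are truncated, so accepting only 'any' or a
    plain decimal number in string form is an assumption of this example."""
    if isinstance(value, bool):
        return [f"{field}: boolean is not a valid value"]
    if isinstance(value, int):
        return [] if lo <= value <= hi else [f"{field}: {value} outside {lo}-{hi}"]
    if isinstance(value, str):
        if value.lower() == "any":
            return []
        if value.isdigit():
            n = int(value)
            return [] if lo <= n <= hi else [f"{field}: {value} outside {lo}-{hi}"]
    return [f"{field}: unsupported value {value!r}"]


def _check_cidr(value, field):
    """Apply the page's regex, then a stricter ipaddress check (added here):
    the regex alone accepts octets above 255 and prefixes above 32."""
    errors, warnings = [], []
    if not isinstance(value, str) or not CIDR_RE.match(value):
        return [f"{field}: {value!r} does not match the schema regex"], warnings
    for item in value.split(","):
        if item.lower() == "any":
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError as exc:
            errors.append(f"{field}: {item} is not a valid IPv4 network ({exc})")
            continue
        # A prefix with host bits set is accepted by the schema, but the
        # effective network differs from what was typed, so flag it.
        if "/" in item and str(net) != item:
            warnings.append(f"{field}: {item} has host bits set; the network is {net}")
    return errors, warnings


def validate_rule(rule):
    """Return (errors, warnings) for one access_control_lists_rules entry."""
    errors, warnings = [], []
    comment = rule.get("comment")
    if comment is not None and not (1 <= len(str(comment)) <= COMMENT_MAX):
        errors.append(f"comment: length must be 1-{COMMENT_MAX}")
    for field, choices, mandatory in (
        ("policy", POLICIES, True),
        ("protocol", PROTOCOLS, True),
        ("ip_version", IP_VERSIONS, False),
    ):
        if field not in rule:
            if mandatory:
                errors.append(f"{field}: mandatory field missing")
        elif rule[field] not in choices:
            errors.append(f"{field}: {rule[field]!r} not one of {sorted(choices)}")
    for field in ("source_cidr", "destination_cidr"):
        if field in rule:
            e, w = _check_cidr(rule[field], field)
            errors += e
            warnings += w
    for field in ("source_port", "destination_port"):
        if field in rule:
            errors += _check_int_or_any(rule[field], *PORT_RANGE, field)
    if "vlan" in rule:
        errors += _check_int_or_any(rule["vlan"], *VLAN_RANGE, "vlan")
    return errors, warnings


def validate_rules(rules):
    """Map each rule index to its (errors, warnings)."""
    return {i: validate_rule(rule) for i, rule in enumerate(rules)}


# Transcribed from Example-1 on this page (YAML keys as Python dicts).
PAGE_RULES = [
    {"comment": "tcp rules", "policy": "allow", "ip_version": "ipv4", "protocol": "tcp",
     "source_cidr": "any", "source_port": "any", "destination_cidr": "1.1.1.1/24",
     "destination_port": "443", "vlan": 100},
    {"comment": "Test Any rule", "policy": "allow", "ip_version": "ipv4", "protocol": "any",
     "source_cidr": "any", "source_port": "any", "destination_cidr": "2.1.1.1/32",
     "destination_port": "any", "vlan": "any"},
]

# Constructed rule that breaks several constraints at once.
BAD_RULE = {"comment": "bad", "policy": "permit", "protocol": "tcp",
            "source_cidr": "300.1.1.1/24", "destination_port": 70000, "vlan": 5000}

if __name__ == "__main__":
    for i, (errs, warns) in validate_rules(PAGE_RULES + [BAD_RULE]).items():
        print(f"rule {i}: errors={errs} warnings={warns}")
```

Run it with no arguments to see the two page rules pass (the first with a host-bits warning) and the constructed rule rejected with one message per violated constraint; drop the `print` loop and call `validate_rules` from a CI step to fail a pipeline before the configuration reaches the dashboard.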