ACL

Location in Dashboard: Switching >> Configure >> ACL

Layer 3 Traffic Filtering

Switch Access Control Lists (ACLs) configuration in Meraki switches provides granular Layer 3 traffic filtering and security controls, enabling administrators to define comprehensive network access policies based on IP addresses, protocols, ports, and VLAN membership. This functionality supports both IPv4 and IPv6 traffic management with allow and deny policies, ensuring precise control over network traffic flow between different network segments and external resources. Switch ACLs are essential for implementing network segmentation, controlling inter-VLAN communication, enforcing security policies, and managing traffic flow in enterprise switching environments.

Diagram

Classes

switch (meraki.domains.organizations.networks)

Name	Type	Constraint	Mandatory	Default Value
access_control_lists_rules	List	`[access_control_lists_rules]`	No

access_control_lists_rules (meraki.domains.organizations.networks.switch)

Name	Type	Constraint	Mandatory	Default Value
comment	String	min: `1`, max: `127`	No
policy	Choice	`allow`, `deny`	Yes
ip_version	Choice	`any`, `ipv4`, `ipv6`	No
protocol	Choice	`any`, `tcp`, `udp`	Yes
vlan	Any	Integer[min: `1`, max: `4094`] or String[matches: `(?:[1-9]	[1-9][0-9]	[1-9][0-9]2
source_cidr	String	Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$`	No
source_port	Any	Integer[min: `0`, max: `65535`] or String[matches: `(?:[1-9][0-9]3	[1-5][0-9]4	6[0-4][0-9]3
destination_cidr	String	Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$`	No
destination_port	Any	Integer[min: `0`, max: `65535`] or String[matches: `(?:[1-9][0-9]3	[1-5][0-9]4	6[0-4][0-9]3

Examples

Example-1: This configuration defines access control list (ACL) rules for managing network traffic based on protocol, source, and destination criteria. The rules specify actions for IPv4 traffic and include details such as VLAN scope, allowed protocols, and destination filtering.

The first rule, labeled “tcp rules,” allows TCP traffic from any source IP and port to destination subnet 1.1.1.1/24 on port 443 and applies specifically to VLAN 100. The second rule, labeled “Test Any rule,” allows any IPv4 protocol from any source IP and port to the single host 2.1.1.1 on any destination port and applies to all VLANs.

meraki:
  domains:
    - name: !env domain
      administrator:
        name: !env org_admin
      organizations:
        - name: !env org
          networks:
            - name: !env network_name
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              switch:
                access_control_lists_rules:
                  - comment: tcp rules
                    policy: allow
                    ip_version: ipv4
                    protocol: tcp
                    source_cidr: any
                    source_port: any
                    destination_cidr: 1.1.1.1/24
                    destination_port: "443"
                    vlan: 100
                  - comment: Test Any rule
                    policy: allow
                    ip_version: ipv4
                    protocol: any
                    source_cidr: any
                    source_port: any
                    destination_cidr: 2.1.1.1/32
                    destination_port: any
                    vlan: any