Switch Access Control Lists Configuration

Dashboard Location: Switching > Configure > ACL

Layer 3 Traffic Filtering

Switch Access Control Lists (ACLs) configuration in Meraki switches provides granular Layer 3 traffic filtering and security controls, enabling administrators to define comprehensive network access policies based on IP addresses, protocols, ports, and VLAN membership. This functionality supports both IPv4 and IPv6 traffic management with allow and deny policies, ensuring precise control over network traffic flow between different network segments and external resources. Switch ACLs are essential for implementing network segmentation, controlling inter-VLAN communication, enforcing security policies, and managing traffic flow in enterprise switching environments.

Diagram

Classes

switch (meraki.domains.organizations.networks)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| access_control_lists_rules | List[access_control_lists_rules] | | No | |

access_control_lists_rules (meraki.domains.organizations.networks.switch)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| comment | String | min: 1, max: 127 | No | |
| policy | Choice | allow, deny | Yes | |
| ip_version | Choice | any, ipv4, ipv6 | No | |
| protocol | Choice | any, tcp, udp | Yes | |
| vlan | Any | Integer[min: 1, max: 4094] or String[matches: `(?:[1-9][1-9][0-9][1-9][0-9]2 | | |
| source_cidr | String | Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$` | No | |
| source_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |
| destination_cidr | String | Regex: `^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$` | No | |
| destination_port | Any | Integer[min: 0, max: 65535] or String[matches: `(?:[1-9][0-9]3[1-5][0-9]46[0-4][0-9]3 | | |

Examples

Example-1: The example below demonstrates switch access control list configuration using a tested YAML configuration taken from the pipeline fixtures.

```yaml
meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          networks:
            - name: "!env network_name"
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              switch:
                access_control_lists_rules:
                  - comment: tcp rules
                    policy: allow
                    ip_version: ipv4
                    protocol: tcp
                    source_cidr: any
                    source_port: any
                    destination_cidr: 1.1.1.1/24
                    destination_port: "443"
                    vlan: 100
                  - comment: Test Any rule
                    policy: allow
                    ip_version: ipv4
                    protocol: any
                    source_cidr: any
                    source_port: any
                    destination_cidr: 2.1.1.1/32
                    destination_port: any
                    vlan: any
                  # The comment, policy, ip_version, protocol and source_cidr
                  # fields of this rule are not present on the source page.
                  - source_port: "any"
                    destination_cidr: "!env dns_server_ips"
                    destination_port: "53"
                    vlan: "any"
                  - comment: "Block Inter-VLAN Guest Traffic"
                    policy: deny
                    ip_version: ipv4
                    protocol: "any"
                    source_cidr: "!env guest_network_range"
                    source_port: "any"
                    destination_cidr: "!env internal_network_ranges"
                    destination_port: "any"
                    vlan: "any"
```
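The following validator is an added example, not code from the Meraki-as-code project: it checks a list of `access_control_lists_rules` entries against the constraints in the class table above (mandatory fields, choice values, comment length, port and VLAN ranges, and the documented `source_cidr` / `destination_cidr` regex), then applies stricter IPv4 checks than that regex. The documented pattern only constrains digit counts, so it accepts values such as `300.1.1.1/40`; the extra check rejects those and flags prefixes whose host bits are set (like `1.1.1.1/24` in Example-1) so the author can confirm the intended network before the configuration is pushed. It assumes that numeric strings such as `"443"` are valid port values (Example-1 uses them) and skips `!env` references, which are only resolved at deploy time. The sample rules are constructed input mirroring Example-1.

```python
"""Validate Meraki switch ACL rule entries against the documented constraints."""
import ipaddress
import re

# Allowed values and limits, taken from the access_control_lists_rules table.
POLICIES = {"allow", "deny"}
IP_VERSIONS = {"any", "ipv4", "ipv6"}
PROTOCOLS = {"any", "tcp", "udp"}
MANDATORY = ("policy", "protocol")
COMMENT_MAX = 127
PORT_MAX = 65535
VLAN_MIN, VLAN_MAX = 1, 4094

# The source_cidr / destination_cidr pattern exactly as documented above.
CIDR_LIST_RE = re.compile(
    r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)"
    r"(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$"
)


def _check_choice(rule, field, allowed, errors):
    if field in rule and rule[field] not in allowed:
        errors.append(f"{field}: {rule[field]!r} not in {sorted(allowed)}")


def _check_int_or_any(rule, field, low, high, errors):
    # Integer within [low, high] or the string "any". Numeric strings such as
    # "443" are assumed acceptable because the YAML example uses them.
    if field not in rule:
        return
    value = rule[field]
    if isinstance(value, bool):
        errors.append(f"{field}: boolean is not a valid value")
        return
    if isinstance(value, int):
        number = value
    else:
        text = str(value).strip().lower()
        if text == "any":
            return
        if not text.isdigit():
            errors.append(f"{field}: {value!r} is neither an integer nor 'any'")
            return
        number = int(text)
    if not low <= number <= high:
        errors.append(f"{field}: {number} outside {low}..{high}")


def _check_cidr(rule, field, errors, warnings):
    if field not in rule:
        return
    text = str(rule[field]).strip()
    if text.startswith("!env "):
        return  # resolved from the environment at deploy time; nothing to check offline
    if not CIDR_LIST_RE.match(text):
        errors.append(f"{field}: {text!r} does not match the documented pattern")
        return
    # Stricter than the documented regex (which also accepts 300.1.1.1/40):
    # every octet must be 0..255 and the prefix at most 32; a prefix whose
    # host bits are set is reported so the intended network can be confirmed.
    for item in text.split(","):
        if item.lower() == "any":
            continue
        try:
            ipaddress.ip_network(item, strict=True)
        except ValueError:
            try:
                network = ipaddress.ip_network(item, strict=False)
            except ValueError:
                errors.append(f"{field}: {item!r} is not a valid IPv4 network")
            else:
                warnings.append(f"{field}: {item!r} has host bits set; network is {network}")


def validate_rule(rule):
    """Return (errors, warnings) for one access_control_lists_rules entry."""
    errors, warnings = [], []
    for field in MANDATORY:
        if field not in rule:
            errors.append(f"{field}: mandatory field missing")
    if "comment" in rule and not 1 <= len(str(rule["comment"])) <= COMMENT_MAX:
        errors.append(f"comment: length must be 1..{COMMENT_MAX}")
    _check_choice(rule, "policy", POLICIES, errors)
    _check_choice(rule, "ip_version", IP_VERSIONS, errors)
    _check_choice(rule, "protocol", PROTOCOLS, errors)
    _check_int_or_any(rule, "vlan", VLAN_MIN, VLAN_MAX, errors)
    _check_int_or_any(rule, "source_port", 0, PORT_MAX, errors)
    _check_int_or_any(rule, "destination_port", 0, PORT_MAX, errors)
    _check_cidr(rule, "source_cidr", errors, warnings)
    _check_cidr(rule, "destination_cidr", errors, warnings)
    return errors, warnings


def validate_rules(rules):
    """Validate a rule list; returns {index: (errors, warnings)} for entries with findings."""
    findings = {}
    for index, rule in enumerate(rules):
        errors, warnings = validate_rule(rule)
        if errors or warnings:
            findings[index] = (errors, warnings)
    return findings


# Constructed sample input: the first two rules mirror Example-1, the third is a
# deliberately malformed rule that the documented regex alone would not reject.
SAMPLE_RULES = [
    {"comment": "tcp rules", "policy": "allow", "ip_version": "ipv4", "protocol": "tcp",
     "source_cidr": "any", "source_port": "any", "destination_cidr": "1.1.1.1/24",
     "destination_port": "443", "vlan": 100},
    {"comment": "Test Any rule", "policy": "allow", "ip_version": "ipv4", "protocol": "any",
     "source_cidr": "any", "source_port": "any", "destination_cidr": "2.1.1.1/32",
     "destination_port": "any", "vlan": "any"},
    {"comment": "bad rule", "policy": "permit", "ip_version": "ipv4", "protocol": "icmp",
     "source_cidr": "any", "source_port": "any", "destination_cidr": "300.1.1.1/40",
     "destination_port": 70000, "vlan": "any"},
]

if __name__ == "__main__":
    for index, (errors, warnings) in validate_rules(SAMPLE_RULES).items():
        for line in errors:
            print(f"rule {index}: ERROR {line}")
        for line in warnings:
            print(f"rule {index}: WARN  {line}")
```

Running the block reports the host-bits warning for rule 0 and four errors for rule 2 (policy, protocol, destination_cidr, destination_port); rule 1 passes cleanly. Run it as a pre-commit step over the parsed YAML so malformed rules are caught before the pipeline pushes them to the Dashboard.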