Block traffic over site-to-site and LAN Extension

Solved
TravisFleming1
Conversationalist

We have an MX100 in our Minnesota and Saskatoon offices. The Saskatoon office is new to us (bought company), and we have routes in place for our network monitoring tools to do SNMP polls on UDP port 161 from Minnesota to Saskatoon. However, we don't want to allow anything else. Wondering how I can block this?

 

This is the complicated part. We have a traditional site-to-site VPN where I can create a firewall rule, but then we also have an EVPL layer 2 extension. We have a LAN interface on each MX setup with a /30 IP address. We then have a static route on each MX saying to send traffic over the EVPL if the next hop gateway is available. So if the EVPL went down, it would fall back to our internet connections.

 

How the heck can I limit the traffic that goes over that LAN segment on the same VLAN? We don't have complete control of PCs on the far end, so we want to limit our exposure.

1 Accepted Solution
ww
Kind of a big deal

Create a group policy, make your stateless FW rules, and apply it to the VLAN that connects the EVPL.

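What that policy looks like in practice, as an added example that is not part of the thread: it builds the Dashboard API group-policy body with one allow rule for SNMP (UDP 161) to the far-end subnet followed by a deny-all, and includes a small offline first-match evaluator so you can confirm which flows the rule set would pass before applying it. The subnet, policy name and VLAN/network IDs are placeholders, and the group-policy rule fields (comment, policy, protocol, destPort, destCidr) are the Dashboard API v1 ones.

```python
"""Added example (not from the thread): build the group policy the accepted answer
describes and check flows against it offline. CIDRs, names and IDs are placeholders."""
import ipaddress
import json

# Constructed placeholders: replace with the real far-end subnet and policy name.
SASKATOON_LAN = "192.0.2.0/24"          # subnet reached over the EVPL /30 transit VLAN
GROUP_POLICY_NAME = "EVPL-transit-SNMP-only"

def build_l3_rules(allowed):
    """Allow-list the given flows, then deny everything else (first match wins).
    Group-policy L3 rules carry only destination fields (destPort/destCidr)."""
    rules = [{"comment": a["comment"], "policy": "allow", "protocol": a["protocol"],
              "destPort": str(a["destPort"]), "destCidr": a["destCidr"]} for a in allowed]
    rules.append({"comment": "Default deny on the EVPL VLAN", "policy": "deny",
                  "protocol": "any", "destPort": "any", "destCidr": "any"})
    return rules

def build_group_policy():
    """Body for POST /networks/{networkId}/groupPolicies (Dashboard API v1).
    Apply the returned policy's id to the transit VLAN afterwards with
    PUT /networks/{networkId}/appliance/vlans/{vlanId} {"groupPolicyId": id}."""
    rules = build_l3_rules([{"comment": "SNMP polling from Minnesota monitoring",
                             "protocol": "udp", "destPort": 161, "destCidr": SASKATOON_LAN}])
    return {"name": GROUP_POLICY_NAME,
            "firewallAndTrafficShaping": {"settings": "custom", "l3FirewallRules": rules}}

def _cidr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")          # "161" or a range such as "161-162"
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, protocol, dst_ip, dst_port):
    """Stateless first-match check of one packet: returns 'allow' or 'deny'.
    Because the rules are stateless, each direction is judged on its own."""
    for r in rules:
        if (r["protocol"] in ("any", protocol) and _cidr_match(r["destCidr"], dst_ip)
                and _port_match(r["destPort"], dst_port)):
            return r["policy"]
    return "deny"                            # nothing matched: treat as denied

if __name__ == "__main__":
    policy = build_group_policy()
    rules = policy["firewallAndTrafficShaping"]["l3FirewallRules"]
    print(json.dumps(policy, indent=2), evaluate(rules, "udp", "192.0.2.10", 161))
```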

2 Replies
TravisFleming1
Conversationalist

Thanks, that worked. I'm new to Meraki, but CCNA in Cisco so...cousins? ha
