How does one isolate (air-gap) a VMware VM yet allow it to print, using a Meraki stack?
Ideally in a series of easy-to-follow steps vs. "go RTFM".
(Trying to translate documentation - e.g. Switch ACL Operation - and related threads - e.g. Isolate vlan from all other vlans! - into actual configuration steps.)
The stack is MX100 with MS switches, a few ESXi 7 servers, vCenter 7.
So far the plan is:
Do the above steps do what's needed, to fully isolate the VM with the exception of talking to a printer? Did I miss anything obvious (or not so obvious)?
Thank you!
Create a security rule denying any, and above this rule create rules for what you want to allow.
@alemabrahao wrote: Create a security rule denying any, and above this rule create rules for what you want to allow.
Thank you. Which question are you answering with this?
This is the main one:
How does one isolate (air-gap) a VMware VM yet allow it to print, using a Meraki stack?
Ideally in a series of easy-to-follow steps vs. "go RTFM".
(Highlighting mine.)
This is the follow-up one:
Do the above steps do what's needed, to fully isolate the VM with the exception of talking to a printer? Did I miss anything obvious (or not so obvious)?
(It's two questions - yet both still boiling down to, "did I miss anything?")
Thanks again - and apologies for needing precision and well defined steps as opposed to "being pointed in the right direction".
Don't you know how to create a L3 security rule?
https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#Outbound_rules
@alemabrahao wrote: Don't you know how to create a L3 security rule?
https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Firewall_Settings#Outbound_rules
Ouch.
Does the host have any free network ports?
If so, connect the VM to a VMware switch that maps to that port. On the switches create two access ports on the new VLAN; don't create an interface for it. Connect the host NIC to one port and the printer to the other.
No risk of traffic getting outside of that.
Right - or USB passthrough was my second thought. No idea what support for that looks like on Server 2000 though...
My other thought is do users need to access this server? If so, OP's proposed solution will not work, and the server will only be accessible through VMRC...
If the printer is dedicated to this VM, there's really no need to create a VLAN interface on the MX.
You can simply set up a new VLAN on the vSwitch, configure that VLAN on the trunk ports on the switches through the network to the switch where the printer is connected, and configure the printer port as an access port in that VLAN.
Don't set any default gateway on either the printer or the computer and you're good to go. Those devices will not be able to communicate with anything outside of that VLAN.
The only 'risk' of this is VLAN bleeding if someone misconfigures the network in the future. To minimize that, you can add switch ACLs to allow only the specific communication (IPs and ports) on that VLAN and deny all other communication from those hosts.
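Added example (not from any poster in this thread): a small Python model of the VLAN-scoped switch ACL the last reply describes, evaluated first-match so you can check that only the print flow, in both directions, survives. The VLAN number, addresses and printer port 9100 are constructed; the rule field names follow the Meraki Dashboard API switch ACL schema as I understand it, and the trailing implicit allow is assumed from the Switch ACL Operation doc, so verify both against current documentation before pushing anything.

```python
import ipaddress

# Constructed sample addressing for the isolated VLAN (assumptions, not from the thread).
ISOLATED_VLAN = 250
VM_IP = "10.250.0.10"
PRINTER_IP = "10.250.0.20"
# Rule fields mirror the Meraki Dashboard API switch ACL schema as assumed here;
# verify against the current API reference before using them in a real PUT.
RULES = [
    {"comment": "VM to printer (RAW/JetDirect)", "policy": "allow", "ipVersion": "ipv4",
     "protocol": "tcp", "srcCidr": f"{VM_IP}/32", "srcPort": "any",
     "dstCidr": f"{PRINTER_IP}/32", "dstPort": "9100", "vlan": str(ISOLATED_VLAN)},
    # Switch ACLs are stateless, so the printer's TCP replies need their own allow rule.
    {"comment": "printer replies to VM", "policy": "allow", "ipVersion": "ipv4",
     "protocol": "tcp", "srcCidr": f"{PRINTER_IP}/32", "srcPort": "9100",
     "dstCidr": f"{VM_IP}/32", "dstPort": "any", "vlan": str(ISOLATED_VLAN)},
    # Catch-all deny scoped to this VLAN only, so other VLANs keep their normal behaviour.
    {"comment": "deny everything else on the isolated VLAN", "policy": "deny",
     "ipVersion": "any", "protocol": "any", "srcCidr": "any", "srcPort": "any",
     "dstCidr": "any", "dstPort": "any", "vlan": str(ISOLATED_VLAN)},
]

def _cidr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    # Accepts "any", single ports and comma-separated ranges such as "9100,515-516".
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, vlan, proto, src, sport, dst, dport):
    # First match wins; the trailing implicit allow-any is assumed from the Meraki ACL docs,
    # which is why the explicit VLAN-scoped deny above is what actually enforces isolation.
    for r in rules:
        if (r["vlan"] in ("any", str(vlan)) and r["protocol"] in ("any", proto)
                and _cidr_match(r["srcCidr"], src) and _port_match(r["srcPort"], sport)
                and _cidr_match(r["dstCidr"], dst) and _port_match(r["dstPort"], dport)):
            return r["policy"]
    return "allow"

def isolation_holds(rules):
    # The print job and its replies must pass; anything else on the VLAN must be denied.
    checks = [("allow", (ISOLATED_VLAN, "tcp", VM_IP, 51000, PRINTER_IP, 9100)),
              ("allow", (ISOLATED_VLAN, "tcp", PRINTER_IP, 9100, VM_IP, 51000)),
              ("deny", (ISOLATED_VLAN, "tcp", VM_IP, 51000, "10.250.0.30", 9100)),
              ("deny", (ISOLATED_VLAN, "udp", "10.250.0.30", 40000, VM_IP, 137))]
    return all(evaluate(rules, *flow) == want for want, flow in checks)
```

Dropping the reply rule makes `isolation_holds` fail, which is the stateless-ACL mistake that quietly breaks printing while looking "more locked down".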