Advice RE Vlan or ACL Configuration for Building over Point to Point Link

Killian
New here

I'm trying to wrap my head around exactly how to accomplish something and was hoping someone on here could help point me in the right direction.

The situation is this: we have a building hooked up to us via a fibre link and we are effectively that building's internet breakout, offsite backup and domain services (they also host their own DC for the domain there). That fibre link then gets converted via an NTU and then enters into our Core Switching (an MS350) and gets routed from there. This point to point link is set up with an internal IP of 10.255.255.0/30 (VLAN 4000) with one end of the link being .1 (on our MS350) and the other .2 (on their MS320). The switch port on the opposite side of this connection is configured with a Native VLAN of 1 and an interface on it for 10.255.255.2 (on VLAN 4000 again).

We have an ABUNDANCE of VLANs on our network (around 30 - 40).  I need to segregate that network so that only certain VLANs can communicate with it (effectively isolating it to a backup server, some domain services, and a subnet my own computer sits on and the internet/firewall).  I tried setting an 'allowed vlans' list but I'm still able to communicate with it via machines I know full well sit on another VLAN and I think this is me perhaps completely misunderstanding the VLAN tagging process.

For instance if I ping on something from VLAN 110 (which is not in the allowed list on the trunk port) it goes through fine.  When I inspect the packets I see the ping appears to be coming in from VLAN 4000 and the 10.255.255.1 address (not the actual machine I'm testing) on the other side.  Am I seeing this issue because the switch on the opposite side appears to be using the native VLAN 1 (with all ports on that side also being set to trunk native vlan 1)?  Should I change each port to a different VLAN and make them an access type, would this then behave as expected?

I've had a mess with the ACL but as they have multiple subnets at the other location (and multiple VLANs) I'd effectively have to create multiple ACLs per VLAN to each VLAN (as you can't use network ranges when configuring the ACL on the Switch). I have briefly got it working on the ACL idea but I'm trying to do it as cleanly as possible and VLAN segregation seems like the better approach in the long term, especially with the ACL already being 30 lines or so and I'd effectively be creating several new lines per VLAN.

Sorry if I've not explained that very well. The situation is a real mess. Everything is working fine at the minute but each building can see everything at the other building and that's what I need to eliminate without killing the other building's connection to the internet (which comes to us via the p2p link).

Any thoughts and advice greatly appreciated.

PhilipDAth
Kind of a big deal

Assuming you are only trunking VLAN4000 between the sites (and are restricting all others), you should be able to put an ACL on just VLAN4000 and either allow everything you want followed by a deny any, or deny everything you don't want.

Note that switch ACLs are stateless, so you have to create rules to allow the traffic in both directions.
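To illustrate the stateless point in the reply above, here is an added example (not from either poster, and not Meraki's ACL engine) that models a first-match ACL on the VLAN 4000 link: the backup-server and remote-site addresses are constructed, and only the 10.255.255.0/30 link range comes from the thread.

```python
"""Model of a stateless switch ACL on the VLAN 4000 link (added example).

A stateless ACL judges every packet on its own, so a rule permitting
backup-server -> remote-site traffic says nothing about the replies; they
need their own permit line before the closing deny-any. Addresses other
than the 10.255.255.0/30 link are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

REMOTE_SITE = ip_network("10.20.0.0/16")     # constructed: remote building's subnets
BACKUP_SERVER = ip_network("10.10.10.5/32")  # constructed: our backup server
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return ip_address(src) in self.src and ip_address(dst) in self.dst


def evaluate(acl, src: str, dst: str) -> str:
    """First matching rule wins; an implicit deny closes the list."""
    for rule in acl:
        if rule.matches(src, dst):
            return rule.action
    return "deny"


def session_allowed(acl, client: str, server: str) -> bool:
    """A conversation only works if the request AND the reply both pass."""
    return evaluate(acl, client, server) == "allow" and evaluate(acl, server, client) == "allow"


# Allow list that forgets the return traffic: replies hit deny-any.
ONE_WAY = [Rule("allow", BACKUP_SERVER, REMOTE_SITE), Rule("deny", ANY, ANY)]

# Same intent with the mirror rule added, then deny-any for everything else.
BOTH_WAYS = [
    Rule("allow", BACKUP_SERVER, REMOTE_SITE),
    Rule("allow", REMOTE_SITE, BACKUP_SERVER),
    Rule("deny", ANY, ANY),
]

if __name__ == "__main__":
    print(session_allowed(ONE_WAY, "10.10.10.5", "10.20.1.50"))    # False: replies dropped
    print(session_allowed(BOTH_WAYS, "10.10.10.5", "10.20.1.50"))  # True
    print(session_allowed(BOTH_WAYS, "10.110.0.7", "10.20.1.50"))  # False: other VLAN host
```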
