Meraki

amwjoe · ‎Oct 18 2023

We currently have 2 Meraki switches with each having a Netgear iSCSI switch behind them, connected via fiber strictly intended for management.

The SAN and NICs from servers designated for iSCSI are statically assigned to a separate network with no default gateway or DNS configured. The iSCSI network is a Layer 2 network with no VLAN configured. Each iSCSI switch has its own Layer 2 network of iSCSI IPs. Small illustration below with example IPs.

Our ISCSI traffic has no VLAN so we've noticed since it's untagged traffic is mistakenly flowing through the Meraki. We plan to create a ACLs to deny traffic each of our iSCSI networks from moving across the rest of the PROD network, 1 at a time, to fix this but would like to know if that will cause any disruption to the existing traffic? Ultimately the traffic of the 192.168.100.x and 192.168.101.x should remain within their own switches and not leave them.

alemabrahao · ‎Oct 19 2023

Do the switches have any interconnection between them or are they isolated?

Is the port between the Netgear in access or trunk mode? If it is a trunk you can isolate it by allowing only the VLAN you want on the trunk.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

PhilipDAth · ‎Oct 19 2023

If the NetGear switches are only carrying iSCSI - why do they need to be connected to the Meraki switches at all?

I'm guessing this is usually the dual fabric iSCSI/storage concept, and the NetGear switches don't need to be connected to each other either.

amwjoe · ‎Oct 19 2023

The Netgear switches are not connected to each other, only to their respective Meraki switch.

They are connected to the Meraki switches for management of the switch.

GIdenJoe · ‎Oct 20 2023

Can you move the management for those Netgear switches off to another VLAN not used by the iSCSI traffic? Then you could just prune the VLAN off the trunk between your Meraki and Netgear switches. This is the only solution that is watertight.

If you can't do that and the management traffic of the netgears are on the same VLAN as the iSCSI hosts then you should create an ACL where you first allow the traffic on that VLAN from the two netgear IP's and then deny all incoming traffic from the rest of that specific VLAN and subnet. There is an allow any at the end of the switch ACL that will of course allow all your other network traffic.

amwjoe · ‎Oct 21 2023

Thanks so much GldenJoe - this is very clear and I think I can easily get creative and manage this switch another way. I think I'll proceed with removing the fiber management cable and leaving the switch truely isolated on its own.

My next question would be, by disconnecting the cable it's using for traffic (mistakenly), will that cause interruption between the clients on that switch?

Note: On a iSCSI single switch, all clients are configured to be on the same IP network with no default gateway or DNS.

GIdenJoe · ‎Oct 22 2023

Unless you have spanning tree blocked links you should be 100% sure where your traffic should go. If you want to check for sure you could log in to both of your Netgear switches and locate the MAC addresses of both endpoints so you verify on the left switch where the MAC address of the endpoints on the right switch are coming in from and vice versa. If you break the links between the Meraki switch and the Netgear switch and your mac addresses were on the switchlinks between both Netgears instead you will not have any interruption of your iSCSI traffic.

So while you can reason it by using networking logic you should definitely doublecheck using the mac address tables on both switches to be 1000% sure before unplugging anything 😉

Meraki

Community

Impact of Creating New ACL

Impact of Creating New ACL