Impact of Creating New ACL

amwjoe
Here to help

We currently have 2 Meraki switches with each having a Netgear iSCSI switch behind them, connected via fiber strictly intended for management.

The SAN and NICs from servers designated for iSCSI are statically assigned to a separate network with no default gateway or DNS configured. The iSCSI network is a Layer 2 network with no VLAN configured. Each iSCSI switch has its own Layer 2 network of iSCSI IPs. Small illustration below with example IPs.

Our iSCSI traffic has no VLAN, so we've noticed that, since it's untagged, traffic is mistakenly flowing through the Meraki. We plan to create ACLs to deny traffic from each of our iSCSI networks from moving across the rest of the PROD network, 1 at a time, to fix this, but would like to know if that will cause any disruption to the existing traffic? Ultimately the traffic of the 192.168.100.x and 192.168.101.x should remain within their own switches and not leave them.

[Image: amwjoe_0-1697684108500.png (topology illustration with example IPs)]

6 Replies
alemabrahao
Kind of a big deal

Do the switches have any interconnection between them or are they isolated?

Is the port to the Netgear in access or trunk mode? If it is a trunk, you can isolate it by allowing only the VLAN you want on the trunk.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

If the NetGear switches are only carrying iSCSI, why do they need to be connected to the Meraki switches at all?

I'm guessing this is usually the dual fabric iSCSI/storage concept, and the NetGear switches don't need to be connected to each other either.

amwjoe
Here to help

The Netgear switches are not connected to each other, only to their respective Meraki switch.

They are connected to the Meraki switches for management of the switch.

GIdenJoe
Kind of a big deal

Can you move the management for those Netgear switches off to another VLAN not used by the iSCSI traffic? Then you could just prune the VLAN off the trunk between your Meraki and Netgear switches. This is the only solution that is watertight.

If you can't do that and the management traffic of the Netgears is on the same VLAN as the iSCSI hosts, then you should create an ACL where you first allow the traffic on that VLAN from the two Netgear IPs and then deny all incoming traffic from the rest of that specific VLAN and subnet. There is an allow any at the end of the switch ACL that will of course allow all your other network traffic.
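Added example (not code from any reply in this thread): a small first-match evaluator that models the rule ordering described above, an allow for each switch management IP ahead of a subnet-wide deny, with the trailing allow-any standing in for the implicit allow at the end of a switch ACL. The two Netgear management addresses (192.168.100.2 and 192.168.100.3) and the PROD address 10.0.0.5 are assumed for illustration; only the 192.168.100.0/24 iSCSI subnet comes from the original post. It also shows the same rules in the wrong order, where the deny shadows the management permits, and a cheap lint that flags rules which can never match.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from any poster in this thread. The two Netgear
# management addresses (192.168.100.2 and .3) and the PROD address 10.0.0.5
# are assumed for illustration; 192.168.100.0/24 is the iSCSI subnet from the
# original post.

@dataclass(frozen=True)
class Rule:
    policy: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network      # source prefix the rule matches
    dst: ipaddress.IPv4Network      # destination prefix the rule matches
    comment: str = ""

def rule(policy, src, dst, comment=""):
    return Rule(policy, ipaddress.ip_network(src), ipaddress.ip_network(dst), comment)

# Ordering GIdenJoe describes: permit the two switch management IPs first,
# then drop everything else sourced from the iSCSI subnet. The trailing
# "allow any" stands in for the implicit allow at the end of a switch ACL.
CORRECT_ACL = [
    rule("allow", "192.168.100.2/32", "0.0.0.0/0", "Netgear A management (assumed IP)"),
    rule("allow", "192.168.100.3/32", "0.0.0.0/0", "Netgear B management (assumed IP)"),
    rule("deny",  "192.168.100.0/24", "0.0.0.0/0", "keep iSCSI hosts off PROD"),
    rule("allow", "0.0.0.0/0",        "0.0.0.0/0", "implicit allow any"),
]

# Same rules with the deny placed first: first match wins, so the subnet-wide
# deny shadows the two management permits and locks the switches out.
MISORDERED_ACL = [CORRECT_ACL[2], CORRECT_ACL[0], CORRECT_ACL[1], CORRECT_ACL[3]]

def evaluate(acl, src_ip, dst_ip):
    """Return (policy, comment) of the first rule matching the flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in acl:
        if src in r.src and dst in r.dst:
            return r.policy, r.comment
    return "allow", "implicit allow any"

def shadowed_rules(acl):
    """Indexes of rules that can never match because an earlier rule with the
    same or wider src/dst prefixes precedes them (a cheap ordering lint)."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                shadowed.append(i)
                break
    return shadowed

if __name__ == "__main__":
    for acl_name, acl in (("correct", CORRECT_ACL), ("misordered", MISORDERED_ACL)):
        print(acl_name, "shadowed rule indexes:", shadowed_rules(acl))
        for flow in (("192.168.100.2", "10.0.0.5"),    # switch management
                     ("192.168.100.50", "10.0.0.5"),   # iSCSI host leaking to PROD
                     ("10.0.1.5", "10.0.2.5")):        # unrelated PROD traffic
            print(" ", flow, "->", evaluate(acl, *flow))
```

Running the block shows the management flow allowed and the iSCSI host denied under the correct ordering, and the management flow denied (with rules 1 and 2 reported as shadowed) under the misordered one. Checking `shadowed_rules` before pushing a new ACL is a quick way to catch the lockout GIdenJoe's ordering avoids.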

amwjoe
Here to help

Thanks so much GIdenJoe - this is very clear and I think I can easily get creative and manage this switch another way. I think I'll proceed with removing the fiber management cable and leaving the switch truly isolated on its own.

My next question would be, by disconnecting the cable it's using for traffic (mistakenly), will that cause interruption between the clients on that switch?

Note: On a single iSCSI switch, all clients are configured to be on the same IP network with no default gateway or DNS.

GIdenJoe
Kind of a big deal

Unless you have spanning tree blocked links, you should be 100% sure where your traffic should go. If you want to check for sure, you could log in to both of your Netgear switches and locate the MAC addresses of both endpoints, so you can verify on the left switch where the MAC addresses of the endpoints on the right switch are coming in from, and vice versa. If you break the links between the Meraki switch and the Netgear switch and your MAC addresses were on the switch links between both Netgears instead, you will not have any interruption of your iSCSI traffic.

So while you can reason it out using networking logic, you should definitely double-check using the MAC address tables on both switches to be 1000% sure before unplugging anything 😉
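Added example (not code from any reply in this thread) of the MAC-table check described above: for each Netgear switch, look up which port every iSCSI endpoint MAC was learned on, and flag any endpoint learned on the uplink to the Meraki, since that is a path that would break when the fiber is pulled. The table text, port names, MAC addresses and the uplink port number are all constructed for illustration and only loosely resemble a `show mac-addr-table` listing; adapt `parse_mac_table` to the real output format.

```python
# Added example, not code from any poster in this thread. The tables below are
# constructed: port names, MAC addresses and the uplink port (0/24) are invented.

LEFT_SWITCH_TABLE = """\
VLAN  MAC Address         Type     Port
1     00:11:22:aa:00:01   Dynamic  0/1
1     00:11:22:aa:00:02   Dynamic  0/2
1     00:11:22:bb:00:01   Dynamic  0/24
1     00:11:22:ff:00:99   Dynamic  0/24
"""

RIGHT_SWITCH_TABLE = """\
VLAN  MAC Address         Type     Port
1     00:11:22:bb:00:01   Dynamic  0/5
1     00:11:22:aa:00:01   Dynamic  0/24
"""

# A switch whose iSCSI endpoints are all on local ports: nothing crosses the uplink.
CLEAN_TABLE = """\
VLAN  MAC Address         Type     Port
1     00:11:22:aa:00:01   Dynamic  0/1
1     00:11:22:aa:00:02   Dynamic  0/2
1     00:11:22:bb:00:01   Dynamic  0/3
1     00:11:22:ff:00:99   Dynamic  0/24
"""

# Constructed MACs of the SAN ports and server iSCSI NICs we care about.
ISCSI_ENDPOINTS = {"00:11:22:aa:00:01", "00:11:22:aa:00:02", "00:11:22:bb:00:01"}

def parse_mac_table(text):
    """Map MAC address -> port from the constructed table format."""
    entries = {}
    for line in text.splitlines()[1:]:   # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        _vlan, mac, _type, port = parts[:4]
        entries[mac.lower()] = port
    return entries

def endpoints_via_uplink(table_text, uplink_port, endpoints):
    """iSCSI endpoint MACs this switch learned on its Meraki uplink, i.e. flows
    that currently cross the Meraki and would break if the fiber were pulled."""
    table = parse_mac_table(table_text)
    return sorted(mac for mac in endpoints if table.get(mac.lower()) == uplink_port)

def safe_to_unplug(tables_and_uplinks, endpoints):
    """True only when no switch has an iSCSI endpoint learned via its uplink."""
    return all(not endpoints_via_uplink(t, up, endpoints) for t, up in tables_and_uplinks)

if __name__ == "__main__":
    for name, table in (("left", LEFT_SWITCH_TABLE), ("right", RIGHT_SWITCH_TABLE)):
        print(name, "endpoints learned via uplink 0/24:",
              endpoints_via_uplink(table, "0/24", ISCSI_ENDPOINTS))
    print("safe to unplug:",
          safe_to_unplug([(LEFT_SWITCH_TABLE, "0/24"), (RIGHT_SWITCH_TABLE, "0/24")],
                         ISCSI_ENDPOINTS))
```

In the constructed data each Netgear has learned one remote iSCSI endpoint on its Meraki uplink, so `safe_to_unplug` returns False: those two endpoints are talking across the Meraki today and pulling the fiber would interrupt them. Only a table like `CLEAN_TABLE`, with every endpoint on a local port, passes the check.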
