Assuming you are only trunking VLAN4000 between the sites (and are restricting all others), you should be able to put an ACL on just VLAN4000 and either allow everything you want followed by a deny any, or deny everything you don't want. Note that switch ACLs are stateless, so you have to create rules to allow the traffic in both directions.
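As an added example (not from the original post or from any named vendor documentation), here is what such a pair of stateless ACLs could look like in Cisco IOS-style syntax. The site subnets, the permitted services and the choice to filter on the VLAN 4000 SVI are assumptions for the example; note that every permitted flow appears twice, once per direction.

```cisco
! Assumed addressing (constructed for this example):
!   local site  10.1.0.0/16, remote site 10.2.0.0/16
!   VLAN 4000 is the only VLAN trunked between the sites, and this switch
!   routes it via an SVI ("in" = arriving from the remote site).
!
! Both ACLs end with an explicit deny, so anything not listed is dropped.
! The switch ACL is stateless: each permitted flow needs a matching rule
! for the reply direction, otherwise the return packets are dropped.

! Traffic arriving from the remote site.
ip access-list extended VLAN4000-FROM-REMOTE
 remark HTTPS from remote clients to local servers (request direction)
 permit tcp 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 eq 443
 remark replies from remote HTTPS servers to local clients (return direction)
 permit tcp 10.2.0.0 0.0.255.255 eq 443 10.1.0.0 0.0.255.255 established
 remark DNS replies from the remote resolver to local clients
 permit udp host 10.2.0.53 eq 53 10.1.0.0 0.0.255.255
 deny   ip any any log

! Traffic leaving toward the remote site: the mirror image.
ip access-list extended VLAN4000-TO-REMOTE
 remark HTTPS from local clients to remote servers (request direction)
 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 443
 remark replies from local HTTPS servers to remote clients (return direction)
 permit tcp 10.1.0.0 0.0.255.255 eq 443 10.2.0.0 0.0.255.255 established
 remark DNS queries from local clients to the remote resolver
 permit udp 10.1.0.0 0.0.255.255 host 10.2.0.53 eq 53
 deny   ip any any log

interface Vlan4000
 ip access-group VLAN4000-FROM-REMOTE in
 ip access-group VLAN4000-TO-REMOTE out
```

The `log` keyword on the final deny lets you see which flows you forgot to add a reverse rule for before tightening further.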