How does one isolate (air-gap) a VMware VM yet allow it to print, using a Meraki stack?

Ideally in a series of easy-to-follow steps vs. "go RTFM". (Trying to translate documentation - e.g. Switch ACL Operation - and related threads - e.g. Isolate vlan from all other vlans! - into actual configuration steps.)

The task is to "air-gap" a VMware (ESXi / vCenter) VM yet allow it to print to a physical printer on a network. The printer can be dedicated to the task, i.e. it does not have to be shared with any other devices for printing.

The VM is a P2V'd Windows Server 2000 machine (presumably vulnerable, presumably even running malware) running an old LoB application that occasionally needs to be accessed and records from it printed out.

The stack is an MX100 with MS switches, a few ESXi 7 servers, and vCenter 7.

So far the plan is:

VMware:
- Create a vSwitch (vCenter / ESXi), set it to a unique VLAN that's not used elsewhere, e.g. 2001.
- Do not (yet) connect the VM's NIC to it: the VLAN is not fully isolated yet - not until the MX is configured to stop almost all of the traffic flow to/from it.

Meraki MX:
- Connect a network printer to a Meraki switch port, "access" type, VLAN 2001, port isolation: disabled (no point, given port isolation won't stop traffic flow within the vSwitch, or between VLANs?).
- Create a "deny everything" Group Policy, name it something like "VLAN 2001 printing only".
- Create a new VLAN on the MX ("Security & SD-WAN" -> "Addressing & VLANs" -> "Routing" -> "Add VLAN"), give it a non-routable subnet with the smallest range possible (e.g. "VLAN interface IP" of 10.201.0.128, Subnet 10.201.0.128/30, then give the VM and the printer the .129 and .130 IPs).
- Assign the above group policy to it.

Now:
- Connect the VM's NIC to the vSwitch configured above, configure IPs on the printer and the VM.
- Try pinging the printer's IP from the VM, confirm no ICMP response.
- Create an "allow" rule in the GP configured above allowing ICMP traffic from the VM to the printer (and back?).
- Try pinging again, confirm it's working.
- Modify the "allow" rule configured above to include TCP/UDP traffic.
- Test printing.

Do the above steps do what's needed to fully isolate the VM with the exception of talking to a printer? Did I miss anything obvious (or not so obvious)? Thank you!
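As an added check (not part of the original post), the Python below models the group policy's L3 rules in the field shape the Meraki Dashboard API uses and runs a first-match evaluation over a few constructed flows, so the "deny everything, then allow printer traffic" rule set can be sanity-checked before it is attached to VLAN 2001. The printer ports (9100 raw, 515 LPD, 631 IPP), the rule field names, and the modelled behaviour that same-VLAN traffic between the VM and the printer is switched and never reaches the MX are assumptions of this example.

```python
import ipaddress

# Constructed example values, matching the plan above (VLAN 2001, 10.201.0.128/30).
VLAN_SUBNET = "10.201.0.128/30"
VM_IP = "10.201.0.129"
PRINTER_IP = "10.201.0.130"

# Group-policy L3 firewall rules in the field shape the Meraki Dashboard API uses.
# Assumed printer ports: 9100 (raw), 515 (LPD), 631 (IPP); use what the printer really speaks.
RULES = [
    {"policy": "allow", "protocol": "icmp", "srcCidr": VM_IP + "/32",
     "destCidr": PRINTER_IP + "/32", "destPort": "any", "comment": "ping the printer"},
    {"policy": "allow", "protocol": "tcp", "srcCidr": VM_IP + "/32",
     "destCidr": PRINTER_IP + "/32", "destPort": "9100,515,631", "comment": "print jobs"},
    {"policy": "deny", "protocol": "any", "srcCidr": "any",
     "destCidr": "any", "destPort": "any", "comment": "deny everything else"},
]

def _cidr_match(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def _port_match(spec, port):
    if spec == "any":
        return True
    for part in spec.split(","):  # "9100,515,631" or ranges such as "1024-65535"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, src, dst, proto, dport=0):
    """First-match verdict for one flow initiated by src; 'unmatched' if no rule fits."""
    for r in rules:
        if r["protocol"] in ("any", proto) and _cidr_match(r["srcCidr"], src) \
                and _cidr_match(r["destCidr"], dst) and _port_match(r["destPort"], dport):
            return r["policy"]
    return "unmatched"

def has_catchall_deny(rules):
    """The plan's 'deny everything' rule must be last, so no flow falls through."""
    last = rules[-1]
    return last["policy"] == "deny" and all(
        last[k] == "any" for k in ("protocol", "srcCidr", "destCidr", "destPort"))

def flow_verdict(rules, src, dst, proto, dport=0):
    """Assumption modelled here: the MX only filters traffic routed through it, so a flow
    between two hosts inside the same VLAN subnet is switched at L2 and never sees RULES."""
    net = ipaddress.ip_network(VLAN_SUBNET)
    if ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net:
        return "switched"
    return evaluate(rules, src, dst, proto, dport)
```

Run `evaluate` with the VM as source against a corporate-LAN or Internet destination to confirm every such flow ends in "deny", and with the VM as destination to confirm nothing from other VLANs reaches it.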