Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor II

Limiting traffic over Metro Ethernet between 3810M Switches

Hello,

 

I'm very new to Aruba and don't have much experience at all with writing ACLs.  I'm seeking help with blocking nearly all traffic going from a production network over Metro Ethernet to a backup SAN at a data center.  There are 3810M Switches doing the routing on both sides of the connection.

 

The goal is to only allow our on-premises backup server #1 10.10.10.50 (all ports) and server #2 10.10.10.60 (port 25) to replicate to the SAN at the data center and no other network traffic.

 

I'm familiar with setting this up in a firewall, but don't have that luxury with the current hardware setup.  It seems like it may be less complex to block from the source Data Center switch side, but I'm not sure.  There are several other networks/vlans on the switches as well.

 

Any guidance is greatly appreciated.  I've attached a sample network picture for clarity.

 

Thanks!

Jason

Occasional Contributor II

Re: Limiting traffic over Metro Ethernet between 3810M Switches

I will add that I tried to make this work with an ACL a few days ago, but failed.

 

I made a deny 10.10.10.0 statement first and then added an allow statement underneath it for the two servers, but figured out the hard way that once the switch matches the packet with an ACL entry it won't match another rule.

 

If it helps anyone else this also caused the switch to delete the IP address that was assigned to the Vlan for that network which broke the network.

Occasional Contributor II

Re: Limiting traffic over Metro Ethernet between 3810M Switches

After doing some research this is what I have in mind.  It would be great to get some confirmation beforehand.  Thanks!

 

ip access-list extended backups
  5 remark "server #1: all protocols to the SAN"
  10 permit ip 10.10.10.50 0.0.0.0 10.10.10.16 0.0.0.0
  15 remark "server #2: port 25 only (port matching needs tcp, not ip)"
  20 permit tcp 10.10.10.60 0.0.0.0 10.10.10.16 0.0.0.0 eq 25
  25 remark "everything else destined for the SAN is dropped"
  30 deny ip 0.0.0.0 255.255.255.255 10.10.10.16 0.0.0.0
  35 remark "traffic not addressed to the SAN passes unchanged"
  40 permit ip any any
  exit
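As an added illustration (not code from the thread or from Aruba), the following Python model walks candidate flows through an ACL top to bottom, stopping at the first matching entry, which is the behaviour the earlier post ran into. The SAN address 10.10.10.16 is taken from the ACL above; the FIRST_ATTEMPT list is a constructed reconstruction of the deny-then-permit ordering described in the second post, and the port-25 entry is written on tcp so the port qualifier applies.

```python
import ipaddress

# ACL from the thread (port rule on tcp so that "eq 25" is meaningful).
ACL = """
10 permit ip 10.10.10.50 0.0.0.0 10.10.10.16 0.0.0.0
20 permit tcp 10.10.10.60 0.0.0.0 10.10.10.16 0.0.0.0 eq 25
30 deny ip 0.0.0.0 255.255.255.255 10.10.10.16 0.0.0.0
40 permit ip any any
"""

# Constructed reconstruction of the first attempt: deny before permit.
FIRST_ATTEMPT = """
10 deny ip 10.10.10.0 0.0.0.255 10.10.10.16 0.0.0.0
20 permit ip 10.10.10.50 0.0.0.0 10.10.10.16 0.0.0.0
"""


def _take_addr(tok):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    kw = tok.pop(0)
    if kw == "any":
        return "0.0.0.0", "255.255.255.255"
    if kw == "host":
        return tok.pop(0), "0.0.0.0"
    return kw, tok.pop(0)


def parse_acl(text):
    """Return [(seq, action, proto, (src, src_wc), (dst, dst_wc), port)]."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        tok = tok[3:]
        src, dst = _take_addr(tok), _take_addr(tok)
        port = int(tok[1]) if tok[:1] == ["eq"] else None
        rules.append((seq, action, proto, src, dst, port))
    return rules


def _addr_matches(addr, spec):
    """Wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return ((a ^ s) & ~w) == 0


def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry decides; no match falls to the implicit deny."""
    for seq, action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto != "ip" and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        if _addr_matches(src, r_src) and _addr_matches(dst, r_dst):
            return seq, action
    return None, "deny"
```

Running `evaluate(parse_acl(FIRST_ATTEMPT), "tcp", "10.10.10.50", "10.10.10.16", 3260)` returns entry 10 with deny, showing why the later permit was never consulted.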
