Wired Intelligent Edge


Limiting traffic over Metro Ethernet between 3810M Switches

  • 1.  Limiting traffic over Metro Ethernet between 3810M Switches

    Posted Jun 22, 2020 03:38 PM

    Hello,


    I'm very new to Aruba and don't have much experience at all with writing ACLs.  I'm seeking help with blocking nearly all traffic going from a production network over Metro Ethernet to a backup SAN at a data center.  There are 3810M Switches doing the routing on both sides of the connection.


    The goal is to only allow our on premise backup server #1 10.10.10.50 (All Ports) and server #2 10.10.10.60 (Port 25) to replicate to the SAN at the data center and no other network traffic.


    I'm familiar with setting this up in a firewall, but don't have that luxury with the current hardware setup.  It seems like it may be less complex to block from the source Data Center switch side, but I'm not sure.  There are several other networks/vlans on the switches as well.


    Any guidance is greatly appreciated.  I've attached a sample network picture for clarity.


    Thanks!

    Jason



  • 2.  RE: Limiting traffic over Metro Ethernet between 3810M Switches

    Posted Jun 22, 2020 04:43 PM

    I will add that I tried to make this work with an ACL a few days ago, but failed.


    I made a deny 10.10.10.0 statement first and then added an allow statement underneath it for the two servers, but figured out the hard way that once the switch matches the packet with an ACL it won't match another rule.


    If it helps anyone else, this also caused the switch to delete the IP address that was assigned to the VLAN for that network, which broke the network.



  • 3.  RE: Limiting traffic over Metro Ethernet between 3810M Switches

    Posted Jun 26, 2020 02:48 PM

    After doing some research this is what I have in mind.  It would be great to get some confirmation beforehand.  Thanks!


    ip access-list extended backups
    10 permit ip 10.10.10.50 0.0.0.0 10.10.10.16 0.0.0.0
    20 permit tcp 10.10.10.60 0.0.0.0 10.10.10.16 0.0.0.0 eq 25
    30 deny ip 0.0.0.0 255.255.255.255 10.10.10.16 0.0.0.0
    40 permit ip any any
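An added illustration (example code written for this page, not the poster's or HPE Aruba's) of the first-match behaviour reply 2 ran into, evaluated against the entries from reply 3 and against a reconstruction of the deny-first order; the reconstruction, the sample flows and their port numbers are constructed assumptions.

```python
from ipaddress import IPv4Address

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare as the ACL entries use it: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' source/destination
def evaluate(acl, pkt):
    """Walk the ACL top-down: the first matching entry decides and later entries are never
    consulted. A packet that matches nothing falls into the implicit deny at the end."""
    for seq, action, proto, src, swc, dst, dwc, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue  # 'ip' entries match every protocol; 'tcp' entries only TCP
        if not (wildcard_match(pkt["src"], src, swc) and wildcard_match(pkt["dst"], dst, dwc)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue  # a destination-port test belongs on a tcp/udp entry
        return action, seq
    return "deny", None

# Constructed reconstruction of the order reply 2 describes: deny the subnet first, then
# permit the two servers; nothing below the deny can ever be reached for that subnet.
DENY_FIRST = [
    (10, "deny",   "ip",  "10.10.10.0",  "0.0.0.255", "10.10.10.16", "0.0.0.0", None),
    (20, "permit", "ip",  "10.10.10.50", "0.0.0.0",   "10.10.10.16", "0.0.0.0", None),
    (30, "permit", "tcp", "10.10.10.60", "0.0.0.0",   "10.10.10.16", "0.0.0.0", 25),
]

# The order proposed in reply 3, with the port entry on tcp so that 'eq 25' can apply.
PERMIT_FIRST = [
    (10, "permit", "ip",  "10.10.10.50", "0.0.0.0", "10.10.10.16", "0.0.0.0", None),
    (20, "permit", "tcp", "10.10.10.60", "0.0.0.0", "10.10.10.16", "0.0.0.0", 25),
    (30, "deny",   "ip",  *ANY,                      "10.10.10.16", "0.0.0.0", None),
    (40, "permit", "ip",  *ANY,                      *ANY,                     None),
]

# Constructed sample flows: the two backup servers, another production host, and
# traffic to an unrelated network that must keep flowing (port numbers are assumptions).
FLOWS = {
    "srv1_backup": {"src": "10.10.10.50", "dst": "10.10.10.16", "proto": "tcp", "dport": 2049},
    "srv2_smtp":   {"src": "10.10.10.60", "dst": "10.10.10.16", "proto": "tcp", "dport": 25},
    "srv2_https":  {"src": "10.10.10.60", "dst": "10.10.10.16", "proto": "tcp", "dport": 443},
    "other_host":  {"src": "10.10.10.77", "dst": "10.10.10.16", "proto": "icmp"},
    "other_net":   {"src": "10.10.10.77", "dst": "10.20.0.5",   "proto": "tcp", "dport": 443},
}

def decisions(acl):
    return {name: evaluate(acl, pkt)[0] for name, pkt in FLOWS.items()}
```

Under DENY_FIRST every flow is dropped (the subnet deny wins, and the rest fall into the implicit deny), while PERMIT_FIRST admits only the two backup flows to the SAN and leaves other networks untouched.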