Network Restrictions on VLANS

Scott Hanson
Level 3

Hello,

I have a remote site connected to a central site with a P2P. Internet access is across the P2P and out through the central site. VLANs 50, 51 and 52 exist at both sites. These VLANs are for servers and other VMs. If I want to restrict the remote site to Internet access only, can I not just shut down those VLANs on the switch at the remote site, or would I need to do something more?

Thanks,

Replies rated.

5 Replies

Richard Burts
Hall of Fame

We could give you better answers if we knew more about your environment. How is the P2P configured that connects the sites? When you say that vlans 50, 51, and 52 exist at both sites, is there a subnet for the vlan at the central site and a different subnet for the vlan at the remote site? What kind of device connects the sites via the P2P?

We also need a better understanding of what the vlans at the remote site need to connect to. If you just shut down the vlans on the switch at the remote site then it looks like those vlans would not communicate with anything. That does not sound like the result that you want. Do the vlans need to communicate only with other devices at the remote site? Do the vlans need to communicate with the vlans at the central site?

It should be possible to configure some filter/access lists to restrict their access. But whether it is feasible and desirable to do it at the device connecting the remote site to the P2P, or at the device connecting the central site to the P2P, or at the device connecting the central site to the Internet would depend on having answers to the questions I have asked.

HTH

Rick

Thanks Rick,

The VLANs exist at both the central and remote site. The desired effect is indeed for the remote site not to be able to get to the servers and workstations on those VLANs anymore. Just Internet access only.

It is still not clear what the relationship is between devices in vlan 50 at the remote site and devices in vlan 50 at the central site. It is also not clear what kind of devices connect the sites over the P2P link.

Is it correct to understand that what you want to achieve is that devices at the remote site can access Internet through the central site but that devices at the remote site should not communicate with any devices at the central site?

HTH

Rick

Hello Rick,

Yes, the goal is for the remote site to still be able to get to the Internet through the central site but not be able to talk to anything else.

Thanks for the clarification. Without knowing what the devices are that make the P2P connection, it is difficult to know what their capabilities are and whether they would support the alternatives that we might suggest. For example, perhaps the optimum solution would be to configure VRFs and put the remote subnets into a VRF that routes to the Internet but not to any of the subnets at the central site.

Another alternative would be to do some route filtering at the remote site so that it does not have routes to the central site servers, etc. Or another alternative would be to configure access lists and apply them to deny traffic between the remote site addresses and the addresses for servers, etc. at the central site.

HTH

Rick
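As an added illustration of the access-list alternative in the reply above (this is example configuration, not something posted in the thread), the filter below is placed on the central-site router, inbound on the interface that terminates the P2P link. It assumes the central site uses RFC 1918 addressing internally, that the interface is GigabitEthernet0/1, and that the remote site does not rely on any central-site service such as DNS (if it does, add specific permit lines for those hosts above the deny lines).

```cisco
! Example only. Assumed: central-site router, P2P terminates on Gi0/1,
! all central-site internal addressing is RFC 1918.
! Anything arriving from the remote site is denied to internal ranges
! and permitted to everything else (the Internet). The "log" keyword
! records denied attempts so they show up in syslog for review.
ip access-list extended REMOTE-INTERNET-ONLY
 remark Block remote site to central-site internal address space
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark Everything else is Internet-bound traffic: allow it
 permit ip any any
!
interface GigabitEthernet0/1
 description P2P link to remote site (assumed interface)
 ip access-group REMOTE-INTERNET-ONLY in
```

Because the filter is inbound on the central router, it also drops the reply half of any session a central-site host opens toward the remote site, so the separation is effectively two-way for TCP; use `show ip access-lists REMOTE-INTERNET-ONLY` to confirm the deny counters are incrementing when you test from the remote site.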