Wednesday, March 25, 2020

Simple ACL to stop communication with VLAN... am I nuts?

Alright, I thought this would be simple enough, but I have to be missing something here...

In brief: I have a VLAN that my backup servers reside on. I am trying to segregate it from the rest of the network.

Physical infrastructure is a stack of Cisco 9300s.

Basic setup is:

  • VLAN 700 - Segregated Backup VLAN (10.60.55.0/24)

  • VLAN 4000 - Regular Server VLAN

Server setup is:

  • Veeam Backup Repository - VLAN 700

  • Veeam Proxy/Server - VLAN 700 on 1 NIC, VLAN 4000 on another NIC.

The goal is to stop VLAN 700 from being accessible to anything other than traffic that is already on VLAN 700.

My access list is as follows:

interface Vlan700
 description BACKUP VLAN
 ip address 10.60.55.1 255.255.255.0
 ip access-group BACKUP in

ip access-list extended BACKUP
 permit ip 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255
 permit tcp 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255 established
 permit udp 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255
 deny ip any any

Works fine and dandy, except whenever this ACL is in place, my Veeam backup jobs fail, saying they cannot contact the backup repository (aka the backup server on VLAN 700).

From the Veeam server I can ping the backup repo, even RDP the backup repo, but can't get the backup going.

Anyway, can someone sanity check my ACL?
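The following is an added example, not part of the original post, that parses the ACL above and models how a router ACL applied inbound on the Vlan700 SVI treats the flows the post mentions. It assumes standard Cisco semantics for a routed ACL on an SVI: the list is consulted only for packets that enter the switch from VLAN 700 and are routed to another subnet, while frames between two hosts on VLAN 700 are switched at layer 2 and never hit it. The VLAN 4000 address 192.0.2.10 is a stand-in, since the post does not give that subnet, and the hosts 10.60.55.10 and 10.60.55.20 are likewise made-up addresses inside the backup VLAN.

```python
import ipaddress
from dataclasses import dataclass

# The ACL exactly as posted (interface and list headers omitted).
ACL_TEXT = """\
permit ip 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255
permit tcp 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255 established
permit udp 10.60.55.0 0.0.0.255 10.60.55.0 0.0.0.255
deny ip any any
"""

VLAN700 = ipaddress.ip_network("10.60.55.0/24")


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard mask is the bitwise inverse of a netmask; only
    # contiguous masks are modelled here.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tok, netmask), strict=False), i + 2


def parse_acl(text):
    """Turn extended-ACL lines into Rule objects, in order."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        rules.append(Rule(action, proto, src, dst, "established" in tokens[i:]))
    return rules


def evaluate(rules, proto, src, dst, is_reply=False):
    """First-match evaluation. Returns (action, rule index); implicit deny if nothing matches.
    'established' matches only TCP segments with ACK/RST set, modelled here as is_reply."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(rules):
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.established and not is_reply:
            continue
        return r.action, idx
    return "deny", None


def svi_inbound_verdict(rules, proto, src, dst, is_reply=False):
    """Model of 'ip access-group BACKUP in' on interface Vlan700 (assumption: a router
    ACL on an SVI sees only traffic routed through that SVI)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in VLAN700:
        return "not-evaluated (packet does not enter from VLAN 700)"
    if d in VLAN700:
        return "not-evaluated (switched within VLAN 700, ACL never consulted)"
    action, _ = evaluate(rules, proto, src, dst, is_reply)
    return action


def flow_report(rules):
    """Verdicts for constructed flows; 192.0.2.10 stands in for a VLAN 4000 host."""
    flows = {
        "repo 10.60.55.20 -> proxy NIC 10.60.55.10 (tcp)": ("tcp", "10.60.55.20", "10.60.55.10", False),
        "VLAN 4000 host 192.0.2.10 -> repo 10.60.55.20 (tcp SYN)": ("tcp", "192.0.2.10", "10.60.55.20", False),
        "repo 10.60.55.20 -> VLAN 4000 host 192.0.2.10 (tcp reply)": ("tcp", "10.60.55.20", "192.0.2.10", True),
    }
    return {name: svi_inbound_verdict(rules, *args) for name, args in flows.items()}


if __name__ == "__main__":
    for name, verdict in flow_report(parse_acl(ACL_TEXT)).items():
        print(f"{name}: {verdict}")
```

Two things the model makes visible. The permit ip line already covers everything the tcp established and udp lines could permit, so those two lines never match. More importantly, every permit restricts the destination to 10.60.55.0/24, while the inbound SVI ACL only ever sees packets from VLAN 700 that are destined elsewhere, so the only line that can match a packet the ACL actually evaluates is deny ip any any: any reply from a VLAN 700 host to a host on another subnet, for example a session opened from the VLAN 4000 side, is dropped.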
