Using Virtual-Wire to isolate and allow/deny traffic to a couple hosts on existing subnet.

L1 Bithead

We have a situation as a result of going through a PCI audit. We have a single subnet which contains a handful of servers that need to be isolated and have their traffic restricted. Originally we were going to move these few servers to a new switch VLAN, changing the IP scheme, and use the PA to permit/allow traffic between that new VLAN, the existing subnet and the internet. Now it looks like it is going to be a pain, since there are a lot of changes that will need to be made to these few servers to change the IP. Worse yet is that the vendor is on a service blackout as a result of being purchased by Oracle, so there is no time before our deadline to get assistance from them before we are fined for not being in compliance.

My thought was to create a virtual wire where traffic would ingress to the PA from the existing LAN VLAN (client side) and egress on the other interface of the virtual wire (server side), so I can apply rules to all traffic bound to/from those servers. It seems like it should work in my mind, but I'm wondering whether I'm on the right track or there is a better way to isolate these few hosts and lock them down.

Hopefully this makes sense. I can do a visual if needed.

Thanks

L7 Applicator

Re: Using Virtual-Wire to isolate and allow/deny traffic to a couple hosts on existing subnet.

You're on the right track, and this would work as described.

The other way to accomplish this would be using L2 mode with VLAN-tag rewrite.

Either method would allow you to keep the same IP scheme, yet isolate one group of hosts from another.
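A worked configuration for the virtual-wire option, added here as an example; it is not from the original thread and not Palo Alto's own documentation. The interface names, zone names, the 10.10.20.0/24 subnet, the host addresses and the application choices are all assumptions for illustration. The one prerequisite the thread does not spell out: the PCI servers' switch ports have to be moved onto a separate switch (or port group) whose only uplink is the server-side interface of the wire, so that every frame to or from those servers physically crosses the firewall. A host that still shares the original switch VLAN with the servers would reach them directly and bypass the policy entirely.

```text
# PAN-OS CLI, configure mode. Assumed layout: ethernet1/3 faces the existing
# LAN (client side), ethernet1/4 faces the isolated PCI servers (server side).
set network interface ethernet ethernet1/3 virtual-wire
set network interface ethernet ethernet1/4 virtual-wire
set network virtual-wire pci-vwire interface1 ethernet1/3 interface2 ethernet1/4

# A zone on each end of the wire so rules can be written by direction
set zone LAN network virtual-wire ethernet1/3
set zone PCI network virtual-wire ethernet1/4

# Only the app tier (assumed 10.10.20.50) may reach the DB server (assumed 10.10.20.200)
set rulebase security rules app-to-pci-db from LAN to PCI source 10.10.20.50 destination 10.10.20.200 application mssql-db service application-default action allow log-end yes

# Only the admin jump host (assumed 10.10.20.10) may manage the servers
set rulebase security rules admin-to-pci from LAN to PCI source 10.10.20.10 destination any application [ ssh ms-rdp ] service application-default action allow log-end yes

# Servers may only initiate DNS/NTP to the internal resolver (assumed 10.10.20.5)
set rulebase security rules pci-to-infra from PCI to LAN source any destination 10.10.20.5 application [ dns ntp ] service application-default action allow log-end yes

# Explicit, logged deny in both directions so bypass attempts show up in the traffic log
set rulebase security rules deny-pci from [ LAN PCI ] to [ LAN PCI ] source any destination any application any service any action deny log-end yes

commit
```

The wire passes ARP and other non-IP frames through unchanged, which is what lets both ends remain in the one subnet with the servers' addresses and default gateway untouched; policy is applied to the IP flows that cross it. After the commit, confirm the servers are really behind the wire by generating a connection from a host that should be blocked and checking that it appears as a deny in the traffic log (or in `show session all filter destination 10.10.20.200`); if it connects without showing up at all, that host has a path to the servers that does not go through the firewall.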

L1 Bithead

Re: Using Virtual-Wire to isolate and allow/deny traffic to a couple hosts on existing subnet.

Thank you! That is what I needed to know. I went with the L2 mode with VLAN re-write. Works just as expected.

Josh
