Hello everyone. I have the setup below, where I am connecting two remote sites through an L2 VPN, as the user has the same VLANs and the same subnet at both. The tunnel has been established, but the issue is that Site 1 sends traffic to Site 2 and to the data centre, and Site 2 does the same. Outbound policy does not work with VLANs. How can I stop the communication between the remote sites? I need communication from each remote site with the data centre only.
Hi, is the only reason you’re using Layer 2 because the subnets at each site are the same, or do you want layer 2 for some reason so have made them all the same?
You can’t isolate the sites from each other as they are on the same L2 segment so by design can send broadcast traffic and contact remote devices direct without the need for layer 3 routing. No routing, no outbound policy, no firewalls, no mechanism to isolate the sites.
If you are using layer 2 because all sites need to have the same IP subnet ranges for local operational requirements, you can use virtual network mapping to leave the local subnets in place but then present a virtual network to the rest of the SpeedFusion peer devices.
@MartinLangmaid I am using L2 because the customer doesn't want to change the subnet or the VLANs.
And what flows of traffic do you need to support? Is it all remote sites to the datacenter servers, or everything via the hub for internet access perhaps? What's the point / need of the VPN?
@MartinLangmaid Each remote site has unicast and multicast traffic to send to the data centre, and the remote sites and the data centre are connected through the hub. The traffic is fine: they receive the unicast and multicast traffic at the data centre, but the issue is that this data is going to the other sites as well due to the L2 bridge. The customer wants the data to go just to the data centre, not to the other sites.
In layer 3 networks I have used Remote Network Isolation, but I'm not sure if that works on layer 2 VPNs. You could try enabling it on the hub.
If not, I can't think of a way to do this using Peplink alone if you need to support multicast. By design, all peers on the layer 2 network see all traffic sent on it.
You would need to add a virtual switch at the hub location that supports L2 isolation and then have multiple FusionHubs, one per remote site, to connect them via L2 into that switch.
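To make the last point concrete, here is an added toy model (not Peplink or SpeedFusion code, and not from anyone in this thread) of the hub-side switch that suggestion relies on: a learning bridge whose site-facing ports are marked "isolated", the same idea as Linux bridge port isolation or a private VLAN on a physical switch. All port names and MAC addresses are constructed for the example.

```python
# Toy learning bridge with optional per-port isolation (constructed model, not Peplink code).
# Isolated ports may only exchange frames with non-isolated ports (the data centre uplink),
# which is what stops site-to-site leakage of flooded multicast/broadcast on a flat L2 segment.

BCAST = "ff:ff:ff:ff:ff:ff"

def is_group_address(mac):
    # Group bit (least-significant bit of the first octet) set => multicast or broadcast.
    return int(mac.split(":")[0], 16) & 1 == 1

class HubSwitch:
    def __init__(self, ports, isolated=()):
        self.ports = list(ports)
        self.isolated = set(isolated)   # ports that must not talk to each other
        self.fdb = {}                   # forwarding database: learned MAC -> ingress port

    def egress_allowed(self, ingress, egress):
        if egress == ingress:           # never reflect a frame back out its ingress port
            return False
        # Isolated-to-isolated forwarding is the only case blocked.
        return not (ingress in self.isolated and egress in self.isolated)

    def forward(self, ingress, src, dst):
        """Return the list of ports a frame from src to dst is delivered to."""
        self.fdb[src] = ingress                          # MAC learning on every frame
        if is_group_address(dst) or dst not in self.fdb:
            candidates = self.ports                      # flood: multicast, broadcast, unknown unicast
        else:
            candidates = [self.fdb[dst]]                 # known unicast goes to one port
        return [p for p in candidates if self.egress_allowed(ingress, p)]

# Constructed addresses: one host per remote site, one at the data centre, one multicast group.
MAC_SITE1, MAC_SITE2, MAC_DC = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:dc"
MCAST_GROUP = "01:00:5e:01:02:03"

def scenario(isolation):
    """Replay the thread's traffic with and without site-port isolation on the hub switch."""
    sw = HubSwitch(["site1", "site2", "dc"], isolated=["site1", "site2"] if isolation else [])
    sw.forward("dc", MAC_DC, BCAST)        # data centre host broadcasts once, so it gets learned
    sw.forward("site2", MAC_SITE2, BCAST)  # site 2 host does the same
    return {
        "mcast_from_site1": sw.forward("site1", MAC_SITE1, MCAST_GROUP),
        "ucast_site1_to_dc": sw.forward("site1", MAC_SITE1, MAC_DC),
        "ucast_site1_to_site2": sw.forward("site1", MAC_SITE1, MAC_SITE2),
    }

if __name__ == "__main__":
    for iso in (False, True):
        print("isolated site ports" if iso else "plain L2 bridge", scenario(iso))
```

With isolation off, Site 1's multicast floods to both Site 2 and the data centre, which is the behaviour the thread describes; with the two site ports isolated, the same frames reach only the data centre and direct Site 1 to Site 2 unicast is dropped at the hub.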