Inter/Intra vlan ACL- OSPF

mvsheik123
Level 7

Hello experts,

Core: DC: 2x 6500 (PO trunked), configured L3 VLAN interfaces with HSRP.


Vlans:

Servers - 192.168.5.0/24

PCs: 192.168.10.0/24

Phones : 192.168.20.0/24

Replica-exchange: 192.168.30.0/24

--------------------------------------

DR- One Core SW:

Vlans:

Servers vlan - 10.10.5.0/24

PCs: 10.10.10.0/24

Phones : 10.10.20.0/24

Replica-exchange: 10.10.30.0/24

----------------------------

OSPF is the routing protocol. Everything works fine.

New requirement (exchange 2010 MAPI & DAG subnets)

192.168.5.0 <--> 192.168.30.0 & 10.10.30.0 : Communication should fail

10.10.5.0/24<--> 192.168.30.0 & 10.10.30.0 : Fail

Replica@DC <--> Replica@DC: work

Replicas --> Rest of the nw- not that of an issue.

I am thinking of adding extended ACLs on the Replica-Exchange (DC & DR) and Servers VLAN interfaces to block bidirectional communication.

CORE1 & 2:

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 deny ip 10.10.5.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip any any
!
access-list 102 deny ip 192.168.30.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny ip 192.168.30.0 0.0.0.255 10.10.5.0 0.0.0.255
access-list 102 permit ip any any
!
interface Vlan30
 description Replication
 ! "in" on an SVI filters packets sourced from this VLAN (192.168.30.0/24 sources), so ACL 102 goes here
 ip access-group 102 in
 ! "out" filters packets destined to this VLAN (192.168.30.0/24 destinations), so ACL 101 goes here
 ip access-group 101 out
!

Similarly on DR as well.

I wanted to see if ACL is the way to go or any other suggested methods with OSPF being the routing protocol.

Thanks in advance

MS
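
Added example (not from the thread or the poster): a small Python model of the DC vlan30 SVI that checks the ACLs posted above against the stated requirement, for both ways of binding 101/102 in and out. The subnets and ACL lines come from the post; the host addresses and the requirement rows are constructed, and the model ignores HSRP and which of the two cores actually forwards a given packet.

```python
import ipaddress

# ACL lines as posted for the DC core pair; the DR side is the mirror image
# with 10.10.30.0/24 as the replication VLAN.
ACL_CONFIG = """
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 deny ip 10.10.5.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 192.168.30.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny ip 192.168.30.0 0.0.0.255 10.10.5.0 0.0.0.255
access-list 102 permit ip any any
"""

DC_REPLICA_VLAN = "192.168.30.0/24"  # subnet behind the DC "interface Vlan30" SVI

# Constructed requirement matrix (host addresses are made up): (src, dst, verdict expected
# at the DC vlan30 SVI). Server <-> replica must fail; replica DC <-> DR and the rest of
# the network must keep working.
REQUIRED = [
    ("192.168.5.10", "192.168.30.10", "deny"),
    ("192.168.30.10", "192.168.5.10", "deny"),
    ("10.10.5.10", "192.168.30.10", "deny"),
    ("192.168.30.10", "10.10.5.10", "deny"),
    ("192.168.30.10", "10.10.30.10", "permit"),
    ("10.10.30.10", "192.168.30.10", "permit"),
    ("192.168.10.10", "192.168.30.10", "permit"),
]


def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard mask -> IPv4Network (contiguous wildcards only)."""
    mask = int(ipaddress.IPv4Address("255.255.255.255")) ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse numbered extended 'access-list N permit|deny ip SRC DST' lines into {N: [(action, src, dst)]}."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        num, action = parts[1], parts[2]
        src, rest = _take_addr(parts[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(num, []).append((action, src, dst))
    return acls


def evaluate(entries, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny, as on IOS."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def svi_forward(vlan_net, acl_in, acl_out, src, dst):
    """Verdict for one packet as seen by a single SVI. 'in' filters packets sourced in
    the VLAN (entering the switch from its hosts); 'out' filters packets destined to the
    VLAN (leaving the switch toward its hosts). Other packets never touch this SVI."""
    net = ipaddress.IPv4Network(vlan_net)
    if ipaddress.IPv4Address(src) in net:
        return evaluate(acl_in, src, dst) if acl_in is not None else "permit"
    if ipaddress.IPv4Address(dst) in net:
        return evaluate(acl_out, src, dst) if acl_out is not None else "permit"
    return "permit"


def check_placement(acls, in_num, out_num):
    """Rows of REQUIRED that the given in/out binding violates: (src, dst, expected, actual)."""
    violations = []
    for src, dst, expected in REQUIRED:
        actual = svi_forward(DC_REPLICA_VLAN, acls[in_num], acls[out_num], src, dst)
        if actual != expected:
            violations.append((src, dst, expected, actual))
    return violations


ACLS = parse_acl(ACL_CONFIG.splitlines())

if __name__ == "__main__":
    for in_num, out_num in (("101", "102"), ("102", "101")):
        bad = check_placement(ACLS, in_num, out_num)
        print(f"ip access-group {in_num} in / {out_num} out: {len(bad)} requirement rows violated")
        for row in bad:
            print("   ", row)
```

The binding that leaves zero violated rows is the one to apply: with the SVI semantics above, ACL 102 (sources in 192.168.30.0/24) belongs in the "in" direction and ACL 101 (destinations in 192.168.30.0/24) in the "out" direction. The DR side is checked the same way with 10.10.30.0/24 and the mirrored ACL lines.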

1 Accepted Solution

Marwan ALshawi
VIP Alumni

I think ACL is a good choice because any route filtering will lead to issues of blocking communications between other subnets that you might need.

ACL is a simple solution for your requirement

Always keep it simple

Hope this helps


2 Replies

mvsheik123
Level 7

Perfect. Thank you.
