Nexus 1000V - control additions of VM to a Port-Profile

Unanswered Question
Oct 6th, 2009

Is there a way to control the additions of a VM to a Port Profile until proper approvals?

Part of our process for deploying machines in the DMZ is to ensure the machine (real or virtual) meets certain criteria (hardening, patching, virus, ...).

The security group is concerned that the server team could accidentally / purposefully bring a VM online without first being "checked".

Is there a way to prevent additions of a VM to a Port-Profile until someone on the Networking Security team enables the addition of 1 more machine to the Port Profile?

Would vmware max-ports do the trick?

9ball Tue, 09/07/2010 - 17:50

I know this is an old post, but I see that nobody ever replied to it. So I'll put my two cents in, so far as I understand the capabilities of the Nexus 1000v and VMware.

I'm currently evaluating the Nexus 1000v. I plan to use max-ports and sticky port-security to limit the ability of VM admins to accidentally or purposely place a system in a vLAN to which they have not been authorized. The port-security could be circumvented if the VM admin simply sets the MAC address of the new system to be the same as the old system, and using the same IP address could even fool simple ping monitors and firewalls, though it's still possible that our monitoring system, or somebody, would notice that the original host is no longer up. It's not perfect security by far, though it would mitigate the accidental cases.

The other thing that I'm considering, in addition to what I've already mentioned, is configuring the port-profile with an isolated private vLAN. The network administrator would then have to manually configure the Vethernet port for the correct vLAN before any host communications would be possible. It's more secure, but, as always with security, it becomes more difficult to manage. At this point, though, I don't know whether the port-profile vLAN configuration could ever override anything that I explicitly configure on the Vethernet (host) ports. It appears as though the port-profile configuration is only applied when the Vethernet port is created, and is never referred to again. More testing and documentation reading is still required.

With respect to port-profiles, I'm disappointed with the limitation of 256 per DVS. Assigning the vLAN in the port-profile may not even be an option for me as I'd have to deploy multiple DVSes (and split my single ESX cluster into multiple clusters) just to support the number of vLANs I have today. I digress, that's another story for another thread.

Edited to add: I found the answer to the original question. Basically, configure the port-profile such that new ports are shut down when they are created.

From the Nexus 1000v FAQ:

Q. Is creating a port profile on the Cisco Nexus 1000V and making it available within VMware vCenter equivalent to leaving a physical network interface open and enabled on a switch?
A. Yes and no: yes in the sense that after the port profile is created, a virtual machine can use it and connect to a vEth interface; and no in the sense that the interface will be constrained by whatever policy you have defined and will not be just an open port. You can, if you want, define a port profile without the no shutdown command. This command will force the network administrator to enter no shut in the CLI when the connection is created; however, this approach is the reason that server administrators like virtual connection: they do not have to wait for the network administrator.

Message was edited by: 9ball
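The following is an added example (not posted by anyone in this thread and not taken from Cisco documentation) that puts together the three controls discussed above into one Nexus 1000V vEthernet port-profile: a `vmware max-ports` cap, sticky port-security, and the FAQ's approach of leaving out `no shutdown` so every newly created vEth port starts administratively down. The profile name, VLAN id, port count and vEth interface number are assumed placeholder values; verify the exact command syntax against the NX-OS release you run.

```text
! Added example, not from the thread. Placeholder values throughout.
! Goal: a VM attached to this port-group gets no connectivity until a
! network/security admin explicitly enables its vEth interface.

port-profile type vethernet DMZ-APPROVED
  vmware port-group
  ! Upper bound on how many vEth ports this profile can hand out.
  ! This only caps the count; it does not decide which VM gets a port.
  vmware max-ports 8
  switchport mode access
  switchport access vlan 100
  ! Sticky port-security: the first MAC seen is learned and pinned, a
  ! second MAC on the same vEth is a violation that shuts the port.
  switchport port-security
  switchport port-security maximum 1
  switchport port-security mac-address sticky
  switchport port-security violation shutdown
  ! The control that answers the original question: do NOT add
  ! "no shutdown" here. Each vEth inherits the profile at creation time
  ! and so comes up administratively down. (Stating "shutdown"
  ! explicitly, as below, makes the intent visible in the running-config.)
  shutdown
  state enabled

! After the security team has approved one specific VM, the network admin
! brings up only that VM's port. The interface number is a placeholder;
! read it from "show port-profile name DMZ-APPROVED" or
! "show interface virtual" after the VM is attached.
interface vethernet 7
  no shutdown

! Checks: which vEths belong to the profile, and the admin state of one port.
show port-profile name DMZ-APPROVED
show interface vethernet 7
show port-security address
```

Two caveats the thread already hints at: `vmware max-ports` alone does not answer the question, since it limits how many VMs can join, not whether each one was approved; and the shutdown-by-default profile trades the server team's self-service for a manual `no shutdown` per VM, which is exactly the friction the FAQ warns about, so it is best reserved for profiles like a DMZ port-group where the approval step is already required by policy.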
