Multiple networks for different customers on VmWare blades

Jan 29th, 2010

Dear all,

I have a doubt about a specific network configuration related to our VmWare infrastructure.


Briefly, we have different blade chassis, each one with a pair of Integrated Cisco Switches configured with a StackWise cable.

On the blades we have VmWare machines running VMs for different customers.


We are a Service Provider and each customer has a dedicated network protected by a firewall. Each customer has also his own VTP domain on switches.


In order to deliver VMs for different customers, we set up (on the blade switches) many trunk uplinks going to the customer's VTP switching domain.


So, the blade switches have all the VLANs for customers configured (we managed to avoid overlapping VLANs) and on each trunk we have configured VLAN filtering (switchport trunk allowed vlan ...).


My question is: since by design each customer's network has to be isolated, is it a security issue having all the VLANs configured on a single switch? I mean, there is an L3 separation but not an L2 segregation.


Is there any way to configure one single uplink on the blades and perform some type of routing?



Thanks for your help.



Fabio

Jon Marshall Fri, 01/29/2010 - 02:38

Fabio


    My question is: since by design each customer's network has to be isolated, is it a security issue having all the VLANs configured on a single switch? I mean, there is an L3 separation but not an L2 segregation.


Having dedicated switches per customer will always be a more secure solution than having all customer VLANs on the same switch. That said, there are many advantages to using the setup you have and these often outweigh the disadvantages.


In your situation, with VMware servers on blade chassis, the only way you could make it more secure would be to purchase separate blade switches per customer. This would not only significantly increase the cost, because you would need new blade switches and also more uplink ports on your distribution switches etc., but it would also increase complexity and the management overhead.


It is a trade-off between convenience and security. There are a lot of designs out there that use a chassis-type solution where multiple VLANs which must be kept separate all live on the same switch, so what you are doing is not unusual. It comes down to the security needs of the companies as well. If one of the companies was storing highly sensitive data that absolutely had to stay isolated, then you may want to think about having a separate pair of switches for this company. There is nothing to stop you mixing and matching, i.e. some customers on dedicated switches, others sharing a pair of switches.


What you must do though is use all possible security measures to make sure the VLANs do remain isolated. This means technical measures but also procedural ones, i.e. making changes, updating VLAN info etc. One of the biggest dangers of your setup is a misconfiguration which allows information to leak across. A misconfiguration on dedicated switches only affects one particular customer. A misconfiguration on a switch with multiple customers can affect them all.


Technically, I have attached a link to a doc on VLAN security with recommendations as to what to do. It is for 6500 switches but most, if not all of it, is relevant to most Cisco switches -


6500 vlan security


Jon
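Jon's point that the main risk on a shared switch is a misconfiguration that lets a VLAN leak onto the wrong uplink lends itself to a routine check. The following is an added example (my code, not Jon's, Fabio's or Cisco's): it parses a `show running-config` style excerpt, expands each trunk's `switchport trunk allowed vlan` list, and compares it against a per-customer VLAN allocation and a trunk-to-customer map. The `CUSTOMER_VLANS` and `TRUNK_OWNER` tables and the config text are constructed assumptions for the demonstration; the only IOS commands relied on are the ones already mentioned in the thread.

```python
import re
from typing import Dict, List, Set

# Constructed per-customer VLAN allocation and trunk-to-customer map (assumptions,
# standing in for the provider's own records).
CUSTOMER_VLANS: Dict[str, Set[int]] = {
    "customerA": {100, 101, 102},
    "customerB": {200, 201},
    "customerC": {300},
}
TRUNK_OWNER: Dict[str, str] = {
    "GigabitEthernet1/0/1": "customerA",
    "GigabitEthernet1/0/2": "customerB",
    "GigabitEthernet1/0/3": "customerC",
}

# Constructed running-config excerpt: Gi1/0/2 wrongly allows customer A's VLAN 101,
# Gi1/0/3 has no allowed-VLAN list at all and keeps the default native VLAN 1.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100-102
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 101,200,201
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '100-102,200' into a set of VLAN ids."""
    vlans: Set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunks(config: str) -> Dict[str, dict]:
    """Trunk interfaces -> {'allowed': set or None (= every VLAN), 'native': int}."""
    interfaces: Dict[str, dict] = {}
    current = None
    prefix = "switchport trunk allowed vlan "
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"trunk": False, "allowed": None, "native": 1}
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a global command ends the interface block
            continue
        cmd = line.strip()
        if cmd == "switchport mode trunk":
            interfaces[current]["trunk"] = True
        elif cmd.startswith("switchport trunk native vlan "):
            interfaces[current]["native"] = int(cmd.split()[-1])
        elif cmd.startswith(prefix):
            spec = cmd[len(prefix):].strip()
            # 'all' means no filtering; the add/remove/except forms are not handled here
            interfaces[current]["allowed"] = (
                None if spec == "all" else set() if spec == "none" else expand_vlan_list(spec)
            )
    return {name: i for name, i in interfaces.items() if i["trunk"]}


def audit(config: str) -> List[str]:
    """Return findings; an empty list means per-customer isolation looks intact."""
    findings: List[str] = []
    owner_of: Dict[int, str] = {}
    # 1. The allocation itself must not overlap (the thread says this was avoided).
    for customer, vlans in CUSTOMER_VLANS.items():
        for v in sorted(vlans):
            if v in owner_of:
                findings.append(f"VLAN {v} allocated to both {owner_of[v]} and {customer}")
            owner_of[v] = customer
    # 2. Each trunk may carry only the VLANs of the customer domain it reaches.
    for name, t in sorted(parse_trunks(config).items()):
        customer = TRUNK_OWNER.get(name)
        if customer is None:
            findings.append(f"{name}: trunk is not assigned to any customer")
            continue
        if t["native"] == 1:
            findings.append(f"{name}: native VLAN left at default 1")
        elif t["native"] in owner_of:
            findings.append(f"{name}: native VLAN {t['native']} belongs to {owner_of[t['native']]}")
        if t["allowed"] is None:
            findings.append(f"{name}: no allowed-VLAN list, trunk carries every VLAN on the switch")
            continue
        for v in sorted(t["allowed"] - CUSTOMER_VLANS[customer]):
            findings.append(f"{name}: VLAN {v} ({owner_of.get(v, 'unallocated')}) allowed on trunk to {customer}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` and it reports the VLAN 101 leak onto customer B's uplink and the unfiltered trunk to customer C; run it against the real config export after every change window and an empty result is the evidence that the procedural controls Jon describes actually held.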

Networking Team... Fri, 01/29/2010 - 02:48
Jon,


thank you very much for your kind, prompt and helpful answer.

I very much appreciate it.


I'm going to have a look at the document you suggested me.



Regards,
Fabio

Jon Marshall Fri, 01/29/2010 - 02:58
glen.grant Fri, 01/29/2010 - 05:58
Most people assume these BladeCenter switches are L2 switches, which was true in the first gen BladeCenters. With the latest BladeCenters the switches are basically a 3750 on a card which you can stack and yes they do run all the dynamic routing protocols EIGRP, OSPF, BGP etc. What this would mean in your case I'm not sure, if anything. A knowledgeable engineer would have to look and see if there was anything they could do from a layer 3 end.

Jon Marshall Fri, 01/29/2010 - 06:31
glen.grant wrote:

    Most people assume these BladeCenter switches are L2 switches, which was true in the first gen BladeCenters. With the latest BladeCenters the switches are basically a 3750 on a card which you can stack and yes they do run all the dynamic routing protocols EIGRP, OSPF, BGP etc. What this would mean in your case I'm not sure, if anything. A knowledgeable engineer would have to look and see if there was anything they could do from a layer 3 end.


Glen


I don't think it would help in this case because even if the uplink was L3 the blade switch would still have all the customer VLANs on it, so I think what I said still applies.


Good to know that the later switches actually support L3 though, as I wasn't aware of that.


Jon
