
DMZ virtualization and network design. UCS+VMWARE

comsout (Level 1)

Up to now, we had a physically segmented network with internal and external zones in different VTP domains. Internal zone switches have one VLAN set, and external zone switches have a different VLAN set. VLANs are not propagated between zones for security reasons; they are isolated.

We have just started working with UCS+VMware, and we are facing some trouble. Under the previous model, if we virtualize servers from the internal zone in the UCS farm, we cannot virtualize servers from the external zone in the same UCS farm, since I would have to propagate external VLANs to the internal zone switches as well as to the UCS farm, mixing them. As a result, isolation would be lost.

I am trying to redesign my whole core network, to adapt the current infrastructure to the new one with UCS+VMware, without losing any security.

My main question is whether it is possible to virtualize external and internal zone virtual machines in the same UCS farm without compromising my network security.

Could you give me some advice or design guidelines?

Regards,

Accepted Solution

mwronkow (Cisco Employee)

Hello -

You are correct that up through UCS 1.4 all VLANs needed to be available on the upstream switches. However, UCS 2.x introduced a feature named "Disjointed L2." Using this feature you will be able to connect the Fabric Interconnects to both your internal network and DMZ, then provision those VLANs to blades.

http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/gui/config/guide/2.0/b_UCSM_GUI_Configuration_Guide_2_0_chapter_010101.html

Matthew

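As an added illustration of the design constraint the accepted answer describes (this is not code from the thread or from Cisco), the script below checks a planned VLAN-to-uplink mapping for the isolation properties the original question cares about; the uplink, vNIC and VLAN names and numbers are constructed.

```python
"""Constructed example (not Cisco's code): sanity-check a UCS Disjoint L2 plan in
which the Fabric Interconnect uplinks reach two separate upstream networks
(internal and DMZ, as in the thread). Checks: no VLAN is allowed on uplinks of
different zones; every vNIC VLAN is assigned to some uplink (an unassigned VLAN
is treated as unpinned, a conservative assumption here); no vNIC mixes zones.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Uplink:
    name: str         # hypothetical port-channel name
    zone: str         # "internal" or "dmz"
    vlans: frozenset  # VLAN IDs allowed on this uplink

@dataclass(frozen=True)
class Vnic:
    name: str         # hypothetical service-profile vNIC name
    vlans: frozenset  # VLAN IDs trunked to the blade on this vNIC

def find_isolation_violations(uplinks, vnics):
    """Return human-readable findings; an empty list means the plan is clean."""
    findings = []
    vlan_zones = {}  # VLAN ID -> set of zones whose uplinks carry it
    for up in uplinks:
        for vid in up.vlans:
            vlan_zones.setdefault(vid, set()).add(up.zone)
    for vid in sorted(vlan_zones):
        if len(vlan_zones[vid]) > 1:  # one VLAN would bridge both upstream networks
            findings.append(f"VLAN {vid} is allowed on uplinks in zones {sorted(vlan_zones[vid])}")
    for nic in vnics:
        zones = set()
        for vid in sorted(nic.vlans):
            if vid not in vlan_zones:
                findings.append(f"{nic.name}: VLAN {vid} is not assigned to any uplink")
            else:
                zones |= vlan_zones[vid]
        if len(zones) > 1:  # a blade interface with a leg in each zone
            findings.append(f"{nic.name}: carries VLANs from zones {sorted(zones)}")
    return findings

# Constructed sample plans: VLANs 10/20 are internal, 100/110 are DMZ.
GOOD_UPLINKS = [Uplink("Po1-internal", "internal", frozenset({10, 20})),
                Uplink("Po2-dmz", "dmz", frozenset({100, 110}))]
GOOD_VNICS = [Vnic("vnic-app", frozenset({10, 20})), Vnic("vnic-web", frozenset({100}))]
# Same design with three mistakes: VLAN 20 also trunked to the DMZ uplink, a DMZ
# vNIC that also carries VLAN 20, and VLAN 30 assigned to no uplink at all.
BAD_UPLINKS = [Uplink("Po1-internal", "internal", frozenset({10, 20})),
               Uplink("Po2-dmz", "dmz", frozenset({100, 110, 20}))]
BAD_VNICS = [Vnic("vnic-app", frozenset({10, 30})), Vnic("vnic-web", frozenset({100, 20}))]
```

Run `find_isolation_violations(BAD_UPLINKS, BAD_VNICS)` to see the three findings; the good plan returns an empty list.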

5 Replies

Hello -

How secure is the UCS "disjointed L2" solution compared to traditional physically separated L2 domains, i.e. DMZ and back-end network?

fb_webuser (Level 6)

It might be worthwhile exploring Nexus 1000V and specifically the VSG (Virtual Security Gateway) which targets the ability to provide more granular security within a VMWare virtualised environment.

---

Posted by WebUser Adriaan Steyn

comsout (Level 1)

Thank you. I greatly appreciate your useful contributions.

Regards,

Jeremy Mayfield (Level 1)

I have a UCS Mini, and I do not know what version I have.

a. How do I check the version?

b. How can I upgrade if I am not on the right version?

I am using a Nexus 3000 as my fabric switch to the rest of the network, and I have a 9300 that I will also have available for the server cabinet. Can I make this happen, or will I need a virtual switch like a Nexus 1000 appliance in my VMware environment? I am also not a Cisco engineer.
