
Ask the Expert: Data Center and Cloud Security

Dec 7th, 2012

With Naman Latif

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about different solutions and best practices around securing your physical and virtual environment in the Data Center with Cisco expert Naman Latif.

Naman Latif is a network consulting engineer in the Advanced Services organization at Cisco. He currently focuses on Cisco's security portfolio for data centers including secure data design in both single and multi-tenant environments, virtualization, and security technologies. His other areas of expertise include physical and virtual appliances, routing and switching, and data centers. He holds a bachelor's degree in electrical engineering from UET, Lahore in Pakistan. He also holds CCIE certification in Security (#15951) as well as Cisco WWSP Specialist and VCP (VMware) certifications.

Remember to use the rating system to let Naman know if you have received an adequate response to your technical support question.

Naman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum shortly after the event. This event lasts through December 21, 2012. Visit this support forum often to view responses to your questions and the questions of other Cisco Support Community members.

sarah.staker Mon, 12/10/2012 - 15:23

Hello Naman,

I have a quick question on Data Center Security. Can we use TrustSec in Data Center networks? If so, how?

thank you.

- Sarah

irina.shishkina.23 Wed, 12/12/2012 - 06:36

Hi Naman,

I wonder if we can provide secure multi-tenancy within a Cloud. Can we? If so, what is the process to do this? Is there any documented procedure?

Thank you in advance

Irina

frede_frede Wed, 12/12/2012 - 13:59

Hi Naman,

In a scenario of a data center network with VMs connecting to a group of Nexus 5500 switches, what Layer 2 security features do you recommend? Are there features to implement in cases where virtual machines can move easily?

Unfortunately, at this time I don't have the conditions to install the Nexus 1000V.

Best regards

Fred

ferjbello Mon, 12/17/2012 - 11:23

Hello Naman,

I was reading about VSAN and zones on MDS series switches. I am not sure which one will give more security to the MDS infrastructure. Could you please give an example of the difference between VSAN and zones?

In addition, we are upgrading our servers and we are looking for hardware that is compatible with the MDS 9100 series (9124/9134/9148). I cannot find anything related to compatible boards. Do you have any link where I might check which HBA is compatible with Cisco hardware? For instance, is the following HP 82B PCIe 8Gb FC Dual Port HBA compatible with Cisco MDS hardware?

thanks in advance,

Fernando

sebastiangarcia Tue, 12/18/2012 - 14:02

Hi Naman,

What are some Cisco Products designed to provide security for Virtual machines?

I would like to know.

thanks a lot,

Sebastian

mulatif Wed, 12/19/2012 - 11:34

Hi Sebastian,

Various products in the Cisco portfolio provide security for virtual machines from where the traffic enters the Data Center all the way up to the virtual machine. The solution can be purely virtual, physical, or a combination of both.

E.g.

1. Cisco ASA Firewall and ASA Service Module provide typical Layer 3/4 filtering with limited Layer 7 inspection. The ASA appliance can be installed with an IPS module for deeper inspection and application-layer security.

2. Virtual Security Gateway (VSG) is a virtual appliance which is aware of virtual machine attributes and can implement policies based not only on Layer 3/4 attributes but also on VM-specific attributes like name, OS name, etc. It works in conjunction with the Nexus 1000V.

3. Virtual ASA (vASA) is a virtual appliance which provides a complete virtual solution when used with VSG and N1K.

See below URLs for more information.

http://www.cisco.com/en/US/products/ps11208/index.html

http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/ns376/index.html

In addition to the above appliances, many software features on Nexus hardware (when used as a DC switch) can provide more security through the use of TrustSec.

http://www.cisco.com/en/US/netsol/ns1051/index.html

Thanks,

Naman

zhoucengchao Tue, 12/18/2012 - 16:15

Hi Naman,

In a public cloud computing environment, one hypervisor host (say VMware ESXi) may host VMs from different customers. Those VMs may use the same MAC address for their vNIC. What if VMs with the same MAC happen to connect to the same vSwitch? This will cause the MAC table on the vSwitch to update constantly.

How would the vSwitch, or a Cisco solution, resolve such an issue and provide isolated networking to each cloud tenant?

thank you!

mulatif Wed, 12/19/2012 - 11:37

Hi Steve,

Typically, when using more than one ESXi host, you would use vCenter to manage all the hosts, create new VMs, etc. In this case vCenter itself makes sure that no duplicate MAC addresses are assigned to different VMs.

If you are using different ESXi hosts and still not using vCenter for some reason, then you would have to treat each environment uniquely. In this case there will not be a common vSwitch among the ESXi hosts; however, you might need to modify the MAC pool on each ESXi host to make it unique across your environment.

Thanks,

Naman

zhoucengchao Wed, 12/19/2012 - 16:30

Thank you, Naman.

So you are saying the vCenter will ensure the uniqueness of VM MACs, right? What if the VMs were migrated from an existing customer data center? What I'm trying to say is that the existing virtual environment has already set the MAC for each VM. In such a situation, it would be possible that the existing customer VMs have the same MAC as VMs that are already in, or will be moved to, the same public cloud environment. How does vCenter deal with this? I don't think vCenter will change the existing MAC automatically to ensure the uniqueness of VM MACs.

What do you think?

thank you!

mulatif Wed, 12/19/2012 - 21:25

Hi Steve,

This is more of a VMware/vCenter operations question and I would recommend confirming this in the appropriate forums.

However, as per my understanding, during vMotion the MAC address will "not" change, and that is not a problem since this is handled by vCenter and their uniqueness is preserved.

However, if you are importing a VM from a different vCenter environment, then this is more of a copy operation, and in that case vCenter will assign a new MAC address. See below; this may explain it better.

http://communities.vmware.com/thread/303497

Thanks,

Naman

zhoucengchao Wed, 12/19/2012 - 22:05

I'm not very sure about how to migrate, but it shouldn't be a clone process. Anyway, I just learnt from others that a network overlay might be the solution.
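The duplicate-MAC concern raised in this exchange can be checked ahead of time against an inventory, before a VM from another environment lands on a shared segment. The Python below is an added example, not code from the thread, from Cisco or from VMware: it takes a constructed CSV export of vNICs (hypothetical hosts, port groups, tenants and VM names), normalizes the different MAC notations, and reports MACs that repeat within the same port group, treating each port group as its own Layer 2 segment (an assumption; the same MAC on two isolated segments is harmless, while on one segment it is what makes the vSwitch MAC table flap). It also classifies each address by the VMware ranges as I recall them from VMware documentation (00:0C:29 host-generated, 00:50:56:00-3F static, 00:50:56:80-BF vCenter-generated; treat those ranges as assumptions to verify against current VMware docs), since a collision in the static range points at manually assigned addresses carried in from a customer's own environment rather than at vCenter's allocator.

```python
"""Detect duplicate vNIC MAC addresses per Layer 2 segment in a VM inventory.

Added example (not from the thread). Input is one row per vNIC; a MAC that
appears on more than one vNIC inside the same port group is reported, and
duplicates that span tenants are singled out, because a tenant's VM receiving
frames addressed to another customer's VM is the isolation failure at stake.
"""
from collections import defaultdict
import csv
import io

# Constructed sample inventory: hypothetical hosts, port groups, tenants, VMs.
# Row 1 and row 3 share a MAC but sit on different port groups (not flagged);
# rows 4 and 5 share a MAC on the same shared port group (flagged, cross-tenant).
SAMPLE_INVENTORY = """\
host,portgroup,tenant,vm,mac
esxi-01,tenant-a-vlan-110,tenant-a,web-01,00:50:56:a1:00:01
esxi-01,tenant-a-vlan-110,tenant-a,web-02,00-50-56-A1-00-02
esxi-02,tenant-b-vlan-120,tenant-b,db-01,00:50:56:a1:00:01
esxi-02,shared-vlan-100,tenant-b,app-01,0050.5600.0010
esxi-03,shared-vlan-100,tenant-c,app-07,00:50:56:00:00:10
esxi-03,shared-vlan-100,tenant-c,app-08,00:0C:29:12:34:56
"""


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form, so "00-50-56-A1-00-02" and
    "0050.5600.0010" compare equal to the colon notation."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_origin(mac):
    """Classify a MAC by VMware allocation range. Assumed ranges (verify against
    VMware docs): 00:0c:29 = ESXi host-generated; 00:50:56 with 4th octet
    00-3f = statically assigned; 00:50:56 with 4th octet 80-bf = vCenter-generated."""
    octets = [int(o, 16) for o in normalize_mac(mac).split(":")]
    if octets[:3] == [0x00, 0x0C, 0x29]:
        return "esxi-host"
    if octets[:3] == [0x00, 0x50, 0x56]:
        if octets[3] <= 0x3F:
            return "static"
        if 0x80 <= octets[3] <= 0xBF:
            return "vcenter"
    return "other"


def find_duplicates(inventory_csv):
    """Return {(portgroup, mac): [(tenant, vm, host), ...]} for every MAC that
    is attached to more than one vNIC within the same port group."""
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["portgroup"], normalize_mac(row["mac"]))
        seen[key].append((row["tenant"], row["vm"], row["host"]))
    return {key: vnics for key, vnics in seen.items() if len(vnics) > 1}


def cross_tenant(duplicates):
    """Subset of the duplicates in which more than one tenant is involved."""
    return {key: vnics for key, vnics in duplicates.items()
            if len({tenant for tenant, _, _ in vnics}) > 1}


def report(inventory_csv):
    """Human-readable findings, one line per duplicate, with the MAC's origin
    class so an operator can tell a static carry-over from an allocator bug."""
    lines = []
    dups = find_duplicates(inventory_csv)
    spanning = cross_tenant(dups)
    for (portgroup, mac), vnics in sorted(dups.items()):
        severity = "CROSS-TENANT" if (portgroup, mac) in spanning else "same-tenant"
        owners = ", ".join(f"{vm}@{host} ({tenant})" for tenant, vm, host in vnics)
        lines.append(f"{severity}: {mac} [{mac_origin(mac)}] on {portgroup}: {owners}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY) or ["no duplicate MACs per segment"]:
        print(line)
```

Running it against the constructed inventory flags only the shared port group, where tenant-b and tenant-c each have a VM using the statically assigned 00:50:56:00:00:10; the identical MAC in the two tenant-private port groups is left alone. The same keying works on a real export as long as each row carries the segment the vNIC attaches to.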

manel.mendoza Fri, 12/21/2012 - 04:38

Hi,

Actually, we are looking for a reference architecture to interconnect our physical data center with external data centers in different models like IaaS or cloud. Do you know any reference book or website to build a flexible architecture that permits things like:

- Maintaining the logic of the service and the security policy. We are thinking of publishing the service using the common firewall.

- Easy movement between different clouds. If I need to maintain the IP address between different clouds, is it mandatory to share the L2 domain between them, or are there other techniques?

Thanks,

Manel

mulatif Fri, 12/21/2012 - 10:14

Hi Manel,

There is definitely related material on designing a Multi-Tenant Data Center (and providing IaaS, etc.), in addition to Data Center Interconnect (DCI), which covers your requirement of connecting data centers.

1. Multi-Tenancy (Using Cisco Validated Design)

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns743/ns1050/white_paper_c11-714729.html

2. Data Center Interconnect

http://www.cisco.com/en/US/netsol/ns975/index.html

Thanks,

Naman

Posted December 7, 2012 at 12:51 PM