Multiple networks for different customers on VmWare blades

Dear all,

I have a doubt about a specific network configuration related to our VMware infrastructure.

Briefly, we have different blade chassis, each one with a pair of integrated Cisco switches configured with a StackWise cable.

On the blades we have VMware hosts running VMs for different customers.

We are a Service Provider and each customer has a dedicated network protected by a firewall. Each customer also has its own VTP domain on the switches.

In order to deliver VMs for different customers, we set up (on the blade switches) many trunk uplinks going to the customer's VTP switching domain.

So, the blade switches have all the customers' VLANs configured (we managed to avoid overlapping VLANs) and on each trunk we have configured VLAN filtering (switchport trunk allowed vlan ...).

My question is: since by design each customer's network has to be isolated, is it a security issue having all the VLANs configured on a single switch? I mean, there is L3 separation but no L2 segregation.

Is there any way to configure one single uplink on the blades and perform some type of routing?

Thanks for your help.

Fabio

5 Replies

Jon Marshall
Hall of Fame

Fabio

My question is: since by design each customer's network has to be isolated, is it a security issue having all the VLANs configured on single switch? I mean, there is a L3 separation but not a L2 segregation.

Having dedicated switches per customer will always be a more secure solution than having all customer VLANs on the same switch. That said, there are many advantages to using the setup you have, and these often outweigh the disadvantages.

In your situation, with VMware servers on blade chassis, the only way you could make it more secure would be to purchase separate blade switches per customer. This would not only significantly increase the cost, because you need new blade switches but also more uplink ports on your distribution switches etc., but it would also increase complexity and manageability.

It is a trade-off between convenience and security. There are a lot of designs out there that use a chassis-type solution where multiple VLANs which must be kept separate all live on the same switch, so what you are doing is not unusual. It comes down to the security needs of the companies as well. If one of the companies was storing highly sensitive data that absolutely had to stay isolated, then you may want to think about having a separate pair of switches for this company. There is nothing to stop you mixing and matching, i.e. some customers on dedicated switches, others sharing a pair of switches.

What you must do, though, is use all possible security measures to make sure the VLANs do remain isolated. This means technical measures but also procedural ones, i.e. making changes, updating VLAN info etc. One of the biggest dangers of your setup is a misconfiguration which allows information to leak across. A misconfiguration on dedicated switches only affects one particular customer. A misconfiguration on a switch with multiple customers can affect them all.

Technically, I have attached a link to a doc on VLAN security with recommendations as to what to do. It is for 6500 switches, but most, if not all, of it is relevant to most Cisco switches -

6500 vlan security

Jon

Jon,

thank you very much for your kind, prompt and helpful answer.

I very much appreciate it.

I'm going to have a look at the document you suggested me.

Regards,
Fabio

Fabio

No problem, glad to have helped.

In the doc, pay particular attention to the VLAN 1 information, i.e. don't use VLAN 1 in your network, and the bits about the native VLAN.

Jon
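As an added illustration of the checks Jon points to in the two replies above (no VLAN 1 on the customer trunks, a native VLAN that is neither VLAN 1 nor a customer VLAN, an explicit allowed-VLAN list per trunk that carries only one customer's VLANs, and no DTP on the trunks), here is a small Python audit script. It is example code written for this page, not from the thread, from Cisco, or from the linked 6500 document. The IOS-style running-config it parses and the customer-to-VLAN ownership table are constructed for the example; the second trunk is deliberately left in the weak state so the findings are visible.

```python
"""Audit an IOS-style running-config for the VLAN isolation points raised
in the thread. Constructed example: the config and the customer-to-VLAN
ownership table below are assumptions made for this script, not real data."""
import re

# Constructed sample config: trunk 1/0/1 is hardened, trunk 1/0/2 is not.
SAMPLE_CONFIG = """\
!
vlan 999
 name PARKING_NATIVE
!
interface GigabitEthernet1/0/1
 description uplink-customerA
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100-105
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description uplink-customerB
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,105,200-210
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description vmware-blade-3
 switchport mode access
 switchport access vlan 100
!
"""

# Assumed ownership: which customer each VLAN ID belongs to.
CUSTOMER_VLANS = {
    "customerA": set(range(100, 106)),
    "customerB": set(range(200, 211)),
}

ALLOWED_PREFIX = "switchport trunk allowed vlan "


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,105,200-210' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Return {name: attributes} for every interface block in the config.
    'allowed' is None when no allowed-vlan list is set (IOS default: all VLANs)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = {"trunk": False, "native": 1, "allowed": None,
                       "nonegotiate": False}
            interfaces[m.group(1)] = current
            continue
        if not line.startswith(" "):      # '!' or a global command ends the block
            current = None
            continue
        if current is None:
            continue
        s = line.strip()
        if s == "switchport mode trunk":
            current["trunk"] = True
        elif s == "switchport nonegotiate":  # DTP disabled on this port
            current["nonegotiate"] = True
        elif s.startswith("switchport trunk native vlan "):
            current["native"] = int(s.rsplit(" ", 1)[1])
        elif s.startswith(ALLOWED_PREFIX):
            spec = s[len(ALLOWED_PREFIX):]
            if spec.startswith("add "):
                current["allowed"] = (current["allowed"] or set()) | expand_vlan_list(spec[4:])
            elif spec == "none":
                current["allowed"] = set()
            elif spec == "all":
                current["allowed"] = None
            else:
                current["allowed"] = expand_vlan_list(spec)
    return interfaces


def audit(config, customer_vlans):
    """Return a list of (interface, finding) tuples for every trunk port."""
    owner = {v: c for c, vs in customer_vlans.items() for v in vs}
    findings = []
    for name, i in sorted(parse_interfaces(config).items()):
        if not i["trunk"]:
            continue
        allowed = i["allowed"]
        if allowed is None:
            findings.append((name, "no allowed-vlan list: trunk carries every VLAN"))
            allowed = set()
        if 1 in allowed:
            findings.append((name, "VLAN 1 is allowed on trunk"))
        if i["native"] == 1:
            findings.append((name, "native VLAN is VLAN 1"))
        elif i["native"] in owner:
            findings.append((name, f"native VLAN {i['native']} belongs to {owner[i['native']]}"))
        if not i["nonegotiate"]:
            findings.append((name, "DTP not disabled (missing switchport nonegotiate)"))
        owners = {owner[v] for v in allowed if v in owner}
        if len(owners) > 1:   # one trunk leaking another customer's VLAN
            findings.append((name, "trunk carries VLANs of several customers: "
                             + ", ".join(sorted(owners))))
        unknown = sorted(v for v in allowed if v not in owner and v != 1)
        if unknown:
            findings.append((name, f"allowed VLANs not assigned to any customer: {unknown}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG, CUSTOMER_VLANS):
        print(f"{name}: {finding}")
```

Run against `show running-config` output from each blade switch and a real ownership table, the script flags exactly the "misconfiguration that lets information leak across" Jon warns about: a customer VLAN that strayed into another customer's allowed list, VLAN 1 or a customer VLAN used as the untagged native VLAN, or a trunk still negotiating DTP. It deliberately reports a trunk with no allowed-VLAN list as a finding, because on IOS such a trunk carries every VLAN on the switch.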

glen.grant

Most people assume these bladecenter switches are L2 switches, which was true in the first-gen bladecenters. With the latest bladecenters the switches are basically a 3750 on a card which you can stack, and yes, they do run all the dynamic routing protocols (EIGRP, OSPF, BGP, etc.). What this would mean in your case I'm not sure, if anything. A knowledgeable engineer would have to look and see if there was anything they could do from a layer 3 end.

Glen

I don't think it would help in this case, because even if the uplink was L3 the blade switch would still have all the customer VLANs on it, so I think what I said still applies.

Good to know that the later switches actually support L3 though as i wasn't aware of that.

Jon
