01-29-2010 02:25 AM - edited 03-06-2019 09:30 AM
Dear all,
I have a doubt about a specific network configuration related to our VMware infrastructure.
Briefly, we have different blade chassis, each one with a pair of Integrated Cisco Switches configured with a StackWise cable.
On the blades we have VMware machines running VMs for different customers.
We are a Service Provider and each customer has a dedicated network protected by a firewall. Each customer also has its own VTP domain on switches.
In order to deliver VMs for different customers, we set up (on the blade switches) many trunk uplinks going to the customers' VTP switching domains.
So, the blade switches have all the VLANs for customers configured (we managed to avoid overlapping VLANs) and on each trunk we have configured VLAN filtering (switchport trunk allowed vlan ...).
My question is: since by design each customer's network has to be isolated, is it a security issue having all the VLANs configured on a single switch? I mean, there is an L3 separation but not an L2 segregation.
Is there any way to configure one single uplink on the blades and perform some type of routing?
Thanks for your help.
Fabio
01-29-2010 02:38 AM
Fabio
My question is: since by design each customer's network has to be isolated, is it a security issue having all the VLANs configured on a single switch? I mean, there is an L3 separation but not an L2 segregation.
Having dedicated switches per customer will always be a more secure solution than having all customer VLANs on the same switch. That said, there are many advantages to using the setup you have and these often outweigh the disadvantages.
In your situation, with VMware servers on blade chassis, the only way you could make it more secure would be to purchase separate blade switches per customer. This would not only significantly increase the cost, because you would need new blade switches and also more uplink ports on your distribution switches etc., but it would also increase complexity and manageability.
It is a trade-off between convenience and security. There are a lot of designs out there that use a chassis-type solution where multiple VLANs which must be kept separate all live on the same switch, so what you are doing is not unusual. It comes down to the security needs of the companies as well. If one of the companies was storing highly sensitive data that absolutely had to stay isolated, then you may want to think about having a separate pair of switches for this company. There is nothing to stop you mixing and matching, i.e. some customers on dedicated switches, others sharing a pair of switches.
What you must do, though, is use all possible security measures to make sure the VLANs do remain isolated. This means technical measures but also procedural ones, i.e. making changes, updating VLAN info etc. One of the biggest dangers of your setup is a misconfiguration which allows information to leak across. A misconfiguration on dedicated switches only affects one particular customer. A misconfiguration on a switch with multiple customers can affect them all.
Technically, I have attached a link to a doc on VLAN security with recommendations as to what to do. It is for 6500 switches but most, if not all of it, is relevant to most Cisco switches -
Jon
01-29-2010 02:48 AM
Jon,
thank you very much for your kind, prompt and helpful answer.
I very much appreciate it.
I'm going to have a look at the document you suggested me.
Regards,
Fabio
01-29-2010 02:58 AM
Fabio
No problem, glad to have helped.
In the doc, pay particular attention to the VLAN 1 information, i.e. don't use VLAN 1 in your network, and the bits about the native VLAN.
Jon
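As an added example (not from this thread or from the Cisco document Jon links), here is a small Python audit of the trunk-uplink controls discussed above: it parses a constructed IOS running-config of per-customer trunk uplinks and flags a trunk with no `switchport trunk allowed vlan` filter, VLAN 1 carried on a trunk, the native VLAN left at the default of 1, and a native VLAN that is also one of the customers' tagged VLANs elsewhere on the same switch. The port names and VLAN numbers are made up: 1/0/17 is the hardened uplink, 1/0/18 keeps native VLAN 1 and carries VLAN 1, and 1/0/19 has no allowed list and uses a customer VLAN as its native VLAN.

```python
import re
# Constructed sample running-config (not from the thread); see the lead-in for what each uplink gets wrong.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/17
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,11,12
 switchport mode trunk
interface GigabitEthernet1/0/18
 switchport trunk allowed vlan 1,20-22
 switchport mode trunk
interface GigabitEthernet1/0/19
 switchport trunk native vlan 20
 switchport mode trunk
"""

def expand_vlans(spec):  # '1,20-22' -> {1, 20, 21, 22}
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):  # -> {port: (native_vlan, allowed_set_or_None)} for 'switchport mode trunk' ports
    trunks = {}
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, *lines = [l.strip() for l in block.splitlines()]
        if "switchport mode trunk" not in lines:
            continue
        native, allowed = 1, None  # IOS defaults: native VLAN 1, every VLAN allowed on the trunk
        for line in lines:
            if m := re.match(r"switchport trunk native vlan (\d+)$", line):
                native = int(m.group(1))
            elif m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line):
                allowed = expand_vlans(m.group(1))
        trunks[name] = (native, allowed)
    return trunks

def audit(trunks):  # -> list of (port, finding) for the conditions the thread warns about
    tagged = set().union(*(a or set() for _, a in trunks.values()))  # every customer data VLAN on any uplink
    findings = []
    for port, (native, allowed) in trunks.items():
        if allowed is None:
            findings.append((port, "no 'switchport trunk allowed vlan' filter: all customer VLANs cross this uplink"))
        elif 1 in allowed:
            findings.append((port, "VLAN 1 is carried on the trunk"))
        if native == 1:
            findings.append((port, "native VLAN left at the default (1)"))
        elif native in tagged:
            findings.append((port, f"native VLAN {native} is also a customer data VLAN on another uplink"))
    return findings
```

Run `audit(parse_trunks(open("running-config").read()))` against a real `show running-config` export to get the same findings per port; only the four checks above are implemented, so the document's other recommendations still need a manual review.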
01-29-2010 05:58 AM
Most people assume these bladecenter switches are L2 switches, which was true in the first-gen bladecenters. With the latest bladecenters the switches are basically a 3750 on a card which you can stack, and yes, they do run all the dynamic routing protocols: EIGRP, OSPF, BGP etc. What this would mean in your case I'm not sure, if anything. A knowledgeable engineer would have to look and see if there was anything they could do from a layer 3 end.
01-29-2010 06:31 AM
glen.grant wrote:
Most people assume these bladecenter switches are L2 switches, which was true in the first-gen bladecenters. With the latest bladecenters the switches are basically a 3750 on a card which you can stack, and yes, they do run all the dynamic routing protocols: EIGRP, OSPF, BGP etc. What this would mean in your case I'm not sure, if anything. A knowledgeable engineer would have to look and see if there was anything they could do from a layer 3 end.
Glen
I don't think it would help in this case, because even if the uplink was L3 the blade switch would still have all the customer VLANs on it, so I think what I said still applies.
Good to know that the later switches actually support L3 though, as I wasn't aware of that.
Jon