10-26-2010 08:01 AM - edited 03-01-2019 06:52 AM
Hi all,
I have a question about administering the veths on a VSM.
In a real physical network, in order to maintain physical security in a LAN environment, we, as Network Administrators put the unused switchports in “shutdown” state.
However, in a VMware virtualized environment, once you create a port-profile on the VSM, it shows up in vCenter. When the VMware administrator assigns a VM's NIC to that port-profile, that VM can begin to communicate on that VLAN immediately. How am I going to have the same level of control in this virtualized environment as in a physical LAN?
It seems like Cisco recommends not to play with veths directly because veths are tied to the VMs' vNICs. They say so on the Networkers slide deck.
Thanks in advance.
Dumlu
10-30-2010 02:27 AM
Hi Dumlu,
I never thought about that, but port security could help you? Here you can allow just the MACs you want. Maybe a workaround.
regards,
Sebastian
10-30-2010 03:19 AM
Hi Sebastian,
Thank you for your response. Apparently, we can configure port security under a vethernet port, so once that new server is powered up, a new vethernet port is dynamically created on the Nexus 1K, and right after that I can configure that vethernet port's characteristics. But the server has already got network access? I need to find a method which prevents that server from accessing the network prior to that...
Thanks again.
Dumlu
10-30-2010 09:56 AM
Hi Dumlu,
I understand your claim. But from the Nexus side I see no change. When you connect a machine to a port-profile, a veth will be created until you delete the machine. The only change I see is to prevent it on the vCenter side, but I believe your colleagues will not play with you on this side..
My suggestion: remove the Network permission from the server admins and you will get maybe just network rights in vCenter. This could work. But I'm not a VM specialist; I just know that there are some possibilities to customize the permissions.
Check this guide.
http://www.vmware.com/pdf/vsphere4/r40/vsp_40_admin_guide.pdf
-Sebastian
10-31-2010 03:55 AM
Hi again Sebastian,
Actually, that's what I've had in mind so far. Yeah, in vCenter you have such customized permission lists, and that was what I suggested the customer should do. But still I thought that there has to be some way to prevent this from the Nexus side.
thanks anyways....
Dumlu
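As an added illustration of Sebastian's port-security suggestion and Dumlu's timing concern (not configuration posted in this thread): on the Nexus 1000V a veth inherits the whole port-profile the moment vCenter creates it, so port security placed in the port-profile itself is active from the veth's first frame rather than applied afterwards per interface. The profile name, VLAN and MAC limit below are assumed values.

```nxos
! Assumed port-profile for a VM data VLAN (names/values are examples)
port-profile type vethernet VM-DATA-100
  vmware port-group
  switchport mode access
  switchport access vlan 100
  ! Port security inherited by every veth created from this profile
  switchport port-security
  ! Learn the first MAC seen and keep it across reboots of the VM
  switchport port-security mac-address sticky
  ! One vNIC per veth; a second MAC is a violation
  switchport port-security maximum 1
  ! Err-disable the veth instead of silently dropping the offender
  switchport port-security violation shutdown
  no shutdown
  state enabled
```

This limits a veth to the vNIC MAC that first appears on it; it does not stop a vCenter user from attaching a VM to the profile in the first place, which is the permission question raised above.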