UCS - Disjoint L2 - Security

I haven't seen many documents on Disjoint L2 UCS deployment (on security). We have a UCS chassis (5108) and have a few B230s on it. We want to use the same chassis for both internal LAN and DMZ.

Obviously the first question that comes in is security - we know that UCS in EHM doesn't act like a switch (with regards to unicasts & broadcasts), but is the design secure enough - logically and physically? Has anyone come across any security limitations with disjoint L2?

Our thinking was -

1) Isolation is anyway done on the link going from the FI to the upstream switches - internal LAN vNICs go through a different PINNED uplink than DMZ.

2) Should we consider separate blades for DMZ? Or is running both DMZ and internal on the same blade fine (with different vSwitches)?

3) How about the links going from the 2204 FEX to the FI? I know that the vNICs are built upon automatically generated port channels - but is it possible to use 2 different sets of links for internal and DMZ?

Regards

Raj

5 Replies

Walter Dey
VIP Alumni

We have several customers that run DMZ and internal servers on the same UCS domain.

They use different hardware blades for DMZ; the recommendation is also separate chassis (therefore dedicated IOM-FI links).

They also run disjoint VLANs, which automatically results in dedicated uplinks.

Separation of tenants by VLANs seems to be accepted by security audits in most financial institutions.

In these designs, the only shared components are the FIs.

I guess it all depends on the organization's security posture. I am finding gov't institutions slow to adopt the segregation mechanisms that UCS and the Nexus products provide, mostly a result of their lack of understanding of the technology and how it's implemented.

Some people have issues with “mixing” data in the FIs from the different zones. On the other hand, financial institutions seem to be more willing/understanding of the technology in question. But we still see clients requesting physical hardware separation in the DMZ.

The current implementation of disjoint L2 works quite well but requires some planning when configuring your vNICs. As you know, by default all VLANs are accessible by all ports. Disjoint L2 is similar to "switchport trunk allow" in the switching world.

Hi Mike

Thanks for your feedback

"The current implementation of the L2 disjointed works quite well but requires some planning when configuring your vNICs."

Can you please explain what planning is required when configuring the vNICs?

Regards

Raj

Thanks Wdey.

I'm not sure if we can have a different chassis (as of now). The maximum we can do is provide a separate blade. In this case, both the FI and the FEX 2204 are shared.

As of today we have 2 links from the 2204 to the FI (with a port channel).

We still have 2 more ports on the 2204. Can we use those for DMZ with a static port channel configured? I know it's not possible, but just throwing it out.

Raj

To have only one chassis is in my opinion tricky: it is a single point of failure; I had a couple of customers lose a chassis.

You could at least have dedicated uplinks for the DMZ by not using a port-channel between the IOM and the FI.

If you have 2 links, then odd-numbered slots go over uplink no. 1, even ones over uplink no. 2.

Therefore, place all your DMZ blades in either the even or the odd slots.

Similar concepts could be applied in the case of 4 uplinks.
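The two planning rules raised in this thread, the vNIC planning Mike mentions for disjoint L2 and the slot-to-uplink pinning Walter describes, modelled as an added Python design check. This is example code written for this page, not Cisco's code and not anything the participants posted. It assumes: that a VLAN not explicitly assigned to an uplink stays reachable on every uplink (the "all VLANs accessible by all ports" default), that UCSM can only pin a vNIC to an uplink carrying all of that vNIC's allowed VLANs, and that without an IOM-FI port-channel a half-width blade in slot s uses fabric link ((s - 1) mod n) + 1, which reproduces the odd/even rule above for 2 links and extends it to 4. All VLAN numbers, uplink names and blade placements are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: uplink port-channel -> security zone it carries.
UPLINKS = {"Po1": "internal", "Po2": "dmz"}

# Constructed sample data: VLAN -> uplinks it is assigned to under disjoint L2.
# A VLAN left at the UCSM default is reachable on every uplink.
VLAN_UPLINKS = {
    10: {"Po1"}, 20: {"Po1"},        # internal-only VLANs
    100: {"Po2"}, 101: {"Po2"},      # DMZ-only VLANs
    1: set(UPLINKS),                 # global VLAN, not restricted to one uplink
}


def eligible_uplinks(vlans, vlan_uplinks=VLAN_UPLINKS):
    """Uplinks that carry every VLAN allowed on a vNIC.

    Assumption: UCSM can only pin a vNIC to an uplink that carries all of its
    VLANs, so an empty result means the vNIC cannot be pinned and stays down.
    """
    sets = [vlan_uplinks[v] for v in vlans]
    if not sets:
        return set(UPLINKS)
    return set.intersection(*sets)


def plan_vnics(vnics, vlan_uplinks=VLAN_UPLINKS):
    """Classify each vNIC ({name: [vlans]}) as 'ok' or 'unpinnable'.

    A vNIC that mixes an internal-only and a DMZ-only VLAN has no uplink that
    carries both, which is the planning problem to catch before deployment.
    """
    report = {}
    for name, vlans in vnics.items():
        uplinks = eligible_uplinks(vlans, vlan_uplinks)
        report[name] = ("ok" if uplinks else "unpinnable", uplinks)
    return report


def unrestricted_vlans(vlan_uplinks=VLAN_UPLINKS):
    """VLANs still reachable on every uplink.

    Because the default is 'every VLAN on every uplink', any VLAN missing from
    the per-uplink assignment silently spans both zones; review each of these.
    """
    return sorted(v for v, ups in vlan_uplinks.items() if ups == set(UPLINKS))


def iom_link_for_slot(slot, n_links):
    """Fabric link a half-width blade in `slot` uses with no IOM-FI port-channel.

    Assumption: static pinning is slot-modulo-links. With 2 links odd slots use
    link 1 and even slots link 2; with 4 links slots 1/5 use link 1, 2/6 link 2,
    3/7 link 3 and 4/8 link 4.
    """
    if n_links not in (1, 2, 4, 8):
        raise ValueError("IOM-FI link count must be 1, 2, 4 or 8")
    if not 1 <= slot <= 8:
        raise ValueError("a 5108 chassis has slots 1-8")
    return (slot - 1) % n_links + 1


def shared_links(blade_zones, n_links):
    """IOM-FI links that would carry blades from more than one zone.

    blade_zones: {slot: zone}. An empty result means the placement gives each
    zone its own dedicated chassis-to-FI links.
    """
    zones_per_link = defaultdict(set)
    for slot, zone in blade_zones.items():
        zones_per_link[iom_link_for_slot(slot, n_links)].add(zone)
    return {link: z for link, z in zones_per_link.items() if len(z) > 1}


if __name__ == "__main__":
    # Constructed vNIC plan: one internal, one DMZ, one that mixes both zones.
    vnics = {"eth0-int": [1, 10, 20], "eth1-dmz": [100, 101], "eth2-bad": [10, 100]}
    for name, (status, ups) in plan_vnics(vnics).items():
        print(f"{name:10} {status:10} {sorted(ups)}")
    print("VLANs still on every uplink:", unrestricted_vlans())
    # Constructed placement: internal blades in odd slots, DMZ blades in even slots.
    placement = {1: "internal", 3: "internal", 2: "dmz", 4: "dmz"}
    print("shared IOM-FI links (2 links):", shared_links(placement, 2))
    print("shared IOM-FI links (4 links):", shared_links(placement, 4))
```

Running it with the sample data flags `eth2-bad` as unpinnable, lists VLAN 1 as the only VLAN still reachable from both zones, and reports no shared IOM-FI links for the odd/even placement with either 2 or 4 links; moving a DMZ blade into slot 3 makes link 1 show up as shared.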
