With Naman Latif
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about different solutions and best practices around securing your physical and virtual environment in the Data Center with Cisco expert Naman Latif.
Naman Latif is a network consulting engineer in the Advanced Services organization at Cisco. He currently focuses on Cisco's security portfolio for data centers including secure data design in both single and multi-tenant environments, virtualization, and security technologies. His other areas of expertise include physical and virtual appliances, routing and switching, and data centers. He holds a bachelor's degree in electrical engineering from UET, Lahore in Pakistan. He also holds CCIE certification in Security (#15951) as well as Cisco WWSP Specialist and VCP (VMware) certifications.
Remember to use the rating system to let Naman know if you have received an adequate response to your technical support question.
Naman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum shortly after the event. This event lasts through December 21, 2012. Visit this support forum often to view responses to your questions and the questions of other Cisco Support Community members.
I have a quick question on Data Center Security. Can we use TrustSec in Data Center networks. If so, how?
Yes. Trustsec can definitely be used in a Data Center environment. For devices, which natively support Security Tags (SGTs) like Nexus, it can make it easier to deploy firewall policy enforcement rules. Other devices like 6500 can still work with Trustsec using SXP.
Below URL provides more info
I wonder if we can provide secure multi-tenancy within a Cloud. Can we? If so, what is the process to do this? Is there any documented procedure?
Thank you in advance
Multi-tenancy can be provided through the use of VLANs, VRF-Lite, ASA firewall contexts and so on. Cisco has validated design for "Virtual Multi-Service Data Center" (VMDC) , which covers various options in more detail.
You can fnd this information at
In a scenario of a data center network with VM's connecting to a group of Nexus 5500 what layer 2 security features do you recommend? If exists features to implement in cases where virtual machines can move with facility.
Unfortunately, At this time I don't have conditions to install the nexus 1000V.
I was reading about VSAN and zones on MDS series switches. Not sure implementing which one will be giving more security to the MDS infrastracture. Could you please give an example on the difference between VSAN and ZONES?
In addition, we are upgrading our servers and we are looking for hardware that is compatible with the MDS 9100 series (9124/9134/9148). I cannot find anything related to compatible boards. Do you have any link that I might be checking what HBA is compatible with CISCO Hardware? For instance, is the following HP 82B PCIe 8Gb FC Dual Port HBA compatible with CISCO MDS hardware?
thanks in advance,
What are some Cisco Products designed to provide security for Virtual machines?
I would like to know.
thanks a lot,
Various products in Cisco portfolio provide security for Virtual machines from where the traffic enters the Data Center and then all the way up to the Virtual machine. The solution can be pure virtual,physical or a combination of both.
1. Cisco ASA Firewall and ASA Service Module provide typical Layer-3,4 filtering with limiated Layer 7 inspection. ASA appliance can be installed with an IPS module to have deeper inspection and Application layer security.
2. Virtual Security Gateway (VSG) - Is a virtual appliance, which is Virtual Machine attributes aware and can implement policies based on Layer3\4 attributes but also on VM specific attributes like Name, OS Name etc. This works in conjunction with Nexus 1000v.
3. Virtual ASA (vASA) - Is a virtual appliance which provides a complete virtual solution, when used with VSG and N1K.
See below URLs for more information.
In addition to above appliances, many software features on Nexus hardware (when used as DC switch) can provide more security through the use of TrustSec.
In a public cloud computing environment, one hypervisor host (say VMWare ESXi) may host VMs from different customers. Those VMs may use the same MAC address for their vNIC. What if those VMs with the same MAC connected to the same vSwitch coincidental? This will cause the MAC table on the vSwitch updateing constantly.
How would vSwitch or say how Cisco solution would resolve such kind of issue and provide an isolated networking to each cloud tanent?
Typically when using more than one ESXi host, you would use vCenter to manage all the hosts, create new VMs etc. In this case vCenter itself makes sure that no duplicate MAC addresses are being assigned to different VMs.
If you are using different ESXi hosts and still not using vCenter due to some reason then you would have to treat each environment uniquely. In this case there will not be a common vSwitch among the ESXi hosts, however you might need to modify the MAC pool on each ESXi hosts to make it unique across your environment.
Thank you, Naman.
So you are saying the vCenter will ensure the uniqueness of VM MAC, right? What if the VMs were migrated from an existing customer datacenter? What I'm trying to tell is that the existing virtual environment has already set the MAC for each VM. Under such situation, it would be possible that the existing customer VMs have the same MAC as those VMs that are already in or will be moved to the same public cloud environemnt. How does vCenter deal with this? I don't think vCenter will change the existing MAC automatically to ensure the uniqueness of VM MAC.
How do you think?
This is more of a VMWare\vCenter operation question and I would recommend confirming this in the appropriate forums.
However as per my understanding that during vMotion the MAC address will "not" change and that is not a problem since this is being handled by vCenter and there uniqueness is preserved.
However if you are importing a VM from a different vCenter environment then this is more of a Copy operation and in that case vCenter will assign a new MAC address. See below, if this explains it better
I'm not very sure about how to migrate, but it shouldn't be a clone process. Anyway, I just learnt from others that network overlay might be the solution.
Actually we are looking for a reference arquitecture to interconnect our physical datacenter with external datacenters in different models like IaaS or cloud. Do you know any reference book or website to build a flexible arquitecture that permits some issues like.
- Maintain the logical of the service and the security policy. We are thinking on publish service using the common firewall.
- Easy movement between different clouds. If I need to maintain the IP address between different clouds is mandatory to share the L2 domain between them or there are any other techniques.