cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3569
Views
14
Helpful
15
Replies
Highlighted
Community Manager

Ask the Expert: Data Center and Cloud Security

With Naman Latif

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about different solutions and best practices around securing your physical and virtual environment in the Data Center with Cisco expert  Naman Latif.

Naman Latif is a network consulting engineer in the Advanced Services organization at Cisco. He currently focuses on Cisco's security portfolio for data centers including secure data design in both single and multi-tenant environments, virtualization, and security technologies. His other areas of expertise include physical and virtual appliances, routing and switching, and data centers. He holds a bachelor's degree in electrical engineering from UET, Lahore in Pakistan. He also holds CCIE certification in Security (#15951) as well as Cisco WWSP Specialist and VCP (VMware) certifications.

Remember to use the rating system to let Naman know if you have received an adequate response to your technical support question. 

Naman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Data Center sub-community discussion forum shortly after the event.   This event lasts through December 21, 2012. Visit this support forum often to view responses to your questions and the questions of other Cisco Support Community members.

15 REPLIES 15
Highlighted
Beginner

Ask the Expert: Data Center and Cloud Security

Hello Naman,

I have a quick question on Data Center Security. Can we use TrustSec in Data Center networks. If so, how?

thank you.

- Sarah

Highlighted
Cisco Employee

Ask the Expert: Data Center and Cloud Security

Hi Sarah,

Yes. Trustsec can definitely be used in a Data Center environment. For devices, which natively support Security Tags (SGTs) like Nexus, it can make it easier to deploy firewall policy enforcement rules. Other devices like 6500 can still work with Trustsec using SXP.

Below URL provides more info

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

HTH

Thanks,

Naman

Highlighted

Ask the Expert: Data Center and Cloud Security

Hi Naman,

I wonder if we can provide secure multi-tenancy within a Cloud. Can we? If so, what is the process to do this? Is there any documented procedure?

Thank you in advance

Irina

Highlighted
Cisco Employee

Ask the Expert: Data Center and Cloud Security

Hi Irina,

Multi-tenancy can be provided through the use of VLANs, VRF-Lite, ASA firewall contexts and so on. Cisco has validated design for "Virtual Multi-Service Data Center" (VMDC) , which covers various options in more detail.

You can fnd this information at

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns743/ns1050/landing_vmdc.html

HTH

Naman

Highlighted
Beginner

Ask the Expert: Data Center and Cloud Security

Hi Naman,

In a scenario of a data center network with VM's connecting to a group of Nexus 5500 what layer 2 security features do you recommend? If exists features to implement in cases where virtual machines can move with facility.

Unfortunately, At this time I don't have conditions to install the nexus 1000V.

Best regards

Fred

Highlighted
Beginner

Ask the Expert: Data Center and Cloud Security

Hello Naman,

I was reading about VSAN and zones on MDS series  switches. Not sure implementing which one will be giving more security  to the MDS infrastracture. Could you please give an example on the  difference between VSAN and ZONES?

In addition, we are  upgrading our servers and we are looking for hardware that is compatible  with the MDS 9100 series (9124/9134/9148). I cannot find anything  related to compatible boards. Do you have any link that I might be  checking what HBA is compatible with CISCO Hardware? For instance, is  the following HP 82B PCIe 8Gb FC Dual Port HBA compatible with CISCO MDS hardware?

thanks in advance,

Fernando

Highlighted

Ask the Expert: Data Center and Cloud Security

Hi Naman,

What are some Cisco Products designed to provide security for Virtual machines?

I would like to know.

thanks a lot,

Sebastian

Highlighted
Cisco Employee

Ask the Expert: Data Center and Cloud Security

Hi Sebastian,

Various products in Cisco portfolio provide security for Virtual machines from where the traffic enters the Data Center and then all the way up to the Virtual machine. The solution can be pure virtual,physical or a combination of both.

E.g.

1. Cisco ASA Firewall and ASA Service Module provide typical Layer-3,4 filtering with limiated Layer 7 inspection. ASA appliance can be installed with an IPS module to have deeper inspection and Application layer security.

2. Virtual Security Gateway (VSG) - Is a virtual appliance, which is Virtual Machine attributes aware and can implement policies based on Layer3\4 attributes but also on VM specific attributes like Name, OS Name etc. This works in conjunction with Nexus 1000v.

3. Virtual ASA (vASA) - Is a virtual appliance which provides a complete virtual solution, when used with VSG and N1K.

See below URLs for more information.

http://www.cisco.com/en/US/products/ps11208/index.html

http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/ns376/index.html

In addition to above appliances, many software features on Nexus hardware (when used as DC switch) can provide more security through the use of TrustSec.

http://www.cisco.com/en/US/netsol/ns1051/index.html

Thanks,

Naman

Highlighted
Beginner

Ask the Expert: Data Center and Cloud Security

Hi Naman,

In a public cloud computing environment, one hypervisor host (say VMWare ESXi) may host VMs from different customers. Those VMs may use the same MAC address for their vNIC. What if those VMs with the same MAC connected to the same vSwitch coincidental? This will cause the MAC table on the vSwitch updateing constantly.

How would vSwitch or say how Cisco solution would resolve such kind of issue and provide an isolated networking to each cloud tanent?

thank you!

Highlighted
Cisco Employee

Ask the Expert: Data Center and Cloud Security

Hi Steve,

Typically when using more than one ESXi host, you would use vCenter to manage all the hosts, create new VMs etc. In this case vCenter itself makes sure that no duplicate MAC addresses are being assigned to different VMs.

If you are using different ESXi hosts and still not using vCenter due to some reason then you would have to treat each environment uniquely. In this case there will not be a common vSwitch among the ESXi hosts, however you might need to modify the MAC pool on each ESXi hosts to make it unique across your environment.

Thanks,

Naman

Highlighted
Beginner

Ask the Expert: Data Center and Cloud Security

Thank you, Naman.

So you are saying the vCenter will ensure the uniqueness of VM MAC, right? What if the VMs were migrated from an existing customer datacenter? What I'm trying to tell is that the existing virtual environment has already set the MAC for each VM. Under such situation, it would be possible that the existing customer VMs have the same MAC as those VMs that are already in or will be moved to the same public cloud environemnt. How does vCenter deal with this? I don't think vCenter will change the existing MAC automatically to ensure the uniqueness of VM MAC.

How do you think?

thank you!

Highlighted
Cisco Employee

Ask the Expert: Data Center and Cloud Security

Hi Steve,

This is more of a VMWare\vCenter operation question and I would recommend confirming this in the appropriate forums.

However as per my understanding that during vMotion the MAC address will "not" change and that is not a problem since this is being handled by vCenter and there uniqueness is preserved.

However if you are importing a VM from a different vCenter environment then this is more of a Copy operation and in that case vCenter will assign a new MAC address. See below, if this explains it better

http://communities.vmware.com/thread/303497

Thanks,

Naman

Highlighted
Beginner

Ask the Expert: Data Center and Cloud Security

I'm not very sure about how to migrate, but it shouldn't be a clone process. Anyway, I just learnt from others that network overlay might be the solution.

Highlighted
Beginner

Ask the Expert: Data Center and Cloud Security

Hi,

Actually we are looking for a reference arquitecture to interconnect our physical datacenter with external datacenters in different models like IaaS or cloud. Do you know any reference book or website to build a flexible arquitecture that permits some issues like.

- Maintain the logical of the service and the security policy. We are thinking on publish service using the common firewall.

- Easy movement between different clouds. If I need to maintain the IP address between different clouds is mandatory to share the L2 domain between them or there are any other techniques.

Thanks,

Manel

CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey