Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
484
Views
0
Helpful
2
Replies

UCS and VMWare Private VLAN between guests

ecornwell
Level 2
Level 2

‎08-22-2015 04:49 PM

Hello,

I'm looking to create a new infrastructure based off UCS and I have a requirement for some micro-segmentation. (We don't have the budget for something like NSX.) The plan it to start with a 4 node VMWare Ent+ cluster.  The guests need to be in a dmz style network where they can't communicate with each other but need to be able to communicate with the back end through a firewall.  My plan was to create an isolated private vlan in vSphere and have the guests as a member of it. I was trying to decide what devices were needed inbetween UCS and the firewalls and found out what I want to do may not work.

From what I'm reading on this document http://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-b-series-blade-servers/116310-config-ucs-pvlan-00.html, it looks like doing s PVLAN on a vDS and uplinking it isn't supported.  (There was another way but it involved creating a vNIC per VM which won't scale at all.) 

 

Here's a sort of topology for what I'm looking at.

ASA Cluster <----->  ???? <------> UCS <----->ESXi

    ^---- OOB Mgmt SW <-------> Any mgmt interfaces

I'm not sure if there needs to be something at the ???? segment.  There shouldn't be anything else added to the network other than a backup appliance and there will be an out of band management switch connected to the firewall cluster.  I originally planning for something like a 5K but we decided we wouldn't need to scale the solution at the site for quite a while and it could always be added later.  I was thinking about something like a 3850 stack might work.

From what I've seen, the ASA doesn't support private vlans but it will work connected as a promiscuous port.

One of the design goals is to lower the total amount of hardware needed. The SAN will directly connect to the via FC.  All the applications will be virtual. 

 

My main question is, can I use isolated private vlans through VMWare and UCS to the firewalls to segment vm guests from each other?

 

Thank you!

Labels:
0 Helpful
2 Replies 2

Walter Dey
VIP Alumni
VIP Alumni

‎08-23-2015 02:18 AM

Are you aware of UCS disjoint vlans ?

http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-computing/white_paper_c11-692008.html

Many customers have used this concept for DMZ configuration with UCS.

Walter.

0 Helpful

ecornwell
Level 2
Level 2
In response to Walter Dey

‎08-23-2015 06:30 AM

Thank you for the response.  I seem to remember that feature. (I installed and managed a UCS system but haven't touched it in over a year.) 

I may end up using something like that but I have to be able to isolate the VM's from each other, that's why I was looking at private vlans.  From a security perspective, I'm going to treat them as hostile.

0 Helpful
Customers Also Viewed These Support Documents