10-06-2009 03:20 AM - edited 03-06-2019 08:00 AM
Is there a way to control the additions of a VM to a Port Profile until proper approvals?
Part of our process for deploying machines in the DMZ is to ensure the machine (real or virtual) meets certain criteria (hardening, patching, virus, ...).
Security group is concerned Server Team could accidentally / purposefully bring a VM online without first being "checked".
Is there a way to prevent additions of a VM to a Port-Profile until someone on Networking Security team enables the addition of 1 more machine to the Port Profile?
Would vmware max-ports do the trick?
09-07-2010 05:50 PM
I know this is an old post, but I see that nobody ever replied to it. So I'll put my two cents in, so far as I understand the capabilities of the Nexus 1000v and VMware.
I'm currently evaluating the Nexus 1000v. I plan to use max-ports and sticky port-security to limit the ability of VM admins to accidentally or purposely place a system in a vLAN to which they have not been authorized. The port-security could be circumvented if the VM admin simply sets the mac address of the new system to be the same as the old system; and using the same IP address could even fool simple ping monitors and firewalls, though it's still possible that our monitoring system, or somebody, would notice that the original host is no longer up. It's not perfect security, by far; though it would mitigate the accidental cases.
The other thing that I'm considering, in addition to what I've already mentioned, is configuring the port-profile with an isolated private vLAN. The network administrator would then have to manually configure the Vethernet port for the correct vLAN before any host communications would be possible. It's more secure, but as such with security it becomes more difficult to manage. At this point, though, I don't know whether the port-profile vLAN configuration could ever override anything that I explicitly configure on the Vethernet (host) ports. It appears as though the port-profile configuration is only applied when the Vethernet port is created, and is never referred to again. More testing and documentation reading is still required.
With respect to port-profiles, I'm disappointed with the limitation of 256 per DVS. Assigning the vLAN in the port-profile may not even be an option for me as I'd have to deploy multiple DVSes (and split my single ESX cluster into multiple clusters) just to support the number of vLANs I have today. I digress, that's another story for another thread.
Edited to add: I found the answer to the original question. Basically, configure the port-profile such that new ports are shut down when they are created.
From the Nexus 1000v FAQ:
Message was edited by: 9ball
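An illustration of the approach 9ball describes (profile-level shutdown plus max-ports and sticky port-security, with the isolated private VLAN variant alongside it), as an added example and not configuration from the thread or from Cisco's documentation. The profile names, VLAN numbers and the vEthernet interface number are placeholders, and the command syntax follows the Nexus 1000V port-profile CLI as I know it; the assumption that an interface-level `no shutdown` takes precedence over the inherited profile is exactly the override question 9ball raises, so verify it on your release before relying on it.

```text
! Added example (not from the thread): a DMZ port-profile whose new
! vEthernet ports come up administratively down, so a VM attached to it
! gets no connectivity until a network/security admin enables the port.
! Names, VLAN numbers and interface numbers are placeholders.

feature private-vlan   ! only needed for the isolated-PVLAN variant below

! --- Variant 1: shut down on creation + max-ports + sticky port-security
port-profile type vethernet DMZ-WEB
  vmware port-group
  switchport mode access
  switchport access vlan 100
  ! Cap how many vEthernet ports may inherit this profile at once.
  max-ports 8
  ! Learn the first MAC seen on each port and refuse any other MAC.
  ! Mitigates accidental moves; a cloned MAC still defeats it, as noted above.
  switchport port-security
  switchport port-security mac-address sticky
  switchport port-security maximum 1
  switchport port-security violation shutdown
  ! Key line: ports created from this profile start administratively down.
  shutdown
  state enabled

! --- Variant 2: isolated private VLAN; a host port only talks once the
! network admin re-homes it, so a freshly attached VM is quarantined.
vlan 200
  private-vlan primary
  private-vlan association 201
vlan 201
  private-vlan isolated

port-profile type vethernet DMZ-QUARANTINE
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 200 201
  no shutdown
  state enabled

! Approval step, run by the network security team once the hardening /
! patching checklist has passed for the VM on this port. Assumes the
! interface-level command overrides the inherited profile setting.
interface vethernet 5
  no shutdown

! Verification: the port should now be up and show one sticky MAC.
show interface vethernet 5
show port-security interface vethernet 5
```

With variant 1 the approval is a single `no shutdown` on the specific vEthernet port, which is easy to audit in the accounting log; with variant 2 the admin has to change the port's VLAN assignment by hand, which is the extra management burden 9ball mentions.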