04-10-2014 07:52 AM - edited 03-07-2019 07:03 PM
I have a pair of Nexus 5596s being used at the core of my datacenter network, and I have several 2000 series fabric extenders connected to them using vPCs. What I am trying to do is install a pair of fabric extenders for my segregated PCI environment so that the traffic within that environment is isolated to those FEXs; the gateway for all VLANs will be a Checkpoint firewall.
Is there a way to create a routing or security context that isolates these pair of FEXs and their VLANs on the 5596?
Thanks for any help!
Jeff
04-10-2014 10:58 AM
Jeff
The N5Ks do support VRF-Lite, which allows you to have a separate routing and forwarding table for those VLANs.
That said, if the default gateway is going to be the firewall, why do you need a different routing context? Just don't create any L3 SVIs for those VLANs on the N5Ks.
Then you cannot route from or to those VLANs without going via the Checkpoint, so you do have isolation.
I should say I don't have direct experience with the Nexus switches, so I may not be understanding your question correctly.
Jon
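Jon's suggestion above, as an added configuration example that is not part of the original thread: the PCI VLANs exist on the N5K as Layer 2 VLANs only, with no SVI, and are allowed only on the PCI FEX host ports and the trunk toward the Checkpoint, so the firewall is the only Layer 3 path in or out of them. The VLAN numbers, the FEX number, the interface numbers and the addresses are assumptions; the VRF-Lite variant at the end covers the case where an SVI is unavoidable.

```text
! Added example, not from the thread. Assumed values: PCI VLANs 310/320,
! PCI FEX attached as FEX 101, Checkpoint inside interface on Eth1/1.

! PCI VLANs: Layer 2 only. Deliberately NO "interface Vlan310/320", so the
! N5K never routes these subnets and the Checkpoint is the only gateway.
vlan 310
  name PCI-APP
vlan 320
  name PCI-DB

! PCI FEX host ports: access ports in a PCI VLAN only
interface Ethernet101/1/1
  description PCI-APP-SRV01
  switchport mode access
  switchport access vlan 310
  spanning-tree port type edge

! Trunk to the Checkpoint inside interface, carrying ONLY the PCI VLANs
interface Ethernet1/1
  description CHECKPOINT-PCI-INSIDE
  switchport mode trunk
  switchport trunk allowed vlan 310,320

! Keep the PCI VLANs off every other trunk (the vPC peer-link is the
! exception: it must carry every vPC VLAN, including these)
interface Ethernet1/2
  description NON-PCI-FEX-UPLINK
  switchport mode trunk
  switchport trunk allowed vlan remove 310,320

! Checks: no SVI may exist for the PCI VLANs, and they should appear only
! on the intended ports.
!   show ip interface brief vrf all   -> no Vlan310 / Vlan320 entries
!   show vlan id 310                  -> ports: Eth101/1/1, Eth1/1, peer-link only
!   show running-config interface Eth1/2 -> allowed list excludes 310,320

! VRF-Lite variant, only if an SVI is unavoidable (needs the L3 module and
! license on the N5K, as noted later in the thread). The SVI sits in its own
! VRF with no routes into the global table, so the N5K still cannot forward
! between PCI and the rest of the core.
feature interface-vlan
vrf context PCI
interface Vlan310
  vrf member PCI
  ip address 10.31.0.2/24
  no shutdown
```

The effective control is the absence of the SVI (or its placement in a VRF with no route leaking), not the VLAN number itself, so the `show ip interface brief vrf all` check is the one worth repeating after every change on the core.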
04-10-2014 11:26 AM
Yeah... probably not the best of explanations. Is there a way to create a "virtual data center" to segregate the FEXs? As you mentioned, the traffic I can segregate using just L2 VLANs, limiting that traffic to just the "PCI" FEX ports, etc. I guess my real question is: is there any way to keep the traffic on the wire so it is not accessible from the core without some sort of password, etc.?
For example, if I telnet in to the core I can monitor any port on any FEX in the datacenter. Can I keep that from happening somehow, maybe with some sort of security context, etc.? I am new to the Nexus gear, so I am trying to catch up.
The object was to leverage the 5500/FEX design while somehow carving off and isolating the PCI network so as to be PCI compliant, and not have to use stand-alone switches behind the PCI firewall.
I probably muddied the water even more with all of that... thanks.
04-10-2014 12:21 PM
Jeff
I see what you mean now.
I think a separate VDC could be what you are looking for, i.e. a virtual switch, but as far as I know only the N7K series supports VDCs.
I believe with VDCs you can set up who can access which ones, etc.
But for the N5Ks I don't know of a solution other than to rely on VLANs for isolation.
Perhaps someone with experience of these switches may be able to suggest something.
Sorry I can't be more help.
Jon
04-11-2014 05:48 AM
Thanks for the feedback!
04-10-2014 05:36 PM
For PCI, you don't necessarily need VRF or VDC, because if the VLANs need to talk to the Internet you would have to leak the VRFs together. As long as you can firewall the VLAN interfaces, open specific ports for your applications and log all the activities, you should be fine.
BTW, as Jon also noted, only 7Ks support VDCs. All the other models support VRFs, only as long as you have the right license.
HTH