Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
565
Views
0
Helpful
5
Replies

Nexus Context?

jrichterkessing
Level 1
Level 1

‎04-10-2014 07:52 AM - edited ‎03-07-2019 07:03 PM

I have a pair of Nexus 5596s being used at the core of my datacenter network, I have several 2000 series fabric extenders connected to them using VPCs. What I am trying to do is install a pair of fabric extenders for my segregated PCI environment sh the traffic within that environment is isolated to those FEXs, the gateways to all VLANs will be a Checkpoint firewall.

Is there a way to create a routing or security context that isolates these pair of FEXs and their VLANs on the 5596?

 

Thanks for any help!

 

Jeff

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎04-10-2014 10:58 AM

Jeff

The N5Ks do support VRF-Lite which allows you to have a separate routing and forwarding table for those vlans.

That said if the default gateway is going to be the firewall then why do you need a different routing context ie. just don't create any L3 SVIs for those vlans on the N5ks.

Then you cannot route from or to those vlans without going via the checkpoint so you do have isolation.

I should say i don't have direct experience with the Nexus switches so i may not be understanding your question correctly.

Jon

 

0 Helpful

jrichterkessing
Level 1
Level 1
In response to Jon Marshall

‎04-10-2014 11:26 AM

Yea....probably not the best of explanations.....is there a way to create a "virtual data center" to segregate the FEXs.....as you mentioned the traffic I can segregate using just L2 vlans, limiting that traffic to just the "PCI" FEX ports, etc......I guess my real question is is there any way to keep the traffic on the wire so it is not accessible from the core without some sort of password/etc. to it.

For example, if I telnet in to the core I can monitor any port on any FEX in the datacenter, can I keep that from happening somehow maybe with some sort of security context, etc?? I am new to the Nexus gear so I am trying to catch up.

The object was to leverage the 5500/FEX design with somehow carving off and isolating the PCI network so as to be PCI compliant, and not have to use stand-alone switches behind the PCI firewall.

I probably muddied the water even more with all of that.....thanks.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to jrichterkessing

‎04-10-2014 12:21 PM

Jeff

I see what you mean now.

I think a separate VDC could be what you are looking ie. a virtual switch but as far as i know only the N7K series suppors VDCs.

I believe with VDCs you can setup up who can access which ones etc.

But for the N5ks i don't know of a solution other than to rely on vlans for isolation.

Perhaps someone with experience of these switches may be able to suggest something.

Sorry i can't be more help.

Jon

0 Helpful

jrichterkessing
Level 1
Level 1
In response to Jon Marshall

‎04-11-2014 05:48 AM

Thanks for the feedback!

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to jrichterkessing

‎04-10-2014 05:36 PM

For PCI, you don't necessarily need VRF or VDC, because the if vlans need to talk to Internet you would have to leak the VRFs together.  As long as you can firewall the vlans interfaces, open specific ports for your applications and log all the activities, you should be fine.

BTW, as Jon also noted, only 7ks support VDCs. All the other models support VRFs, only as long as you have the right license.

HTH

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card