13 Replies Latest reply on Aug 28, 2012 9:49 AM by cburgamy

    1534 VLAN isolation

    cburgamy New Member

      We have two 1534s supporting our virtual environment that tie into a 1544. We need to isolate VMware management traffic from our core VLAN and permit limited access to that VM management VLAN. I understand creating a separate VLAN on the 1544, then configuring the VLAN on the 1534s and then providing access to those ports to that VLAN, but how do we isolate that traffic?

        • Re: 1534 VLAN isolation
          cburgamy New Member

          I am sorry, how do I limit access to that management VLAN to only administrators?

            • Re: 1534 VLAN isolation
              unified Past_Featured_Member

              You can assign switch ports to a vlan. This will prevent other vlans from accessing it.

              Is this what you are looking for?

                • Re: 1534 VLAN isolation
                  cburgamy New Member

                  So by assigning the management vlan to that particular port the management server is connected to, this should isolate the traffic? Should I consider defining the vlan on the 1544 with an IP address or should I only define the vlan on the 1534 switches? 

                    • Re: 1534 VLAN isolation
                      unified Past_Featured_Member

                      It depends how the switches are configured.

                      If traffic will need to flow to the 1544 then you will have to configure the vlan on it as well.

                       

                      You may want to take a look at this document:

                      Understanding the Switch Menu in the AOS Web Interface

                      • Re: 1534 VLAN isolation
                        getzjd New Member

                        Access lists are what you need, isn't it?

                        Assign an access group to an interface, so if you put it on your default VLAN then you can limit access to the VMware VLAN. Access lists process in top-down fashion.

                         

                         

                        interface vlan 1
                          description Default
                          ip address  10.xx.x.x  255.255.255.0
                          ip access-group guest_block out
                          no rtp quality-monitoring
                          no awcp
                          no ip route-cache express
                          no shutdown

                        ip access-list extended guest_block
                          deny   ip 192.168.35.0 0.0.0.255  any
                          deny   ip 10.35.0.0 0.0.7.255  any
                          deny   ip 10.100.0.0 0.0.3.255  any     log
                          deny   ip 192.168.3.0 0.0.0.255  any     log
                          permit ip any  any

                          • Re: 1534 VLAN isolation
                            cburgamy New Member

                            Would I have to enable ip firewall on the 1544 core, or is that even possible?

                             

                            Chris

                              • Re: 1534 VLAN isolation
                                getzjd New Member

                                I would just use the access list to control access to the VLAN. If you are truly trying to keep end users or anyone from accessing the VLAN for VMware, then use an access list. You can put in a permit statement to allow your management machine, for example; then your IP would be the only one that could access that VLAN from the standard data network.

                                 

                                This doesn't "separate" the traffic, as it is still using existing switching resources, but prohibits access to the VLAN.

                                 

                                So... I would do the following (high level):

                                1. Create a management VLAN for VMware traffic.
                                2. Set your management switch ports on the ESXi servers.
                                3. Configure the native VLAN for the switch ports that the ESXi servers are on to the VMware VLAN.
                                4. Configure the access list.
                                5. Apply it to the proper VLAN, i.e. your default data VLAN.

                                  • Re: 1534 VLAN isolation
                                    cburgamy New Member

                                    In this access list on the 1544, can you specify which port a particular host will use to access a particular VLAN/subnet, then use the default implicit deny at the end of the ACL to deny anything that doesn't match?

                                    Ex:

                                    Router(config-ext-nacl)#
                                    permit tcp host 10.1.10.100  eq 5  10.1.160.0 0.0.0.255 eq 5
                                    permit tcp host 10.1.10.101  eq 5  10.1.160.0 0.0.0.255 eq 5
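An added example, not code from this thread or from AOS, to show how the two access lists discussed here are actually processed: getzjd's guest_block further up and the port-specific permit entries in the question just above. It is a toy first-match evaluator with Cisco/AOS-style wildcard masks and the implicit deny that follows the last entry. The management subnet, the two admin hosts and port 5 are hypothetical placeholders carried over from the question; the packets it evaluates are constructed for the demonstration.

```python
"""Toy evaluator for Cisco/AOS-style extended access lists (added example).

Models top-down, first-match processing, wildcard-mask address matching and
the implicit 'deny ip any any' after the last entry. Not AOS code; the
addresses, hosts and port numbers below are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any IP protocol
    src: str                   # "any", "host A.B.C.D" or "A.B.C.D <wildcard>"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    log: bool = False


def parse_ace(line: str) -> Entry:
    """Parse one entry in the syntax used in the thread:
    <permit|deny> <proto> <src> [eq <port>] <dst> [eq <port>] [log]"""
    tok = line.split()
    pos = 2

    def addr() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return f"host {tok[pos - 1]}"
        pos += 2                       # network followed by wildcard mask
        return f"{tok[pos - 2]} {tok[pos - 1]}"

    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1])
        return None

    src, sport = addr(), port()
    dst, dport = addr(), port()
    return Entry(tok[0], tok[1], src, dst, sport, dport,
                 log=(pos < len(tok) and tok[pos] == "log"))


def addr_matches(spec: str, addr: str) -> bool:
    """Wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    first, second = spec.split()
    if first == "host":
        return addr == second
    care = ~int(IPv4Address(second)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(first)) & care


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (addr_matches(e.src, p.src) and addr_matches(e.dst, p.dst)):
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# getzjd's guest_block, as posted (applied outbound on interface vlan 1).
GUEST_BLOCK = [parse_ace(line) for line in """
deny   ip 192.168.35.0 0.0.0.255 any
deny   ip 10.35.0.0 0.0.7.255 any
deny   ip 10.100.0.0 0.0.3.255 any log
deny   ip 192.168.3.0 0.0.0.255 any log
permit ip any any
""".strip().splitlines()]

# Shape of the list asked about in the last post: two admin hosts, one TCP
# port, nothing else. Hypothetical addresses; the implicit deny does the rest.
MGMT_ACL = [parse_ace(line) for line in """
permit tcp host 10.1.10.100 eq 5 10.1.160.0 0.0.0.255 eq 5
permit tcp host 10.1.10.101 eq 5 10.1.160.0 0.0.0.255 eq 5
""".strip().splitlines()]


def demo() -> Dict[str, str]:
    """Constructed packets exercising first match, wildcard edges, implicit deny."""
    cases = {
        # 10.35.4.7 lies inside 10.35.0.0/21 (wildcard 0.0.7.255): second deny
        "guest_inside_21": (GUEST_BLOCK, Packet("tcp", "10.35.4.7", "10.1.1.10", 40000, 443)),
        # 10.35.9.1 lies outside /21: falls through to 'permit ip any any'
        "guest_outside_21": (GUEST_BLOCK, Packet("tcp", "10.35.9.1", "10.1.1.10", 40000, 443)),
        "admin_ok": (MGMT_ACL, Packet("tcp", "10.1.10.100", "10.1.160.20", 5, 5)),
        # same admin host, different destination port: no entry matches
        "admin_wrong_port": (MGMT_ACL, Packet("tcp", "10.1.10.100", "10.1.160.20", 5, 22)),
        "user_denied": (MGMT_ACL, Packet("tcp", "10.1.10.55", "10.1.160.20", 5, 5)),
        # a ping from the admin host is ICMP, not TCP: implicit deny
        "admin_ping": (MGMT_ACL, Packet("icmp", "10.1.10.100", "10.1.160.20")),
    }
    return {name: evaluate(acl, pkt) for name, (acl, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The verdicts show the two points the thread turns on. An entry that names a specific host and port matches exactly that and nothing else, so the admin host's traffic to any other port, or its ICMP ping, lands on the implicit deny; and guest_block's wildcard 0.0.7.255 covers 10.35.0.0 through 10.35.7.255 only, so a host at 10.35.9.1 reaches the final permit. Two things the toy does not model, in the Cisco-style semantics AOS follows: the direction keyword matters (an access-group applied out on interface vlan 1 filters traffic the router sends into VLAN 1, so the source addresses in guest_block are the networks being kept out of the default VLAN), and an access list on the routed VLAN interface only sees traffic crossing between VLANs, never traffic between two hosts on the same VLAN, which is why getzjd describes it as prohibiting access rather than separating the traffic.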