VlanWe have 2 1534s supporting our virtual enviroment that tie into a 1544. We need to isolate VMware management traffic from our core vlan and permit limited access to that VM management vlan. I understand creating a seperate vlan on the 1544, then configuring the vlan on the 1534s and then providing access to those ports to that vlan, but how do we isolate that traffic?
You can assign switch ports to a vlan. This will prevent other vlans from accessing it.
Is this what you are looking for?
So by assigning the management vlan to that particular port the management server is connected to, this should isolate the traffic? Should I consider defining the vlan on the 1544 with an IP address or should I only define the vlan on the 1534 switches?
Thank you so much for providing the information. I am bascially trying to figure out a solution where I wouldnt have to put the VM servers and server admins on a totally seperate vlan/subnet to isolate traffic. But there doesnt seem to be away to do so.
Why don't you use the software firewall included in most operating systems (Windows Firewall, iptables) ?
You can use this to restrict access to specific IP addresses on the local network.
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to work with you on this - just let me know in a reply.
Access-lists are what you need, isnt it?
Assigg access group to an interface so if you put it on your default vlan then you can limit acceess to the vmware vlan. Access lists process in top down fashion.
interface vlan 1
ip address 10.xx.x.x 255.255.255.0
ip access-group guest_block out
no rtp quality-monitoring
no ip route-cache express
ip access-list extended guest_block
deny ip 192.168.35.0 0.0.0.255 any
deny ip 10.35.0.0 0.0.7.255 any
deny ip 10.100.0.0 0.0.3.255 any log
deny ip 192.168.3.0 0.0.0.255 any log
permit ip any any
I would just use the access list to control access to the VLAN. If you are truely trying to keep end users or anyone from accessing VLAN for Vmware, then use an access list. You can put in a permit statement to allow your managment machine for example though then your IP would be the only one that could access that VLAN from the standard data network.
This doesnt "separate" the traffic as it is still using existing switching resources, put prohibits access to the VLAN.
So... I would do the following (high level)
1. create management VLAN for vmware traffic
2. Set your management switch ports on the esxi servers
3. configure the native vlan for the switchports that the esxi servers are on to the vmware vlan
4. configure the access list
5. apply it to the proper vlan i.e. your default data vlan
In this access list on the 1544, can you specify which port a particular host will us to access a particular vlan/subnet then use the default implicit deny at the end of the ACL to deny anything that doesn’t match?
permit tcp host 10.1.10.100 eq 5 10.1.160.0 0.0.0.255 eq 5
permit tcp host 10.1.10.101 eq 5 10.1.160.0 0.0.0.255 eq 5