1534 VLan isolation
We have 2 1534s supporting our virtual environment that tie into a 1544. We need to isolate VMware management traffic from our core vlan and permit limited access to that VM management vlan. I understand creating a separate vlan on the 1544, then configuring the vlan on the 1534s and then providing access to those ports to that vlan, but how do we isolate that traffic?

Re: 1534 VLan isolation
I am sorry, how do I limit access to that management vlan to only administrators?

Re: 1534 VLan isolation
You can assign switch ports to a vlan. This will prevent other vlans from accessing it.
Is this what you are looking for?

Re: 1534 VLan isolation
So by assigning the management vlan to that particular port the management server is connected to, this should isolate the traffic? Should I consider defining the vlan on the 1544 with an IP address or should I only define the vlan on the 1534 switches?

Re: 1534 VLan isolation

Re: 1534 VLan isolation
Thank you so much for providing the information. I am basically trying to figure out a solution where I wouldn't have to put the VM servers and server admins on a totally separate vlan/subnet to isolate traffic. But there doesn't seem to be a way to do so.

Re: 1534 VLan isolation
Why don't you use the software firewall included in most operating systems (Windows Firewall, iptables)?
You can use this to restrict access to specific IP addresses on the local network.

Re: 1534 VLan isolation
Auditors want traffic completely isolated from point A to point B from all other traffic.

Re: 1534 VLan isolation
In that case you will need to create a new vlan/network.

Re: 1534 VLan isolation
@cburgamy -
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to work with you on this - just let me know in a reply.
Thanks,
Noor

Re: 1534 VLan isolation
Access-lists are what you need, isn't it?
Assign an access group to an interface, so if you put it on your default vlan then you can limit access to the vmware vlan. Access lists process in top-down fashion.
interface vlan 1
description Default
ip address 10.xx.x.x 255.255.255.0
ip access-group guest_block out
no rtp quality-monitoring
no awcp
no ip route-cache express
no shutdown
ip access-list extended guest_block
deny ip 192.168.35.0 0.0.0.255 any
deny ip 10.35.0.0 0.0.7.255 any
deny ip 10.100.0.0 0.0.3.255 any log
deny ip 192.168.3.0 0.0.0.255 any log
permit ip any any

Re: 1534 VLan isolation
Would I have to enable ip firewall on the 1544 core, or is that even possible?
Chris

Re: 1534 VLan isolation
I would just use the access list to control access to the VLAN. If you are truly trying to keep end users or anyone from accessing the VLAN for VMware, then use an access list. You can put in a permit statement to allow your management machine, for example; then your IP would be the only one that could access that VLAN from the standard data network.
This doesn't "separate" the traffic, as it is still using existing switching resources, but prohibits access to the VLAN.
So... I would do the following (high level)
1. create management VLAN for vmware traffic
2. Set your management switch ports on the esxi servers
3. configure the native vlan for the switchports that the esxi servers are on to the vmware vlan
4. configure the access list
5. apply it to the proper vlan i.e. your default data vlan

Re: 1534 VLan isolation
In this access list on the 1544, can you specify which port a particular host will use to access a particular vlan/subnet, then use the default implicit deny at the end of the ACL to deny anything that doesn't match?
Ex:
Router(config-ext-nacl)#
permit tcp host 10.1.10.100 eq 5 10.1.160.0 0.0.0.255 eq 5
permit tcp host 10.1.10.101 eq 5 10.1.160.0 0.0.0.255 eq 5
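A small Python model of the ACL behaviour the last few posts rely on: top-down first match, wildcard masks (a set bit means "don't care"), and the implicit deny at the end of an extended ACL. This is an added example, not code from the thread or from Adtran. The `guest_block` entries are the ones posted above; the `vmware_mgmt` ACL, its addresses and port 443 (assumed here to be the vSphere HTTPS port) are constructed for illustration, and numeric ports only are parsed. It ignores the `in`/`out` direction of `ip access-group`, so it models the match, not where the ACL is applied.

```python
"""Top-down extended-ACL evaluation with wildcard masks and the implicit deny.

Added example, not from the thread or from Adtran. It models only the subset of
AOS/IOS extended-ACL syntax that appears in the posts and uses numeric ports.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: str             # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    sport: Optional[int] = None   # None means any port
    dport: Optional[int] = None
    log: bool = False


def _addr_matches(spec: str, addr: str) -> bool:
    """Wildcard-mask match: a set bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec[5:]))
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(net)) & care) == (a & care)


def _take_addr(tok: List[str]) -> str:
    t = tok.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return "host " + tok.pop(0)
    return t + " " + tok.pop(0)          # network followed by wildcard mask


def _take_port(tok: List[str]) -> Optional[int]:
    if tok and tok[0] == "eq":
        tok.pop(0)
        return int(tok.pop(0))
    return None


def parse_acl(text: str) -> List[Rule]:
    """Parse '<action> <proto> <src> [eq N] <dst> [eq N] [log]' lines; skips the header."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[:2] == ["ip", "access-list"]:
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        rules.append(Rule(action, proto, src, dst, sport, dport, log=("log" in rest)))
    return rules


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; falling off the end is the implicit 'deny ip any any'."""
    for idx, r in enumerate(acl):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_matches(r.src, pkt.src) and _addr_matches(r.dst, pkt.dst)):
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, idx
    return "deny", None


# The blocklist-style ACL posted in the thread, copied as written.
GUEST_BLOCK = parse_acl("""
ip access-list extended guest_block
deny ip 192.168.35.0 0.0.0.255 any
deny ip 10.35.0.0 0.0.7.255 any
deny ip 10.100.0.0 0.0.3.255 any log
deny ip 192.168.3.0 0.0.0.255 any log
permit ip any any
""")

# Allow-list for the VMware management subnet, in the spirit of the last question.
# The addresses and port 443 (assumed vSphere HTTPS) are constructed for illustration.
MGMT_ALLOW = parse_acl("""
ip access-list extended vmware_mgmt
permit tcp host 10.1.10.100 10.1.160.0 0.0.0.255 eq 443
permit tcp host 10.1.10.101 10.1.160.0 0.0.0.255 eq 443
""")


if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.35.4.1", "10.1.160.5", 50000, 443),
                Packet("tcp", "10.35.9.1", "10.1.160.5", 50000, 443)):
        print(pkt.src, "guest_block ->", evaluate(GUEST_BLOCK, pkt))
    for pkt in (Packet("tcp", "10.1.10.100", "10.1.160.5", 50000, 443),
                Packet("tcp", "10.1.10.102", "10.1.160.5", 50000, 443),
                Packet("tcp", "10.1.10.100", "10.1.160.5", 50000, 22)):
        print(pkt.src, pkt.dport, "vmware_mgmt ->", evaluate(MGMT_ALLOW, pkt))
```

The two ACLs differ in their default: `guest_block` ends with `permit ip any any`, so any source not listed in a deny line (for example 10.35.9.1, which falls just outside the 10.35.0.0 0.0.7.255 range) gets through, whereas `vmware_mgmt` lists only the permitted admin hosts and lets the implicit deny reject everything else, including the same admin host on a port other than 443. Running the block prints the matched action and entry index for each constructed packet; the index makes it easy to see which line an unexpected permit or deny came from when reviewing an ACL.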