cburgamy
Contributor

1534 VLan isolation

We have 2 1534s supporting our virtual environment that tie into a 1544. We need to isolate VMware management traffic from our core vlan and permit limited access to that VM management vlan. I understand creating a separate vlan on the 1544, then configuring the vlan on the 1534s and then providing access to those ports to that vlan, but how do we isolate that traffic?

13 Replies
cburgamy
Contributor

Re: 1534 VLan isolation

I am sorry, how do I limit access to that management vlan to only administrators. 

unified
Valued Contributor

Re: 1534 VLan isolation

You can assign switch ports to a vlan. This will prevent other vlans from accessing it.

Is this what you are looking for?

cburgamy
Contributor

Re: 1534 VLan isolation

So by assigning the management vlan to that particular port the management server is connected to, this should isolate the traffic? Should I consider defining the vlan on the 1544 with an IP address or should I only define the vlan on the 1534 switches? 

unified
Valued Contributor

Re: 1534 VLan isolation

It depends how the switches are configured.

If traffic will need to flow to the 1544 then you will have to configure the vlan on it as well.

You may want to take a look at this document:

cburgamy
Contributor

Re: 1534 VLan isolation

Thank you so much for providing the information. I am basically trying to figure out a solution where I wouldn't have to put the VM servers and server admins on a totally separate vlan/subnet to isolate traffic. But there doesn't seem to be a way to do so.

unified
Valued Contributor

Re: 1534 VLan isolation

Why don't you use the software firewall included in most operating systems (Windows Firewall, iptables)?

You can use this to restrict access to specific IP addresses on the local network.

cburgamy
Contributor

Re: 1534 VLan isolation

Auditors want traffic completely isolated from point A to point B from all other traffic.

unified
Valued Contributor

Re: 1534 VLan isolation

In that case you will need to create a new vlan/network.

Anonymous
Not applicable

Re: 1534 VLan isolation

@cburgamy -

I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to work with you on this - just let me know in a reply.


Thanks,

Noor

getzjd
New Contributor II

Re: 1534 VLan isolation

Access-lists are what you need, isn't it?

Assign an access group to an interface, so if you put it on your default vlan then you can limit access to the vmware vlan. Access lists process in top-down fashion.

interface vlan 1
  description Default
  ip address  10.xx.x.x  255.255.255.0
  ip access-group guest_block out
  no rtp quality-monitoring
  no awcp
  no ip route-cache express
  no shutdown

ip access-list extended guest_block
  deny   ip 192.168.35.0 0.0.0.255  any
  deny   ip 10.35.0.0 0.0.7.255  any
  deny   ip 10.100.0.0 0.0.3.255  any     log
  deny   ip 192.168.3.0 0.0.0.255  any     log
  permit ip any  any

cburgamy
Contributor

Re: 1534 VLan isolation

Would I have to enable ip firewall on the 1544 core, or is that even possible?

Chris

getzjd
New Contributor II

Re: 1534 VLan isolation

I would just use the access list to control access to the VLAN. If you are truly trying to keep end users or anyone from accessing the VLAN for VMware, then use an access list. You can put in a permit statement to allow your management machine, for example; then your IP would be the only one that could access that VLAN from the standard data network.

This doesn't "separate" the traffic as it is still using existing switching resources, but it prohibits access to the VLAN.

So... I would do the following (high level):

1. create management VLAN for vmware traffic

2. Set your management switch ports on the esxi servers

3. configure the native vlan for the switchports that the esxi servers are on to the vmware vlan

4. configure the access list

5. apply it to the proper vlan i.e. your default data vlan
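Added example, not code from the thread or from Adtran: a small Python evaluator for the top-down, first-match, implicit-deny behaviour described above, run against the guest_block list posted earlier and against a constructed list for the VM management VLAN (the 10.1.160.0/24 subnet, TCP 443 and the two admin hosts are assumed values). It models only address, protocol and destination-port matching, not the in/out direction the list is applied in.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol) or "tcp"/"udp"
    src: str                     # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int] = None  # destination port ("eq N"); None means any port

def addr_matches(spec: str, addr: str) -> bool:
    """Match an address against an AOS/IOS-style spec using wildcard-mask semantics."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = parts
    # Wildcard mask: 0 bits must match, 1 bits are don't-care, so invert it to get a netmask.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(net)) & mask)

def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Walk the list top-down; the first matching entry decides."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if addr_matches(ace.src, src) and addr_matches(ace.dst, dst):
            return ace.action
    return "deny"  # implicit deny at the end of every access list

# The guest_block list posted in the thread, transcribed entry by entry.
GUEST_BLOCK = [
    Ace("deny", "ip", "192.168.35.0 0.0.0.255", "any"),
    Ace("deny", "ip", "10.35.0.0 0.0.7.255", "any"),
    Ace("deny", "ip", "10.100.0.0 0.0.3.255", "any"),
    Ace("deny", "ip", "192.168.3.0 0.0.0.255", "any"),
    Ace("permit", "ip", "any", "any"),
]

# Constructed list for the VM management VLAN (assumed subnet, port and admin hosts):
# two admin workstations reach the management subnet on TCP 443, all else hits the implicit deny.
VM_MGMT = [
    Ace("permit", "tcp", "host 10.1.10.100", "10.1.160.0 0.0.0.255", 443),
    Ace("permit", "tcp", "host 10.1.10.101", "10.1.160.0 0.0.0.255", 443),
]
```

Running flows through `evaluate` before pushing the list to the switch is a cheap way to confirm that the entry order and wildcard masks do what the auditors expect.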

cburgamy
Contributor

Re: 1534 VLan isolation

In this access list on the 1544, can you specify which port a particular host will use to access a particular vlan/subnet, then use the default implicit deny at the end of the ACL to deny anything that doesn't match?

Ex:

Router(config-ext-nacl)#
permit tcp host 10.1.10.100 eq 5 10.1.160.0 0.0.0.255 eq 5
permit tcp host 10.1.10.101 eq 5 10.1.160.0 0.0.0.255 eq 5