Re: Vmnic ACL's

Hernandes · ‎03-22-2007

Hello,

We are about to set our new architecture and we need some information about Network security.

We have for example 3 Virtual Switch, let's say "PROD", "TEST" and "MGMT".

I would need to know if it's possible to set ACL's on the virtual switch "MGMT" as if two VMs, one in PROD one in TEST with each on interface in MGMT can not communicate each other.

I hope it's clear enough (two VMs with two VNics that cannot communicate even if they have one VNic in the same VSwitch ..)

Thanks in advance for your infos

oreeh · ‎03-22-2007

You can't set ACLs on vSwitches

To achieve minimum security you could use VLANs instead

wobbly1 · ‎03-22-2007

If you are just trying to keep prod and test seperate you could create two mgmt vSwitches and only have the prod systems on one vSwitch and test on the other but have your mgmt server connected to both

Hernandes · ‎03-22-2007

Thanks,

The thing is, we actually are using VLAN's, as a virtual switch correspond to a Vlan.

The Vlan MGMT, is for us to be able to manage server from one zone (via rdp), but the servers can not communicate trough this VLAN.

So on a same box, VMs using the same VSwitch can communicate .. And we do not want..

As we have about 10 VLANS for prod, test, dev ... and one common for the management.

We would like to have one only zone for all the VMs and the VLANs. Physical limit would be 8 NICs (4 with the failover).

wobbly1 · ‎03-22-2007

this would point to using two seperate vSwitches for mgmt - one for prod systems and one for test systems and the only common system on both is the mgmt server. This then gives you the seperation.

Hernandes · ‎03-22-2007

Yep, understood that point.

But we still have, for two VMs from PROD, the possibility they comuinicate through their MGMT Vswitch.

And that is what our security department doesn't want ...

All

Vmnic ACL's