VMware Cloud Community
RoelHeman
Contributor

Restrict VMs to VLANs

Hello all,

I'm having a challenge.

We have multiple resource pools and we want to restrict a VM to its resource pool, so we don't want a user to be able to create a network between two resource pools, even if he has full rights on both resource pools.

I have no idea whether this is possible and, if so, how.

All VMs in one resource pool are allowed to have a network connection to each other, but not to VMs in other resource pools.

Thanks

4 Replies
Gidrakos
Hot Shot

A vDistributed Switch will probably be your best bet here. You can create a vDS, assign it multiple networks (port groups) which each use different VLAN tagging, then restrict the user per resource pool to be able to only access specific networks on the DSwitch.

RoelHeman
Contributor

I do agree.

The only problem is: people can have rights on two or more resource groups, and thus on more than one dvSwitch, and are thereby able to connect VMs from one resource pool to the other (but only the ones they have rights on).

Gidrakos
Hot Shot

Actually, with the new 6.7 permissions scheme, you must apply all permissions at all levels, which gives you a lot more freedom to customize who can see and access what, and where.

For example:

UserA (UA) can access Resource Pool 0 (RP0) and Dswitch Port Group 0 (DSP0).

UA should also have access to RP1, but with DSP1 and not DSP0.

This means you need a permissions set for both scenarios, and apply the permissions per resource pool, per user.

I go into more detail about the oddities with 6.7 permissions here: VCSA 6.7 Individual Resource Pool Permissions No Longer Work

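The two replies above (one vDS with a VLAN-tagged port group per pool, then explicit per-object grants for UA on RP0 + DSP0 and RP1 + DSP1) can be scripted with PowerCLI. The block below is an added example written for this thread, not code posted by either participant; the vCenter name, datacenter, pool and port group names, VLAN IDs, role name and the user principal are all hypothetical, and the privilege list is illustrative rather than the full set a tenant role needs.

```powershell
# Added PowerCLI example (not from the original thread). Assumptions (all hypothetical):
#  - vCenter reachable as vcsa.example.local, session opened as an administrator
#  - datacenter "DC01" and resource pools "RP0" / "RP1" already exist
#  - VLAN 10 and VLAN 20 are trunked to the ESXi uplinks and are NOT routed to each other
#  - the tenant principal is "LAB\UserA"
Connect-VIServer -Server vcsa.example.local

$dc  = Get-Datacenter   -Name 'DC01'
$rp0 = Get-ResourcePool -Name 'RP0'
$rp1 = Get-ResourcePool -Name 'RP1'

# 1. One vDS, one port group per resource pool, each tagged with its own VLAN.
#    Hosts and uplinks are attached separately (Add-VDSwitchVMHost /
#    Add-VDSwitchPhysicalNetworkAdapter); omitted here.
$vds  = New-VDSwitch    -Name 'dvs01' -Location $dc -NumUplinkPorts 2
$dsp0 = New-VDPortgroup -VDSwitch $vds -Name 'DSP0-VLAN10' -VlanId 10
$dsp1 = New-VDPortgroup -VDSwitch $vds -Name 'DSP1-VLAN20' -VlanId 20

# 2. A role that can create VMs in a pool and attach NICs. "Network.Assign" is the
#    privilege vCenter checks on the port group when a NIC is connected to it.
#    Privilege IDs below are illustrative; a production role needs the complete set
#    for whatever the tenant is expected to do (disks, power ops, console, ...).
$privIds = @(
  'VirtualMachine.Inventory.Create',
  'VirtualMachine.Config.AddRemoveDevice',
  'VirtualMachine.Config.EditDevice',
  'Resource.AssignVMToPool',
  'Network.Assign'
)
$role = New-VIRole -Name 'PoolTenant' -Privilege (Get-VIPrivilege -Id $privIds)

# 3. Explicit grants per object, as the reply describes: UA on RP0 + DSP0 and on
#    RP1 + DSP1. Nothing is granted at the datacenter or on the vDS itself, so the
#    only networks UA can pick are the two port groups listed here.
$user   = 'LAB\UserA'
$grants = @(
  @{ Entity = $rp0;  Propagate = $true  },   # pool contents (VMs) inherit
  @{ Entity = $dsp0; Propagate = $false },   # network: grant on the object only
  @{ Entity = $rp1;  Propagate = $true  },
  @{ Entity = $dsp1; Propagate = $false }
)
foreach ($g in $grants) {
  New-VIPermission -Entity $g.Entity -Principal $user -Role $role -Propagate:$g.Propagate | Out-Null
}

# 4. Check: what UA actually holds, and that nothing is inherited from higher up
#    (a stray propagating grant on DC01 or dvs01 would expose every port group).
Get-VIPermission -Principal $user | Select-Object Entity, Role, Propagate
Get-VIPermission -Entity $dc, $vds | Where-Object { $_.Principal -eq $user }   # expect no rows
```

Two caveats a practitioner would want. First, a vSphere permission is a (object, principal, role) triple with no notion of "only while the VM sits in RP0": once UA holds Network.Assign on both DSP0 and DSP1, vCenter will let UA attach a VM in RP0 to DSP1. The grants above therefore isolate pools from users who have rights on one pool; for a user with rights on two pools, the separation has to come from different principals (for example one group per pool) or from an operational control, not from the permission model alone. Second, the VLAN tags only isolate traffic at layer 2 if VLAN 10 and VLAN 20 are not routed together upstream; the vDS does not enforce that.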
RoelHeman
Contributor

Thanks for the fast response. I will try this Monday!
