VMware Cloud Community
ViFXStu
Contributor

Ability to 'filter' portgroups in 1000v?

Does anyone know if it is possible to filter which port groups are presented to individual (or groups of) hosts connected to a 1000v switch?

The reason for asking is that if you wanted to have a single 1000v (redundant pair) for a datacenter that contains hosts that are split into clusters for internal/external (DMZ) VMs, we would only want networks for external VMs presented to the hosts in the cluster for these VMs and different port groups to be presented to the hosts for the internal VMs. From what I can figure out, every port group that is created is automatically made available on each host without any choice.

Or is it better to have one 1000v per cluster? Is it even possible to have multiple 1000v switches within a single datacenter?


Accepted Solutions
RBurns-WIS
Enthusiast

Have a look at the Port Profile guide below. Using permissions & roles you can restrict visibility of Port Profiles to certain users. As for restricting PPs based on the host, this is not yet possible. Assuming the user can only access certain hosts, you might be able to accomplish what you require. This is a new feature in version 1.4 and later.

http://www.cisco.com/en/US/partner/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_4/port_profile/...

We find that most people with a DMZ usually opt for separate hosts/clusters & therefore a separate VSM instance. You can have multiple VSMs per Datacenter, but only one host can belong to a single DVS. This would allow you to have a single vCenter instance managing your completely separated DMZ cluster which has its own DVS. This all depends on what your network & security policy requirements are.

Regards,

Robert

2 Replies
ViFXStu
Contributor

Thanks Robert, that's what I figured. I did know about using roles but it doesn't quite achieve what I want. Will go with separate VSMs per cluster.
