May 11
Virtualized PVLANs
We have a dilemma… A customer wants to create PVLANs (Private Virtual LANs) in their virtual environment. If you aren’t familiar with PVLANs, read what Cisco says they are: “A PVLAN is a VLAN with configuration for Layer 2 isolation from other ports within the same broadcast domain or subnet. You can assign a specific set of ports within a PVLAN and thereby control access among the ports at Layer 2.” With certain Cisco switches you can set up PVLANs to allow or deny traffic between hosts that sit in the same subnet.

So the question becomes: how can we do the same thing in the virtual environment while leveraging virtualization to do it? Using the Reflex VMC and vTrust technologies you can define these PVLANs much more easily in the virtual environment and apply policy to individual Virtual Machine (VM) hosts, or even to a set of VM hosts, by creating zones. By utilizing VQL and vTrust to segment and set policy, the rules apply only to the hosts you specify and all other network communication is allowed. vTrust also provides the option to prevent all VM-to-VM communication inside a zone. Reflex VMC setup and configuration can be done quickly and with very few errors.
With Reflex VMC you can create PVLANs (Private Virtual LANs) by following these directions:
1. Create a New Zone – Label it properly, based on business entity, use case, organizational unit, or application function. In this example, I used the Applications zone.
2. Assign VMs to Zone – Determine which virtual machines should be a part of this zone based on specific attributes of the VMs. Alternatively, you can utilize vmTags to classify VMs, as this can be easier and more efficient in large environments.
a. Example VQL: vm.name = Source1 or vm.name = Source2
b. Example use of vmTags: tag: Applications, or you can click on the tag selector and choose the desired tags.
c. Other VM attributes such as PNIC, Memory, Tags, etc. can be used when assigning VMs to a zone.
3. Create Additional Zones – As needed, additional zones can be added. An example zone could be something like “Backups”, with your backup server in the zone, where you specify the vmTag associated with your Backup VMs. A similar association would be tag: Backup_Srvr.
4. Create a New Policy – When creating a new policy, name the policy according to its purpose: Retention, Backup, Archive, Corp, etc.
5. Add Rules to the New Policy
- An example of such a rule is Source (zone:Applications) and Destination (vm.name contains “Backup”) (whatever your target server is), or more specifically Destination (zone:Backup_Srvr), which is the defined zone for your Backup Servers.
- Create specific Rules, which prevent the VMs inside the Applications zone from talking to each other.
a. Deny > Source (vm.name = Source1) > Check “In Zone” > Destination (vm.name = Source2) > Check “In Zone” – Remove Ethernet Protocols to block all traffic
b. Deny > Source (vm.name = Source1) > Check “In Zone” > Destination (vm.name = Source1) > Check “In Zone” – Remove Ethernet Protocols to block all traffic
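A runnable model of the zone and rule semantics described in steps 2 through 5, written for this post as an added example (it is not Reflex VMC code, and its predicates only stand in for VQL and vmTags): zones are membership predicates over VM attributes, deny rules carry the “In Zone” check, and traffic no rule matches is allowed. It generalises the pairwise rules in step 5 to every ordered pair of VMs currently in a zone, which is the vTrust option of blocking all intra-zone traffic mentioned earlier. First-match rule ordering, an allow action for the Applications-to-backup rule, and the VM names other than Source1/Source2 are assumptions made here.

```python
"""Constructed model of zone-based PVLAN rules (not Reflex VMC's engine or VQL)."""
from dataclasses import dataclass
from itertools import permutations
from typing import Callable, FrozenSet, List, Optional

Pred = Callable[["VM"], bool]


@dataclass(frozen=True)
class VM:
    name: str
    tags: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Zone:
    """A zone is a membership predicate evaluated against VM attributes at
    check time, so re-tagging a VM moves it in or out of the zone."""
    name: str
    member: Pred

    def contains(self, vm: VM) -> bool:
        return self.member(vm)


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: Pred                        # predicate on the source VM
    dst: Pred                        # predicate on the destination VM
    in_zone: Optional[Zone] = None   # "In Zone": both endpoints must be members
    protocols: Optional[FrozenSet[str]] = None  # None = all protocols (Ethernet protocols removed)

    def matches(self, s: VM, d: VM, proto: str) -> bool:
        if not (self.src(s) and self.dst(d)):
            return False
        if self.in_zone and not (self.in_zone.contains(s) and self.in_zone.contains(d)):
            return False
        return self.protocols is None or proto in self.protocols


# Stand-ins for VQL / vmTag expressions such as `vm.name = Source1` or `tag: Applications`
def name_is(n: str) -> Pred:
    return lambda vm: vm.name == n

def name_contains(part: str) -> Pred:
    return lambda vm: part in vm.name

def tagged(tag: str) -> Pred:
    return lambda vm: tag in vm.tags

def member_of(zone: Zone) -> Pred:
    return zone.contains


def isolate_zone(zone: Zone, vms: List[VM]) -> List[Rule]:
    """Generalisation of step 5: one deny rule per ordered pair of current zone
    members, each carrying the In Zone check and no protocol filter."""
    members = [vm for vm in vms if zone.contains(vm)]
    return [Rule("deny", name_is(a.name), name_is(b.name), in_zone=zone)
            for a, b in permutations(members, 2)]


def evaluate(rules: List[Rule], s: VM, d: VM, proto: str = "tcp") -> str:
    """First matching rule wins (assumed ordering); traffic no rule matches is
    allowed, since the rules apply only to the hosts you specify."""
    for rule in rules:
        if rule.matches(s, d, proto):
            return rule.action
    return "allow"


# Constructed inventory (names other than Source1/Source2 are made up here)
SOURCE1 = VM("Source1", frozenset({"Applications"}))
SOURCE2 = VM("Source2", frozenset({"Applications"}))
BACKUP = VM("Backup01", frozenset({"Backup_Srvr"}))
WEB = VM("Web1")
INVENTORY = [SOURCE1, SOURCE2, BACKUP, WEB]

APPLICATIONS = Zone("Applications", tagged("Applications"))
BACKUP_ZONE = Zone("Backup_Srvr", tagged("Backup_Srvr"))

POLICY = [
    # step 5, first bullet: Applications zone -> backup servers (allow action assumed)
    Rule("allow", member_of(APPLICATIONS), name_contains("Backup")),
] + isolate_zone(APPLICATIONS, INVENTORY)


if __name__ == "__main__":
    for s, d in [(SOURCE1, SOURCE2), (SOURCE2, SOURCE1), (SOURCE1, BACKUP), (WEB, SOURCE1)]:
        print(f"{s.name} -> {d.name}: {evaluate(POLICY, s, d)}")
```

Two things the model makes visible that the step list does not: because zone membership is a predicate evaluated per check, removing the Applications tag from Source2 silently lifts the deny rule (the In Zone check no longer holds), so tag hygiene is part of the policy; and a rule restricted to a protocol set only denies those protocols, which is why step 5 removes the Ethernet protocols to block everything.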
Save these rules and they will apply to the associated VMs/servers. You have just created your first PVLAN in the virtual environment. Now you can accomplish even more granular network segmentation by using Reflex’s VMC and vTrust technologies. Go forth and segregate…