BladeSystem - General

Discussion around "Private" VLANs to control traffic to servers in a c7000

chuckk281
Trusted Contributor
Alex was looking for some clarification:

 

*********************************************

 

Sorry for jumping in late on this, some questions

 

I thought checking "Private" on a network in VC meant that the VLAN was private to the VC. Are we talking about the same "private", or have I got it wrong? :)

 

If the customer wants to control the traffic between two machines, why put them on the same Ethernet broadcast domain?

 

If they are on the same Ethernet broadcast domain (VLAN), then different IP subnet addresses aren't really protecting anyone?

 

**********************************************

 

Cullen joined the conversation:

 

***********************************************

 

Alex,

 

If you want to make a network in Virtual Connect that is internal only, you simply don’t assign it to an uplink/shared uplink set.

 

A Private network is one where the systems can only talk out the uplink, not to each other (within the enclosure, as it’s not enforced outside a single Virtual Connect domain).  Suppose you had an “out of band” management VLAN for monitoring the servers at the OS level and suppose you wanted to be sure that systems could not talk to each other on this VLAN.  If you were using switches with the capability, you could use Access Control Lists (ACLs) to restrict which machines could communicate, but Virtual Connect doesn’t support ACLs.  If you were using Cisco gear you could use their proprietary private networking capability (which is pretty flexible) – but that’s Cisco only and works best when you have an end-to-end Cisco environment.

 

With Virtual Connect, you’d have two choices:

  1. Create 32 networks attached to 32 VLANs (assuming double density blades) and assign each blade to a different network.  This potentially wastes a lot of IP address space.  It also complicates the settings for firewalls and routing.
  2. Use a private network.  All machines are on the same VLAN and same IP subnet but can’t talk to each other.  IP address space is not wasted, routing is simplified.

**************************************************************

 

Are you using Private VLANs in your network infrastructure? How do you use it? Let us know.
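Cullen's point that a Virtual Connect private network is only enforced inside a single VC domain means the isolation is worth verifying from a blade rather than assumed. The script below is an added example and is not part of the original thread or any HPE tool: it runs on one blade and probes each peer on the shared management VLAN with a plain TCP connect to the SSH port. The peer list, the port and the `tcp_probe`/`check_isolation` names are assumptions made for this example. The important detail is the interpretation: a "connection refused" answer is a RST from the peer, which proves a Layer 2/3 path exists, so it counts as a violation just as a successful connect does; only silence (timeout or no route) is consistent with the private network doing its job.

```python
"""Verify blade-to-blade isolation on a VC private network (added example).

Run from a blade that sits on the private network, passing the other
blades' addresses on that VLAN. The names and addresses here are
assumptions for the example, not values from the original thread.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Possible outcomes of probing one peer on the shared VLAN.
ISOLATED = "isolated"    # no answer at all: the private network (or a firewall) dropped it
REACHABLE = "reachable"  # the peer answered, with SYN/ACK or RST: a L2/L3 path exists


def tcp_probe(host: str, port: int = 22, timeout: float = 2.0) -> str:
    """Probe a peer with a TCP connect (assumed port 22, SSH).

    A refused connection is still an answer from the peer, so it is
    reported as REACHABLE. Only a timeout or an unroutable destination
    is consistent with the isolation working.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return REACHABLE
    except ConnectionRefusedError:
        # RST came back: the host is reachable, isolation is not enforced.
        return REACHABLE
    except (socket.timeout, OSError):
        # timeout, "no route to host", etc.: nothing answered.
        return ISOLATED


def check_isolation(peers: Iterable[str],
                    probe: Callable[[str], str] = tcp_probe) -> Dict[str, str]:
    """Probe every peer and return {peer: outcome}.

    `probe` is injectable so the logic can be exercised offline with
    constructed results instead of live sockets.
    """
    return {peer: probe(peer) for peer in peers}


def violations(results: Dict[str, str]) -> List[str]:
    """Peers that answered at all; on a working private network this is empty."""
    return sorted(host for host, outcome in results.items() if outcome == REACHABLE)


def main(argv: List[str]) -> int:
    peers = argv[1:]
    if not peers:
        print("usage: check_private.py PEER_IP [PEER_IP ...]", file=sys.stderr)
        return 2
    results = check_isolation(peers)
    for host in peers:
        print(f"{host:15s} {results[host]}")
    bad = violations(results)
    if bad:
        print(f"isolation NOT enforced for: {', '.join(bad)}")
        return 1
    print("no peer answered; isolation holds (check peers are powered on)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A clean run only means something if the peers are known to be up, because a powered-off blade also times out; confirm each peer is reachable over the uplink from a management station first. If the same probes are repeated from a blade in a different enclosure, the expected result changes: outside the VC domain the "private" flag does nothing, and only an ACL or a Cisco-style private VLAN on the upstream switch would block that traffic.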