[c-nsp] Securing virtual networks
Nate Carlson
cisco-nsp at natecarlson.com
Thu Mar 13 19:04:59 EDT 2008
On Thu, 13 Mar 2008, Higham, Josh wrote:
> What methods are available for making sure that no traffic leaks between
> virtual networks? I am looking at doing some sort of virtualization for
> a small enterprise network (so no software based provisioning) and want
> to either prevent or detect misconfigurations.
What type of virtualization are you talking about? Something like
VMware/Xen, or network virtualization?
If VMware/Xen, just split up your networks by VLAN as usual, trunk the
VLANs to the management domain for your virtualized environment, and
assign the guests whatever VLAN they should be on.
> If I restrict the address ranges I can use netflow and ACLs, but that
> removes one of the benefits. This isn't a hostile environment, but
> would include a guest network so malicious attacks are possible, along
> with the obvious virus issues.
OK - so put the guest network off on its own VLAN, and isolate it.
> We have a collapsed core, so I would be using VLANs within the LAN, and
> GRE tunnels across the WAN. We can't count on a typo breaking something
> because some of the networks will be infrequently utilized. Any
> suggestions?
------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
| depriving some poor village of its idiot since 1981 |
------------------------------------------------------------------------
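
An added example, not part of the original message or either poster's code: one way to detect the misconfiguration discussed above, a trunk that carries the isolated guest VLAN where it should not. It assumes IOS-style `switchport` lines in a saved config; the sample config, interface names, VLAN numbers and the approved-trunk set are constructed for illustration.

```python
import re

# Constructed sample in IOS-style syntax; interface names and VLAN numbers are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20-22,98-100
interface GigabitEthernet0/3
 switchport mode trunk
interface GigabitEthernet0/4
 switchport access vlan 99
"""

def expand_vlans(spec):
    """Turn a list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config, guest_vlan, approved_trunks):
    """Return (interface, problem) pairs for trunks that can carry the guest VLAN."""
    ports, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"trunk": False, "allowed": None}
        elif current and line == "switchport mode trunk":
            ports[current]["trunk"] = True
        elif current:
            m = re.fullmatch(r"switchport trunk allowed vlan (\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*)", line)
            if m:
                ports[current]["allowed"] = expand_vlans(m.group(1))
    findings = []
    for name, port in ports.items():
        if not port["trunk"]:
            continue
        if port["allowed"] is None:
            # A trunk with no allowed list carries every VLAN, guest included.
            findings.append((name, "no allowed-VLAN list"))
        elif guest_vlan in port["allowed"] and name not in approved_trunks:
            findings.append((name, "guest VLAN on unapproved trunk"))
    return findings
```

Running this against each saved switch config after a change covers the infrequently used networks, where a typo would otherwise go unnoticed.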