Private VLANs w/ VMware vDS and Cisco Nexus 5000: A Configuration Reference

PVLANs
When configuring the networks of a virtualized environment, private VLANs expand the functionality of a standard VLAN.  This article describes the configuration of PVLANs from both the VMware and Cisco perspectives.  The purpose of this article is to provide a brief configuration overview.  It’s likely you already know what PVLANs are and how they work, so I won’t go into much detail there.  For more information about VLANs and PVLANs, check out Cisco’s Securing Networks with Private VLANs and VLAN Access Control Lists.

Usage Scenarios

  1. DMZ security – Servers running in a DMZ can be isolated from one another. Should a DMZ guest be compromised, the guest is unable to communicate with any other guest in the the DMZ (given each are a part of an isolated PVLAN)
  2. Hosted cloud infrastructure – A customer environment (consisting of multiple guests) in a community PVLAN are able to communicate amongst themselves, but cannot communicate with a different community PVLAN
  3. Overcome standard VLAN limitations – While PVLANs exist with their own set of limitations, private VLANs greatly extend the functionality and usefulness of a standard VLAN

Configuration Overview

vlan 2410 int: 192.168.7.1 (primary 2410, secondary 2411)
vlan 2412 int: 192.168.8.1 (primary 2412, secondary 2413)
vlan 2411 – isolated
vlan 2413 – community
bperove-vm1: 192.168.7.10 – dvPortGroup1 – primary 2410, secondary 2411
bperove-vm2: 192.168.7.11 – dvPortGroup1 – primary 2410, secondary 2411
bperove-vm3: 192.168.8.10 – dvPortGroup2 – primary 2412, secondary 2413
bperove-vm4: 192.168.8.11 – dvPortGroup2 – primary 2412, secondary 2413
bperove-vm5: 192.168.8.12 – dvPortGroup2 – primary 2412, secondary 2413
bperove-vm6: 192.168.8.13 – dvPortGroup3 – primary 2412, secondary 2412

Configuration of VMware vDS (DVS)

CDP information for vmnic2

CDP information for vmnic3

dvSwitch Settings

dvPortGroup Settings

VLAN Configuration

vlan 2410
  private-vlan primary
  private-vlan association 2411
vlan 2411
  private-vlan isolated
vlan 2412
  private-vlan primary
  private-vlan association 2413
vlan 2413
  private-vlan community

Interface Configuration

interface Ethernet1/19
  description bperove - bs-tse-i127 - vmnic2
  switchport mode trunk
  switchport trunk allowed vlan 2410-2411

interface Ethernet1/20
  description bperove - bs-tse-i127 - vmnic3
  switchport mode trunk
  switchport trunk allowed vlan 2412-2413



Communication logic

vm1 can ping vlan 2410 int @ 192.168.7.1, but cannot ping vm2
vm2 can ping vlan 2410 int @ 192.168.7.1, but cannot ping vm1
vm3-5 can ping vlan 2412 int @ 192.168.8.1, and can all ping each other
vm6 can ping vlan 2412 int @ 192.168.8.1, vm3-5, and vm3-5 can ping vm6
vm1-2 cannot ping vm3-6

 

Installing a WLAN @ Ameristar Casino, Black Hawk, Colorado

What’s it like to install a wireless network in a casino?  With the help of two others, we lit up ~200 APs at the Ameristar in Black Hawk just a few weeks before the grand opening on 9/29.  This was a ton of work, but it was worth it.  Here are some photos that I snapped.

One of 6 Cisco Aironet 1130ag access points per floor, locked in an access panel.

One of about 15 IDFs (every 3 floors). APs are connected to a POE switch.

This is a core switch for the admin VLAN (separate from the wireless network). A bit overkill, but cool nonetheless.

In the MDF, fiber connects all the IDFs to the switches above. The two Cisco 4400 WLCs you see each control 100 APs and cost roughly $23K/ea. There’s also a Soekris box running pfSense, a Nomadix 5500ag (for subscriber/guest access), a Cymphonix web filter, and a Servertech IPM-8 rebooter. The main pipe is an OC-3, but guests are limited to 30 Mbits total.

Very nice work by Tim McCabe in Denver. Completed structured cabling with 6 guys in 14 months.

Cross-connect for the phone system, and a lot of it.

Installing an AP 40 feet above the Summit room. One of two in this area (capacity of 700), one in the main hall, and another in the service hall directly behind.

Construction on floors 32-34 was incomplete; hard hats required.

 

Cybertool.mobi

Has it been 8  months since my last post?  Yeesh.  I need to get more simplistic when it comes to this whole blogging thing.

When I’m not working, reading, studying for exams, training for races, or plotting to save the world, apparently I’m writing PHP?  I know–scary thought for a server/network guy.  Just the same… Happy Gilmore was a hockey player, not a golfer.

I’ve updated the site to include a projects page, where my latest & greatest will be available for anyone who wants to check it out.

Speaking of which, I’ve recently built a mobile application called Cybertool.  It’s a collection of utilities that might help to diagnose and resolve network issues.  For a while, I’ve used a handful of different sites to fix DNS, mail, or firewall stuff.  Cybertool is an aggregate of those sites for your mobile device.  As an added bonus, there are tools like Cisco password decryption, a default passwords list, and a subnet calculator.  It’s still a work in progress, so there’s a small list of bugs to iron out yet, but I’ve worked really hard to make sure it’s invulnerable to XSS/SQL injection, and have hardened Apache (obviously from my previous post, as well as part II about mod_security which is coming soon).  All activity is logged and monitored, so don’t try anything funny!  It will get you banned faster than Paris Hilton at a spelling bee… faster than Kanye West at a charity event… you get the point.

Be sure to leave comments over at the Cybertool projects page.

 

Bullet-proof Apache: Nikto Security Scanner

apache

If you’ve ever been responsible for maintaining an Apache web server, you know how important security is.

Nikto provides an easy way to scan for known (and unknown) vulnerabilities within your Apache server.  Actually, it does a fairly comprehensive scan on over 200 web servers, not just Apache.  To run a security scan, download the tool, then extract the archive to the desired location.  To initiate a scan from the Nikto directory, type:

[code]

./nikto.pl -host [ip address]

[/code]

Note: when specifying an IP address, make sure you use the external IP of your webserver, not the internal IP.

Here is what my results look like:

[code]
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:          10.0.0.1
+ Target Hostname:    blurred for security
+ Target Port:        80
+ Start Time:         2009-01-26 16:44:36
---------------------------------------------------------------------------
+ Server: Apache
+ OSVDB-3092: GET /manual/ : Web server manual found.
+ OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 3 item(s) reported on remote host
+ End Time:        2009-01-26 16:45:25 (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Test Options: -host 10.0.0.1
---------------------------------------------------------------------------
[/code]

I would then look up the results and fix each issue until there have been no issues detected.  See the OSVDB-ID?  These IDs are found in the Open Source Vulnerability Database.  Each ID will contain a description, classification, and solution.

To aid in your research, I have created an OSVDB Firefox search plugin.  Install the plugin and then search for 3092, 3268, 3233, etc.

Hopefully this makes securing your web server quick & painless.

 

Find Linux CPU Temperature

The easiest way to get a CPU temperature readout from Linux is by looking at an ACPI function called temperature:
[code]
cat /proc/acpi/thermal_zone/THRM/temperature
[/code]

You could also try sensors-detect and then sensors, but I had some trouble detecting the correct modules on 8 year old hardware.

 

Next Page »

Add this site to your Firefox Search Bar

Twitter Updates


No public Twitter messages.

Recent Entries

Topics

Archives

This site is optimized for Firefox.