We have several machines plugged into various ports on a Cisco Nexus 5000. We want to separate the switch into groups, so a handful of machines can see and talk to each other and no one else. That is, we want to create a physically isolated port group.

We (apparently) have no VLAN IDs available, as they are all used (large corporate network), so we cannot just separate these into a VLAN or a PVLAN.

Is there a way to just tell the switch to physically isolate traffic to only a given group of ports?

Brad
  • This can only really be done via VLANs. You have all 1024 VLANs (or 504, depending on version) used already? Something's messed up if you're using that many VLANs in one physical location. – Chris S Apr 04 '13 at 17:47
  • I don't manage the network, so I don't know. This is a very large company, in a large campus. I am trying to not deal with "all that", and trying to just get my 8 machines to talk only to each other. – Brad Apr 04 '13 at 17:49
  • I usually work with the ASA product from Cisco, so I am not entirely sure how the IOS on Nexus products works, but can't you create ACLs for that? – Alex Apr 04 '13 at 18:13
  • So this sounds to me like a rogue operation; otherwise you'd have asked the network team this question, right? – tony roth Apr 04 '13 at 18:16
  • This method won't provide physical isolation, but if you can't create VLANs then this might be the only way to get close: assign the machines IP addresses in a range that isn't used anywhere else in the corporate network and isn't being routed anywhere else in the corporate network. This will keep those machines from being able to communicate with all other machines at layer 3. Unfortunately, I don't see any way to isolate them at layer 2 without the use of VLANs. – joeqwerty Apr 04 '13 at 18:18
  • Perhaps a PVLAN would be a solution, but I'm not sure if the Nexus allows creation of those if you've hit the 1024 limit. – pauska Apr 04 '13 at 18:23
  • The Nexus 5000 supports ~470 active VLANs on a switch and the Nexus 5500 supports ~4000. Check with your networking team to get an unassigned VLAN. Or (as a complete hack) you could use some random address space inside an existing VLAN so your gear is isolated at layer 3. Be ready for your ports to be shut off when the network team eventually finds ARP requests for your non-authorized IP space on a real VLAN. – cpt_fink Apr 05 '13 at 01:51

2 Answers

If you want these devices to be totally isolated from everything else, just add them all onto their own separate switch and call it a day. No point being on the shared company switch if you specifically don't want them to be able to talk to anyone else.

Edit:

What else is on the same segment as you that you want to avoid? Do you just not want the servers to be able to route out? Or are there other servers on the same VLAN segment that they shouldn't be able to talk to?

If you really wanted to get crazy, you could have IT provision a new virtual switch on the Nexus chassis that has your server ports assigned to it. You can use whatever VLANs you like, and they won't communicate with the ones in the main context. Of course, if I were your network engineer and you asked me to do this, I would have a good chuckle about it with the guys after work.

There are other hacks you could do. PVLANs, of course, but you don't have any more VLANs. VLAN filters could be used to only allow your IPs to talk to your own IPs. Plain old ACLs on ports could stop the L3 traffic too, if you wanted.

I also have a suspicion that the switch isn't out of VLANs, and your network guy just wants to avoid work or having to explain to you why policy doesn't allow it. But take that for what it's worth -- a guess.

The correct answer for this is to use VLANs -- this is pretty much exactly what they're designed for.

Keller G
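A concrete version of the two approaches Keller G's answer mentions (a dedicated VLAN as the correct fix, and a port ACL as the layer-3-only fallback), added here as an example; it is not part of the question or either answer. VLAN 250, interfaces Ethernet1/1 through 1/8, the ACL name GROUP-ONLY and the 10.250.0.0/24 range are placeholders chosen for illustration, and the NX-OS syntax shown is the Nexus 5000 port-ACL form (`ip port access-group ... in`), which applies inbound on Layer 2 access ports.

```cisco
! Added example, not from the question or either answer.
! Placeholders: VLAN 250, ports Ethernet1/1-8, range 10.250.0.0/24.

! --- Option A: the correct fix, a VLAN the network team allocates ---
! Hosts in VLAN 250 share a broadcast domain only with each other; with no
! SVI or router on that VLAN they have no path to the rest of the campus.
vlan 250
  name isolated-group

interface Ethernet1/1-8
  switchport
  switchport mode access
  switchport access vlan 250
  spanning-tree port type edge
  no shutdown

! --- Option B: "plain old ACLs on ports" when no VLAN is available ---
! IPv4 port ACL: each host may exchange IP traffic only with the other
! members of the 10.250.0.0/24 group; every other IP destination is dropped.
ip access-list GROUP-ONLY
  10 permit ip 10.250.0.0/24 10.250.0.0/24
  20 deny ip any any

! Nexus 5000 supports ingress port ACLs on Layer 2 switchports.
interface Ethernet1/1-8
  ip port access-group GROUP-ONLY in

! --- Checks ---
show vlan id 250
show ip access-lists GROUP-ONLY
show running-config interface Ethernet1/1-8
```

Option B filters IP only: ARP and other non-IP frames from the group still reach whatever else sits in the shared VLAN, and the group's hosts still hear that VLAN's broadcasts, which is exactly the layer-3-only limitation joeqwerty's comment and the answer describe. Only option A (or a PVLAN) removes the hosts from the shared layer-2 domain.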
Unfortunately, the Nexus 5K doesn't support VDCs like the Nexus 7K does. So I agree the only way to divide the network (except by using a new switch) is to use VLANs or PVLANs.