Sunday, January 14, 2018

Can servers do back door routing, and how can we stop it?

Our server team is starting to move their VMs around and asking me to trunk some different VLANs to it... VLANs that should not be able to talk without going through the firewall first.

The server guy said each of those VLANs on the trunk goes to a different vSwitch and that the different VMs on each vSwitch can't cross-talk to other vSwitches without going out the trunk and being routed by the network.

But is that really true?

It seems to me that if a vSwitch is anything like a physical switch, they can just set up SVIs and trunks on them and do back door routing.

Because of this I told management I need admin rights on the hypervisors so only I can manage the networking side, but that got shot down.

What can I do from my end? I was thinking uRPF on the L3 gateway interfaces would make sure inbound packets have a source address that matches the subnet, but even that can't really stifle back door routing on the server side.

Any advice? Am I just being paranoid?
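One check the network side can run without hypervisor rights, as an added example that is not part of the original post: mirror (SPAN) the hypervisor trunk and look for frames that are leaving their VLAN without being handed to the gateway's MAC, which is exactly the traffic a uRPF check on the SVI never gets to see. The VLAN subnets, gateway MACs and frame records below are constructed; a real run would feed it decoded capture data.

```python
# Added example (not from the original post): offline check over a constructed
# sample of frames mirrored from the hypervisor trunk. Assumption: the network
# admin knows each VLAN's subnet and the MAC of its L3 gateway (SVI).
import ipaddress

# Constructed topology: VLAN 10 and VLAN 20 each have an SVI on the L3 switch/firewall.
VLANS = {
    10: {"subnet": ipaddress.ip_network("10.0.10.0/24"), "gw_mac": "0000.0c9f.f00a"},
    20: {"subnet": ipaddress.ip_network("10.0.20.0/24"), "gw_mac": "0000.0c9f.f014"},
}

# Constructed frames seen on the trunk: (vlan, src_mac, dst_mac, src_ip, dst_ip)
SAMPLE_FRAMES = [
    # normal: host in VLAN 10 sends to VLAN 20 via the gateway's MAC
    (10, "0050.56aa.0001", "0000.0c9f.f00a", "10.0.10.5", "10.0.20.7"),
    # local: stays inside VLAN 10, no gateway involved
    (10, "0050.56aa.0001", "0050.56aa.0009", "10.0.10.5", "10.0.10.9"),
    # suspicious: off-subnet destination handed to a VM's MAC instead of the SVI
    (10, "0050.56aa.0001", "0050.56aa.0003", "10.0.10.5", "10.0.20.7"),
    # suspicious: VLAN 20 frame carrying a VLAN 10 source IP (the kind of thing
    # uRPF on the SVI would catch, but only if the frame ever reached the SVI)
    (20, "0050.56aa.0003", "0050.56aa.0002", "10.0.10.5", "10.0.20.7"),
]


def classify(frame, vlans=VLANS):
    """Return None for a benign frame, otherwise a short reason string."""
    vlan, _src_mac, dst_mac, src_ip, dst_ip = frame
    info = vlans.get(vlan)
    if info is None:
        return "frame in VLAN %d that is not in the allowed VLAN map" % vlan
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in info["subnet"]:
        return "source IP not in VLAN %d subnet (possible back door router)" % vlan
    if dst not in info["subnet"] and dst_mac.lower() != info["gw_mac"]:
        return "off-subnet traffic not sent to the gateway MAC"
    return None


def find_back_door_routing(frames, vlans=VLANS):
    """Frames that bypass the L3 gateway, i.e. traffic the firewall never sees."""
    findings = []
    for frame in frames:
        reason = classify(frame, vlans)
        if reason:
            findings.append((frame, reason))
    return findings


if __name__ == "__main__":
    for frame, reason in find_back_door_routing(SAMPLE_FRAMES):
        print(reason, frame)
```

The same logic works on NetFlow/sFlow exports from the trunk port, where the destination MAC is usually available, so it can run continuously rather than from a one-off capture.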


