Friday, January 17, 2020

pvlan questions

I work for a small managed hosting company that colocates servers. We have three racks there, and connectivity is managed by the datacentre. They present a couple of uplink ports plugged into one of the rack switches. The other two rack switches are connected to this one. The switches are Juniper EX4200s.

Right now, everything is a fairly flat network with one large broadcast domain. Each port with a server connected is configured as a trunk port, with a native (i.e. untagged) VLAN for normal traffic and another VLAN for IPMI.

The problem is that this doesn't provide much isolation between customers. Whilst we are a managed provider and don't tend to give many customers root access, this is still a concern.

We'd like to move to a setup that uses PVLAN in order to provide isolation between servers. In this setup we'd have:

- the uplink ports (and inter-switch links) as promiscuous ports

- Most servers on an isolated secondary VLAN

- Some servers (hypervisors for our Cloud platform) in a community secondary VLAN.

There are a couple of things I'm not sure about, however:

- Some customer servers connect to each other via their public IP addresses for file synchronisation and such. We'd like to keep these in an isolated VLAN if possible. How would this communication work? (Would it?)

- How would we retain IPMI access on a separate VLAN? We use 10.0.0.0/16 space for this, and only machines configured with access to the IPMI VLAN can reach it.

Grateful for any assistance you can provide!
