Routes and ACLs between NVGRE VM Networks for single tenant

We're running into a situation where multiple tenants need NVGRE VM Networks with multiple routed/ACL'd subnets. These tenants have multi-tier services that need a perimeter network.
We can accomplish this for these tenants with VLAN VM Networks by deploying virtual firewalls/routers to their VM networks or by managing their firewalls/routers between VM networks. We do this by deploying a front-end perimeter VLAN VM Network, a back-end perimeter VLAN VM Network, and an internal VLAN VM Network. This all works well and is secure. The only problem is that it doesn't scale well because the tenant is taking up three VLANs, and it's also a burden to provision.
NVGRE VM Networks could solve all our problems IF we had a way of doing the following:
Give a tenant multiple NVGRE VM Networks. It seems like this is possible today, but they're completely isolated with no routing capabilities, which doesn't meet our needs most of the time.
We need the ability to route between multiple NVGRE VM Networks. This is currently not possible from what I can tell, because no default gateway is used for VMs within a single VM Network on the same host.
We need the ability to create ACL rules between routed NVGRE VM Networks.
The last part of this is that we need to be able to assign multiple internet-facing IP addresses to a client's NVGRE VM network for NAT/ACL rules. This would mean that we could have 4x different services deployed within a front-end perimeter VM Network, and each of those services could have a unique public IP that is either being load balanced to a service or pointing directly to a service.
The NVGRE-based VMM private cloud isn't production ready for us until we can check these boxes.
I'm willing to think outside the box if anyone has any alternative solutions to these problems.
Thank you for taking the time to read this and help.

We know that there are some challenges in realizing all scenarios with the NVGRE solution today. The feedback is registered, and I recommend reading up on the Windows Server technical preview to get a look into the future.
Here's a short blog post I wrote on what's already public: http://kristiannese.blogspot.no/2014/10/scratching-surface-of-networking-in.html
As you can see, we get a new Windows Server Role (Network Controller) that will be responsible for several virtual network functions. 
If you also search through the content from TechEd, you should get more insight.
-kn
Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

Similar Messages

  • I can't buy apps on my iPhone because iTunes asks me security questions all the time and I don't remember the answers, but I sent to my email and iTunes didn't send me for single up

    How can I reset my security questions? I sent to my email and iTunes didn't send me the reset for them.

    Alternatives for Help Resetting Security Questions and/or Rescue Mail
         1. If you have a valid rescue email address, then use this procedure:
             Rescue email address and how to reset Apple ID security questions.
         2. Fill out and submit this form. Select the topic, Account Security. You must
             have a Rescue Email to use this option.
         3. This is the only option if you do not already have a valid Rescue Email.
             These are telephone numbers for contacting Apple Support in your country.
             Apple ID- Contacting Apple for help with Apple ID account security. Select
             the appropriate country and call. Ask to speak to the Account Security Team.
         4. Account security issues almost always require you to speak directly to an
             Apple representative to securely establish your identity as the account holder.
             You can set it up so that Apple calls you, either immediately or at a time
             convenient to you.
                1. Go to www.apple.com/support.
                2. Choose Contact Support and click Contact Us.
                3. Choose Other Apple ID Topics and choose the appropriate topic for
                    your issue.
                4. Follow the onscreen instructions.
             Note: If you have already forgotten your security questions, then you cannot
             set up a rescue email address in order to reset them. You must set up
             the rescue email address beforehand.
    Your Apple ID: Manage My Apple ID.
                            Apple ID- All about Apple ID security questions.

  • Since I installed Yosemite I have problems with my 15" Retina notebook. It drops off the router and no longer detects Wi-Fi networks. I need to turn my computer's Wi-Fi off and on to reconnect for a few minutes

    Problem with my Wi-Fi since I upgraded to Yosemite. I have to turn off Wi-Fi on my Retina and then turn it on again to reconnect.

    Hello there, ogresta.
    The following Knowledge Base article offers up some great, in-depth recommendations for troubleshooting Wi-Fi connectivity on your MacBook:
    Wi-Fi: How to troubleshoot Wi-Fi connectivity
    Thanks for reaching out to Apple Support Communities.
    Cheers,
    Pedro.

  • SRP 546W Intervlan Routing and ACL

    Hi,
    How can I configure Access Control Lists to manage the communication between different VLANs? As soon as I activate Intervlan Routing, all VLAN members can communicate with each other.
    Thanks a lot.
    Thomas

    Thomas,
    Intervlan Routing on the SRP routers is all or none. You cannot choose which VLAN members can communicate with other VLANs.
    - Marty

  • I have Verizon FiOS service for phone, internet and TV but I only have one TV hooked up for it for just basic cable service with no DVR and no need for widgets.  Can I use an Airport Extreme as my router and not use the FiOs router?

    I want to use an Airport Extreme as my router.  I currently have a Verizon FiOS router.  I have Verizon for phone, internet and TV.  However, TV-wise, I just have a basic service for one TV with just a regular box.  No HD, no DVR.  Don't need access to a menu, widgets, on-demand.  Can I eliminate the FiOS Router and just use the Airport Extreme and still have phone and internet?

    I know that it will increase my wireless coverage in my house but will it increase the speeds?
    Not sure what you are asking here.  The AirPort Extreme is only going to be as fast as the Internet connection that it receives.....which is 75/75. It cannot take a 75/75 connection and make it go any faster.
    If you locate the AirPort Extreme in an area where you need more wireless signal coverage, the AirPort Extreme would deliver 75/75 in that area.  But, keep in mind that the AirPort Extreme must connect to the FIOS router using a permanent, wired Ethernet cable connection.
    If you are asking if the AirPort Extreme can wirelessly connect to the FIOS modem router, and extend the FIOS wireless network, the AirPort Extreme would not be compatible with a FIOS product for that purpose.

  • Scenario required for sd route and mm route

    Dear Guru
    There is two process for stock transfer order one is SD route and 2nd one is mm route
    Can you please explain the difference between these routes,
    and what scenario is required for the SD route and the MM route?
    That is, in which scenario do we use the SD route for stock transfer and in which scenario do we use the MM route for stock transfer?
    Thanks in advance
    Kashyap

    Kashyap,
    I am not aware of 'SD Route vs MM Route'.  They are the same Route.
    STO is basically a special kind of Purchase order.  Purchase orders are part of the MM module. In order to permit shipping goods from one plant to another, SAP has 'borrowed' some of the functionality from the SD module.
    During Configuration of Stock Transport orders, you assign a Customer (Shipto), Sales org, and Distribution channel to the receiving plant.  When creating a STO, the system uses these data to determine the Route.
    Route contains info that the system uses to plan movement of goods from one location to another location in the SD module.  The route contains duration information (how long does it take to move goods from warehouse to customer location), factory calendar, and perhaps some other data.  In the case of an SD order, the system will find the customer for the Sales doc, the default shipping conditions for the customer, and using this information together with the region of the shipping point, will determine a route.
    This same determination procedure is also used during creation of a STO.  The system will take the STO customer from STO configuration, and the default shipping conditions for that customer, and using this information together with the region of the shipping point, will determine a Route.  The same determination procedure used by SD sales orders.
    When you are setting up your master data, and you have decided what the duration of transport time should be, it is important that your planned delivery time in your info records or in your material master be consistent with your shipping duration (pick/pack/route time).  This makes the execution (creation and shipment of STOs) stay consistent with planning (creation of STO purchase reqs) as far as timing is concerned.
    If your STOs use Deliveries, then the shipping information in the STO that was determined during creation (customer, shipping point, route, etc) will be copied to the delivery during delivery creation.
    Rgds,
    DB49

  • I have been using WRT54G wireless broadband router and WU...

    I have been using a WRT54G wireless broadband router and a WUSB54G on my home PC for the last 2 years. It was working fine until recently, when I encountered a serious connection problem.
    The WUSB54G cannot connect to the WRT54G.
    Error message: "Cannot associate with the access point."
    I have checked the following to try and solve the problem.
    1) Refreshing the site survey, the WUSB54G does not show my SSID, but it can show my neighbour's SSID.
    2) When I use my notebook with its built-in wireless network adapter to access wireless broadband there is no problem at all. I can access my SSID.
    3) I have tried resetting the WRT54G and changing the password, but still cannot solve the problem.
    4) Uninstall and re-install.
    5) I have installed a new USB adapter (WUSB54GG), thinking that the old WUSB54G could be faulty. But I still encounter the same problem.
    I am using Windows XP Professional. What could be the problem?
    Please provide your professional advice. Thank you.

    Hi, try updating the firmware of the router. You can get the latest version from www.linksys.com/download. Hope it will help you.

  • To find months and days between 2 dates

    Hi,
    I want to find the months and days between 2 dates.
    For Eg.
    Date-1 : 25-Aug-2013
    Date-2 : 23-Oct-2013
    If we consider every month as 30 days it should give
    25-Aug-2013 to 30-Aug-2013 = 6 days
    01-Sep-2013 to 30-Sep-2013 = 1 Month
    23-Oct-2013 to 30-Oct-2013 =   8 days
    Total = 1 month and 14 days.
    Kindly help at the earliest.
    Thanks & Regards
    Suresh

    SureshM wrote:
    Hi,
    I want to find the months and days between 2 dates.
    For Eg.
    Date-1 : 25-Aug-2013
    Date-2 : 23-Oct-2013
    If we consider every month as 30 days it should give
    25-Aug-2013 to 30-Aug-2013 = 6 days
    01-Sep-2013 to 30-Sep-2013 = 1 Month
    23-Oct-2013 to 30-Oct-2013 =   8 days
    Total = 1 month and 14 days.
    Kindly help at the earliest.
    Thanks & Regards
    Suresh
    That's not a good idea though.  By considering every month as 30 days, comparisons over larger date ranges (years) will be out by more and more days the larger the difference gets.
    Your example is also wrong.
    For Eg.
    Date-1 : 25-Aug-2013
    Date-2 : 23-Oct-2013
    If we consider every month as 30 days it should give
    25-Aug-2013 to 30-Aug-2013 = 6 days
    01-Sep-2013 to 30-Sep-2013 = 1 Month
    23-Oct-2013 to 30-Oct-2013 =   8 days
    The last one should be:
    01-Oct-2013 to 23-Oct-2013 = 23 days
    giving a result of 1 month and 29 days.
    Oracle provides a months_between function to do the calculation.
    SQL> select months_between(date '2013-10-23', date '2013-08-25') from dual;
    MONTHS_BETWEEN(DATE'2013-10-23',DATE'2013-08-25')
                                           1.93548387
    But of course, because the number of days in a month varies, it's not exactly known what the decimal part of the number represents.
    However, if you combine methods, using months_between to get the months, and then assume 30 days for a month to get the days part from the remainder, it's more consistent over longer periods...
    with dates as (select date '2013-08-25' as date_from, date '2013-10-23' as date_to from dual)
    --
    select months_between(date_to, date_from)
          ,trunc(months_between(date_to, date_from)) as months
          ,round(mod(months_between(date_to, date_from),1)*30) as days
    from dates;

    MONTHS_BETWEEN(DATE_TO,DATE_FROM)     MONTHS       DAYS
                           1.93548387          1         28
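To make the gap between the two answers concrete (29 days by the poster's 30-day convention, 28 from the MONTHS_BETWEEN remainder), here is an added Python example; it is not code from the thread or from Oracle. It reproduces the documented MONTHS_BETWEEN rule (an integer when both dates fall on the same day of the month or both are month-ends, otherwise a fraction computed with a fixed divisor of 31) and both splits. The helper names and the ISO-string convenience are my own; the dates are the ones from the thread.

```python
"""Reproduces Oracle's documented MONTHS_BETWEEN rule and the two month/day
splits discussed in the thread. Constructed example, not Oracle's code."""
import calendar
from datetime import date
from typing import Tuple, Union

DateLike = Union[date, str]          # a date, or an ISO string like "2013-08-25"


def _d(x: DateLike) -> date:
    return x if isinstance(x, date) else date.fromisoformat(x)


def _is_last_day(d: date) -> bool:
    return d.day == calendar.monthrange(d.year, d.month)[1]


def months_between(d2: DateLike, d1: DateLike) -> float:
    """MONTHS_BETWEEN(d2, d1): an integer when both dates fall on the same day
    of the month or both are the last day of their month; otherwise the fraction
    is (day2 - day1) / 31 whatever the real month lengths are. That fixed
    divisor is why the decimal part is not an exact day count."""
    d2, d1 = _d(d2), _d(d1)
    whole = (d2.year - d1.year) * 12 + (d2.month - d1.month)
    if d2.day == d1.day or (_is_last_day(d2) and _is_last_day(d1)):
        return float(whole)
    return whole + (d2.day - d1.day) / 31


def _oracle_round(x: float) -> int:
    """ROUND() rounds halves away from zero; Python's round() rounds to even."""
    return int(x + 0.5) if x >= 0 else -int(-x + 0.5)


def months_and_days(d2: DateLike, d1: DateLike) -> Tuple[int, int]:
    """The reply's combination: TRUNC(months_between) for the months and
    ROUND(MOD(months_between, 1) * 30) for the days."""
    mb = months_between(d2, d1)
    months = int(mb)                                  # TRUNC toward zero
    return months, _oracle_round((mb - months) * 30)  # MOD keeps the sign of mb


def thirty_day_split(d2: DateLike, d1: DateLike) -> Tuple[int, int]:
    """The original poster's convention: every month is 30 days, with the first
    and last months counted by day (25-Aug..30-Aug = 6, 1-Oct..23-Oct = 23)."""
    d2, d1 = _d(d2), _d(d1)
    if (d2.year, d2.month) == (d1.year, d1.month):
        return 0, d2.day - d1.day
    head = 30 - d1.day + 1                            # rest of the first month
    full = (d2.year - d1.year) * 12 + (d2.month - d1.month) - 1
    days = head + d2.day
    return full + days // 30, days % 30


if __name__ == "__main__":
    print(months_between("2013-10-23", "2013-08-25"))    # 1.935483870967742
    print(months_and_days("2013-10-23", "2013-08-25"))   # (1, 28)
    print(thirty_day_split("2013-10-23", "2013-08-25"))  # (1, 29)
```

The two results differ because the poster counts the partial months by calendar day while the remainder of MONTHS_BETWEEN is (23 - 25)/31 of a month, and 0.935 × 30 rounds to 28, not 29.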

  • I have a tesco router and an external hard drive attached to it as a network drive (shared) for my macbook and MB-Air. Have no problems with my MB accessing it, but with MB-AIR it says -  'the version of the server you are trying to connect to is not supp

    I have a Tesco router and an external hard drive attached to it as a network drive (shared) for my MacBook and MB-Air. I have no problems with my MB accessing it, but with the MB-Air it says 'the version of the server you are trying to connect to is not supported. Please contact your system administrator to resolve the problem'. The MB-Air uses Mavericks, downloaded yesterday as an upgrade from Mountain Lion. The MB uses Snow Leopard still, as I am quite used to it and am thinking of upgrading if Mavericks works fine on the Air. I also have Parallels on Snow Leopard but it is no longer supported according to the Mac website. If I upgrade am I going to lose my Parallels and have to buy a new one!!!

    Yes, the Old Master file has a folder for each year where I find all photos from that specific year. I am attaching a screen shot of the file.
    In the meantime I have managed to download all photos (it did not download any video files though, in mpg, avi, 3gp, m4v, mp4 and mov format) to a new iPhoto library. Unfortunately the photos are quite mixed and often doubled up. I am considering purchasing an iPhoto library tool which checks all duplicates in iPhoto. This will save me a lot of time. What do you think?

  • I have an Airport Extreme as my router and am using time capsule to extend the network in my new house. My ISP is only providing me 4-5 ip addresses and wants me to set up my router to issue out new ip addresses for all my devices.How do I fix this?Help

    I have an Airport Extreme as my router and am using a Time Capsule to extend the network in my new house. My ISP is only providing me 4-5 IP addresses and wants me to set up my router to issue out new IP addresses for all my devices. How do I fix this? Help.
    They said I need to change my settings to NAT settings. I haven't been able to figure out or find anything. I have also spoken to Apple Support on the phone for hours without being able to figure out how to do this (I don't think he knew much either, lol). Please help me because I've got about 15-20 devices in my house that require to be connected to the internet and this is just making things ridiculously slow and painful for me.
    Thanks!

    It is on DHCP & NAT under router mode yet my isp is still the one issuing ip addresses to my devices instead of the router issuing them

  • I hooked up new iMac to wireless network and now iPad and iPhone do not work using wireless.  I am using a Netgear N300 router.  Also my Netgear ethernet/homeplug for wireless TV internet no longer works.  Any ideas?

    I hooked up new iMac to wireless network and now iPad and iPhone do not work using wireless. They did before hooking up the iMac. I am using a Netgear N300 router.  Also my Netgear ethernet/homeplug for wireless TV internet no longer works.  Any ideas?  I have tried unplugging, restarting, and resetting.  No luck!  Thanks!

    You should probably contact Netgear.

  • Prevent routing between 2 logical networks without a VLAN

    Background: We have some older hubs in our network. As such, we cannot implement a VLAN yet. We have a 10/100 ethernet network across our campus for our production users. We have multiple buildings on the campus and one physical network. We are installing Cisco 1100 WAPs to provide our guests with wireless internet access. Our DHCP server is configured to hand out 192.168.1.x addresses to our guests. Our DHCP server has 192.168.0.x reservations for our production machines.
    Questions:
    1) Would this ACL prevent traffic from routing between the 192.168.0.x and 192.168.1.x networks?
    access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    2) Does anyone have a better solution for preventing our guests from accessing our production machines? Once all the hubs are replaced with switches, we plan to implement a VLAN.
    TIA,
    Mark

    Are you sure you want to protect your guest WLAN from your production network, not the other way round? Your access-list states that the .0 network (production) is not allowed to access the .1 (WLAN) network. Then, I don't see in your config the activation of any of your access-lists. They are just defined without being activated on any of your interfaces. Plus, the allow at the end of the access-list is missing, because there is an implicit deny at the end of any access-list.

  • How do I use my ethernet connection for printing on my LAN and use my Wifi on a different router and ISP to connect to the internet?

    I'm in a small office, and I have to use my Ethernet connection to connect to the networked copier to be able to print, but the connection to which I hooked my Time Capsule is literally 20x faster when connecting to the internet.
    How can I tell the computer to use the Ethernet connection to print, while everything else should go through Wi-Fi?
    I have been manually going back and forth changing the order in Network Preferences between Ethernet and Wi-Fi, but I know there must be an easier way.  Thanks for your help!

    A packet going to Apple is not local. It is going to 17.149.160.49  -- So it is sent to the topmost working connection to be Routed and sent to the Internet.
    A packet going to a local computer or other device that is on the same subnet (has an IP address very close to the topmost IP address of your computer) gets sent out that port as well, but is sent directly to that computer on the local subnet, since no routing (changing of addresses) is needed.
    A packet going to a local computer or Printer or Network Attached Storage device that is not on the topmost subnet, but is on a secondary subnet such as the second network connection would be sent directly to that computer, since no Routing is needed.
    I do not understand why two Routers have the same IP Address if they are not cross-connected. That makes everything very difficult when it should be simple.

  • How do you redistribute EIGRP into OSPF and maintain a distance of 250 for a static route?

    Ok, I have scoured the forums long enough and have to post. The design is below. I moved a firewall to our new data center, which required adding some static routes for VPN connections and broadband backups. To minimize the amount of static routes I redistribute static into EIGRP with a route-map and prefix-list.
    My problem is the next part of my network. When the data leaves my 56128's it hits an edge device connecting to our dark fiber. On this edge device I am running OSPF onto the dark fiber, then redistribute some EIGRP subnets into OSPF and again all is well.
    Everything works up until the point the redistributed routes hit my RIB at my main data center, where I am running iBGP. iBGP is run between our MPLS router and core for all our remote sites. When my backup route from the 56128's hits the cores, it supersedes the BGP route because the AD of the route O E2 [110/20] is lower than the BGP AD B [200/0]. Given the configuration below, what can be done to remedy this? Oh, when I redistribute I can only change the AD for the backup routes; all other routes should stay the same.
    56128's where my static routes are:
    ip route 192.168.101.0/24 192.168.30.77 name firewall 250
    router eigrp 65100
       redistribute static route-map Static-To-Eigrp
    route-map Static-To-Eigrp permit 10
       match ip address prefix-list Static2Eigrp
    ip prefix-list Static2Eigrp seq 2 permit 192.168.101.0/24
    Edge device:
    router eigrp 65100
     network 172.18.0.5 0.0.0.0
     network 172.18.0.32 0.0.0.3
     network 172.18.0.36 0.0.0.3
     redistribute ospf 65100 metric 2000000 0 255 1 1500
     redistribute static metric 200000 0 255 1 1500 route-map STATICS_INTO_EIGRP
     passive-interface default
     no passive-interface Port-channel11
     no passive-interface Port-channel12
     eigrp router-id 172.18.0.5
    router ospf 65100
     router-id 172.18.0.5
     log-adjacency-changes
     redistribute eigrp 65100 subnets route-map EIGRP_INTO_OSPF
     passive-interface default
     no passive-interface GigabitEthernet1/0/1
     no passive-interface GigabitEthernet1/0/2
     no passive-interface GigabitEthernet2/0/1
     no passive-interface GigabitEthernet2/0/2
     network 172.18.0.0 0.0.255.255 area 0
    ip prefix-list EIGRP_INTO_OSPF seq 5 permit 172.18.0.0/16 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 10 permit 192.168.94.0/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 15 permit 192.168.26.32/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 20 permit 192.168.30.72/29 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 25 permit 192.168.20.128/25 le 32
    ip prefix-list EIGRP_INTO_OSPF seq 26 permit 192.168.101.0/24 le 32 <- Backup Route for MPLS Remote Office
    route-map EIGRP_INTO_OSPF permit 10
     match ip address prefix-list EIGRP_INTO_OSPF

    So in the case of a /24. If it were say broken up into /25's? From our remote sites we are using aggregate-address summary-only. Not sure how I would advertise a more specific route via BGP, sorry.
    I didn't have this problem until I moved my firewalls. They plugged into the cores where iBGP was running and the static never kicked in unless the BGP route disappeared. I guess I could use my static redistribution for my VPN sites and use statics across the cores for the handful of backup links I have.

  • Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

    Hi,
    I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
    I have 3 web servers behind a router.
    Public interface: 3 public ip adresses
    Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
    I would like to know the best way to redirect HTTP traffic to the right server.
    My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration.  I could also redirect via Policy-map and filter by url content.
    So if you have some advise for this case, it would be really appreciated.
    Thank you.
    Chris.

    Hello Christophe,
    As I understand it, you want first that:
    if somebody goes to A.local.com from the internet, then he will be redirected to 192.168.1.10 in your internal network.
    That means you need a static mapping between your public IP address and your local IP address.
    For this example, your local interface is Fa0/0.1, and I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
    This is the config for Web Server1. You can do the same with the remaining servers:
    interface fa0/0.1
     ip nat inside
    interface serial0/0
     ip nat outside
    ip nat inside source static 192.168.1.10 172.1.2.3
    static mapping from local to public. 
    I suppose you have done the dns mapping in your network and the ISP have done the same in his network. 
    ip route 172.1.2.3 255.255.255.255 serial0/0
    or
    ip route 0.0.0.0 0.0.0.0 serial0/0
    After these step for each web server, you will get the mapping. 
    Now you can restrict access to this IP to only the HTTP or HTTPS protocol, at your ISP and afterwards on your local network,
    like
    ip access-list extended ACL_WebServer1
     permit tcp any host 192.168.1.10 eq www
     permit tcp any host 192.168.1.10 eq 443
     deny ip any host 192.168.1.10
     exit
    ! Apply the list outbound on the server-facing sub-interface: that direction
    ! carries the already-translated traffic from the Internet to 192.168.1.10.
    ! Applied "in" here it would filter the server's own packets instead, and
    ! with this list every one of them would hit the implicit deny.
    interface fa0/0.1
     ip access-group ACL_WebServer1 out
     no shut
     exit
    That is the first step. 
    Second step : you want to filter traffic by url, that means layer 5 to 7 filtering. 
    I am not sure that it is possible using a Cisco router (ZBF + regex).
    Check the first step and let us know ! 
    Please rate and mark as correct if it is the case. 
    Regards,
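Both ACL threads above (the guest-WLAN question and this web-server answer) turn on the same three IOS rules: entries are evaluated top-down, the first match wins, and a packet that matches nothing hits the implicit deny, so a list with no permit blocks everything once it is bound to an interface. The Python evaluator below is an added example, not code from either thread or from Cisco. It implements that subset (any/host/wildcard addresses, ip/tcp/udp/icmp, `eq <port>`), rejects the shapes IOS would refuse (such as `eq` on an `ip` entry), and runs the guest ACL as posted, the form the reply asks for, and a web-server list IOS would accept. The packets are constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for the Internet.

```python
"""Evaluator for a subset of Cisco IOS extended-ACL semantics: entries are
checked in order, the first match wins, and a list with no matching entry
ends in the implicit deny. Constructed example, not vendor code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp", "udp" or "icmp"
    src_net: int
    src_mask: int
    dst_net: int
    dst_mask: int
    dport: Optional[int]       # set only by "eq <port>" on tcp/udp entries

def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i] and return
    (network, mask, next_index). An IOS wildcard is an inverted mask:
    0.0.0.255 means 'ignore the last octet'."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    mask = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF
    return net & mask, mask, i + 2

def parse_ace(line: str) -> Ace:
    """Accept 'access-list 105 deny ip ...' or named-ACL 'permit tcp ...' lines.
    Raise ValueError for shapes IOS rejects, such as 'eq' on an 'ip' entry or a
    bare address where 'host' or a wildcard is required."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported entry: {line}")
    src_net, src_mask, i = _parse_addr(tokens, 2)
    dst_net, dst_mask, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        if proto not in ("tcp", "udp"):
            raise ValueError(f"'eq' needs tcp or udp, not '{proto}': {line}")
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Ace(action, proto, src_net, src_mask, dst_net, dst_mask, dport)

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def is_valid_ace(line: str) -> bool:
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False

def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    src = int(ipaddress.IPv4Address(pkt.src))
    dst = int(ipaddress.IPv4Address(pkt.dst))
    if (src & ace.src_mask) != ace.src_net or (dst & ace.dst_mask) != ace.dst_net:
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number); ('deny', None) is the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if _matches(ace, pkt):
            return ace.action, n
    return "deny", None

# Constructed lists: the guest-WLAN entry as posted, the shape the reply asks
# for, and the web-server list in the form IOS accepts (transport protocol
# before 'eq', 'host' for a single address).
GUEST_ACL_AS_POSTED = parse_acl(
    "access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255")
GUEST_ACL_FIXED = parse_acl("""
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip any any""")
WEBSERVER_ACL = parse_acl("""
permit tcp any host 192.168.1.10 eq www
permit tcp any host 192.168.1.10 eq 443
deny ip any host 192.168.1.10""")
GUEST_TO_PROD = Packet("tcp", "192.168.1.50", "192.168.0.10", 445)
GUEST_TO_INTERNET = Packet("tcp", "192.168.1.50", "198.51.100.20", 443)

if __name__ == "__main__":
    print(evaluate(GUEST_ACL_AS_POSTED, GUEST_TO_PROD), evaluate(GUEST_ACL_FIXED, GUEST_TO_PROD))
```

Two caveats the evaluator cannot show. An ACL only sees traffic that crosses the interface it is bound to: with guests and production hosts on one flat hub segment, a guest that simply configures a 192.168.0.x address reaches production at layer 2 without touching the router, so the list constrains only well-behaved clients until the VLAN split is done. And which address the web-server list must name depends on where it is applied: outbound on fa0/0.1 it sees the post-NAT 192.168.1.10, while inbound on the outside interface it is checked before translation and would have to match the public 172.1.2.3.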
