vCloud Suite Architecture Overview and Use Cases
Figure 3‑3. Sample VLAN Layout
[Figure: Hosts 1 through 4 with standard switches serving VM0 through VM14, Switch 1, Switch 2, and a router. VLAN A is Broadcast Domain A and VLAN B is Broadcast Domain B; one virtual switch carries multiple VLANs (Broadcast Domains A and B).]
In this configuration, all employees in the accounting department use virtual machines in VLAN A and the
employees in sales use virtual machines in VLAN B.
The router forwards packets containing accounting data to the switches. These packets are tagged for
distribution to VLAN A only. Therefore, the data is confined to Broadcast Domain A and cannot be routed
to Broadcast Domain B unless the router is configured to do so.
This VLAN configuration prevents the sales force from intercepting packets destined for the accounting
department. It also prevents the accounting department from receiving packets intended for the sales group.
The virtual machines serviced by a single virtual switch can be in different VLANs.
Securing Standard Switch Ports
As with physical network adapters, a virtual network adapter can send frames that appear to be from a
different machine or impersonate another machine so that it can receive network frames intended for that
machine. Also, like physical network adapters, a virtual network adapter can be configured so that it
receives frames targeted for other machines.
When a standard switch is created, port groups are added to impose a policy configuration for the virtual
machines and storage systems attached to the switch. Virtual ports are created through the vSphere Web
Client or the vSphere Client.
As part of adding a port or standard port group to a standard switch, the vSphere Client configures a
security profile for the port. This security profile can be used so that the host prevents the guest operating
systems for its virtual machines from impersonating other machines on the network. This security feature is
implemented so that the guest operating system responsible for the impersonation does not detect that the
impersonation was prevented.
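
An added example, not taken from the VMware documentation: a small Python model of how VLAN membership and a port's security profile decide which virtual machines receive a frame. The three policy names (promiscuous mode, MAC address changes, forged transmits) are the vSphere standard switch security settings, which this page does not list by name; the VM names and MAC addresses are constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Policy:                     # True = Accept, False = Reject
    promiscuous: bool = False
    mac_changes: bool = False
    forged_transmits: bool = False

@dataclass
class Port:
    vm: str
    vlan: str
    initial_mac: str              # MAC assigned in the VM's configuration
    effective_mac: str            # MAC the guest OS has set on the adapter
    policy: Policy = field(default_factory=Policy)

def deliver(ports, sender, src_mac, dst_mac):
    """Return the VMs that receive a frame transmitted by `sender`."""
    tx = next(p for p in ports if p.vm == sender)
    # Forged transmits = Reject: the source MAC must be the effective MAC.
    if src_mac != tx.effective_mac and not tx.policy.forged_transmits:
        return []                 # dropped by the host; the guest sees no error
    received = []
    for p in ports:
        if p is tx or p.vlan != tx.vlan:
            continue              # a frame never leaves its VLAN's broadcast domain
        # MAC address changes = Reject: inbound frames stop once the guest
        # sets a MAC that differs from the configured one.
        if p.effective_mac != p.initial_mac and not p.policy.mac_changes:
            continue
        if dst_mac in (BROADCAST, p.effective_mac) or p.policy.promiscuous:
            received.append(p.vm)
    return received

def sample_ports(rogue_policy):
    """Constructed ports: two accounting VMs and a rogue in VLAN A, sales in VLAN B."""
    return [
        Port("acct-1", "A", "00:50:56:00:00:01", "00:50:56:00:00:01"),
        Port("acct-2", "A", "00:50:56:00:00:02", "00:50:56:00:00:02"),
        # rogue has re-addressed its adapter to acct-2's MAC
        Port("rogue", "A", "00:50:56:00:00:03", "00:50:56:00:00:02", rogue_policy),
        Port("sales-1", "B", "00:50:56:00:00:04", "00:50:56:00:00:04"),
    ]

if __name__ == "__main__":
    for label, pol in (("reject", Policy()), ("accept", Policy(True, True, True))):
        ports = sample_ports(pol)
        print(label, deliver(ports, "acct-1", "00:50:56:00:00:01", "00:50:56:00:00:02"))
```

With every setting at Reject, only acct-2 receives the frame addressed to it; with the settings at Accept, the re-addressed adapter receives it as well.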