Network segmentation enhances security, resilience, and cluster performance by isolating a subset of traffic to its own network.
The four primary means of network segmentation are the following:
- Isolating Backplane Traffic by using VLANs (Logical Segmentation)
- Isolating Backplane Traffic Physically (Physical Segmentation)
- Isolating Service-Specific Traffic
- Isolating Stargate-to-Stargate traffic over RDMA
We will discuss on how to secure traffic associated with a service (for example, Nutanix Volumes) by confining its traffic to a separate vNIC on the CVM and using a dedicated virtual network that has its own physical NICs. This type of segmentation therefore offers true physical separation for service-specific traffic.
You can use Prism to create the vNIC on the CVM and configure the service to communicate over the dedicated virtual network. However, you must first manually configure the virtual network on the hosts and associate it with the physical NICs that it requires for true traffic isolation.You need one virtual network for each service you want to isolate.
You can isolate traffic associated with the following services to its own virtual network.
-
Nutanix Volumes iSCSI traffic
-
Disaster recovery
Prerequisites
For Nutanix Volumes
Stargate does not monitor the health of a segmented network. If physical network segmentation is configured, network failures or connectivity issues are not tolerated. To overcome this issue, configure redundancy in the network. That is, use two or more uplinks in a fault tolerant configuration, connected to two separate physical switches.
For Disaster Recovery
Ensure that the VLAN and subnet that you plan to use for the network segment are routable.
Make sure that you have a pool of IP addresses to specify when configuring segmentation. For each cluster, you need n+1 IP addresses, where n is the number of nodes in the cluster. The additional IP address is for the virtual IP address requirement.
Enable network segmentation for disaster recovery at both sites (local and remote) before configuring remote sites at those sites.
Limitations
For Nutanix Volumes
If network segmentation is enabled for Volumes, volume group attachments are not recovered during VM recovery.
Nutanix service VMs such as Files and Buckets continue to communicate with the CVM eth0 interface when using Volumes for iSCSI traffic. Other external clients use the new service-specific CVM interface.
For a Step-by-Step process to isolate a network to a separate virtual network, follow this guide. All the steps are performed via PRISM UI.
Note : You cannot enable network segmentation for multiple services at the same time. Complete the configuration for one service before you enable network segmentation for another service.
The following sections describe the settings required by the services that support network segmentation.
Network segmentation for Volumes also requires you to migrate iSCSI client connections to the new segmented network. If you no longer require segmentation for Volumes traffic, you must also migrate connections back to eth0 after disabling the vNIC used for Volumes traffic.
The settings for configuring network segmentation for disaster recovery apply to all Asynchronous, NearSync, and Metro Availability replication schedules. You can use disaster recovery with Asynchronous, NearSync, and Metro Availability replications only if both the primary site and the recovery site is configured with Network Segmentation. Before enabling or disabling the network segmentation on a host, disable all the disaster recovery replication schedules running on that host.
After configuring network segmentation for disaster recovery, configure remote sites at both locations. You also need to reconfigure remote sites if you disable network segmentation.
Note: Network segmentation does not support disaster recovery with Leap.
Other supporting Documents: