I posted this on IT Security but thought it may be more appropriate here. I'm still not sure about cross-posting etiquette, so anyone with high enough rep, please feel free to migrate this question.
I have a basic to moderate understanding of VLANs and their pros and cons as they relate to network segmentation, but I'm wondering where to start as one moves into virtualized environments.
From a security perspective, how does traditional VLAN segmentation stand up to products/solutions focused on virtual environments, such as VMware's vCloud Networking and Security product? When you're working with colocated VMs, what strategies/technologies do you rely on to segment VM traffic?
I know this may be overly broad, but any starting points would be extremely helpful. For the sake of a specific question, though, perhaps a good way to put it would be: do you consider virtual network security products to be at least as good as traditional VLANs for the purpose of segmenting network traffic?
Are you referring to either VXLAN or VCDNI when you mention vCloud Networking and Security?
Both technically segregate Layer 2 networks, as do VLANs, but one has to understand how both VCDNI and VXLAN deliver the segregation of Layer 2. One also has to understand the purpose of both VCDNI and/or VXLAN. At a very high level, they both look to expand the scalability of VLANs, which have a theoretical limit of 4096 (as far as the max number of VLANs goes, although realistically it's less than 4096).
I can't speak a whole lot to VXLAN yet, as I've only played a bit with it inside of a lab setting, but I would advise you to look at the IETF draft for it @ http://blog.ioshints.info/2011/04/vcloud-director-networking.html . I've been able to confirm the findings there myself, at least with regard to the global broadcasting of multicasts from "protected" networks. One typically sets up a VCDNI "Network Pool" (to use vCloud Director's terminology) with a transport VLAN. One could easily set up a laptop to sit on the physical switch where all hypervisors/hosts reside, configure said laptop to sit on this transport VLAN, and essentially be able to obtain the real MAC address and/or IP addresses for "protected" VMs.
That said, one could mention that if someone can set up a laptop on the physical switch environment in a datacenter, you probably have much larger problems to deal with than the intricacies of VCDNI or VXLAN :)
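The answer's point is that the transport VLAN carrying VCDNI traffic must only ever be reachable from hypervisor uplinks. As an added example (not code from the answer or from VMware), here is a small defender's check that parses an IOS-style `show mac address-table` dump and flags any MAC learned on the transport VLAN through a port that is not a known hypervisor uplink. The VLAN id, the port list and the table contents are constructed placeholders; substitute your own inventory.

```python
import re
from dataclasses import dataclass

# Constructed sample: an IOS-style MAC table dump from a switch that carries the
# VCDNI transport VLAN (assumed here to be VLAN 100) plus an ordinary VLAN.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0050.56aa.bb01    DYNAMIC     Gi1/0/1
 100    0050.56aa.bb02    DYNAMIC     Gi1/0/2
 100    3c97.0e12.3456    DYNAMIC     Gi1/0/24
 200    0050.56aa.cc03    DYNAMIC     Gi1/0/1
Total Mac Addresses for this criterion: 4
"""

# Assumption: the transport VLAN id and the ports that are allowed to carry it
# (hypervisor uplinks) come from your own inventory; these values are placeholders.
TRANSPORT_VLAN = 100
HYPERVISOR_PORTS = {"Gi1/0/1", "Gi1/0/2"}

# One data row: vlan, dotted-hex MAC, entry type, port. Header and footer lines do not match.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I
)


@dataclass(frozen=True)
class MacEntry:
    vlan: int
    mac: str
    entry_type: str
    port: str


def parse_mac_table(text: str) -> list[MacEntry]:
    """Parse the data rows of an IOS-style 'show mac address-table' dump."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append(MacEntry(int(m.group(1)), m.group(2).lower(), m.group(3).upper(), m.group(4)))
    return entries


def transport_vlan_strangers(entries, transport_vlan=TRANSPORT_VLAN, allowed_ports=HYPERVISOR_PORTS):
    """Return entries learned on the transport VLAN via a port that is not a hypervisor uplink."""
    return [e for e in entries if e.vlan == transport_vlan and e.port not in allowed_ports]


if __name__ == "__main__":
    for e in transport_vlan_strangers(parse_mac_table(SAMPLE_MAC_TABLE)):
        print(f"unexpected host on transport VLAN {e.vlan}: {e.mac} via {e.port}")
```

In the constructed table, the entry on Gi1/0/24 is the one to chase: a MAC learned on the transport VLAN from an access port is exactly the "laptop on the physical switch" case the answer describes.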