Thanks a lot for your answer, Marcin!
On Wed, Nov 14, 2018 at 2:24 PM wrote:
> Having separate NICs you don't even need separate VLANs. You can just use
> one NIC for your host/storage network, and use another NIC to create a VM
> network. You must of course make sure to separate these outside of the
> hosts.
> VLANs are useful if you have just one NIC on your host, or want to have
> multiple networks on a single NIC. You can then create multiple VLAN
> networks (VLAN devices) on top of your NIC, and so achieve network
> separation.
How are these VLAN tags "enforced"? Does the switch
automatically separate VLANs from each other by default?
> If you have your VM networks and host network use different NICs, your
> networks are already separated (L2).
Yes, but I defined an IP for the
"VM" NIC on the hosts which is reachable by the VMs (= the VMs are in the same
subnet as the host). I want to completely make the hosts unreachable by the VM.
I do not know whether this is best-practice or even necessary? I found little to no
information about networking best-practices regarding oVirt.
Just as an anecdote: we had a laptop in the network of the hosts/storages which for
some reason had a static IP defined by an employee - which was also assigned to a storage
server - which in turn resulted in some downtime.
I think separating the hosts/storage from the rest of the network was a good first step to
prevent such incidents but - as I said before - I am not sure whether it suffices.
Thanks again for all your input!