On Fri, Jan 10, 2014 at 03:06:28PM +0200, Itamar Heim wrote:
On 01/10/2014 01:32 PM, Dan Kenigsberg wrote:
>On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
>>Hello Alan,
>>
>>On 09/01/14 10:07, Alan Murrell wrote:
>>>Hello,
>>>
>>>I am evaluating oVirt as a replacement/alternative to VMware deployments
>>>we typically do. I have installed an all-in-one setup on a test box
>>>(which itself used to be an ESXi server), but it only has one NIC. I am
>>>trying to duplicate our typical configuration we do in VMware, which is
>>>this:
>>>
>>> 1.) we create several "port groups" on the vSwitch, each assigned a
>>>VLAN ID, such as:
>>>
>>> - VLAN001 (VLAN ID: 1)
>>> - VLAN002 (VLAN ID: 2)
>>> - VLAN009 (VLAN ID: 9)
>>> - VLAN010 (VLAN ID: 10)
>>> - VLAN200 (VLAN ID: 200)
>>> - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all
>>>VLANS" and basically just passes the VLANs through to whatever is
>>>attached to the port group for the VM to handle)
>>>
>>> 2.) We assign VMs to port groups appropriate for the VLAN they are
>>>part of.
>>> 3.) The only VM that has a NIC assigned to the "TRUNK" port group is
>>>the firewall (which is Linux), and we create VLAN interfaces on it
>>>(i.e., "eth1.1", "eth1.2", "eth1.10", "eth1.200"). The firewall VM acts
>>>as the router between the various VLANs.
>>>
>>>To replicate the above in oVirt, I created logical networks for each
>>>VLAN, and assigned the appropriate VLAN ID. It seems oVirt/KVM does not
>>>have an equivalent for VMware's VLAN ID of "4095", so after some
>>>searching around, for the "TRUNK" network, I left it with no VLAN
>>>assigned. Because I cannot add VLAN and non-VLAN networks to the same
>>>physical NIC, after some searching around, it looks like I may have to
>>>utilise two NICs: one for the VLAN networks and one for the "TRUNK"
>>>network.
>>
>>That is true. One non-VLAN network can in fact sit on the same NIC with
>>VLAN networks, but it has to be non-VM.
>
>This was devised as a security constraint - otherwise, a VM attached to
>the non-VLAN network could sniff traffic from another (VLAN) network.
>However, it seems that this is exactly what you need - a special VM that
>is designed to do just that.
>
isn't that what promiscuous mode (aka port mirroring) is for?
Oh that makes more sense...
But unfortunately, it is impossible to mirror more than a single network
onto a vnic. (Engine implementation limitation).
However, one can devise a tc-based after_network_setup hook, that
directs all traffic from all bridges onto a specific target bridge, onto
which the firewall VM is connected.
Dan.
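A sketch of the tc-based hook Dan describes, written as an added example for this page; it is not code from the thread and not part of oVirt or vdsm. It assumes the VLAN bridges carry the network names from Alan's list, that the trunk network's bridge is called `trunk`, that vdsm runs scripts in /usr/libexec/vdsm/hooks/after_network_setup/ as root with `_hook_json` set, and that the `sch_ingress`, `cls_u32` and `act_mirred` kernel modules are available; all of these are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not oVirt/vdsm code: a vdsm after_network_setup hook that
# copies every frame entering or leaving the VLAN bridges onto one target
# bridge, so a VM attached to that bridge (the firewall) sees all of them.
# Assumed, not taken from the thread: the bridge names below, the target
# bridge name "trunk", the hook directory, and that vdsm exports _hook_json
# when it runs the hook as root.
set -eu

TC=${TC:-tc}
TARGET_BRIDGE=${TARGET_BRIDGE:-trunk}
SOURCE_BRIDGES=${SOURCE_BRIDGES:-"VLAN001 VLAN002 VLAN009 VLAN010 VLAN200"}

# Mirror one source bridge onto the target bridge.
# Ingress: an ingress qdisc (handle ffff:) with a match-all u32 filter whose
# mirred action copies each frame to the target device.
# Egress: a prio root qdisc carrying the same filter, so frames leaving the
# bridge towards the VMs on it are copied as well.
mirror_bridge() {
    src=$1
    dst=$2
    # The hook runs on every network setup; remove what an earlier run
    # installed so the filters are not stacked twice.
    $TC qdisc del dev "$src" ingress 2>/dev/null || true
    $TC qdisc del dev "$src" root 2>/dev/null || true
    $TC qdisc add dev "$src" handle ffff: ingress
    $TC filter add dev "$src" parent ffff: protocol all u32 match u8 0 0 \
        action mirred egress mirror dev "$dst"
    $TC qdisc add dev "$src" handle 1: root prio
    $TC filter add dev "$src" parent 1: protocol all u32 match u8 0 0 \
        action mirred egress mirror dev "$dst"
}

# Mirror all configured source bridges, skipping any that do not exist yet
# (the hook can fire before every logical network has been set up).
mirror_all() {
    for src in $SOURCE_BRIDGES; do
        if [ -d "/sys/class/net/$src" ]; then
            mirror_bridge "$src" "$TARGET_BRIDGE"
        fi
    done
}

# Only act when vdsm runs this as a hook (root, hook data file exported).
if [ "$(id -u)" -eq 0 ] && [ -n "${_hook_json:-}" ]; then
    mirror_all
fi
```

Two caveats a practitioner should weigh before relying on this. `mirred ... mirror` hands the firewall VM a copy of each frame, so it can inspect traffic but is not in the forwarding path; routing between the VLANs still has to go through vNICs on the individual VLAN networks. And because oVirt's VLAN bridges sit on top of the tagged sub-interfaces, the copied frames arrive on the target bridge untagged, so the firewall cannot separate them by 802.1Q tag the way the VMware "4095" trunk allowed; frames transmitted into a bridge are also flooded to all of its ports, including a physical uplink, so the target bridge should have no uplink, or `dev` should point at the firewall VM's tap device instead.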