
On Fri, Nov 18, 2016 at 10:28 AM, MOUCHOIR David <David.Mouchoir@isae.fr> wrote:
That's what I understood.
I don't have a problem configuring VLANs on NICs and switches, I've already done it many times.
What I said is: if I have 3 VMs
VM1 needs vlan1 and 2
VM2 needs vlan3 and 4
VM3 needs vlan5 and vlan6

for security reasons I don't want any of these VMs to be able to "see" traffic of other VLANs.
I will need 3 interfaces, one per trunk.

Could Vswitch be the solution? It seems to be implemented in ovirt, but documentation looks very poor (or I didn't find the documentation ;) )

I'm not a security expert.
For sure, if you don't trust the sysadmin of the VMs' operating system, or if anyone has access to the virtual console so it could attach a live distro and so on... you had better have 3 different physical network adapters on your hypervisors and create on them
trunk for id 1 and 2 on first
trunk for id 3 and 4 on second
trunk for id 5 and 6 on third

But from a functionality point of view (and also segregation if you don't modify configuration of OS) you can have only one physical adapter on hypervisor, allow id 1, 2, 3, 4, 5, 6 on it and then configure
on VM1 OS configure ifcfg-eth0.1 and ifcfg-eth0.2 files
on VM2 OS configure ifcfg-eth0.3 and ifcfg-eth0.4 files
on VM3 OS configure ifcfg-eth0.5 and ifcfg-eth0.6 files

It depends on who manages ovirt infrastructure, network infrastructure and OS infrastructure and if they are different people...
I don't know if any virtualization vendor can provide the level of security you want using only one physical adapter....

Gianluca
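
In the single-adapter layout from the reply above, segregation holds only while each guest's ifcfg-eth0.N files stay as assigned. As an added example (not part of either message), this shell check lists VLAN sub-interface files whose ID is outside a VM's assigned set; the function names and the constructed sample directory are assumptions.

```shell
#!/bin/sh
# Added example: audit ifcfg-<dev>.<vlan> files against an allow-list of VLAN IDs.
# Usage: audit_vlan_ifcfg <config-dir> <allowed-id>...
# Prints one line per unexpected sub-interface, e.g. "eth0.5".
audit_vlan_ifcfg() {
    dir=$1; shift
    allowed=" $* "                        # space-padded so " 1 " never matches " 11 "
    for f in "$dir"/ifcfg-*.*; do
        [ -e "$f" ] || continue           # glob matched nothing
        name=${f##*/ifcfg-}               # strip path and prefix -> eth0.5
        vid=${name##*.}                   # text after the last dot -> 5
        case $vid in
            ''|*[!0-9]*) continue ;;      # not a VLAN suffix (e.g. .bak, .orig)
        esac
        case $allowed in
            *" $vid "*) ;;                # assigned to this VM
            *) printf '%s\n' "$name" ;;   # not assigned: report it
        esac
    done
}

# Constructed sample: VM1 is assigned VLAN 1 and 2, but a third file has appeared.
demo_vm1() {
    d=$(mktemp -d)
    for n in eth0.1 eth0.2 eth0.5; do
        printf 'DEVICE=%s\nVLAN=yes\nONBOOT=yes\n' "$n" > "$d/ifcfg-$n"
    done
    audit_vlan_ifcfg "$d" 1 2
    rm -rf "$d"
}

demo_vm1
```

A check like this catches configuration drift inside a guest whose administrator is trusted. Where the guest administrator is not trusted, the reply's separate trunks per VM are what limit which VLAN IDs reach the guest at all.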