On Fri, Nov 18, 2016 at 10:28 AM, MOUCHOIR David <David.Mouchoir(a)isae.fr>
wrote:
> That's what I understood.
> I don't have a problem configuring VLANs on NICs and switches, I've already
> done it many times.
> What I said is:
> If I have 3 VMs
> VM1 needs vlan1 and 2
> VM2 needs vlan3 and 4
> VM3 needs vlan5 and vlan6
> For security reasons I don't want any of these VMs to be able to "see"
> traffic of other VLANs.
> I will need 3 interfaces, one per trunk.
> Could Vswitch be the solution? It seems to be implemented in oVirt, but
> the documentation looks very poor (or I didn't find the documentation ;) )

I'm not a security expert.

For sure, if you don't trust the sysadmin of the VMs' operating system, or if
anyone has access to the virtual console so they could attach a live distro
and so on, you had better have 3 different physical network adapters
on your hypervisors and create on them:
trunk for id 1 and 2 on first
trunk for id 3 and 4 on second
trunk for id 5 and 6 on third

But from a functionality point of view (and also segregation, if you don't
modify the configuration of the OS) you can have only one physical adapter on
the hypervisor, allow id 1, 2, 3, 4, 5, 6 on it and then:
on VM1 OS configure ifcfg-eth0.1 and ifcfg-eth0.2 files
on VM2 OS configure ifcfg-eth0.3 and ifcfg-eth0.4 files
on VM3 OS configure ifcfg-eth0.5 and ifcfg-eth0.6 files

It depends on who manages the oVirt infrastructure, network infrastructure and
OS infrastructure, and if they are different people...

I don't know if any virtualization vendor can provide the level of security
you want using only one physical adapter...

Gianluca
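
The guest-side files named in the reply above (ifcfg-eth0.1, ifcfg-eth0.2 and so on), as an added example that is not part of the original message or of oVirt: a shell function that writes one RHEL-style network-scripts file per VLAN ID. The function name, the output directory argument and the choice of `BOOTPROTO=none` are assumptions; as the reply notes, these files only select which tags the guest uses and do not stop a guest administrator from adding others.

```shell
#!/bin/sh
# Added example (not from the original thread): write ifcfg-<parent>.<vid>
# files for tagged sub-interfaces inside a guest.
# Usage: write_vlan_ifcfg <outdir> <parent-device> <vlan-id>...
#   e.g. on VM1: write_vlan_ifcfg /etc/sysconfig/network-scripts eth0 1 2

write_vlan_ifcfg() {
    outdir=$1
    parent=$2
    shift 2

    # Validate every ID before writing anything, so a bad argument
    # never leaves a half-configured set of files behind.
    for vid in "$@"; do
        case $vid in
            ''|*[!0-9]*)
                echo "invalid VLAN id: $vid" >&2
                return 1 ;;
        esac
        # 802.1Q VLAN IDs usable for tagging are 1..4094.
        if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
            echo "VLAN id out of range: $vid" >&2
            return 1
        fi
    done

    for vid in "$@"; do
        # File and device name follow the <parent>.<vid> convention
        # used in the message (ifcfg-eth0.1, ifcfg-eth0.2, ...).
        cat > "$outdir/ifcfg-$parent.$vid" <<EOF
DEVICE=$parent.$vid
VLAN=yes
ONBOOT=yes
BOOTPROTO=none
EOF
        # Addressing (IPADDR/PREFIX or BOOTPROTO=dhcp) is site-specific
        # and left out here.
    done
}
```
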