On Fri, Nov 18, 2016 at 10:28 AM, MOUCHOIR David <David.Mouchoir@isae.fr> wrote:

That's what I understood
I don't have problem configuring VLANs on nics and switches, I've already done many times
What I said is
If I have 3 VMs
VM1 needs vlan1 and 2
VM2 needs vlan3 and 4
VM3 needs vlan5 and vlan6

for security reason I don't want any of these VM to be able to "see" traffic of other VLAN
I will need 3 interfaces, one per trunk

Could Vswitch be the solution ? It seems to be implemented in ovirt, but documentation looks very poor ( or I didn't find the documentation ;) )

I'm not a security expert.

For sure If you don't trust the sysadmin of the VMs operating system or if anyone has access to the virtual console so it could attach a live distro and so on.... you had better to have 3 different physical network adapters on your hypervisors and create on them

trunk for id 1 and 2 on first

trunk for id 3 and 4 on second

trunk for id 5 and 6 on third

But from a functionality point of view (and also segregation if you don't modify configuration of OS) you can have only one physical adapter on hypervisor, allow id 1, 2, 3, 4, 5, 6 on it and then configure

on VM1 OS configure ifcfg-eth0.1 and ifcfg-eth0.2 files

on VM2 OS configure ifcfg-eth0.3 and ifcfg-eth0.4 files

on VM3 OS configure ifcfg-eth0.5 and ifcfg-eth0.6 files

It depends on who manages ovirt infrastructure, network infrastructure and OS infrastructure and if they are different people...

I don't know if any virtualization vendor can provide the level of security you want using only one physical adapter....

GIanluca