Perhaps showing my ignorance, but...
Can't you set up three virtual tagged bridges in ovirt? Each bridge
would be tagged with the proper vlans, and then connect to the correct
VMs? Is there something that prevents you from creating tagged bridges
that all link into a non-tagged physical NIC?
Or, possibly, could you set up the physical NIC for all the vlans and
then split them out into the separate virtual bridges?
This should prevent the admin on VM1 from accessing the vlans of the
other VMs because they are attached to different (tagged) bridges. Or
is there something that prevents this approach?
-derek
Gianluca Cecchi <gianluca.cecchi(a)gmail.com> writes:
On Fri, Nov 18, 2016 at 10:28 AM, MOUCHOIR David <David.Mouchoir(a)isae.fr> wrote:
That's what I understood
I don't have problems configuring VLANs on NICs and switches; I've already
done it many times.
What I said is
If I have 3 VMs
VM1 needs vlan1 and 2
VM2 needs vlan3 and 4
VM3 needs vlan5 and vlan6
for security reasons I don't want any of these VMs to be able to "see"
traffic of the other VLANs
I will need 3 interfaces, one per trunk
Could Vswitch be the solution? It seems to be implemented in ovirt, but the
documentation looks very poor (or I didn't find the documentation ;) )
I'm not a security expert.
For sure, if you don't trust the sysadmin of the VMs' operating system, or if
anyone has access to the virtual console so they could attach a live distro and
so on... you had better have 3 different physical network adapters on your
hypervisors and create on them
trunk for id 1 and 2 on first
trunk for id 3 and 4 on second
trunk for id 5 and 6 on third
But from a functionality point of view (and also segregation if you don't
modify the configuration of the OS) you can have only one physical adapter on the
hypervisor, allow ids 1, 2, 3, 4, 5, 6 on it and then
on VM1 OS configure ifcfg-eth0.1 and ifcfg-eth0.2 files
on VM2 OS configure ifcfg-eth0.3 and ifcfg-eth0.4 files
on VM3 OS configure ifcfg-eth0.5 and ifcfg-eth0.6 files
It depends on who manages ovirt infrastructure, network infrastructure and OS
infrastructure and if they are different people...
I don't know if any virtualization vendor can provide the level of security
you want using only one physical adapter....
Gianluca
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com
www.ihtfp.com
Computer and Internet Security Consultant
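The per-VLAN tagged bridge layout Derek proposes above, as an added example that is not from the thread or from oVirt itself: it writes the RHEL-style ifcfg files for one trunked NIC split into six single-VLAN bridges, plus the read-back check a practitioner would run to confirm each bridge carries exactly one VLAN. The NIC name (eth0), bridge names (br-vlanN) and output directory are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: ifcfg files for the layout Derek proposes,
# where the hypervisor does the 802.1Q tagging and each VM vNIC plugs into a
# bridge carrying exactly one VLAN. NIC, bridge names and paths are assumptions.

# write_tagged_bridge DIR NIC VLAN_ID BRIDGE
# Writes ifcfg-NIC.VLAN_ID (tagged sub-interface, enslaved to BRIDGE) and
# ifcfg-BRIDGE (the bridge the VM attaches to; the host puts no IP on it).
write_tagged_bridge() {
    dir=$1 nic=$2 vid=$3 br=$4
    cat > "$dir/ifcfg-$nic.$vid" <<EOF
DEVICE=$nic.$vid
PHYSDEV=$nic
VLAN=yes
BRIDGE=$br
BOOTPROTO=none
ONBOOT=yes
EOF
    cat > "$dir/ifcfg-$br" <<EOF
DEVICE=$br
TYPE=Bridge
BOOTPROTO=none
ONBOOT=yes
EOF
}

# setup_thread_layout DIR NIC: one tagged bridge per VLAN id 1..6 on a single
# trunked NIC. VM1 then gets vNICs on br-vlan1 and br-vlan2, VM2 on 3 and 4,
# VM3 on 5 and 6, so no guest ever receives a tagged frame it could retag.
setup_thread_layout() {
    for vid in 1 2 3 4 5 6; do
        write_tagged_bridge "$1" "$2" "$vid" "br-vlan$vid"
    done
}

# bridge_vlans DIR BRIDGE: the check worth running before trusting the
# segregation. Prints the VLAN id of every tagged slave of BRIDGE and the
# word "untagged" for any slave that is not a VLAN sub-interface; a correctly
# segregated bridge yields exactly one id and nothing else.
bridge_vlans() {
    dir=$1 br=$2
    grep -l "^BRIDGE=$br\$" "$dir"/ifcfg-* 2>/dev/null | while read -r f; do
        grep -q '^VLAN=yes$' "$f" && sed -n 's/^DEVICE=.*\.\([0-9]*\)$/\1/p' "$f" || echo untagged
    done | sort -n | tr '\n' ' ' | sed 's/ $//'
}
# Usage: sh this_script.sh SCRATCH_DIR eth0  (writes the 12 files, then checks br-vlan1)
if [ $# -eq 2 ]; then
    setup_thread_layout "$1" "$2" && echo "br-vlan1 carries vlan: $(bridge_vlans "$1" br-vlan1)"
fi
```

Run it against a scratch directory first; the same files dropped into /etc/sysconfig/network-scripts on a host would be what oVirt's own network setup is expected to produce for tagged logical networks.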