
On Fri, Jan 10, 2014 at 03:06:28PM +0200, Itamar Heim wrote:
On 01/10/2014 01:32 PM, Dan Kenigsberg wrote:
On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
Hello Alan,
On 09/01/14 10:07, Alan Murrell wrote:
Hello,
I am evaluating oVirt as a replacement/alternative to the VMware deployments we typically do. I have installed an all-in-one setup on a test box (which itself used to be an ESXi server), but it only has one NIC. I am trying to duplicate the typical configuration we do in VMware, which is this:
1.) we create several "port groups" on the vSwitch, each assigned a VLAN ID, such as:
- VLAN001 (VLAN ID: 1)
- VLAN002 (VLAN ID: 2)
- VLAN009 (VLAN ID: 9)
- VLAN010 (VLAN ID: 10)
- VLAN200 (VLAN ID: 200)
- TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all VLANs" and basically just passes the VLANs through to whatever is attached to the port group for the VM to handle)
2.) We assign VMs to port groups appropriate for the VLAN they are part of.
3.) The only VM that has a NIC assigned to the "TRUNK" port group is the firewall (which is Linux), and we create VLAN interfaces on it (i.e., "eth1.1", "eth1.2", "eth1.10", "eth1.200"). The firewall VM acts as the router between the various VLANs.
To replicate the above in oVirt, I created logical networks for each VLAN, and assigned the appropriate VLAN ID. It seems oVirt/KVM does not have an equivalent for VMware's VLAN ID of "4095", so after some searching around, for the "TRUNK" network I left it with no VLAN assigned. Because I cannot add VLAN and non-VLAN networks to the same physical NIC, after some searching around, it looks like I may have to utilise two NICs: one for the VLAN networks and one for the "TRUNK" network.
That is true. One non-VLAN network can in fact sit on the same NIC with VLAN networks, but it has to be non-VM.
This was devised as a security constraint - otherwise, a VM attached to the non-VLAN network could sniff traffic from another (VLAN) network. However, it seems that this is exactly what you need - a special VM that is designed to do just that.
Isn't that what promiscuous mode (aka port mirroring) is for?
Oh, that makes more sense... But unfortunately, it is impossible to mirror more than a single network onto a vnic (Engine implementation limitation). However, one can devise a tc-based after_network_setup hook that directs all traffic from all bridges onto a specific target bridge, onto which the firewall VM is connected.
Dan.
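One way to sketch the tc-based hook Dan describes, as an added example that is not part of this thread or of vdsm's own hook collection: for every Linux bridge on the host other than the one carrying the firewall VM, attach an ingress qdisc and a root prio qdisc, and on each install a match-all u32 filter with a mirred "egress mirror" action pointing at the target bridge. The bridge names (VLAN001, VLAN010, VLAN200, TRUNK) are constructed to match the thread; on a real host they would be read from /sys/class/net, and the script would be installed in vdsm's after_network_setup hook directory (assumed here to be /usr/libexec/vdsm/hooks/after_network_setup/). Without APPLY set, the script only prints the tc commands, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not vdsm's or oVirt's own code: mirror all bridge traffic onto
# the bridge of the firewall VM with tc mirred. Prints commands unless APPLY=1.

# Constructed name of the bridge the firewall VM is attached to (the non-VLAN
# "TRUNK" network from the thread; oVirt names a VM network's bridge after it).
TARGET_BRIDGE="${TARGET_BRIDGE:-TRUNK}"

# mirror_cmds SRC DST: print the tc commands that copy every frame entering or
# leaving SRC onto DST. Inbound frames are caught by an ingress qdisc, outbound
# frames by a root prio qdisc; "u32 match u8 0 0" matches any frame.
mirror_cmds() {
    src=$1
    dst=$2
    printf 'tc qdisc add dev %s handle ffff: ingress\n' "$src"
    printf 'tc filter add dev %s parent ffff: protocol all u32 match u8 0 0 action mirred egress mirror dev %s\n' "$src" "$dst"
    printf 'tc qdisc replace dev %s root handle 1: prio\n' "$src"
    printf 'tc filter add dev %s parent 1: protocol all u32 match u8 0 0 action mirred egress mirror dev %s\n' "$src" "$dst"
}

# list_source_bridges: every bridge on the host except the target. In APPLY mode
# the list comes from sysfs; otherwise a constructed sample list is used.
list_source_bridges() {
    if [ -n "$APPLY" ]; then
        for d in /sys/class/net/*/bridge; do
            [ -d "$d" ] || continue
            b=$(basename "$(dirname "$d")")
            [ "$b" = "$TARGET_BRIDGE" ] || echo "$b"
        done
    else
        printf '%s\n' VLAN001 VLAN010 VLAN200   # constructed sample bridges
    fi
}

# count_mirror_rules: number of mirred filters the hook would install, as a
# sanity check (two per source bridge: one ingress, one egress).
count_mirror_rules() {
    n=0
    for b in $(list_source_bridges); do
        n=$((n + $(mirror_cmds "$b" "$TARGET_BRIDGE" | grep -c mirred)))
    done
    echo "$n"
}

# run_hook: execute (APPLY=1) or print the commands for every source bridge.
run_hook() {
    for b in $(list_source_bridges); do
        mirror_cmds "$b" "$TARGET_BRIDGE" | while IFS= read -r cmd; do
            if [ -n "$APPLY" ]; then
                $cmd || echo "failed: $cmd" >&2
            else
                echo "$cmd"
            fi
        done
    done
}

run_hook
```

The `mirror` action leaves the original frame on its normal path and hands the firewall VM a copy; swapping it for `redirect` would move the frame instead, which changes forwarding behaviour and is a different design. Because the copies bypass the VLAN isolation that the VM/non-VM rule in the engine exists to protect, the target bridge should carry nothing but the firewall VM.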