
Hi
Does anyone know how to configure a VM nic with more than 1 vNIC? Or how to create a vNIC with 2 tagged VLANs?
I need to transmit 2 tagged (or more) VLANs to only 1 interface in my VM.
Regards
D.Mouchoir

On Thu, Nov 17, 2016 at 4:31 PM, David MOUCHOIR <david.mouchoir@isae.fr> wrote:
> Hi Does anyone know how to configure a VM nic with more than 1 vNIC? Or how to create a vNIC with 2 tagged VLANs?
> I need to transmit 2 tagged (or more) VLANs to only 1 interface in my VM
> Regards D.Mouchoir
You need to define a non-vlan network, attach it to a NIC that connects as a trunk to the switch. The vNIC needs to be linked to this network and on the VM (console) itself, define your VLAN/s over the vnic.
You will also need to disable mac-spoofing (on 4.0, you have it as a filter in the GUI, on 3.6 you have a hook to disable it).
Let us know how it goes.
Edy.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Ok, I'll try to do so and will post the result.
The problem would be that I'll need one nic per different Vlan trunk if I do not misunderstand.
On Thursday 17 November 2016 at 16:50 +0200, Edward Haas wrote:
> You need to define a non-vlan network, attach it to a NIC that connects as a trunk to the switch. The vNIC needs to be linked to this network and on the VM (console) itself, define your VLAN/s over the vnic.
> You will also need to disable mac-spoofing (on 4.0, you have it as a filter in the GUI, on 3.6 you have a hook to disable it).
> Let us know how it goes. Edy.

On 17/Nov/2016 16:37, "David MOUCHOIR" <david.mouchoir@isae.fr> wrote:
> Ok, I'll try to do so and will post the result The problem would be that I'll need one nic per different Vlan trunk if I do not misunderstand
No, on the hypervisor side you will have a physical nic that you configure as non tagged network in ovirt. The port on the physical network switch where the physical nic connects should be configured as a trunk and allow all the vlan ids you want it to transport.
Then on the vm you configure one single vnic on this oVirt network and configure at os level all the vlan ids you want into the vm itself.
See here for the methods landing page: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
And this for the manual one and ifcfg files syntax: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
Hih,
Gianluca

That's what I understood.
I don't have a problem configuring VLANs on nics and switches, I've already done it many times.
What I said is, if I have 3 VMs
VM1 needs vlan1 and 2
VM2 needs vlan3 and 4
VM3 needs vlan5 and vlan6
for security reasons I don't want any of these VMs to be able to "see" traffic of other VLAN.
I will need 3 interfaces, one per trunk.
Could Vswitch be the solution? It seems to be implemented in ovirt, but documentation looks very poor (or I didn't find the documentation ;) )
On Thursday, November 17, 2016 19:54 CET, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
> No, on the hypervisor side you will have a physical nic that you configure as non tagged network in ovirt. The port on the physical network switch where the physical nic connects should be configured as a trunk and allow all the vlan ids you want it to transport.
> Then on the vm you configure one single vnic on this oVirt network and configure at os level all the vlan ids you want into the vm itself.
> See here for the methods landing page: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
> And this for the manual one and ifcfg files syntax: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
> Hih, Gianluca

On Fri, Nov 18, 2016 at 10:28 AM, MOUCHOIR David <David.Mouchoir@isae.fr> wrote:
> That's what I understood. I don't have a problem configuring VLANs on nics and switches, I've already done it many times. What I said is, if I have 3 VMs
> VM1 needs vlan1 and 2
> VM2 needs vlan3 and 4
> VM3 needs vlan5 and vlan6
> for security reasons I don't want any of these VMs to be able to "see" traffic of other VLAN. I will need 3 interfaces, one per trunk.
> Could Vswitch be the solution? It seems to be implemented in ovirt, but documentation looks very poor (or I didn't find the documentation ;) )
I'm not a security expert.
For sure if you don't trust the sysadmin of the VMs operating system or if anyone has access to the virtual console so it could attach a live distro and so on... you had better have 3 different physical network adapters on your hypervisors and create on them
trunk for id 1 and 2 on first
trunk for id 3 and 4 on second
trunk for id 5 and 6 on third
But from a functionality point of view (and also segregation if you don't modify configuration of OS) you can have only one physical adapter on hypervisor, allow id 1, 2, 3, 4, 5, 6 on it and then configure
on VM1 OS configure ifcfg-eth0.1 and ifcfg-eth0.2 files
on VM2 OS configure ifcfg-eth0.3 and ifcfg-eth0.4 files
on VM3 OS configure ifcfg-eth0.5 and ifcfg-eth0.6 files
It depends on who manages ovirt infrastructure, network infrastructure and OS infrastructure and if they are different people...
I don't know if any virtualization vendor can provide the level of security you want using only one physical adapter....
Gianluca

Perhaps showing my ignorance, but...
Can't you set up three virtual tagged bridges in ovirt? Each bridge would be tagged with the proper vlans, and then connect to the correct VMs? Is there something that prevents you from creating tagged bridges that all link into a non-tagged physical NIC?
Or, possibly, could you set up the physical NIC for all the vlans and then split them out into the separate virtual bridges?
This should prevent the admin on VM1 from accessing the vlans of the other VMs because they are attached to different (tagged) bridges. Or is there something that prevents this approach?
-derek
Gianluca Cecchi <gianluca.cecchi@gmail.com> writes:
> I'm not a security expert. For sure if you don't trust the sysadmin of the VMs operating system or if anyone has access to the virtual console so it could attach a live distro and so on... you had better have 3 different physical network adapters on your hypervisors and create on them
> trunk for id 1 and 2 on first
> trunk for id 3 and 4 on second
> trunk for id 5 and 6 on third
> But from a functionality point of view (and also segregation if you don't modify configuration of OS) you can have only one physical adapter on hypervisor, allow id 1, 2, 3, 4, 5, 6 on it and then configure
> on VM1 OS configure ifcfg-eth0.1 and ifcfg-eth0.2 files
> on VM2 OS configure ifcfg-eth0.3 and ifcfg-eth0.4 files
> on VM3 OS configure ifcfg-eth0.5 and ifcfg-eth0.6 files
> It depends on who manages ovirt infrastructure, network infrastructure and OS infrastructure and if they are different people...
> I don't know if any virtualization vendor can provide the level of security you want using only one physical adapter....
> Gianluca
-- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant

On Fri, Nov 18, 2016 at 5:57 PM, Derek Atkins <derek@ihtfp.com> wrote:
> Perhaps showing my ignorance, but...
> Can't you set up three virtual tagged bridges in ovirt? Each bridge would be tagged with the proper vlans, and then connect to the correct
A tagged/vlan network has one VLAN set, not multiple ones. A non tagged/vlan network ignores tagging, it passes packets as is, either tagged ones or non tagged ones.
> VMs? Is there something that prevents you from creating tagged bridges that all link into a non-tagged physical NIC?
> Or, possibly, could you set up the physical NIC for all the vlans and then split them out into the separate virtual bridges?
> This should prevent the admin on VM1 from accessing the vlans of the other VMs because they are attached to different (tagged) bridges. Or is there something that prevents this approach?
> -derek
> Gianluca Cecchi <gianluca.cecchi@gmail.com> writes:
> > I don't know if any virtualization vendor can provide the level of security you want using only one physical adapter....
> > Gianluca
To increase security, at least in the sense raised here, libvirt provides the ability to specify the exact vlan tags allowed for a vnic, but only with OVS and the underlying host switch.
Please see: http://libvirt.org/formatdomain.html#elementVlanTag
We are actually on-flight to use OVS as an alternative to the linux bridge, but it is still not fully ready and this trunking setting for the vnic would need to be added as it is not in our current plans (although a hook can do a good job to set it).
Thanks,
Edy.
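
The per-vNIC tag restriction described in the message above, as an added example that is not part of the original thread or of oVirt's or libvirt's own code: a small audit that reads libvirt `<interface>` definitions and compares their `<vlan>` tags with the VLANs each VM is meant to carry. The VM-to-VLAN policy follows the scenario in the thread; the XML fragments and the bridge name `ovsbr0` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed policy from the thread's scenario: VM name -> VLAN IDs it may carry.
POLICY = {"VM1": {1, 2}, "VM2": {3, 4}, "VM3": {5, 6}}

# Constructed <interface> fragments; the bridge name "ovsbr0" is hypothetical.
VM1_XML = """<interface type='bridge'>
  <source bridge='ovsbr0'/>
  <virtualport type='openvswitch'/>
  <vlan trunk='yes'>
    <tag id='1'/>
    <tag id='2'/>
  </vlan>
</interface>"""
# VM2 is allowed one VLAN too many; VM3 has no <vlan> element at all.
VM2_XML = VM1_XML.replace("id='1'", "id='3'").replace("id='2'", "id='4'").replace(
    "</vlan>", "<tag id='5'/></vlan>")
VM3_XML = "<interface type='bridge'><source bridge='ovsbr0'/></interface>"
INTERFACES = {"VM1": VM1_XML, "VM2": VM2_XML, "VM3": VM3_XML}


def allowed_tags(interface_xml):
    """Return the VLAN IDs listed for the vNIC, or None when no <vlan> is set."""
    vlan = ET.fromstring(interface_xml).find("vlan")
    if vlan is None:
        return None
    return {int(tag.get("id")) for tag in vlan.findall("tag")}


def audit(policy, interfaces):
    """Compare each VM's vNIC definition with the VLANs it is meant to carry."""
    findings = {}
    for vm, expected in sorted(policy.items()):
        tags = allowed_tags(interfaces[vm])
        if tags is None:
            # No tag list: the vNIC receives whatever the trunk carries.
            findings[vm] = "unrestricted"
        elif tags - expected:
            findings[vm] = "extra:" + ",".join(map(str, sorted(tags - expected)))
        elif expected - tags:
            findings[vm] = "missing:" + ",".join(map(str, sorted(expected - tags)))
        else:
            findings[vm] = "ok"
    return findings


if __name__ == "__main__":
    for vm, result in audit(POLICY, INTERFACES).items():
        print(vm, result)
```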

On Thursday 17 November 2016 at 16:50 +0200, Edward Haas wrote:
> You need to define a non-vlan network, attach it to a NIC that connects as a trunk to the switch. The vNIC needs to be linked to this network and on the VM (console) itself, define your VLAN/s over the vnic.
> You will also need to disable mac-spoofing (on 4.0, you have it as a filter in the GUI, on 3.6 you have a hook to disable it).
> Let us know how it goes. Edy.
That works fine.
But still trying to find a solution with ovs.