[Users] Networking questions (LONG)

Dan Kenigsberg danken at redhat.com
Fri Jan 10 15:10:51 UTC 2014


On Fri, Jan 10, 2014 at 03:06:28PM +0200, Itamar Heim wrote:
> On 01/10/2014 01:32 PM, Dan Kenigsberg wrote:
> >On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
> >>Hello Alan,
> >>
> >>On 09/01/14 10:07, Alan Murrell wrote:
> >>>Hello,
> >>>
> >>>I am evaluating oVirt as a replacement/alternative to VMware deployments
> >>>we typically do.  I have installed an all-in-one setup on a test box
> >>>(which itself used to be an ESXi server), but it only has one NIC.  I am
> >>>trying to duplicate the typical configuration we do in VMware, which is
> >>>this:
> >>>
> >>>   1.) we create several "port groups" on the vSwitch, each assigned a
> >>>VLAN ID, such as:
> >>>
> >>>       - VLAN001 (VLAN ID: 1)
> >>>       - VLAN002 (VLAN ID: 2)
> >>>       - VLAN009 (VLAN ID: 9)
> >>>       - VLAN010 (VLAN ID: 10)
> >>>       - VLAN200 (VLAN ID: 200)
> >>>       - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all
> >>>VLANS" and basically just passes the VLANs through to whatever is
> >>>attached to the port group for the VM to handle)
> >>>
> >>>   2.) We assign VMs to port groups appropriate for the VLAN they are
> >>>part of.
> >>>   3.) The only VM that has a NIC assigned to the "TRUNK" port group is
> >>>the firewall (which is Linux), and we create VLAN interfaces on it
> >>>(i.e., "eth1.1", "eth1.2", "eth1.10", "eth1.200").  The firewall VM acts
> >>>as the router between the various VLANs.
> >>>
> >>>To replicate the above in oVirt, I created logical networks for each
> >>>VLAN, and assigned the appropriate VLAN ID.  It seems oVirt/KVM does not
> >>>have an equivalent for VMware's VLAN ID of "4095", so after some
> >>>searching around, for the "TRUNK" network I left it with no VLAN
> >>>assigned.  Because I cannot add VLAN and non-VLAN networks to the same
> >>>physical NIC, after some searching around, it looks like I may have to
> >>>utilise two NICs: one for the VLAN networks and one for the "TRUNK" network.
> >>
> >>That is true. One non-VLAN network can in fact sit on the same NIC with
> >>VLAN networks, but it has to be non-VM.
> >
> >This was devised as a security constraint - otherwise, a VM attached to
> >the non-VLAN network could sniff traffic from another (VLAN) network.
> >However, it seems that this is exactly what you need - a special VM that
> >is designed to do just that.
> >
> 
> Isn't that what promiscuous mode (aka port mirroring) is for?

Oh that makes more sense...

But unfortunately, it is impossible to mirror more than a single network
onto a vnic. (Engine implementation limitation).

However, one can devise a tc-based after_network_setup hook that
directs all traffic from all bridges onto a specific target bridge, onto
which the firewall VM is connected.

Dan.
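The tc-based hook Dan describes, sketched as an added example that is not part of the thread and not vdsm's or oVirt's own code. It assumes the bridge names from Alan's setup (VLAN001 ... VLAN200 as sources, a bridge named TRUNK carrying only the firewall VM's trunk vNIC as the target) and assumes vdsm runs hooks from /usr/libexec/vdsm/hooks/after_network_setup/ as root; the hypothetical DRY_RUN switch, the bridge lists and the MIRRORED_COUNT variable are this example's own. Each source bridge gets an ingress and a root qdisc with a catch-all u32 filter whose mirred action copies every frame to the target bridge, so the firewall VM sees both directions of every VLAN's traffic while normal delivery is unaffected.

```shell
#!/bin/sh
# Hypothetical vdsm after_network_setup hook (added example, not vdsm code).
# Mirrors all frames seen on each source bridge onto TARGET_BRIDGE, the
# bridge the firewall VM's trunk vNIC is attached to.
# Assumed bridge names from the thread; override via environment if needed.
TARGET_BRIDGE="${TARGET_BRIDGE:-TRUNK}"
SOURCE_BRIDGES="${SOURCE_BRIDGES:-VLAN001 VLAN002 VLAN009 VLAN010 VLAN200}"
# DRY_RUN=1 prints the tc commands instead of executing them (assumed switch).
DRY_RUN="${DRY_RUN:-0}"
# Number of bridges mirrored by the last mirror_all call.
MIRRORED_COUNT=0

# run_tc: execute a tc command, or echo it when DRY_RUN=1.
run_tc() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "tc $*"
    else
        tc "$@"
    fi
}

# mirror_bridge SRC DST: attach an ingress qdisc and a root prio qdisc to
# SRC, each with a catch-all u32 filter (match u8 0 0 matches every frame)
# whose mirred action copies the frame to DST. Ingress covers what the
# bridge receives, the root qdisc what it transmits.
mirror_bridge() {
    src="$1"
    dst="$2"
    # Mirroring a bridge onto itself would loop frames; refuse it.
    [ "$src" = "$dst" ] && return 0
    run_tc qdisc add dev "$src" handle ffff: ingress
    run_tc filter add dev "$src" parent ffff: protocol all u32 match u8 0 0 \
        action mirred egress mirror dev "$dst"
    run_tc qdisc add dev "$src" handle 1: root prio
    run_tc filter add dev "$src" parent 1: protocol all u32 match u8 0 0 \
        action mirred egress mirror dev "$dst"
}

# unmirror_bridge SRC: delete both qdiscs (their filters go with them), so the
# hook can be re-run cleanly after a network change.
unmirror_bridge() {
    src="$1"
    run_tc qdisc del dev "$src" ingress
    run_tc qdisc del dev "$src" root
}

# mirror_all: mirror every source bridge onto TARGET_BRIDGE, skipping the
# target itself, and record how many bridges were handled.
mirror_all() {
    MIRRORED_COUNT=0
    for br in $SOURCE_BRIDGES; do
        [ "$br" = "$TARGET_BRIDGE" ] && continue
        mirror_bridge "$br" "$TARGET_BRIDGE"
        MIRRORED_COUNT=$((MIRRORED_COUNT + 1))
    done
    return 0
}

# Apply only when vdsm runs this file from its hook directory; run by hand
# from anywhere else it just prints the plan.
case "$0" in
    */hooks/after_network_setup/*) mirror_all ;;
    *) DRY_RUN=1; mirror_all ;;
esac
```

The target bridge must carry nothing but the firewall VM's trunk vNIC: every VM attached to it receives a copy of all mirrored traffic, which is exactly the exposure the "non-VLAN networks on a shared NIC must be non-VM" rule was added to prevent. Mirroring also duplicates every frame on the host, so it is worth confirming the firewall VM's vNIC queue can absorb the aggregate of all VLANs before relying on it.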


