[ovirt-users] 2 Vlans on one VM nic
Edward Haas
ehaas at redhat.com
Fri Nov 18 16:27:05 UTC 2016
On Fri, Nov 18, 2016 at 5:57 PM, Derek Atkins <derek at ihtfp.com> wrote:
> Perhaps showing my ignorance, but...
>
> Can't you set up three virtual tagged bridges in ovirt? Each bridge
> would be tagged with the proper vlans, and then connect to the correct
>
A tagged/VLAN network has one VLAN set, not multiple ones.
A non-tagged/VLAN network ignores tagging; it passes packets as is, either tagged ones or non-tagged ones.
> VMs? Is there something that prevents you from creating tagged bridges
> that all link into a non-tagged physical NIC?
>
> Or, possibly, could you set up the physical NIC for all the vlans and
> then split them out into the separate virtual bridges?
>
> This should prevent the admin on VM1 from accessing the vlans of the
> other VMs because they are attached to different (tagged) bridges. Or
> is there something that prevents this approach?
>
> -derek
>
> Gianluca Cecchi <gianluca.cecchi at gmail.com> writes:
>
> > On Fri, Nov 18, 2016 at 10:28 AM, MOUCHOIR David <David.Mouchoir at isae.fr> wrote:
> >
> > That's what I understood
> > I don't have problems configuring VLANs on nics and switches, I've already done it many times
> > What I said is
> > If I have 3 VMs
> > VM1 needs vlan1 and 2
> > VM2 needs vlan3 and 4
> > VM3 needs vlan5 and vlan6
> >
> > for security reasons I don't want any of these VMs to be able to "see" traffic of other VLANs
> > I will need 3 interfaces, one per trunk
> >
> > Could Vswitch be the solution ? It seems to be implemented in ovirt, but documentation looks very poor ( or I didn't find the documentation ;) )
> >
> > I'm not a security expert.
> > For sure, if you don't trust the sysadmin of the VMs' operating system, or if anyone has access to the virtual console so they could attach a live distro and so on.... you had better have 3 different physical network adapters on your hypervisors and create on them
> > trunk for id 1 and 2 on first
> > trunk for id 3 and 4 on second
> > trunk for id 5 and 6 on third
> >
> > But from a functionality point of view (and also segregation if you don't modify the configuration of the OS) you can have only one physical adapter on the hypervisor, allow id 1, 2, 3, 4, 5, 6 on it and then
> > on VM1 OS configure ifcfg-eth0.1 and ifcfg-eth0.2 files
> > on VM2 OS configure ifcfg-eth0.3 and ifcfg-eth0.4 files
> > on VM3 OS configure ifcfg-eth0.5 and ifcfg-eth0.6 files
> >
> > It depends on who manages the ovirt infrastructure, network infrastructure and OS infrastructure and if they are different people...
> >
> > I don't know if any virtualization vendor can provide the level of security you want using only one physical adapter....
> >
> > Gianluca
>
To increase security, at least in the sense raised here, libvirt provides the ability to specify the exact vlan tags allowed for a vnic, but only with OVS as the underlying host switch.
Please see: http://libvirt.org/formatdomain.html#elementVlanTag
We are actually in flight to use OVS as an alternative to the linux bridge, but it is still not fully ready, and this trunking setting for the vnic would need to be added as it is not in our current plans (although a hook can do a good job to set it).
Thanks,
Edy.
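As an added illustration of the libvirt setting Edy points to (this is not part of the original thread and not oVirt's own configuration), here is the domain XML `<interface>` that attaches a vNIC to an Open vSwitch bridge and restricts it to a trunk carrying only VLAN 1 and 2, matching VM1 in Gianluca's scenario. The bridge name `ovsbr0` is an assumed placeholder; the `<vlan>`, `<tag>` and `<virtualport type='openvswitch'/>` elements are libvirt's documented syntax.

```xml
<!-- Added example, not from the thread: libvirt domain XML for VM1's vNIC.
     Assumes an OVS bridge named ovsbr0 on the host (placeholder name). -->
<interface type='bridge'>
  <source bridge='ovsbr0'/>
  <!-- The <vlan> element is only honoured by switches that can enforce it
       (OVS here); a plain linux bridge ignores it and passes tags as-is. -->
  <virtualport type='openvswitch'/>
  <!-- trunk='yes' with several <tag> entries: the port carries frames tagged
       with VLAN 1 or 2 only. Frames for VLAN 3..6 are dropped by the host
       switch no matter which eth0.N sub-interfaces the guest OS configures,
       so the restriction holds even against a guest root user. -->
  <vlan trunk='yes'>
    <tag id='1'/>
    <tag id='2'/>
  </vlan>
  <model type='virtio'/>
</interface>
```

The difference from an oVirt tagged network is that a single `<tag id='1'/>` without `trunk='yes'` gives the vNIC one access VLAN (the host strips and adds the tag), whereas the trunk form passes an explicit allow-list of tags through to the guest. Once the domain is running, the OVS port libvirt creates for the vNIC should show the allow-list when inspected on the host with `ovs-vsctl list port <vnetX>` (look for the `trunks` column), which is the check to make before trusting this as the segregation boundary between VMs sharing one physical adapter.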