<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Nov 18, 2016 at 10:28 AM, MOUCHOIR David <span dir="ltr"><<a href="mailto:David.Mouchoir@isae.fr" target="_blank">David.Mouchoir@isae.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> That's what I understood<br>
I don't have problem configuring VLANs on nics and switches, I've already done many times<br>
What I said is<br>
If I have 3 VMs<br>
VM1 needs vlan1 and 2<br>
VM2 needs vlan3 and 4<br>
VM3 needs vlan5 and vlan6<br>
<br>
for security reason I don't want any of these VM to be able to "see" traffic of other VLAN<br>
I will need 3 interfaces, one per trunk<br>
<br>
Could Vswitch be the solution ? It seems to be implemented in ovirt, but documentation looks very poor ( or I didn't find the documentation ;) )<br></blockquote><div><br></div><div>I'm not a security expert.</div><div>For sure If you don't trust the sysadmin of the VMs operating system or if anyone has access to the virtual console so it could attach a live distro and so on.... you had better to have 3 different physical network adapters on your hypervisors and create on them </div><div>trunk for id 1 and 2 on first</div><div>trunk for id 3 and 4 on second</div><div>trunk for id 5 and 6 on third</div><div><br></div><div>But from a functionality point of view (and also segregation if you don't modify configuration of OS) you can have only one physical adapter on hypervisor, allow id 1, 2, 3, 4, 5, 6 on it and then configure</div><div>on VM1 OS configure ifcfg-eth0.1 and ifcfg-eth0.2 files</div><div>on VM2 OS configure ifcfg-eth0.3 and ifcfg-eth0.4 files<br></div><div>on VM3 OS configure ifcfg-eth0.5 and ifcfg-eth0.6 files<br></div><div> </div><div>It depends on who manages ovirt infrastructure, network infrastructure and OS infrastructure and if they are different people...</div><div><br></div><div>I don't know if any virtualization vendor can provide the level of security you want using only one physical adapter....</div><div><br></div><div>GIanluca</div><div><br></div></div></div></div>