<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 18, 2016 at 5:57 PM, Derek Atkins <span dir="ltr"><<a target="_blank" href="mailto:derek@ihtfp.com">derek@ihtfp.com</a>></span> wrote:<br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">Perhaps showing my ignorance, but...<br>
<br>
Can't you set up three virtual tagged bridges in ovirt? Each bridge<br>
would be tagged with the proper vlans, and then connect to the correct<br></blockquote><div><br></div><div>A tagged/vlan network has one VLAN set, not multiple ones.<br></div><div>A non-tagged/vlan network ignores tagging; it passes packets as is, either tagged<br></div><div>ones or non-tagged ones.<br></div><div> </div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
VMs? Is there something that prevents you from creating tagged bridges<br>
that all link into a non-tagged physical NIC?<br>
<br>
Or, possibly, could you set up the physical NIC for all the vlans and<br>
then split them out into the separate virtual bridges?<br>
<br>
This should prevent the admin on VM1 from accessing the vlans of the<br>
other VMs because they are attached to different (tagged) bridges. Or<br>
is there something that prevents this approach?<br>
<br>
-derek<br>
<div class="gmail-HOEnZb"><div class="gmail-h5"><br>
Gianluca Cecchi <<a href="mailto:gianluca.cecchi@gmail.com">gianluca.cecchi@gmail.com</a>> writes:<br>
<br>
> On Fri, Nov 18, 2016 at 10:28 AM, MOUCHOIR David <<a href="mailto:David.Mouchoir@isae.fr">David.Mouchoir@isae.fr</a>><br>
> wrote:<br>
><br>
> That's what I understood<br>
> I don't have a problem configuring VLANs on NICs and switches; I've already<br>
> done it many times<br>
> What I said is<br>
> If I have 3 VMs<br>
> VM1 needs vlan1 and 2<br>
> VM2 needs vlan3 and 4<br>
> VM3 needs vlan5 and vlan6<br>
><br>
> for security reasons I don't want any of these VMs to be able to "see"<br>
> traffic of the other VLANs<br>
> I will need 3 interfaces, one per trunk<br>
><br>
> Could Vswitch be the solution? It seems to be implemented in ovirt, but<br>
> documentation looks very poor ( or I didn't find the documentation ;) )<br>
><br>
> I'm not a security expert.<br>
> For sure, if you don't trust the sysadmin of the VMs' operating system, or if<br>
> anyone has access to the virtual console so they could attach a live distro and<br>
> so on, you had better have 3 different physical network adapters on your<br>
> hypervisors and create on them <br>
> trunk for id 1 and 2 on first<br>
> trunk for id 3 and 4 on second<br>
> trunk for id 5 and 6 on third<br>
><br>
> But from a functionality point of view (and also segregation if you don't<br>
> modify configuration of OS) you can have only one physical adapter on<br>
> hypervisor, allow id 1, 2, 3, 4, 5, 6 on it and then configure<br>
> on VM1 OS configure ifcfg-eth0.1 and ifcfg-eth0.2 files<br>
> on VM2 OS configure ifcfg-eth0.3 and ifcfg-eth0.4 files<br>
> on VM3 OS configure ifcfg-eth0.5 and ifcfg-eth0.6 files<br>
> <br>
> It depends on who manages ovirt infrastructure, network infrastructure and OS<br>
> infrastructure and if they are different people...<br>
><br>
> I don't know if any virtualization vendor can provide the level of security<br>
> you want using only one physical adapter....<br>
><br>
> Gianluca<br></div></div></blockquote><div><br></div></div>To increase security, at least in the sense raised here, libvirt provides the ability<br></div><div class="gmail_extra">to specify the exact vlan tags allowed for a vnic, but only with OVS and the<br></div><div class="gmail_extra">underlying host switch.<br></div><div class="gmail_extra">Please see: <a href="http://libvirt.org/formatdomain.html#elementVlanTag">http://libvirt.org/formatdomain.html#elementVlanTag</a><br><br></div><div class="gmail_extra">We are actually in flight to use OVS as an alternative to the Linux bridge, but it<br></div><div class="gmail_extra">is still not fully ready and this trunking setting for the vnic would need to be added<br></div><div class="gmail_extra">as it is not in our current plans (although a hook can do a good job to set it).<br><br></div><div class="gmail_extra">Thanks,<br></div><div class="gmail_extra">Edy.<br></div></div>
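As an added example, not taken from the thread or from oVirt's or libvirt's own configuration, here is the per-vnic VLAN restriction Edy points to, written as a libvirt domain XML fragment for VM1 from David's scenario: the interface attaches to an Open vSwitch bridge and is trunked only for VLAN IDs 1 and 2, so the host switch enforces the restriction regardless of what the guest admin puts in ifcfg-eth0.N. The bridge name ovsbr0 is an assumption.

```xml
<!-- Added example: VM1 from the thread, attached to an Open vSwitch bridge
     (bridge name "ovsbr0" is an assumption). The <vlan trunk='yes'> element is
     the libvirt setting referenced above: the vnic is a trunk carrying only
     VLAN IDs 1 and 2, enforced by OVS on the host rather than by the guest OS. -->
<interface type='bridge'>
  <source bridge='ovsbr0'/>
  <virtualport type='openvswitch'/>
  <vlan trunk='yes'>
    <tag id='1'/>
    <tag id='2'/>
  </vlan>
  <model type='virtio'/>
</interface>

<!-- For comparison, the weaker setup discussed in the thread: the same bridge
     port without a <vlan> element passes tagged frames as is, so isolation then
     rests only on VM1's own ifcfg-eth0.1 / ifcfg-eth0.2 files, which VM1's
     admin can change to reach VLANs 3 to 6. -->
<interface type='bridge'>
  <source bridge='ovsbr0'/>
  <virtualport type='openvswitch'/>
  <model type='virtio'/>
</interface>
```

To check the result on the host after VM1 starts, `ovs-vsctl list Port <vnetN>` for the vnet interface libvirt created should show `trunks` of `[1, 2]` for the first variant and an empty set (all VLANs) for the second.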