On Fri, Jan 10, 2014 at 03:06:28PM +0200, Itamar Heim wrote:
> On 01/10/2014 01:32 PM, Dan Kenigsberg wrote:
> >On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
> >>Hello Alan,
> >>
> >>On 09/01/14 10:07, Alan Murrell wrote:
> >>>Hello,
> >>>
> >>>I am evaluating oVirt as a replacement/alternative to VMware deployments
> >>>we typically do. I have installed an all-in-one setup on a test box
> >>>(which itself used to be an ESXi server), but it only has one NIC. I am
> >>>trying to duplicate the typical configuration we do in VMware, which is
> >>>this:
> >>>
> >>> 1.) We create several "port groups" on the vSwitch, each assigned a
> >>>VLAN ID, such as:
> >>>
> >>> - VLAN001 (VLAN ID: 1)
> >>> - VLAN002 (VLAN ID: 2)
> >>> - VLAN009 (VLAN ID: 9)
> >>> - VLAN010 (VLAN ID: 10)
> >>> - VLAN200 (VLAN ID: 200)
> >>> - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all
> >>>VLANs" and basically just passes the VLANs through to whatever is
> >>>attached to the port group for the VM to handle)
> >>>
> >>> 2.) We assign VMs to port groups appropriate for the VLAN they are
> >>>part of.
> >>> 3.) The only VM that has a NIC assigned to the "TRUNK" port group is
> >>>the firewall (which is Linux), and we create VLAN interfaces on it
> >>>(i.e., "eth1.1", "eth1.2", "eth1.10", "eth1.200"). The firewall VM acts
> >>>as the router between the various VLANs.
> >>>
> >>>To replicate the above in oVirt, I created logical networks for each
> >>>VLAN and assigned the appropriate VLAN ID. It seems oVirt/KVM does not
> >>>have an equivalent for VMware's VLAN ID of "4095", so after some
> >>>searching around, for the "TRUNK" network I left it with no VLAN
> >>>assigned. Because I cannot add VLAN and non-VLAN networks to the same
> >>>physical NIC, after some searching around, it looks like I may have to
> >>>utilise two NICs: one for the VLAN networks and one for the "TRUNK"
> >>>network.
> >>
> >>That is true. One non-VLAN network can in fact sit on the same NIC with
> >>VLAN networks, but it has to be non-VM.
> >
> >This was devised as a security constraint - otherwise, a VM attached to
> >the non-VLAN network could sniff traffic from another (VLAN) network.
> >However, it seems that this is exactly what you need - a special VM that
> >is designed to do just that.
>
> Isn't that what promiscuous mode (aka port mirroring) is for?

Oh, that makes more sense... But unfortunately, it is impossible to mirror
more than a single network onto a vnic (Engine implementation limitation).
However, one can devise a tc-based after_network_setup hook that directs all
traffic from all bridges onto a specific target bridge, onto which the
firewall VM is connected.

Dan.
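The tc-based mirroring that Dan sketches above, written out as an added example (this is not code from the thread or from oVirt/VDSM). It builds the `tc` commands that would copy every frame seen on a set of bridge port devices onto the bridge the firewall VM is attached to, using an ingress qdisc plus a catch-all `u32` filter with a `mirred` mirror action, and the same on egress via a root `prio` qdisc. The device names (`eth0.1`, `vnet0`, `brtrunk`), the hook location (`/usr/libexec/vdsm/hooks/after_network_setup/`) and the choice to mirror the bridge's port devices rather than the bridge netdev itself are assumptions made for the example. Applying the commands needs root and the real interfaces; setting `TC=echo` prints them instead, which is how the example is exercised here.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of oVirt/VDSM.
# Assumed deployment: drop this script in
#   /usr/libexec/vdsm/hooks/after_network_setup/   (assumed VDSM hook dir)
# and call mirror_all with the firewall's bridge followed by the port
# devices (uplink VLAN devices and VM taps) of the networks to inspect.
# TC=echo turns every tc invocation into a printed line for a dry run.

TC="${TC:-tc}"

# mirror_bridge SRC DST
# Mirror both directions of SRC onto DST.
# Note: on a Linux bridge the bridge netdev's own ingress only sees
# frames delivered to the host, so SRC should be a bridge *port*
# (e.g. eth0.10 or a VM's tap device), which sees everything that
# enters or leaves through that port.
mirror_bridge() {
    src="$1"; dst="$2"
    # inbound frames: ingress qdisc + match-all u32 filter + mirred mirror
    "$TC" qdisc add dev "$src" handle ffff: ingress
    "$TC" filter add dev "$src" parent ffff: protocol all u32 \
        match u32 0 0 action mirred egress mirror dev "$dst"
    # outbound frames: a root prio qdisc gives us a classful parent to
    # hang the same match-all mirror filter on
    "$TC" qdisc add dev "$src" handle 1: root prio
    "$TC" filter add dev "$src" parent 1: protocol all u32 \
        match u32 0 0 action mirred egress mirror dev "$dst"
}

# mirror_all DST SRC...
# Mirror every listed source device onto DST, skipping DST itself so
# the firewall bridge is never mirrored back into itself (a loop).
mirror_all() {
    dst="$1"; shift
    for src in "$@"; do
        [ "$src" = "$dst" ] && continue
        mirror_bridge "$src" "$dst"
    done
}

# Run only when invoked with arguments, e.g.
#   TC=echo sh mirror.sh brtrunk eth0.1 eth0.10 vnet0 vnet1
if [ $# -gt 0 ]; then
    mirror_all "$@"
fi
```

The mirror is one-way: the firewall VM sees copies of the frames but its own replies still leave through its own bridge, so this gives the firewall visibility of every VLAN without turning its non-VLAN bridge into a trunk that other VMs could share.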