[ovirt-users] Re: Separating VM network

2018-11-14 Thread Marcin Mirecki
On Wed, Nov 14, 2018 at 5:54 PM  wrote:

> Thanks a lot for your answer, Marcin!
>
> > On Wed, Nov 14, 2018 at 2:24 PM  wrote:
> > Having separate NICs you don't even need separate VLANs. You can just use
> > one NIC for your host/storage network, and use another NIC to create a VM
> > network. You must of course make sure to separate these outside of the
> > hosts.
> > VLANs are useful if you have just one NIC on your host, or want to have
> > multiple networks on a single NIC. You can then create multiple VLAN
> > networks (VLAN devices) on top of your NIC, and so achieve network
> > separation.
> How are these VLAN tags "enforced"? Does the switch automatically separate
> VLANs from each other by default?
>

The VLAN tags are enforced by creating a VLAN device on top of your NIC on
the host (tagging outgoing frames).
Your switch should keep the tagging, unless configured otherwise.


>
> > If you have your VM networks and host network use different NICs, your
> > networks are already separated (L2).
> Yes, but I defined an IP for the "VM" NIC on the hosts which is reachable
> by the VMs (= the VMs are in the same subnet as the host). I want to
> completely make the hosts unreachable by the VM.
> I do not know whether this is best-practice or even necessary? I found
> little to no information about networking best-practices regarding oVirt.
>

If the VM networks are on different VLANs, the subnets are irrelevant,
since you have L2 separation.
You might want to create another VLAN for your local host traffic if you
want to use the same NIC.


>
> Just as an anecdote: we had a laptop in the network of the hosts/storages
> which for some reason had a static IP defined by an employee - which
> was also assigned to a storage server - which in turn resulted in some
> downtime.
>
> I think separating the hosts/storage from the rest of the network was a
> good first step to prevent such incidents but - as I said before - I am not
> sure whether it suffices.
>

It should do the trick. You will probably need to route your VM traffic out
of the VM network at some stage, which will connect your VM networks with
the rest of your network, but that will be on L3.

>
> Thanks again for all your input!
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XD5APM5KS2YBXSBTETO6A3AEDWLHWCUR/
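
An added check for the situation discussed in this message (not part of the original thread and not oVirt code): it parses `ip -o -4 addr show` output from a host and reports host addresses that are bound to a VM-facing device or sit inside the subnet the VMs use. The device names, the host addresses and the trimmed sample output are constructed assumptions; the two subnets are the ones named in the thread.

```python
import ipaddress

# Constructed, trimmed `ip -o -4 addr show` output from one host.
# Device names are assumptions: ovirtmgmt = host bridge,
# eth1.179 = storage VLAN device, vmnet = bridge the VMs attach to.
SAMPLE = [
    "1: lo    inet 127.0.0.1/8 scope host lo",
    "2: ovirtmgmt    inet 192.168.178.10/24 brd 192.168.178.255 scope global ovirtmgmt",
    "5: eth1.179    inet 192.168.179.10/24 brd 192.168.179.255 scope global eth1.179",
    "7: vmnet    inet 192.168.178.11/24 brd 192.168.178.255 scope global vmnet",
]

VM_DEVICES = {"vmnet"}  # assumption: devices the VMs are bridged to
VM_SUBNETS = [ipaddress.ip_network("192.168.178.0/24")]  # subnet the VMs use


def parse_addrs(lines):
    """Yield (device, IPv4Interface) for each `inet` line."""
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet":
            yield fields[1], ipaddress.ip_interface(fields[3])


def exposed_to_vms(lines, vm_devices, vm_subnets):
    """Return (device, ip, reasons) for host addresses VMs could reach."""
    findings = []
    for dev, iface in parse_addrs(lines):
        if iface.ip.is_loopback:
            continue
        reasons = []
        if dev in vm_devices:
            # Host IP on the VM segment itself: reachable at L2.
            reasons.append("bound to VM-facing device")
        if any(iface.ip in net for net in vm_subnets):
            # Same subnet as the VMs: isolated only if the L2 segments differ.
            reasons.append("inside VM subnet")
        if reasons:
            findings.append((dev, str(iface.ip), reasons))
    return findings


if __name__ == "__main__":
    for dev, ip, reasons in exposed_to_vms(SAMPLE, VM_DEVICES, VM_SUBNETS):
        print(f"{dev} {ip}: {', '.join(reasons)}")
```

An empty result means no host address is on a VM-facing device or in a VM subnet; it says nothing about how the switch ports are configured.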


[ovirt-users] Re: Separating VM network

2018-11-14 Thread d . gengenbach
Thanks a lot for your answer, Marcin!

> On Wed, Nov 14, 2018 at 2:24 PM  wrote:
> Having separate NICs you don't even need separate VLANs. You can just use
> one NIC for your host/storage network, and use another NIC to create a VM
> network. You must of course make sure to separate these outside of the
> hosts.
> VLANs are useful if you have just one NIC on your host, or want to have
> multiple networks on a single NIC. You can then create multiple VLAN
> networks (VLAN devices) on top of your NIC, and so achieve network
> separation.
How are these VLAN tags "enforced"? Does the switch automatically separate 
VLANs from each other by default?

> If you have your VM networks and host network use different NICs, your
> networks are already separated (L2).
Yes, but I defined an IP for the "VM" NIC on the hosts which is reachable by 
the VMs (= the VMs are in the same subnet as the host). I want to completely 
make the hosts unreachable by the VM.
I do not know whether this is best-practice or even necessary? I found little 
to no information about networking best-practices regarding oVirt.

Just as an anecdote: we had a laptop in the network of the hosts/storages 
which for some reason had a static IP defined by an employee - which was 
also assigned to a storage server - which in turn resulted in some downtime.

I think separating the hosts/storage from the rest of the network was a good 
first step to prevent such incidents but - as I said before - I am not sure 
whether it suffices.

Thanks again for all your input!


[ovirt-users] Re: Separating VM network

2018-11-14 Thread Marcin Mirecki
On Wed, Nov 14, 2018 at 2:24 PM  wrote:

> We would like to separate our VM traffic completely from our host/storage
> network. As far as I can see, there is no definitive guide to achieve this
> by using VLANs/separate VM networks/subnetting.
>

Having separate NICs you don't even need separate VLANs. You can just use
one NIC for your host/storage network, and use another NIC to create a VM
network. You must of course make sure to separate these outside of the
hosts.
VLANs are useful if you have just one NIC on your host, or want to have
multiple networks on a single NIC. You can then create multiple VLAN
networks (VLAN devices) on top of your NIC, and so achieve network
separation.


> In our current setup:
> - the storage traffic happens in a separate VLAN (configured directly on
> the switch) on separate NICs on both hosts/storages in the
> 192.168.179.0/24 subnet
> - all other infrastructure (oVirt hosts, gateway, DHCP, DNS, VM
> thinclients, switches, ...) are in the 192.168.178.0/24 subnet
> We now want to separate the oVirt hosts/engine completely from the other
> infrastructure, e.g. the VMs and thinclients.
>

If you have your VM networks and host network use different NICs, your
networks are already separated (L2).

>
> I am not experienced in networking and would be very thankful for all
> hints/tips!
>
> Thanks in advance,
> David