|
| From: | Mike Lovell |
| Subject: | Re: [Qemu-discuss] Networking and vlan |
| Date: | Thu, 19 Apr 2012 12:58:06 -0600 |
| User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.28) Gecko/20120313 Lightning/1.0b2 Thunderbird/3.1.20 |
On 04/19/2012 01:30 AM, Valerio Pachera wrote:
... (vlan) they do not extend outside of the individual qemu processesOk, that's what I was trying to undestand. In other words, if a guest has two nics and I do not specify any vlan, each packet sent to a guest nic is received also from the other nic becauseit also behaves like an ethernet hubThat also means it doesn't matter if I use vlan ot not, a guest will always be able to ping the others on the same bridge and any host i the lan. To achive the my scope, I have to configure vlan on the guests. The only bad side of that is: if I let other people to manage the guest, they can chenge network configuration and get out of the vlan. That's why I would have like something host side.
another way of achieving this is to have multiple bridges on the host and the various guests connect to different bridges. this isolates guests from each other. you could then connect vlan interfaces on the host to the separate guest bridges. this would result in guests being on separate vlans in the physical network.
yet another way would be to use openvswitch instead of the standard linux bridge. openvswitch supports setting vlans on 'ports,' kind of like a managed ethernet switch would. you could then specify the different vlans there. openvswitch would require a 3.3+ kernel or building some out-of-tree modules.
and there are a few other options for achieving isolation of guests. it depends on your needs and how much you want to work at it. :)
mike
| [Prev in Thread] | Current Thread | [Next in Thread] |