CentOS virt - Nov 2009 - Controlling allocation of ethernet devices and KVM

Running Centos 5.4 with KVM on a Dell R610 server and I'd like to
control which of the four ethernet interfaces are used for specific tasks

My ideal configuration would be

eth0 - Host traffic only, no virtual guests. Used for guest mirroring
and management.
eth1 - NAT guest traffic only, no address for local machine and in some
environments in the same zone as eth0
eth2/3 - Allocated to two different bridge devices which might be in
separate network zones.

The configuration of eth2/3 is fairly simple, my issue is restricting
any NAT traffic to a specific ethernet devices, and ideally one with no
local IP.

Any ideas?

Steve

-- 
    *Steven Ellis - Director of Worldwide Engineering,*
    *Bulletin.Net Inc* - http://www.bulletin.net/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos-virt/attachments/20091127/f13b5f9b/attachment-0004.html>

On Fri, 2009-11-27 at 14:02 +1300, Steven Ellis wrote:
> Running Centos 5.4 with KVM on a Dell R610 server and I'd like to
> control which of the four ethernet interfaces are used for specific
> tasks
> 
> My ideal configuration would be
> 
> eth0 - Host traffic only, no virtual guests. Used for guest mirroring
> and management.
> eth1 - NAT guest traffic only, no address for local machine and in
> some environments in the same zone as eth0
> eth2/3 - Allocated to two different bridge devices which might be in
> separate network zones.
> 
> The configuration of eth2/3 is fairly simple, my issue is restricting
> any NAT traffic to a specific ethernet devices, and ideally one with
> no local IP.
> 
> Any ideas?
> 
> Steve
> 
So if I have this right, at the basic level you wish to have:

- One interface for Host machine
- Multiple interfaces for guest traffic

If your environment supports VLANs (802.1Q), might I suggest a trunk
port on eth1 split up into different bridges to have the KVM guests go
through to get on different VLANs/address spaces.

This is what I currently do for Xen and it works great. What kind of
network setup to you have?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.centos.org/pipermail/centos-virt/attachments/20091126/70bdabb1/attachment-0002.sig>

I would also consider this for physical network isolation.

Put your eth0 and eth1 on separate switches and subnets, then work on 
the firewall tuning between the NICs in the box from there.

I think do that may follow a stronger firewall physical paradigm where 
you can disconnect networks to help contain situations until resolved 
rather than throwing rules at your iptables while under stress.

The extra costs of a couple of switches and wiring could get easily 
offset by your labor time over a few months.



Tait Clarridge wrote:
> On Fri, 2009-11-27 at 14:02 +1300, Steven Ellis wrote:
>> Running Centos 5.4 with KVM on a Dell R610 server and I'd like to
>> control which of the four ethernet interfaces are used for specific
>> tasks
>>
>> My ideal configuration would be
>>
>> eth0 - Host traffic only, no virtual guests. Used for guest mirroring
>> and management.
>> eth1 - NAT guest traffic only, no address for local machine and in
>> some environments in the same zone as eth0
>> eth2/3 - Allocated to two different bridge devices which might be in
>> separate network zones.
>>
>> The configuration of eth2/3 is fairly simple, my issue is restricting
>> any NAT traffic to a specific ethernet devices, and ideally one with
>> no local IP.
>>
>> Any ideas?
>>
>> Steve
>>
> 
> So if I have this right, at the basic level you wish to have:
> 
> - One interface for Host machine
> - Multiple interfaces for guest traffic
> 
> If your environment supports VLANs (802.1Q), might I suggest a trunk
> port on eth1 split up into different bridges to have the KVM guests go
> through to get on different VLANs/address spaces.
> 
> This is what I currently do for Xen and it works great. What kind of
> network setup to you have?
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> CentOS-virt mailing list
> CentOS-virt at centos.org
> http://lists.centos.org/mailman/listinfo/centos-virt

On 26/11/09 10:16 PM, "Tait Clarridge" <tait at clarridge.ca>
wrote:
> On Fri, 2009-11-27 at 14:02 +1300, Steven Ellis wrote:
>> Running Centos 5.4 with KVM on a Dell R610 server and I'd like to
>> control which of the four ethernet interfaces are used for specific
>> tasks
>> 
>> My ideal configuration would be
>> 
>> eth0 - Host traffic only, no virtual guests. Used for guest mirroring
>> and management.
>> eth1 - NAT guest traffic only, no address for local machine and in
>> some environments in the same zone as eth0
>> eth2/3 - Allocated to two different bridge devices which might be in
>> separate network zones.
>> 
>> The configuration of eth2/3 is fairly simple, my issue is restricting
>> any NAT traffic to a specific ethernet devices, and ideally one with
>> no local IP.
>> 
>> Any ideas?
>> 
>> Steve
>> 
> 
> So if I have this right, at the basic level you wish to have:
> 
> - One interface for Host machine
> - Multiple interfaces for guest traffic
> 
> If your environment supports VLANs (802.1Q), might I suggest a trunk
> port on eth1 split up into different bridges to have the KVM guests go
> through to get on different VLANs/address spaces.
> 
> This is what I currently do for Xen and it works great. What kind of
> network setup to you have?
Could you please provide some pointers on how you accomplished this?  I've
been attempting to set up a similar configuration without success.

Thanks, 
  Kelvin

----- "Steven Ellis" <steven.ellis at bulletin.net> wrote:
> My issue is I can't see any way to bring up NAT guests unless they are
> using a ethernet interface that has a address for the host OS.
How will you NAT without an interface address to translate to? You can probably
wrangle the scripts into supporting your own configured mangle/NAT setup with
something handling the ARP for you on the unnumbered interface, but that's
probably beyond the scope of this list.

-- 
Christopher G. Stach II