On Wed, May 18, 2011 at 6:46 AM, Gilberto Nunes gilberto.nunes32@gmail.com wrote:
-Does KVM have a concept of virtual switches and and are they tied to physical NICs? ESXi allows me to create a vSwitch that isn't tied to a physical NIC so I can create a DMZ that exists solely within the host system. I'd like to replicate that if possible.
Yes... You can use VirtManager to work with this feature...
And in fact I'd say it's "concept" is *better*. KVM/libvirt just leverages the built-in virtual switching (bridging) support in Linux accessible through brctl. So you can create virtual bridges, tie ethernet devices to them, and have visibility into what's going on using standard tools like brctl and iproute2 tools if you'd like (instead of VirtManager). You can also use stuff like iptables to filter traffic going across bridges...
Sad to admit it, but I have a Linux box functioning as a router which also runs KVM domains ... eth0 is a bridge port (so no IP address), the virtual switch br0 has both the router internal IP (.1) and the "service-providing" IP of the box (still the IP I used to manage the KVM host from before I was using it as the router), eth1 has multiple VLANs with IPs on our Fiber WAN and the local out-of-band network. The NICs of the guests are also attached to br0, naturally. And of course iptables is able to securely filter traffic across all that. It's a stopgap measure, but works flawlessly.
If you want a NAT subnet, behind the scenes it's real Linux routing with iptables snat module (or masquerade). Your host-only network is a bridge without any hardware NICs attached as ports, only KVM NICs. And so on. Sublime!
Eric
PS, all the above is also true for running Xen on CentOS, though it comes with its own scripts for setting up the bridging instead of leveraging libvirt to do it