I would also consider this for physical network isolation.
Put your eth0 and eth1 on separate switches and subnets, then work on the firewall tuning between the NICs in the box from there.
I think doing that may follow a stronger firewall physical paradigm where you can disconnect networks to help contain situations until resolved rather than throwing rules at your iptables while under stress.
The extra costs of a couple of switches and wiring could get easily offset by your labor time over a few months.
Tait Clarridge wrote:
On Fri, 2009-11-27 at 14:02 +1300, Steven Ellis wrote:
Running Centos 5.4 with KVM on a Dell R610 server and I'd like to control which of the four ethernet interfaces are used for specific tasks
My ideal configuration would be
eth0 - Host traffic only, no virtual guests. Used for guest mirroring and management.
eth1 - NAT guest traffic only, no address for local machine and in some environments in the same zone as eth0
eth2/3 - Allocated to two different bridge devices which might be in separate network zones.
The configuration of eth2/3 is fairly simple, my issue is restricting any NAT traffic to a specific ethernet devices, and ideally one with no local IP.
Any ideas?
Steve
So if I have this right, at the basic level you wish to have:
- One interface for Host machine
- Multiple interfaces for guest traffic
If your environment supports VLANs (802.1Q), might I suggest a trunk port on eth1 split up into different bridges to have the KVM guests go through to get on different VLANs/address spaces.
This is what I currently do for Xen and it works great. What kind of network setup do you have?
CentOS-virt mailing list CentOS-virt@centos.org http://lists.centos.org/mailman/listinfo/centos-virt
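The trunk-port layout Tait suggests, as an added example that is not from the thread: a shell helper that writes CentOS 5 style ifcfg files splitting one 802.1Q trunk NIC into one bridge per VLAN, so each KVM guest bridge lands on its own VLAN while the host itself keeps no address on those bridges. VLAN IDs, bridge names and the output directory are assumptions; on a real host the directory would be /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example (not from the thread). Generates ifcfg files for a trunk
# NIC carrying tagged VLANs, each VLAN enslaved to its own bridge.
# Directory, VLAN IDs and bridge names below are constructed assumptions.

# write_trunk_nic DIR NIC: the physical trunk port itself, up but unaddressed.
write_trunk_nic() {
    cat > "$1/ifcfg-$2" <<EOF
DEVICE=$2
ONBOOT=yes
BOOTPROTO=none
EOF
}

# write_vlan_bridge DIR NIC VLANID BRIDGE
# Writes ifcfg-NIC.VLANID (tagged sub-interface, no address, enslaved to
# BRIDGE) and ifcfg-BRIDGE (bridge without an address, so the host does not
# sit on the guest VLAN; guests attach to BRIDGE from their KVM config).
write_vlan_bridge() {
    dir=$1; nic=$2; vid=$3; br=$4
    cat > "$dir/ifcfg-$nic.$vid" <<EOF
DEVICE=$nic.$vid
ONBOOT=yes
BOOTPROTO=none
VLAN=yes
BRIDGE=$br
EOF
    cat > "$dir/ifcfg-$br" <<EOF
DEVICE=$br
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
DELAY=0
EOF
}

# bridge_for_vlan DIR NIC VLANID: reads back which bridge a tagged
# sub-interface was enslaved to (handy for checking the generated files).
bridge_for_vlan() {
    sed -n 's/^BRIDGE=//p' "$1/ifcfg-$2.$3"
}

# demo: eth1 as the trunk carrying VLANs 10 and 20, one bridge each;
# eth0 is left alone as the host-only management interface.
demo() {
    out=$(mktemp -d)
    write_trunk_nic "$out" eth1
    write_vlan_bridge "$out" eth1 10 br10
    write_vlan_bridge "$out" eth1 20 br20
    echo "$out"
}
```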