Isolate network traffic


(Daniel Ruiz Molina) #1

Hello,

First of all, I’m going to explain my OpenNebula configuration and, later, I will explain what I need.
I have only one server that acts as OpenNebula-server and OpenNebula-kvm-node. It has 4 NICs but only 1 is connected to the physical switch.
I have configured the network with eth0 attached to bridge br0 (I’m using Linux bridges, not Open vSwitch). This “br0” is configured with my public IP address and, then, I have created 3 more bridges (br0:1, br0:2 and br0:3), each of them with a private IP address from my three OpenNebula private networks. So my server has 4 IPs configured.

Each private network, during its configuration in OpenNebula, was attached to the “br0” device, not a “br0:X” device (parameter “BRIDGE”), but I have not configured the parameter “PHYDEV” of each private network (nor on the public network).

In my scenario, several users need to use these three private networks. They are not able to create networks, so they can ONLY use the three I have created as “oneadmin”.
But now I have this problem: machine 1 of user A in private network #1 can ping machine 1 of user B in the same private network #1, because both machines are attached to the same network. So, could I configure the OpenNebula private networks or bridges to isolate this traffic?

Thanks a lot!!!


(David Brierley) #2

Hi Daniel,

I might be reading it wrong.

So you do have 4 networks.
1 public, 3 private?
All set up as bridges.

It sounds like you may have confused bridge with physical device (phydev).
bridge is just the name of the Linux bridge it creates (so, like br0).

To confirm, run brctl show. OpenNebula in bridged mode will bridge the VM guest NIC to a physical bridge; you do need to specify the physical device, and you could leave the bridge bit out.

so Network 1: Public
phydev: br0

Private 1:
phydev: br0:x
bridge: private1-To-Br0:x

Private 2:
phydev: br0:x
bridge: private2-To-Br0:x

Private 3:
phydev: br0:X
bridge: private3-To-Br0:x

Then, when you attach a VM to Private 3, it will create a bridge called private2-To-Br0:x, visible via brctl show. It should show that this is connected to physical port/bridge br0:x, and you will see another port, which is the VM’s NIC in KVM.

I think the bridge bit is misleading; by default, if you leave it blank, it will just name it one-br-[Network ID] or something.

So here is mine, for example (a little bit different, as I’m using VLANs, but it should help):

[root@PBC-FE01 ~]# brctl show
bridge name bridge id STP enabled interfaces
Mgmt-Web 8000.68b599b6c45c no bond0.10
one-38-0
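The isolation question in the first post comes down to which VM ports hang off the same Linux bridge: every tap interface attached to one bridge sits in one broadcast domain, so VMs of different users on the same bridge can reach each other at layer 2 regardless of which OpenNebula virtual network they were given. The script below is an added example for checking that on a node; it is not code from either poster or from OpenNebula. It parses brctl show output (bridge name, bridge id, STP flag, then one interface per line, with additional interfaces on indented continuation lines) and assumes OpenNebula's tap naming convention one-<VM ID>-<NIC ID>, which the one-38-0 port in David's listing follows. The brctl output and the VM-to-owner table are constructed sample data; on a real host the owner table would be built from onevm list.

```python
"""Find VM NICs that share a Linux bridge, i.e. one L2 broadcast domain.

Added example, not from the forum thread or from OpenNebula. Assumes the
`brctl show` output layout (bridge name / bridge id / STP enabled /
interfaces, extra interfaces on indented continuation lines) and the
OpenNebula tap naming convention one-<VM_ID>-<NIC_ID>.
"""
import re
from collections import defaultdict

# Constructed sample output mirroring the first post: every private network
# was attached to br0, so all VMs land on one bridge next to the uplink eth0.
SAMPLE_BRCTL_OUTPUT = """\
bridge name\tbridge id\t\tSTP enabled\tinterfaces
br0\t\t8000.000000000001\tno\t\teth0
\t\t\t\t\t\t\tone-10-0
\t\t\t\t\t\t\tone-11-0
\t\t\t\t\t\t\tone-12-0
one-br-3\t\t8000.000000000002\tno\t\tone-13-0
"""

# Constructed VM ownership table (VM ID -> OpenNebula user); on a real host
# this would be built from `onevm list`.
SAMPLE_VM_OWNERS = {10: "userA", 11: "userB", 12: "userA", 13: "userC"}

# OpenNebula names a VM's tap device one-<VM_ID>-<NIC_ID> (assumption).
TAP_RE = re.compile(r"^one-(\d+)-(\d+)$")


def parse_brctl_show(text):
    """Return {bridge_name: [interface, ...]} from `brctl show` output."""
    bridges = {}
    current = None
    for line in text.splitlines()[1:]:  # skip the column header
        if not line.strip():
            continue
        if line[0].isspace():
            # Continuation line: another interface on the current bridge.
            if current is not None:
                bridges[current].append(line.strip())
            continue
        fields = line.split()
        current = fields[0]
        bridges[current] = fields[3:]  # a bridge may have no ports at all
    return bridges


def owners_per_bridge(bridges, vm_owners):
    """Map each bridge to the set of users whose VM NICs are attached to it."""
    result = defaultdict(set)
    for bridge, ifaces in bridges.items():
        for iface in ifaces:
            m = TAP_RE.match(iface)
            if m:
                vm_id = int(m.group(1))
                result[bridge].add(vm_owners.get(vm_id, "unknown"))
    return dict(result)


def shared_segments(text, vm_owners):
    """Bridges on which VMs of more than one user share a broadcast domain."""
    per_bridge = owners_per_bridge(parse_brctl_show(text), vm_owners)
    return {b: sorted(u) for b, u in per_bridge.items() if len(u) > 1}


def uplinked_bridges(bridges):
    """Bridges that also carry a non-VM port (for example the physical NIC)."""
    return sorted(b for b, ifs in bridges.items()
                  if any(not TAP_RE.match(i) for i in ifs))


if __name__ == "__main__":
    bridges = parse_brctl_show(SAMPLE_BRCTL_OUTPUT)
    for bridge, users in shared_segments(SAMPLE_BRCTL_OUTPUT,
                                         SAMPLE_VM_OWNERS).items():
        print(f"{bridge}: VMs of {', '.join(users)} share one L2 segment")
    print("bridges with a physical uplink:", uplinked_bridges(bridges))
```

On the sample data the script reports br0 as a segment shared by userA and userB, which is exactly the cross-user ping described in the first post, while one-br-3 holds a single user's VM. Running it against the real brctl show output of a node after reconfiguring the virtual networks gives a quick check that the per-network bridges actually separate tenants.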