    Does intra-VM traffic leave the host?

      scottalanmiller @1337

      @Pete-S said in Does intra-VM traffic leave the host?:

      @scottalanmiller said in Does intra-VM traffic leave the host?:

      @Pete-S said in Does intra-VM traffic leave the host?:

      What I want to do is set ACLs in the hardware switch to limit intra-VM traffic. But that would only work if the traffic actually goes out to the hardware switch.

      That's a terrible design, think of what a huge bottleneck that would be. The ACL idea is great, but do that on the virtual switch instead.

      I had a look at doing just that with openvswitch (OVS) since that is installed by default in xcp-ng/xenserver and can also be installed on KVM.

      But it looks to be pretty complicated to accomplish compared to a normal hardware switch. It seems to be a part of OpenFlow / SDN in openvswitch.

      Far more common to see it there. It's pretty rare that people want L3 switching and ACLs inside of the backplane. It makes sense that you might want it, it's just pretty niche. I think most people opt to isolate workloads that they need talking onto a single backplane, and those that they want isolated on another. Or they just opt for ACLs on the individual hosts rather than the switch layer to handle that since they control the entire stack, it's not like an external physical device that they might not control.

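
What per-port ACLs on the virtual switch can look like in Open vSwitch, as an added example that is not part of the original thread: the script turns a small allow-list into flow lines that `ovs-ofctl add-flows` accepts. The policy format, the port numbers and the services are assumptions made up for the illustration, and the rules are stateless and filter only what a restricted VM sends.

```shell
#!/bin/sh
# Added example: build Open vSwitch flow lines from a per-port allow-list.
# Constructed policy, one rule per line:
#   <OpenFlow port of the VM's vif> <tcp|udp> <tp_src|tp_dst> <L4 port>
# Port numbers are the ones "ovs-ofctl show <bridge>" lists; these are made up.
SAMPLE_POLICY='
# appliance VM on port 5: may answer HTTPS and query DNS, nothing else
5 tcp tp_src 443
5 udp tp_dst 53
# unmanaged VM on port 7: may reach PostgreSQL only
7 tcp tp_dst 5432
'

# gen_flows: policy on stdin, flow lines on stdout.
# Returns non-zero and prints nothing if any rule is malformed.
gen_flows() {
    allow="" ports=" " nl='
'
    while read -r ofport proto field l4; do
        case "$ofport" in ''|\#*) continue ;; esac       # blank line or comment
        # Reject malformed rules outright so a typo never yields a partial table.
        case "$ofport" in *[!0-9]*) return 1 ;; esac
        case "$l4" in ''|*[!0-9]*) return 1 ;; esac
        [ "$l4" -ge 1 ] && [ "$l4" -le 65535 ] || return 1
        case "$proto" in tcp|udp) ;; *) return 1 ;; esac
        case "$field" in tp_src|tp_dst) ;; *) return 1 ;; esac
        allow="${allow}priority=100,in_port=$ofport,$proto,$field=$l4,actions=NORMAL$nl"
        # Remember each restricted port once, for its default-deny rule below.
        case "$ports" in *" $ofport "*) ;; *) ports="$ports$ofport " ;; esac
    done
    printf '%s' "$allow"
    for ofport in $ports; do
        echo "priority=90,in_port=$ofport,arp,actions=NORMAL"  # keep ARP working
        echo "priority=50,in_port=$ofport,actions=drop"        # default deny for this VM
    done
    echo "priority=0,actions=NORMAL"   # unlisted ports keep plain L2 switching
}

# To apply (needs Open vSwitch on the host; the bridge name is a placeholder):
#   gen_flows < policy.txt > flows.txt && ovs-ofctl add-flows <bridge> flows.txt
```
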
        scottalanmiller

        What's the use case here? Maybe there is another approach that would be effective?

          1337 @scottalanmiller

          @scottalanmiller said in Does intra-VM traffic leave the host?:

          What's the use case here? Maybe there is another approach that would be effective?

          Mostly isolate and allow some well-known traffic on appliance type VMs and VMs that we don't admin - without having to put each workload in its own subnet.

            scottalanmiller @1337

            @Pete-S said in Does intra-VM traffic leave the host?:

            @scottalanmiller said in Does intra-VM traffic leave the host?:

            What's the use case here? Maybe there is another approach that would be effective?

            Mostly isolate and allow some well-known traffic on appliance type VMs and VMs that we don't admin - without having to put each workload in its own subnet.

            Hmmm... I see why you might want it.
