Hi,
I have a plan of unifying the management of 4 separate PVE environments. Each server has a dual-port NIC, so would it be a "safe" setup to configure those boxes so that one physical NIC is reserved only for management traffic (SSH and HTTPS access to the host environment, and external backups) and the other interface handles all VM traffic?
To be more specific:
- Each management NIC (eth0) is connected to vmbr0 and has an IP address assigned. This should be the only route to the host.
- The other NIC (eth1) is configured with X VLAN interfaces (eth1.1, eth1.2, etc.) and each VLAN is connected to a bridge of its own. None of the VLAN interfaces or bridges has an IP address. Each bridge has N VEs (with IPs and MACs) connected.
- Each host has iptables rules set to drop all traffic between eth1.X and eth0 and between bridges. This may not even be necessary?
I know that to be 100% sure I should separate "sensitive" VLANs to different physical servers and allow management only via console, but that kind of arrangement is an impractical overkill right now.
- Mikael
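The layout described in the post, written out as an added example (not Mikael's configuration or anything from the PVE project): a shell script that emits the interfaces(5) stanzas for an IP-bearing vmbr0 on eth0 plus IP-less per-VLAN bridges on eth1, and an iptables-restore ruleset that lets SSH and the web UI in only via the management bridge. The management address 192.0.2.10/24, gateway 192.0.2.1 and web UI port 8006 are assumed values; pass the VLAN IDs as arguments.

```shell
#!/bin/sh
# Added example (not from the post): emit the interfaces(5) stanzas and an
# iptables-restore(8) ruleset for "eth0 = management only, eth1 = tagged VM VLANs".
# Assumed values: management IP 192.0.2.10/24, gateway 192.0.2.1, PVE web UI on 8006.
MGMT_IP=192.0.2.10; MGMT_MASK=255.255.255.0; MGMT_GW=192.0.2.1
# gen_interfaces VLAN_ID... -> vmbr0 carries the only host IP; each VM VLAN gets
# an IP-less bridge on eth1.<id> (bridge-utils creates the VLAN subinterface).
gen_interfaces() {
    cat <<EOF
auto vmbr0
iface vmbr0 inet static
    address $MGMT_IP
    netmask $MGMT_MASK
    gateway $MGMT_GW
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
EOF
    for id in "$@"; do
        cat <<EOF
# VLAN $id: tagged on eth1, no host address, so the host is not a hop for it
auto vmbr$id
iface vmbr$id inet manual
    bridge_ports eth1.$id
    bridge_stp off
    bridge_fd 0
EOF
    done
}
# gen_iptables VLAN_ID... -> host services answer only on the management bridge.
# Note: with no IP on the VM bridges the host never routes between them, so the
# FORWARD chain only matters if net.bridge.bridge-nf-call-iptables=1 (then it
# also filters bridged frames); the INPUT rules are what protect the host itself.
gen_iptables() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i vmbr0 -p tcp -m multiport --dports 22,8006 -j ACCEPT
EOF
    for id in "$@"; do
        echo "# nothing on the host is reachable from VM VLAN $id"
        echo "-A INPUT -i vmbr$id -j DROP"
    done
    echo COMMIT
}
```

Run `gen_interfaces 10 20 > /etc/network/interfaces.new` and `gen_iptables 10 20 | iptables-restore` after reviewing the output; the INPUT drops are what stop a VE on any VM VLAN from reaching the host's SSH or web UI, regardless of whether the bridge-to-bridge FORWARD rules are loaded.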