Posted to dev@vcl.apache.org by "Jeries, Ibrahim (Student)" <ib...@student.anglia.ac.uk> on 2011/10/24 07:02:57 UTC

Traffic isolation

Dear all,



Can VCL isolate virtual machines' traffic from one another?

I.e.: have "vm1" reserved and in an active session by one user.

       another "vm2" also reserved and in an active session by user 2

So how can one prevent user1 from seeing user2's traffic completely? For example, if the Windows net view command is used, not to show vm2; not to be able to ping vm2 or vice versa; and even if a network sniffer (Cain, Wireshark and the like) were to be deployed, not to be able to discover vm1 or any VMs used by other users.



Also, is it possible for a single user to reserve and use more than one machine simultaneously in the form of a single group? I.e.: vm1 being a Windows Server 2008, vm2 being a Windows 7 (client), in which a student can reserve and use both machines to practice setting up the Windows server as a domain controller with Active Directory, DNS, DHCP and so on, then join Windows 7 to the domain.



Many thanks,



Ibrahim

Re: Traffic isolation

Posted by James O'Dell <jo...@fullerton.edu>.

Hi,

To isolate the traffic within a switch-port/VLAN you may
want to look into building a private VLAN.
> http://en.wikipedia.org/wiki/Private_VLAN

That way, systems in the same switch/VLAN won't be able
to see anything but the uplink to the router.

__Jim


On 10/23/2011 10:02 PM, Jeries, Ibrahim (Student) wrote:
> Dear all,
> 
> 
> 
> Can VCL isolate virtual machines' traffic from one another?
> 
> I.e.: have "vm1" reserved and in an active session by one user.
> 
>        another "vm2" also reserved and in an active session by user 2
> 
> So how can one prevent user1 from seeing user2's traffic completely? For example, if the Windows net view command is used, not to show vm2; not to be able to ping vm2 or vice versa; and even if a network sniffer (Cain, Wireshark and the like) were to be deployed, not to be able to discover vm1 or any VMs used by other users.
> 
> 
> 
> Also, is it possible for a single user to reserve and use more than one machine simultaneously in the form of a single group? I.e.: vm1 being a Windows Server 2008, vm2 being a Windows 7 (client), in which a student can reserve and use both machines to practice setting up the Windows server as a domain controller with Active Directory, DNS, DHCP and so on, then join Windows 7 to the domain.
> 
> 
> 
> Many thanks,
> 
> 
> 
> Ibrahim
> 


-- 
Jim O'Dell
Network Analyst
California State University Fullerton
Email: jodell@fullerton.edu
Phone: (657) 278-2256
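
The private VLAN behaviour suggested in the reply above, modelled as an added example (not part of the thread and not VCL code). It goes slightly beyond the reply by also showing community ports, which would let one student's server and client VMs reach each other while staying hidden from everyone else; all port names and the secondary VLAN ids 201/202 are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # uplink to the router / gateway
    ISOLATED = "isolated"        # may talk to promiscuous ports only
    COMMUNITY = "community"      # may talk to own community + promiscuous


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    community: Optional[int] = None  # secondary VLAN id (community ports only)


def can_forward(src: Port, dst: Port) -> bool:
    """Layer-2 forwarding decision inside one primary VLAN."""
    if src == dst:
        return False
    # Promiscuous ports exchange frames with every port in the primary VLAN.
    if PortType.PROMISCUOUS in (src.kind, dst.kind):
        return True
    # Community ports reach only members of the same community.
    if src.kind is PortType.COMMUNITY and dst.kind is PortType.COMMUNITY:
        return src.community == dst.community
    # Isolated <-> isolated and isolated <-> community are dropped.
    return False


# Constructed sample topology (hypothetical names).
UPLINK = Port("router-uplink", PortType.PROMISCUOUS)
VM1 = Port("vm1", PortType.ISOLATED)              # user 1
VM2 = Port("vm2", PortType.ISOLATED)              # user 2
LAB_DC = Port("lab-dc", PortType.COMMUNITY, 201)      # student A, server
LAB_WIN7 = Port("lab-win7", PortType.COMMUNITY, 201)  # student A, client
OTHER_LAB = Port("other-lab", PortType.COMMUNITY, 202)  # student B
PORTS = [UPLINK, VM1, VM2, LAB_DC, LAB_WIN7, OTHER_LAB]


def reachability(ports):
    """Map each port name to the sorted names it may send frames to."""
    return {p.name: sorted(q.name for q in ports if can_forward(p, q))
            for p in ports}


if __name__ == "__main__":
    for name, peers in reachability(PORTS).items():
        print(f"{name:14} -> {', '.join(peers)}")
```

Private VLANs constrain layer-2 forwarding only; traffic that is routed back through the promiscuous uplink still needs an ACL or firewall rule on the router to keep the hosts apart at layer 3.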

RE: Traffic isolation

Posted by "Jeries, Ibrahim (Student)" <ib...@student.anglia.ac.uk>.
Aaron,
Many thanks for your advice, very helpful and exactly what I was looking for.
James, 
Many thanks for your advice too, I already have VLANs in place but was hoping for an automated solution that one can set and forget in a sense.

Regards,

Ibrahim

________________________________________
From: Aaron Peeler [aaron_peeler@ncsu.edu]
Sent: 24 October 2011 16:02
To: vcl-dev@incubator.apache.org
Cc: vcl-user@incubator.apache.org
Subject: Re: Traffic isolation

On Mon, Oct 24, 2011 at 1:02 AM, Jeries, Ibrahim (Student)
<ib...@student.anglia.ac.uk> wrote:
> Dear all,
>
>
>
> Can VCL isolate virtual machines' traffic from one another?
>
> I.e.: have "vm1" reserved and in an active session by one user.
>
>       another "vm2" also reserved and in an active session by user 2
>
> So how can one prevent user1 from seeing user2's traffic completely? For example, if the Windows net view command is used, not to show vm2; not to be able to ping vm2 or vice versa; and even if a network sniffer (Cain, Wireshark and the like) were to be deployed, not to be able to discover vm1 or any VMs used by other users.
>
>

This is at the network layer; VCL does not handle this level of
network separation.  Folks are accomplishing this with third-party
firewalls.


>
> Also, is it possible for a single user to reserve and use more than one machine simultaneously in the form of a single group? I.e.: vm1 being a Windows Server 2008, vm2 being a Windows 7 (client), in which a student can reserve and use both machines to practice setting up the Windows server as a domain controller with Active Directory, DNS, DHCP and so on, then join Windows 7 to the domain.
>
>

Yes, this is handled in the Manage Groups tool. Set the 'Max Overlapping
Reservations' variable to how many concurrent reservations you care to
allow for the user group this user is in.

Aaron


>
> Many thanks,
>
>
>
> Ibrahim
>



--
Aaron Peeler
Program Manager
Virtual Computing Lab
NC State University

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.



Re: Traffic isolation

Posted by Aaron Peeler <aa...@ncsu.edu>.
On Mon, Oct 24, 2011 at 1:02 AM, Jeries, Ibrahim (Student)
<ib...@student.anglia.ac.uk> wrote:
> Dear all,
>
>
>
> Can VCL isolate virtual machines' traffic from one another?
>
> I.e.: have "vm1" reserved and in an active session by one user.
>
>       another "vm2" also reserved and in an active session by user 2
>
> So how can one prevent user1 from seeing user2's traffic completely? For example, if the Windows net view command is used, not to show vm2; not to be able to ping vm2 or vice versa; and even if a network sniffer (Cain, Wireshark and the like) were to be deployed, not to be able to discover vm1 or any VMs used by other users.
>
>

This is at the network layer; VCL does not handle this level of
network separation.  Folks are accomplishing this with third-party
firewalls.


>
> Also, is it possible for a single user to reserve and use more than one machine simultaneously in the form of a single group? I.e.: vm1 being a Windows Server 2008, vm2 being a Windows 7 (client), in which a student can reserve and use both machines to practice setting up the Windows server as a domain controller with Active Directory, DNS, DHCP and so on, then join Windows 7 to the domain.
>
>

Yes, this is handled in the Manage Groups tool. Set the 'Max Overlapping
Reservations' variable to how many concurrent reservations you care to
allow for the user group this user is in.

Aaron


>
> Many thanks,
>
>
>
> Ibrahim
>



-- 
Aaron Peeler
Program Manager
Virtual Computing Lab
NC State University

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
