
I am sketching a network design for a KVM hosting site, preparing for hundreds of virtual guests. In our current design, every customer (no matter if physical or virtual) resides on their own VLAN to achieve isolation. We don't NAT on our firewall; all servers have public IPs (I guess I'm to blame for the IPv4 shortage ;).

What strikes me is that even fairly expensive gigabit switches from Cisco, like the Catalyst 2960 series, are capable of only 255 VLANs. This is likely to become a bottleneck. I figure I could let the KVM host node be in charge of a /20 network, and let it subnet it into really small networks (/30, /29 etc.). Would that be the best approach? Would it make sense to have each guest on their own VLAN interface of the host node?

A few facts
* Cisco switches
* Got a /20 network to use.

Thanks in advance,

3molo

1 Answer


Normally, providing every user with a separate VLAN can be REALLY wasteful. Instead, provide them with small subnets, and if you run out, expand to another VLAN where you can start over.

If all those IPs have to be public, then you know exactly how many subnets you can sell.

Now, what exactly does it have to do with KVM? This seems like a simple hosting provider architecture planning question.

dyasny
  • True, removed the KVM tags. Our central ASA has every VLAN configured on a VLAN interface, around 60 VLAN interfaces today. To be able to use multiple small subnets on the same interface in the ASA, I would use only one VLAN and then somehow configure multiple subnets for a single interface of the ASA? – 3molo Jan 26 '11 at 14:22
  • Can you elaborate on what the waste with one vlan per virtual server is? – 3molo Jan 26 '11 at 14:28
  • Well, why give a user an entire network, when you can limit them to a small range, and if they want full networks, they should set up private subnets with private addresses and NAT. – dyasny Jan 26 '11 at 15:09
  • Entire networks? The customers are often given a /30 or /29, which is tied to a VLAN interface of the ASA firewall. I don't see the waste. – 3molo Jan 27 '11 at 10:19
  • Ah, I thought you were keeping the users inside an entire private network, restricted to a VLAN, nm then. – dyasny Jan 27 '11 at 10:35
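The capacity arithmetic behind the question (carving a /20 into /30 or /29 customer subnets against a 255-VLAN ceiling) and the answer's suggestion (several small subnets per VLAN, rolling to a new VLAN when one fills up) can be checked with a short planner. This is an added example, not code from the thread or from either poster; it assumes a constructed 198.18.0.0/20 in place of the asker's real /20, VLAN ids starting at 100, and that the firewall's VLAN interface consumes one address per customer subnet as the gateway.

```python
"""Capacity planning for per-customer subnets carved from a /20.

Added example, not from the thread. Constructed inputs: 198.18.0.0/20
(benchmarking space) stands in for the asker's real /20, VLAN ids start
at 100, and the VLAN ceiling is the 255 the question quotes for the
Catalyst 2960.
"""
import ipaddress

SUPERNET = ipaddress.ip_network("198.18.0.0/20")   # constructed stand-in
MAX_VLANS = 255                                    # per the question
FIRST_VLAN_ID = 100                                # assumption


def customer_subnets(supernet, prefixlen):
    """All subnets of the given prefix length inside supernet, in order."""
    return list(supernet.subnets(new_prefix=prefixlen))


def usable_hosts(subnet):
    """Addresses a customer can actually assign to machines.

    Network and broadcast addresses are unusable, and the firewall's VLAN
    interface (the ASA in the thread) takes one more as the gateway.
    """
    return max(subnet.num_addresses - 3, 0)


def plan_vlans(supernet, prefixlen, subnets_per_vlan, max_vlans=MAX_VLANS):
    """Assign customer subnets to VLANs, subnets_per_vlan per VLAN.

    A new VLAN is started whenever the current one is full (the answer's
    'expand to another VLAN'). Returns {vlan_id: [subnets]} and raises if
    the switch's VLAN ceiling would be exceeded.
    """
    if subnets_per_vlan < 1:
        raise ValueError("subnets_per_vlan must be at least 1")
    vlans = {}
    for i, subnet in enumerate(customer_subnets(supernet, prefixlen)):
        vlan_id = FIRST_VLAN_ID + i // subnets_per_vlan
        vlans.setdefault(vlan_id, []).append(subnet)
    if len(vlans) > max_vlans:
        raise ValueError(
            f"{len(vlans)} VLANs needed, switch supports {max_vlans}")
    return vlans


def customers_served(supernet, prefixlen, subnets_per_vlan,
                     max_vlans=MAX_VLANS):
    """How many customer subnets can be handed out before either the
    address space or the VLAN ceiling runs out."""
    available = len(customer_subnets(supernet, prefixlen))
    return min(available, max_vlans * subnets_per_vlan)


def stranded_addresses(supernet, prefixlen, subnets_per_vlan,
                       max_vlans=MAX_VLANS):
    """Addresses of the supernet left unusable because the VLAN ceiling
    is hit before the address space is exhausted."""
    served = customers_served(supernet, prefixlen, subnets_per_vlan,
                              max_vlans)
    subnet_size = 2 ** (supernet.max_prefixlen - prefixlen)
    return supernet.num_addresses - served * subnet_size


if __name__ == "__main__":
    for prefix in (30, 29):
        first = customer_subnets(SUPERNET, prefix)[0]
        print(f"/{prefix}: {len(customer_subnets(SUPERNET, prefix))} subnets, "
              f"{usable_hosts(first)} usable host address(es) each")
        for per_vlan in (1, 4, 8):
            print(f"  {per_vlan} subnet(s) per VLAN: "
                  f"{customers_served(SUPERNET, prefix, per_vlan)} customers, "
                  f"{stranded_addresses(SUPERNET, prefix, per_vlan)} addresses stranded")
```

With one /29 per VLAN the switch limit caps the site at 255 customers and strands half of the /20; with four /29s per VLAN the whole /20 (512 customers) fits in 128 VLANs. The planner only counts; how a given firewall serves several subnets on one interface is a separate question the thread leaves open.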