> > My question is this: what's best practices for making sure that a switch > VLAN misconfiguration issue, a cabling to the wrong port, etc. doesn't > compromise the KVM server itself? Not sure about best practice. But what about using a macvtap. That by default does not allow host communication and only allows the guests connected to the same master to communicate with each other. > How do I allow my KVM server to *not* be on "external", but some of its > guests to be, without compromising security? Do not configure the interface with an ip address on the host, and make sure you do not have daemons binding to 0.0.0.0 on the host.