[libvirt-users] What's the best way to make use of VLAN interfaces with VMs?
Richard Achmatowicz
rachmato at redhat.com
Fri Nov 29 17:15:32 UTC 2019
Hi Laine
What you have suggested sounds eminently reasonable. Thanks for your
advice. I'm going to give it a shot and report back.
Richard
On 11/27/19 1:38 PM, Laine Stump wrote:
> On 11/26/19 11:07 PM, Richard Achmatowicz wrote:
>> Hello
>>
>> I have a problem with attaching VMs to a VLAN interface.
>>
>> Here is my setup: I have several physical hosts connected by a
>> physical switch. Each host has two NICs leading to the switch, which
>> have been combined into a team, team0. Each host a has a bridge br1,
>> which has team0 as a slave. So communication between hosts is based
>> on the IP address of bridge br1 on each host.
>>
>> Up until recently, using libvirt and KVM, I was creating VMs which
>> had one interface attached the default virtual network and one
>> interface attached to the bridge:
>>
>> virt-install ... --network network=default --network bridge=br1 ...
>>
>> I would then statically assign an IP address to the bridge interface
>> on the guest when installing the OS.
>>
>> A few days ago, a VLAN was introduced to split up the network. I
>> created a new VLAN interface br1.600 on each of the hosts. My initial
>> attempt was to do try this:
>>
>> virt-install ... --network network=default --network bridge=br1.600 ...
>>
>> which did not work. It then dawned on me that a VLAN interface and a
>> bridge aren't treated the same. So I started to look for ways to
>> allow my VMs to bind to this new interface.
>>
>> This would seem to be a common situation. What is the best way to
>> work around this?
>>
>> Both the host bridge and the host VLAN interface already have their
>> assigned IP addresses and appear like this in libvirt:
>>
>> [root at clusterdev01 ]# ifconfig
>> br1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>> inet 192.168.0.110 netmask 255.255.255.0 broadcast
>> 192.168.0.255
>> inet6 fe80::1e98:ecff:fe1b:276d prefixlen 64 scopeid
>> 0x20<link>
>> ether 1c:98:ec:1b:27:6d txqueuelen 1000 (Ethernet)
>> RX packets 833772 bytes 2976958254 (2.7 GiB)
>> RX errors 0 dropped 0 overruns 0 frame 0
>> TX packets 331237 bytes 23335124 (22.2 MiB)
>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>> br1.600: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>> inet 192.168.1.110 netmask 255.255.255.0 broadcast
>> 192.168.1.255
>> inet6 fe80::1e98:ecff:fe1b:276d prefixlen 64 scopeid
>> 0x20<link>
>> ether 1c:98:ec:1b:27:6d txqueuelen 1000 (Ethernet)
>> RX packets 189315 bytes 9465744 (9.0 MiB)
>> RX errors 0 dropped 0 overruns 0 frame 0
>> TX packets 302 bytes 30522 (29.8 KiB)
>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>> [root at clusterdev01]# virsh iface-list --all
>> Name State MAC Address
>> ---------------------------------------------------
>> br1 active 1c:98:ec:1b:27:6d
>> br1.600 active 1c:98:ec:1b:27:6d
>>
>> [root at clusterdev01 sysadmin]# virsh iface-dumpxml br1.600
>> <interface type='vlan' name='br1.600'>
>> <protocol family='ipv4'>
>> <ip address='192.168.1.110' prefix='24'/>
>> </protocol>
>> <protocol family='ipv6'>
>> <ip address='fe80::1e98:ecff:fe1b:276d' prefix='64'/>
>> </protocol>
>> <link state='up'/>
>> <vlan tag='600'>
>> <interface name='br1'/>
>> </vlan>
>> </interface>
>>
>> I tried following some suggestions which wrapped the vlan interface
>> in a bridge interface, but in ended up trashing the br1.600 interface
>> which was originally defined on the host.
>>
>> Is there a failsafe way to deal with such a situation? Am I doing
>> something completely wrong here? In would like br1.600 to behave like
>> br1 .....
>>
>> Any suggestions or advice greatly appreciated.
>
>
> I guess what you need is for all the traffic from your guests to go
> out on the physical network tagged with vlan id 600, and you want that
> to be transparent to the guests, right?
>
> The simplest way to handle this is to create a vlan interface off of
> the ethernet that you have attached to br1 (not br1 itself), so it
> would be named something like "eth0.600", and then create a new bridge
> (call it, say "br600") and attach eth0.600 to br600. Then your guests
> would be created with "--network bridge=br600"
>
> (Note that Linux host bridges do now support vlan tagging (and maybe
> even trunking) at the port level, but libvirt hasn't added support for
> it. (in other words, "Patches Welcome!" :-))
>
More information about the libvirt-users
mailing list