xuanyuanaosheng commented on issue #7930: URL: https://github.com/apache/cloudstack/issues/7930#issuecomment-1706262502
@levindecaro Thanks for your reply. I have followed your guidance and modified the network configuration to:

```
# cat ifcfg-eno1
TYPE=Ethernet
BOOTPROTO=none
NAME=eno1
UUID=a1420bd0-2cbe-45b4-b92e-7ba22aa148ef
DEVICE=eno1
ONBOOT=yes

# cat ifcfg-eno1.2128
NAME=eno1.2128
DEVICE=eno1.2128
ONBOOT=yes
HOTPLUG=no
BOOTPROTO=none
VLAN=yes
BRIDGE=cloudbr0

# cat ifcfg-cloudbr0
NAME=cloudbr0
DEVICE=cloudbr0
TYPE=BRIDGE
BOOTPROTO=none
ONBOOT=yes
IPADDR=10.26.128.22
GATEWAY=10.26.128.254
NETMASK=255.255.255.0
HOTPLUG=no
DELAY=5
STP=no

-------------------------------------------------------------------------------------

# cat ifcfg-eno2
TYPE=Ethernet
BOOTPROTO=none
NAME=eno2
UUID=d8d48df8-95f5-43af-afc5-433fc81f322e
DEVICE=eno2
ONBOOT=yes

# cat ifcfg-eno2.2230
NAME=eno2.2230
DEVICE=eno2.2230
ONBOOT=yes
HOTPLUG=no
VLAN=yes
BOOTPROTO=static
IPADDR=10.71.231.42
NETMASK=255.255.255.0
```

Now the hosts' network config:

```
             |---------------- cloudbr0: 10.26.128.22 ( VLAN 2128)
kvm001 ------
             |---------------- eno2.2230: 10.71.231.42 ( VLAN 2230)

             |---------------- cloudbr0: 10.26.128.23 ( VLAN 2128)
kvm002 ------
             |---------------- eno2.2230: 10.71.231.43 ( VLAN 2230)

             |---------------- cloudbr0: 10.26.128.25 ( VLAN 2128)
kvm003 ------
             |---------------- eno2.2230: 10.71.231.41 ( VLAN 2230)
```

Now the guest VXLAN network is bound to a VLAN NIC, `eno2.2230`, and the VLAN interface should be assigned a private IP (10.71.231.42, 10.71.231.41, 10.71.231.43) to do multicast with the peer hosts, and they can ping each other using `eno2.2230`.

The zone set is

The hosts can ping each other using `eno2.2230`:

```
[root@kvm001 ~]# ping -I eno2.2230 10.71.231.41
PING 10.71.231.41 (10.71.231.41) from 10.71.231.42 eno2.2230: 56(84) bytes of data.
64 bytes from 10.71.231.41: icmp_seq=1 ttl=64 time=0.161 ms
64 bytes from 10.71.231.41: icmp_seq=2 ttl=64 time=0.177 ms
64 bytes from 10.71.231.41: icmp_seq=3 ttl=64 time=0.178 ms
^C
--- 10.71.231.41 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2027ms
rtt min/avg/max/mdev = 0.161/0.172/0.178/0.007 ms

[root@kvm001 ~]# ping -I eno2.2230 10.71.231.43
PING 10.71.231.43 (10.71.231.43) from 10.71.231.42 eno2.2230: 56(84) bytes of data.
64 bytes from 10.71.231.43: icmp_seq=1 ttl=64 time=0.239 ms
64 bytes from 10.71.231.43: icmp_seq=2 ttl=64 time=0.221 ms
^C
--- 10.71.231.43 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1025ms
rtt min/avg/max/mdev = 0.221/0.230/0.239/0.009 ms
```

The hosts have been configured with:

```
Linux only configures enough IGMP memberships for 20 VXLAN networks.

Run this -
echo 100 >/proc/sys/net/ipv4/igmp_max_memberships

And change permanent by adding this to sysctl.conf -
net.ipv4.igmp_max_memberships = 100
```

The hosts have been configured with:

```
iptables -I INPUT -p udp -m udp --dport 8472 -j ACCEPT
iptables -A INPUT -s 224.0.0.0/4 -j ACCEPT
iptables -A FORWARD -s 224.0.0.0/4 -d 224.0.0.0/4 -j ACCEPT
iptables -A OUTPUT -d 224.0.0.0/4 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
```

Now the host iptables on kvm002:

```
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.8.4 on Mon Sep 4 12:19:22 2023
*filter
:INPUT ACCEPT [296573:1195510000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [300735:351478871]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWX - [0:0]
-A INPUT -p udp -m udp --dport 8472 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:49216 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
-A INPUT -j LIBVIRT_INP
-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16509 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -s 224.0.0.0/4 -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
COMMIT
# Completed on Mon Sep 4 12:19:22 2023
# Generated by iptables-save v1.8.4 on Mon Sep 4 12:19:22 2023
*security
:INPUT ACCEPT [368423:2248850292]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [300741:351481031]
COMMIT
# Completed on Mon Sep 4 12:19:22 2023
# Generated by iptables-save v1.8.4 on Mon Sep 4 12:19:22 2023
*raw
:PREROUTING ACCEPT [371554:2249164792]
:OUTPUT ACCEPT [300741:351481031]
COMMIT
# Completed on Mon Sep 4 12:19:22 2023
# Generated by iptables-save v1.8.4 on Mon Sep 4 12:19:22 2023
*mangle
:PREROUTING ACCEPT [371554:2249164792]
:INPUT ACCEPT [368423:2248850292]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [300741:351481031]
:POSTROUTING ACCEPT [300780:351485545]
COMMIT
# Completed on Mon Sep 4 12:19:22 2023
# Generated by iptables-save v1.8.4 on Mon Sep 4 12:19:22 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Sep 4 12:19:22 2023

---------------------------------

# iptables -L
Chain INPUT (policy ACCEPT)
target       prot opt source                     destination
ACCEPT       udp  --  anywhere                   anywhere                   udp dpt:otv
ACCEPT       tcp  --  anywhere                   anywhere                   tcp dpts:49152:49216
ACCEPT       tcp  --  anywhere                   anywhere                   tcp dpts:rfb:synchronet-db
LIBVIRT_INP  all  --  anywhere                   anywhere
ACCEPT       tcp  --  anywhere                   anywhere                   tcp dpt:16514
ACCEPT       tcp  --  anywhere                   anywhere                   tcp dpt:16509
ACCEPT       tcp  --  anywhere                   anywhere                   tcp dpt:ssh
ACCEPT       all  --  base-address.mcast.net/4   anywhere

Chain FORWARD (policy ACCEPT)
target       prot opt source                     destination
LIBVIRT_FWX  all  --  anywhere                   anywhere
LIBVIRT_FWI  all  --  anywhere                   anywhere
LIBVIRT_FWO  all  --  anywhere                   anywhere
ACCEPT       all  --  base-address.mcast.net/4   base-address.mcast.net/4

Chain OUTPUT (policy ACCEPT)
target       prot opt source                     destination
LIBVIRT_OUT  all  --  anywhere                   anywhere
ACCEPT       all  --  anywhere                   base-address.mcast.net/4

Chain LIBVIRT_INP (1 references)
target       prot opt source                     destination

Chain LIBVIRT_OUT (1 references)
target       prot opt source                     destination

Chain LIBVIRT_FWO (1 references)
target       prot opt source                     destination

Chain LIBVIRT_FWI (1 references)
target       prot opt source                     destination

Chain LIBVIRT_FWX (1 references)
target       prot opt source                     destination
```

According to this configuration, the current situation is still the same as before. Any ideas?
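
An added example, not part of the original comment or of CloudStack: a small Python audit of an `iptables-save` dump like the one posted for kvm002. It flags three things visible in that ruleset: an INPUT policy of ACCEPT, ACCEPT rules that match 224.0.0.0/4 as a source (multicast addresses are only valid as destinations), and UDP 8472 accepted without an interface or source restriction. The `audit` function, its finding codes and the zeroed-counter sample are constructed for illustration.

```python
import ipaddress
import shlex

MCAST = ipaddress.ip_network("224.0.0.0/4")

# Constructed sample: a subset of the kvm002 *filter table, counters zeroed.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_INP - [0:0]
-A INPUT -p udp -m udp --dport 8472 -j ACCEPT
-A INPUT -j LIBVIRT_INP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
COMMIT
"""

def audit(dump, vxlan_port="8472"):
    """Return (line_no, code, message) findings for the *filter table."""
    findings, table = [], None
    for n, line in enumerate(dump.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):        # chain declaration with its policy
            chain, policy = line[1:].split()[:2]
            if chain == "INPUT" and policy == "ACCEPT":
                findings.append((n, "default-accept",
                                 "INPUT accepts whatever no rule drops"))
        elif line.startswith("-A "):
            tok = shlex.split(line)
            # Map each option to the token that follows it (-s, -i, --dport, -j).
            opt = {k: v for k, v in zip(tok, tok[1:]) if k.startswith("-")}
            if opt.get("-j") != "ACCEPT":
                continue
            src = opt.get("-s")
            if src and ipaddress.ip_network(src, strict=False).subnet_of(MCAST):
                findings.append((n, "mcast-source",
                                 "multicast range is only valid as a destination; use -d"))
            if (opt["-A"] == "INPUT" and opt.get("--dport") == vxlan_port
                    and not src and "-i" not in opt):
                findings.append((n, "vxlan-any-source",
                                 "unauthenticated VXLAN accepted from any peer"))
    return findings

if __name__ == "__main__":
    for n, code, msg in audit(SAMPLE):
        print(f"line {n}: {code}: {msg}")
```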