Re: Untagged Networking for Advanced Zone possible?

2018-04-09 Thread Dag Sonstebo

Re: Untagged Networking for Advanced Zone possible?

2018-04-08 Thread Parth Patel

Re: Untagged Networking for Advanced Zone possible?

2018-04-06 Thread Dag Sonstebo

Re: Untagged Networking for Advanced Zone possible?

2018-04-06 Thread Parth Patel
Hi Dag,

Thank you for guiding me, I know it's a weird use case and probably would
never be required in a production environment. I will definitely try to
make a dummy interface and give it to the guest network target bridge. I
know it would be out of the scope of this email trail for you to explain to me
tagged and untagged networking in L2 and L3 networks, but I would search
around the internet and ping this thread if I'm again stuck at some
specific issue after I reach my university's lab. Appreciate your help.

Thanks,
Parth Patel

On Fri, 6 Apr 2018 at 17:06 Dag Sonstebo <dag.sonst...@shapeblue.com> wrote:

> Hi Parth,
>
> Take a look through the full email trail – I think we discussed this
> earlier on. In short the answer is no – by definition you cannot run
> completely untagged isolated networks in an advanced zone – but “tagged”
> means different things for L2 and L3 isolation. The real answer - “it
> depends” – an advanced zone always relies on some sort of guest network
> isolation, which in its simplest form equates to L2 VLANs. If you were to
> invest time, effort and money into an SDN solution like Nuage or Nicira/NSX
> you could potentially get around it – but complexity and cost goes up. You
> could have a play with something like GRE tunnelling (L3) – but in my
> experience this doesn’t scale well, eats a ton of CPU cycles and may not be
> fit for purpose. Again you are looking at a more complex solution.
>
> Regarding the dummy network interface it looks to me like a simple module
> install and configuration – see e.g.
> https://www.question-defense.com/2012/11/26/linux-create-fake-ethernet-interface .
> Not my post and I can’t vouch for its validity – but the process seems
> straightforward:
>
> [root@kvm1 hooks]# lsmod | grep dummy
> [root@kvm1 hooks]# modprobe dummy
> [root@kvm1 hooks]# lsmod | grep dummy
> dummy   2714  0
> [root@kvm1 hooks]# ip link set name eth99 dev dummy0
> [root@kvm1 hooks]# ifconfig eth99
> eth99 Link encap:Ethernet  HWaddr 92:BF:A6:30:20:3E
>   BROADCAST NOARP  MTU:1500  Metric:1
>   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>   TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>   collisions:0 txqueuelen:0
>   RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
>
> Dag Sonstebo
> Cloud Architect
> ShapeBlue
>
>
> dag.sonst...@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>
>
> On 06/04/2018, 11:45, "Parth Patel" <parthpatel2...@gmail.com> wrote:
>
> Hi Dag,
>
> Thanks for the response. I am currently looking into VLANs and network
> configuration for my case. But I want to know one thing: are "untagged"
> VLAN networks sufficient for an advanced zone to function with two
> networks? I did not state I do not want to use VLANs for networking
> but I
> wanted to know if ACS advanced zone would function if VLANs are
> untagged?
> (The network router/switch did not support them). According to my
> knowledge
> I would have to dig much deeper into kernel files to provide a dummy
> interface as systemctl restart network would not function properly,
> still
> appreciate the advice. I will look into this more and see what I can do
> with it.
>
> Thanks,
> Parth Patel
>
> On Fri, 6 Apr 2018 at 13:59 Dag Sonstebo <dag.sonst...@shapeblue.com>
> wrote:
>
> > Hi Parth,
> >
> > Keep in mind you are in uncharted waters – so there may be some
> > stumbling blocks before you get this to work.
> >
> > I suspect what you have to do is change cloudbr1 such that it is
> backed by
> > a fake or dummy ethernet interface. What seems to happen is the agent
> > script looks for the network device backing the bridge rather than
> the
> > bridge itself.
> > This would mean your setup is like this:
> >
> >  Physical eth0 -> cloudbr0 > handles management and public
> >  Dummy eth1 -> cloudbr1 > handles isolated guest traffic and allows
> for
> > isolated VLANs internally on the host
> >
> > Keep in mind the context here – you have stated you don’t want VLANs
> > traversing your physical network, hence we are trying to get this
> working
> > on a single host only. How you configure your IP ranges for
> management and
> > public is something you need to experiment with and see what works
> for you.
> >
> > Regards,
> > Dag Sonstebo
> > Cloud Architect
> > ShapeBlue
> >
> > From: Parth 

Re: Untagged Networking for Advanced Zone possible?

2018-04-06 Thread Dag Sonstebo
Hi Parth,

Take a look through the full email trail – I think we discussed this earlier 
on. In short the answer is no – by definition you cannot run completely 
untagged isolated networks in an advanced zone – but “tagged” means different 
things for L2 and L3 isolation. The real answer - “it depends” – an advanced 
zone always relies on some sort of guest network isolation, which in its 
simplest form equates to L2 VLANs. If you were to invest time, effort and money 
into an SDN solution like Nuage or Nicira/NSX you could potentially get around 
it – but complexity and cost goes up. You could have a play with something like 
GRE tunnelling (L3) – but in my experience this doesn’t scale well, eats a ton 
of CPU cycles and may not be fit for purpose. Again you are looking at a more 
complex solution.

Regarding the dummy network interface it looks to me like a simple module 
install and configuration – see e.g. 
https://www.question-defense.com/2012/11/26/linux-create-fake-ethernet-interface .
Not my post and I can’t vouch for its validity – but the process seems 
straightforward:

[root@kvm1 hooks]# lsmod | grep dummy
[root@kvm1 hooks]# modprobe dummy
[root@kvm1 hooks]# lsmod | grep dummy
dummy   2714  0
[root@kvm1 hooks]# ip link set name eth99 dev dummy0
[root@kvm1 hooks]# ifconfig eth99
eth99 Link encap:Ethernet  HWaddr 92:BF:A6:30:20:3E
  BROADCAST NOARP  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


Dag Sonstebo
Cloud Architect
ShapeBlue


dag.sonst...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue

On 06/04/2018, 11:45, "Parth Patel" <parthpatel2...@gmail.com> wrote:

Hi Dag,

Thanks for the response. I am currently looking into VLANs and network
configuration for my case. But I want to know one thing: are "untagged"
VLAN networks sufficient for an advanced zone to function with two
networks? I did not state I do not want to use VLANs for networking but I
wanted to know if ACS advanced zone would function if VLANs are untagged?
(The network router/switch did not support them). According to my knowledge
I would have to dig much deeper into kernel files to provide a dummy
interface as systemctl restart network would not function properly, still
appreciate the advice. I will look into this more and see what I can do
with it.

Thanks,
Parth Patel

On Fri, 6 Apr 2018 at 13:59 Dag Sonstebo <dag.sonst...@shapeblue.com> wrote:

> Hi Parth,
>
> Keep in mind you are in uncharted waters – so there may be some
> stumbling blocks before you get this to work.
>
> I suspect what you have to do is change cloudbr1 such that it is backed by
> a fake or dummy ethernet interface. What seems to happen is the agent
> script looks for the network device backing the bridge rather than the
> bridge itself.
> This would mean your setup is like this:
>
>  Physical eth0 -> cloudbr0 > handles management and public
>  Dummy eth1 -> cloudbr1 > handles isolated guest traffic and allows for
> isolated VLANs internally on the host
>
> Keep in mind the context here – you have stated you don’t want VLANs
> traversing your physical network, hence we are trying to get this working
> on a single host only. How you configure your IP ranges for management and
> public is something you need to experiment with and see what works for you.
>
> Regards,
> Dag Sonstebo
> Cloud Architect
> ShapeBlue
>
> From: Parth Patel <parthpatel2...@gmail.com>
> Reply-To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>
> Date: Friday, 6 April 2018 at 07:30
> To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>
> Subject: Re: Untagged Networking for Advanced Zone possible?
>
> Hi Dag,
>
> When I tried your method and created a NIC-less bridge, following are the
> contents of my ifcfg-* network files:
>
> ifcfg-cloudbr0:
> TYPE=Bridge
> PROXY_METHOD=none
> BROWSER_ONLY=no
> BOOTPROTO=none
> DEFROUTE=yes
> IPV4_FAILURE_FATAL=no
> NAME=cloudbr0
> UUID=25aabe73-8e11-408f-a4ec-c03b26d3aa6e
> DEVICE=cloudbr0
> ONBOOT=yes
> IPADDR=172.16.20.13
> PREFIX=16
> GATEWAY=172.16.0.1
> DNS1=8.8.8.8
> DNS2=172.16.0.1
> NM_CONTROLLED=no
>
> ifcfg-cloudbr1:
> TYPE=Bridge
> IPV4_FAILURE_FATAL=no
> NAME=cloudbr1
> UUID=25aabe73

Re: Untagged Networking for Advanced Zone possible?

2018-04-06 Thread Parth Patel
Hi Dag,

Thanks for the response. I am currently looking into VLANs and network
configuration for my case. But I want to know one thing: are "untagged"
VLAN networks sufficient for an advanced zone to function with two
networks? I did not state I do not want to use VLANs for networking but I
wanted to know if ACS advanced zone would function if VLANs are untagged?
(The network router/switch did not support them). According to my knowledge
I would have to dig much deeper into kernel files to provide a dummy
interface as systemctl restart network would not function properly, still
appreciate the advice. I will look into this more and see what I can do
with it.

Thanks,
Parth Patel

On Fri, 6 Apr 2018 at 13:59 Dag Sonstebo <dag.sonst...@shapeblue.com> wrote:

> Hi Parth,
>
> Keep in mind you are in uncharted waters – so there may be some
> stumbling blocks before you get this to work.
>
> I suspect what you have to do is change cloudbr1 such that it is backed by
> a fake or dummy ethernet interface. What seems to happen is the agent
> script looks for the network device backing the bridge rather than the
> bridge itself.
> This would mean your setup is like this:
>
>  Physical eth0 -> cloudbr0 > handles management and public
>  Dummy eth1 -> cloudbr1 > handles isolated guest traffic and allows for
> isolated VLANs internally on the host
>
> Keep in mind the context here – you have stated you don’t want VLANs
> traversing your physical network, hence we are trying to get this working
> on a single host only. How you configure your IP ranges for management and
> public is something you need to experiment with and see what works for you.
>
> Regards,
> Dag Sonstebo
> Cloud Architect
> ShapeBlue
>
> From: Parth Patel <parthpatel2...@gmail.com>
> Reply-To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>
> Date: Friday, 6 April 2018 at 07:30
> To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>
> Subject: Re: Untagged Networking for Advanced Zone possible?
>
> Hi Dag,
>
> When I tried your method and created a NIC-less bridge, following are the
> contents of my ifcfg-* network files:
>
> ifcfg-cloudbr0:
> TYPE=Bridge
> PROXY_METHOD=none
> BROWSER_ONLY=no
> BOOTPROTO=none
> DEFROUTE=yes
> IPV4_FAILURE_FATAL=no
> NAME=cloudbr0
> UUID=25aabe73-8e11-408f-a4ec-c03b26d3aa6e
> DEVICE=cloudbr0
> ONBOOT=yes
> IPADDR=172.16.20.13
> PREFIX=16
> GATEWAY=172.16.0.1
> DNS1=8.8.8.8
> DNS2=172.16.0.1
> NM_CONTROLLED=no
>
> ifcfg-cloudbr1:
> TYPE=Bridge
> IPV4_FAILURE_FATAL=no
> NAME=cloudbr1
> UUID=25aabe73-8e11-408f-a4ec-c03b26d3aa6e
> DEVICE=cloudbr1
> ONBOOT=yes
> NM_CONTROLLED=no
>
> ifcfg-eno1:
> TYPE=Ethernet
> PROXY_METHOD=none
> BROWSER_ONLY=no
> BOOTPROTO=none
> DEFROUTE=yes
> IPV4_FAILURE_FATAL=no
> NAME=eno1
> UUID=25aabe73-8e11-408f-a4ec-c03b26d3aa6e
> DEVICE=eno1
> ONBOOT=yes
> IPADDR=172.16.20.13
> PREFIX=16
> GATEWAY=172.16.0.1
> DNS1=8.8.8.8
> DNS2=172.16.0.1
> NM_CONTROLLED=no
> BRIDGE=cloudbr0
>
> brctl show output:
> [root@srvr3 ~]# brctl show
> bridge name  bridge id          STP enabled  interfaces
> cloud0       8000.              no
> cloudbr0     8000.3464a92a09f3  no           eno1
> cloudbr1     8000.              no
> virbr0       8000.5254002dabdb  yes          virbr0-nic
>
>
>
> when adding a host in advanced zone it shows the following error: Could
> not find network 'cloudbr1'
>
> 2018-04-04 02:03:11,887 DEBUG [c.c.u.s.SSHCmdHelper]
> (qtp510113906-14:ctx-707b53e5 ctx-8d49ccb3) (logid:dff92f23) Executing cmd:
> /usr/share/cloudstack-common/scripts/util/keystore-cert-import
> /etc/cloudstack/agent/agent.properties /etc/cloudstack/agent/
> 2018-04-04 02:03:15,686 DEBUG [c.c.h.k.d.LibvirtServerDiscoverer]
> (qtp510113906-14:ctx-707b53e5 ctx-8d49ccb3) (logid:dff92f23) Succeeded to
> import certificate in the keystore for agent on the KVM host: 172.16.20.13.
> Agent secured and trusted.
> 2018-04-04 02:03:15,688 DEBUG [c.c.u.s.SSHCmdHelper]
> (qtp510113906-14:ctx-707b53e5 ctx-8d49ccb3) (logid:dff92f23) Executing cmd:
> cloudstack-setup-agent  -m 172.16.20.13 -z 1 -p 1 -c 1 -g
> 1fd67886-c5d9-3464-ac73-46689258b34e -a --pubNic=cloudbr0 --prvNic=cloudbr0
> --guestNic=cloudbr1 --hypervisor=kvm
> 2018-04-04 02:03:19,674 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl]
> (AsyncJobMgr-Heartbeat-1:ctx-af4b26a6) (logid:4c5c40d4) Begin cleanup
> expired async-jobs
> 2018-04-04 02:03:19,683 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl]
> (AsyncJobMgr-Heartbeat-1:ctx-af4b26a6) (logid:4c5c40d4) End cleanup expired
> async-jobs
> 2018-04-04 02:03:20,022 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
> (RouterStatusMonitor-1:ctx-f1d46df0) (logid:a021

Re: Untagged Networking for Advanced Zone possible?

2018-04-06 Thread Dag Sonstebo
Hi Parth,

Keep in mind you are in uncharted waters – so there may be some stumbling 
blocks before you get this to work.

I suspect what you have to do is change cloudbr1 such that it is backed by a 
fake or dummy ethernet interface. What seems to happen is the agent script 
looks for the network device backing the bridge rather than the bridge itself.
This would mean your setup is like this:

 Physical eth0 -> cloudbr0 > handles management and public
 Dummy eth1 -> cloudbr1 > handles isolated guest traffic and allows for 
isolated VLANs internally on the host

Keep in mind the context here – you have stated you don’t want VLANs traversing 
your physical network, hence we are trying to get this working on a single host 
only. How you configure your IP ranges for management and public is something 
you need to experiment with and see what works for you.

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue

From: Parth Patel <parthpatel2...@gmail.com>
Reply-To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>
Date: Friday, 6 April 2018 at 07:30
To: "users@cloudstack.apache.org" <users@cloudstack.apache.org>
Subject: Re: Untagged Networking for Advanced Zone possible?

Hi Dag,

When I tried your method and created a NIC-less bridge, following are the 
contents of my ifcfg-* network files:

ifcfg-cloudbr0:
TYPE=Bridge
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=cloudbr0
UUID=25aabe73-8e11-408f-a4ec-c03b26d3aa6e
DEVICE=cloudbr0
ONBOOT=yes
IPADDR=172.16.20.13
PREFIX=16
GATEWAY=172.16.0.1
DNS1=8.8.8.8
DNS2=172.16.0.1
NM_CONTROLLED=no

ifcfg-cloudbr1:
TYPE=Bridge
IPV4_FAILURE_FATAL=no
NAME=cloudbr1
UUID=25aabe73-8e11-408f-a4ec-c03b26d3aa6e
DEVICE=cloudbr1
ONBOOT=yes
NM_CONTROLLED=no

ifcfg-eno1:
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eno1
UUID=25aabe73-8e11-408f-a4ec-c03b26d3aa6e
DEVICE=eno1
ONBOOT=yes
IPADDR=172.16.20.13
PREFIX=16
GATEWAY=172.16.0.1
DNS1=8.8.8.8
DNS2=172.16.0.1
NM_CONTROLLED=no
BRIDGE=cloudbr0

brctl show output:
[root@srvr3 ~]# brctl show
bridge name  bridge id          STP enabled  interfaces
cloud0       8000.              no
cloudbr0     8000.3464a92a09f3  no           eno1
cloudbr1     8000.              no
virbr0       8000.5254002dabdb  yes          virbr0-nic



when adding a host in advanced zone it shows the following error: Could not 
find network 'cloudbr1'

2018-04-04 02:03:11,887 DEBUG [c.c.u.s.SSHCmdHelper] 
(qtp510113906-14:ctx-707b53e5 ctx-8d49ccb3) (logid:dff92f23) Executing cmd: 
/usr/share/cloudstack-common/scripts/util/keystore-cert-import 
/etc/cloudstack/agent/agent.properties /etc/cloudstack/agent/
2018-04-04 02:03:15,686 DEBUG [c.c.h.k.d.LibvirtServerDiscoverer] 
(qtp510113906-14:ctx-707b53e5 ctx-8d49ccb3) (logid:dff92f23) Succeeded to 
import certificate in the keystore for agent on the KVM host: 172.16.20.13. 
Agent secured and trusted.
2018-04-04 02:03:15,688 DEBUG [c.c.u.s.SSHCmdHelper] 
(qtp510113906-14:ctx-707b53e5 ctx-8d49ccb3) (logid:dff92f23) Executing cmd: 
cloudstack-setup-agent  -m 172.16.20.13 -z 1 -p 1 -c 1 -g 
1fd67886-c5d9-3464-ac73-46689258b34e -a --pubNic=cloudbr0 --prvNic=cloudbr0 
--guestNic=cloudbr1 --hypervisor=kvm
2018-04-04 02:03:19,674 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl] 
(AsyncJobMgr-Heartbeat-1:ctx-af4b26a6) (logid:4c5c40d4) Begin cleanup expired 
async-jobs
2018-04-04 02:03:19,683 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl] 
(AsyncJobMgr-Heartbeat-1:ctx-af4b26a6) (logid:4c5c40d4) End cleanup expired 
async-jobs
2018-04-04 02:03:20,022 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl] 
(RouterStatusMonitor-1:ctx-f1d46df0) (logid:a021b44c) Found 0 routers to update 
status.
2018-04-04 02:03:20,025 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl] 
(RouterStatusMonitor-1:ctx-f1d46df0) (logid:a021b44c) Found 0 VPC networks to 
update Redundant State.
2018-04-04 02:03:20,029 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl] 
(RouterStatusMonitor-1:ctx-f1d46df0) (logid:a021b44c) Found 0 networks to 
update RvR status.
2018-04-04 02:03:22,518 DEBUG [c.c.c.ConsoleProxyManagerImpl] 
(consoleproxy-1:ctx-9d047585) (logid:3b4da034) Skip capacity scan as there is 
no Primary Storage in 'Up' state
2018-04-04 02:03:29,677 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl] 
(AsyncJobMgr-Heartbeat-1:ctx-4378508d) (logid:9de3110e) Begin cleanup expired 
async-jobs
2018-04-04 02:03:29,695 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl] 
(AsyncJobMgr-Heartbeat-1:ctx-4378508d) (logid:9de3110e) End cleanup expired 
async-jobs
2018-04-04 02:03:35,796 DEBUG [c.c.s.StatsCollector] 
(StatsCollector-2:ctx-a6998a7a) (logid:174df0f0) AutoScaling Monitor is 
running...
2018-04-04 02:03:35,812 DEBUG [c.c.s.StatsCollector] 
(StatsCollector-1:ctx-51d8b17f) (logid:8d7cca2e) HostStatsCollector is 
running...
2018-04-04 02:03:35,812 DEBUG [c.c.s.StatsCollector] 
(StatsCollector-3:ctx-db3df7da) (logid:c38b9f19) StorageCollector is running...
2018-04-04 02:03:39,675 INFO  [o.a.c.f.

Re: Untagged Networking for Advanced Zone possible?

2018-04-06 Thread Parth Patel
Hi Dag,

When I tried your method and created a NIC-less bridge, following are the
contents of my ifcfg-* network files:

*ifcfg-cloudbr0:*
TYPE=Bridge
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=cloudbr0
UUID=25aabe73-8e11-408f-a4ec-c03b26d3aa6e
DEVICE=cloudbr0
ONBOOT=yes
IPADDR=172.16.20.13
PREFIX=16
GATEWAY=172.16.0.1
DNS1=8.8.8.8
DNS2=172.16.0.1
NM_CONTROLLED=no

*ifcfg-cloudbr1:*
TYPE=Bridge
IPV4_FAILURE_FATAL=no
NAME=cloudbr1
UUID=25aabe73-8e11-408f-a4ec-c03b26d3aa6e
DEVICE=cloudbr1
ONBOOT=yes
NM_CONTROLLED=no

*ifcfg-eno1:*
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=eno1
UUID=25aabe73-8e11-408f-a4ec-c03b26d3aa6e
DEVICE=eno1
ONBOOT=yes
IPADDR=172.16.20.13
PREFIX=16
GATEWAY=172.16.0.1
DNS1=8.8.8.8
DNS2=172.16.0.1
NM_CONTROLLED=no
BRIDGE=cloudbr0

*brctl show output:*
[root@srvr3 ~]# brctl show
bridge name  bridge id          STP enabled  interfaces
cloud0       8000.              no
cloudbr0     8000.3464a92a09f3  no           eno1
cloudbr1     8000.              no
virbr0       8000.5254002dabdb  yes          virbr0-nic



*when adding a host in advanced zone it shows the following error: Could
not find network 'cloudbr1'*

2018-04-04 02:03:11,887 DEBUG [c.c.u.s.SSHCmdHelper]
(qtp510113906-14:ctx-707b53e5 ctx-8d49ccb3) (logid:dff92f23) Executing cmd:
/usr/share/cloudstack-common/scripts/util/keystore-cert-import
/etc/cloudstack/agent/agent.properties /etc/cloudstack/agent/
2018-04-04 02:03:15,686 DEBUG [c.c.h.k.d.LibvirtServerDiscoverer]
(qtp510113906-14:ctx-707b53e5 ctx-8d49ccb3) (logid:dff92f23) Succeeded to
import certificate in the keystore for agent on the KVM host: 172.16.20.13.
Agent secured and trusted.
2018-04-04 02:03:15,688 DEBUG [c.c.u.s.SSHCmdHelper]
(qtp510113906-14:ctx-707b53e5 ctx-8d49ccb3) (logid:dff92f23) Executing cmd:
cloudstack-setup-agent  -m 172.16.20.13 -z 1 -p 1 -c 1 -g
1fd67886-c5d9-3464-ac73-46689258b34e -a --pubNic=cloudbr0 --prvNic=cloudbr0
--guestNic=cloudbr1 --hypervisor=kvm
2018-04-04 02:03:19,674 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl]
(AsyncJobMgr-Heartbeat-1:ctx-af4b26a6) (logid:4c5c40d4) Begin cleanup
expired async-jobs
2018-04-04 02:03:19,683 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl]
(AsyncJobMgr-Heartbeat-1:ctx-af4b26a6) (logid:4c5c40d4) End cleanup expired
async-jobs
2018-04-04 02:03:20,022 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
(RouterStatusMonitor-1:ctx-f1d46df0) (logid:a021b44c) Found 0 routers to
update status.
2018-04-04 02:03:20,025 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
(RouterStatusMonitor-1:ctx-f1d46df0) (logid:a021b44c) Found 0 VPC networks
to update Redundant State.
2018-04-04 02:03:20,029 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
(RouterStatusMonitor-1:ctx-f1d46df0) (logid:a021b44c) Found 0 networks to
update RvR status.
2018-04-04 02:03:22,518 DEBUG [c.c.c.ConsoleProxyManagerImpl]
(consoleproxy-1:ctx-9d047585) (logid:3b4da034) Skip capacity scan as there
is no Primary Storage in 'Up' state
2018-04-04 02:03:29,677 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl]
(AsyncJobMgr-Heartbeat-1:ctx-4378508d) (logid:9de3110e) Begin cleanup
expired async-jobs
2018-04-04 02:03:29,695 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl]
(AsyncJobMgr-Heartbeat-1:ctx-4378508d) (logid:9de3110e) End cleanup expired
async-jobs
2018-04-04 02:03:35,796 DEBUG [c.c.s.StatsCollector]
(StatsCollector-2:ctx-a6998a7a) (logid:174df0f0) AutoScaling Monitor is
running...
2018-04-04 02:03:35,812 DEBUG [c.c.s.StatsCollector]
(StatsCollector-1:ctx-51d8b17f) (logid:8d7cca2e) HostStatsCollector is
running...
2018-04-04 02:03:35,812 DEBUG [c.c.s.StatsCollector]
(StatsCollector-3:ctx-db3df7da) (logid:c38b9f19) StorageCollector is
running...
2018-04-04 02:03:39,675 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl]
(AsyncJobMgr-Heartbeat-1:ctx-26aea785) (logid:48c9a5ba) Begin cleanup
expired async-jobs
2018-04-04 02:03:39,686 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl]
(AsyncJobMgr-Heartbeat-1:ctx-26aea785) (logid:48c9a5ba) End cleanup expired
async-jobs
2018-04-04 02:03:49,677 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl]
(AsyncJobMgr-Heartbeat-1:ctx-ec993f07) (logid:98d10d6c) Begin cleanup
expired async-jobs
2018-04-04 02:03:49,692 INFO  [o.a.c.f.j.i.AsyncJobManagerImpl]
(AsyncJobMgr-Heartbeat-1:ctx-ec993f07) (logid:98d10d6c) End cleanup expired
async-jobs
2018-04-04 02:03:50,021 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
(RouterStatusMonitor-1:ctx-592f1702) (logid:39d0b341) Found 0 routers to
update status.
2018-04-04 02:03:50,024 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
(RouterStatusMonitor-1:ctx-592f1702) (logid:39d0b341) Found 0 VPC networks
to update Redundant State.
2018-04-04 02:03:50,027 DEBUG [c.c.n.r.VirtualNetworkApplianceManagerImpl]
(RouterStatusMonitor-1:ctx-592f1702) (logid:39d0b341) Found 0 networks to
update RvR status.
2018-04-04 02:03:52,519 DEBUG [c.c.c.ConsoleProxyManagerImpl]
(consoleproxy-1:ctx-099c555a) (logid:1e1eb23a) Skip capacity scan as there
is no Primary Storage in 'Up' state
2018-04-04 

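The command line the management server ran on the host appears in that log: cloudstack-setup-agent with --pubNic=cloudbr0 --prvNic=cloudbr0 --guestNic=cloudbr1. The single-host layout proposed further down the thread gives cloudbr1 no physical NIC at all, so before re-running the agent setup it is worth listing what each bridge named on that line actually enslaves. The following is an added example, not part of the original mail and not CloudStack's own tooling: it parses the NIC roles off the command line and reads each bridge's ports from /sys/class/net/<bridge>/brif/ (the kernel's per-bridge port directory). It assumes libvirt VM taps are named vnet<N>, and the demo runs against a constructed sysfs lookalike instead of a real host.

```python
import os
import re
import tempfile

# Argument string copied from the management-server log above; everything
# below it is an added, constructed check, not CloudStack's own tooling.
AGENT_CMD = ("cloudstack-setup-agent -m 172.16.20.13 -z 1 -p 1 -c 1 -g "
             "1fd67886-c5d9-3464-ac73-46689258b34e -a --pubNic=cloudbr0 "
             "--prvNic=cloudbr0 --guestNic=cloudbr1 --hypervisor=kvm")

NIC_ARG_RE = re.compile(r"--(pubNic|prvNic|guestNic)=(\S+)")


def nic_args(cmdline):
    """Role -> bridge name, as passed on the cloudstack-setup-agent command line."""
    return {role: name for role, name in NIC_ARG_RE.findall(cmdline)}


def bridge_ports(sysfs, bridge):
    """Ports enslaved to `bridge`, read from <sysfs>/class/net/<bridge>/brif/
    (the kernel exposes one entry per port there).  None if `bridge` is not a
    bridge at all, e.g. a bare NIC name was passed instead of cloudbr0."""
    brif = os.path.join(sysfs, "class", "net", bridge, "brif")
    if not os.path.isdir(brif):
        return None
    return sorted(os.listdir(brif))


def preflight(cmdline, sysfs="/sys"):
    """For each NIC role on the command line: (bridge, ports, verdict).
    libvirt VM taps are named vnet<N> (assumption); anything else enslaved to
    the bridge is treated as its backing device (physical NIC, VLAN or dummy)."""
    report = {}
    for role, bridge in nic_args(cmdline).items():
        ports = bridge_ports(sysfs, bridge)
        if ports is None:
            verdict = "missing: no such bridge on this host"
        elif not [p for p in ports if not p.startswith("vnet")]:
            verdict = "no backing device: nothing but VM taps (or nothing) behind it"
        else:
            verdict = "ok"
        report[role] = (bridge, ports, verdict)
    return report


def fake_sysfs(layout):
    """Throw-away /sys lookalike built from {name: [ports] or None}; None makes
    a plain interface directory without brif/, i.e. something that is not a bridge."""
    root = tempfile.mkdtemp(prefix="fakesys-")
    for name, ports in layout.items():
        netdir = os.path.join(root, "class", "net", name)
        os.makedirs(netdir)
        if ports is not None:
            os.makedirs(os.path.join(netdir, "brif"))
            for port in ports:
                os.mkdir(os.path.join(netdir, "brif", port))
    return root


def demo():
    # Constructed host state matching the brctl output quoted in the thread:
    # cloudbr0 enslaves eno1 (plus a system-VM tap), cloud0 and cloudbr1 have
    # no port at all, eno1 itself is a plain NIC.
    root = fake_sysfs({"cloudbr0": ["eno1", "vnet0"], "cloudbr1": [],
                       "cloud0": [], "virbr0": ["virbr0-nic"], "eno1": None})
    return preflight(AGENT_CMD, sysfs=root)


if __name__ == "__main__":
    for role, (bridge, ports, verdict) in demo().items():
        print("%-9s %-9s ports=%-18s %s" % (role, bridge, ports, verdict))
```

On a real host call preflight(AGENT_CMD) with the default sysfs; a guest bridge that comes back with no backing device is the cloud0-style bridge from later in the thread, and one reported as missing means the name on the command line does not exist as a bridge on that host.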
Re: Untagged Networking for Advanced Zone possible?

2018-03-29 Thread Parth Patel
Thanks Dag. Appreciate it. Will try this out.

On Thu, 29 Mar 2018 at 16:02 Dag Sonstebo 
wrote:

> Hi Parth,
>
> If you want a KVM networking introduction take a look at my blog post from
> a couple of years back – this is still valid:
> http://www.shapeblue.com/networking-kvm-for-cloudstack/
>
> In short – you don’t set up VLAN tagging for isolated networks on the KVM
> host – you set up the bridge and then specify your VLAN range when you set
> up your zone in CloudStack. CloudStack then takes care of creating the
> isolated VLAN isolated networks on the host. So in short – you create your
> bridges, then use the bridge names in the advanced zone setup.
>
> Virtual bridge – yes this is similar to the cloud0 bridge, and yes you
> create the bridge without a physical interface.
>
> Regards,
> Dag Sonstebo
> Cloud Architect
> ShapeBlue
>
>
> dag.sonst...@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>
>
> On 29/03/2018, 11:14, "Parth Patel"  wrote:
>
> Hi Dag,
>
> Thanks for helping me understand the requirement of advanced
> networking.
> Sorry if I have missed something obvious or my question seems stupid,
> but I
> am just starting to learn. Can you help me out on how to setup VLAN
> "tagging" on one machine? I have tried several methods and tutorials I
> could find on the internet for VLANs, but none mention "tagging".
>
> Also, I do not fully understand the private virtual bridge. Does that mean I
> create
> an interface file for the bridge but mention no physical interface device?
> Is
> it similar to how cloud0 is configured for link local network of System
> VMs? I could probably do that, but I don't know much about configuring
> VLAN
> tagging. I would appreciate if you could give me some guidance or
> point me
> where you think some good documentation is given for CentOS/RHEL hosts
> for
> configuring bridges with VLAN tagging (I have tried but failed to
> understand most of them). I am especially stuck at understanding this
> "tagging" of VLANs.
>
> Thanks,
> Parth Patel
>
> On Thu, 29 Mar 2018 at 15:17 Dag Sonstebo 
> wrote:
>
> > Hi Parth,
> >
> > Yes and no.
> >
> > No – you cannot do advanced zones with *all three* KVM hosts and
> advanced
> > networking without using VLANs (or another isolation mechanism) and
> still
> > expect traffic to flow between VMs/VRs on different KVM hosts.
> >
> > Yes – you can probably do this *on a single KVM host* – but you will
> have
> > to use VLAN tagging internally – this can however be done on a
> virtual
> > bridge interface, i.e. the L2 traffic doesn’t ever leave that host.
> >
> > Without deep diving into this I think it would look like this:
> >
> > Physical eth0 -> cloudbr0 > handles management and public
> > No nic -> private virtual bridge cloudbr1 > handles isolated guest
> traffic
> > but allows for isolated VLANs internally on the host
> >
> > Regards,
> > Dag Sonstebo
> > Cloud Architect
> > ShapeBlue
> >
> >
> > dag.sonst...@shapeblue.com
> > www.shapeblue.com
> > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > @shapeblue
> >
> >
> >
> > On 29/03/2018, 09:25, "Parth Patel" 
> wrote:
> >
> > Hi Dag,
> >
> > Thanks for the reply. I am trying to use Shapeblue CCS
> (Container as a
> > Service) with ACS, but for that Isolated networks are required
> which
> > are
> > only available in Advanced Zone. Further, I want to explore
> Cloudstack
> > further and am also aiming to test and configure other advanced
> > features
> > such as load balancing and auto scaling without netscaler
> device. For
> > that
> > I badly need Advanced Zone networking (especially isolated
> networks
> > offerings). I just want to know if Advanced Zone can successfully
> > function
> > with two networks, one physical NIC and no VLAN tagging.
> >
> > Thanks,
> > Parth Patel
> >
> > On Thu, 29 Mar 2018 at 13:48 Dag Sonstebo <
> dag.sonst...@shapeblue.com>
> > wrote:
> >
> > > Hi Parth,
> > >
> > > Not sure if I follow. Generally, your management network is
> untagged,
> > > whilst your public and isolated networks tagged. The
> underlying idea
> > of
> > > advanced zones is you must have network isolation between
> multiple
> > guest
> > > networks, otherwise you have no privacy/security. You can do
> this
> > either at
> > > L2 with VLAN tagging, which is the simplest, or with L3 using
> > various SDN
> > > overlay network solutions (more complicated and comes at a
> cost).
> > >
> > > 

Re: Untagged Networking for Advanced Zone possible?

2018-03-29 Thread Dag Sonstebo
Hi Parth,

If you want a KVM networking introduction take a look at my blog post from a 
couple of years back – this is still valid: 
http://www.shapeblue.com/networking-kvm-for-cloudstack/

In short – you don’t set up VLAN tagging for isolated networks on the KVM host 
– you set up the bridge and then specify your VLAN range when you set up your 
zone in CloudStack. CloudStack then takes care of creating the isolated VLAN 
isolated networks on the host. So in short – you create your bridges, then use 
the bridge names in the advanced zone setup.

Virtual bridge – yes this is similar to the cloud0 bridge, and yes you create 
the bridge without a physical interface. 

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue


dag.sonst...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 

On 29/03/2018, 11:14, "Parth Patel"  wrote:

Hi Dag,

Thanks for helping me understand the requirement of advanced networking.
Sorry if I have missed something obvious or my question seems stupid, but I
am just starting to learn. Can you help me out on how to setup VLAN
"tagging" on one machine? I have tried several methods and tutorials I
could find on the internet for VLANs, but none mention "tagging".

Also, I do not fully understand the private virtual bridge. Does that mean I
create an interface file for the bridge but mention no physical interface device? Is
it similar to how cloud0 is configured for link local network of System
VMs? I could probably do that, but I don't know much about configuring VLAN
tagging. I would appreciate if you could give me some guidance or point me
where you think some good documentation is given for CentOS/RHEL hosts for
configuring bridges with VLAN tagging (I have tried but failed to
understand most of them). I am especially stuck at understanding this
"tagging" of VLANs.

Thanks,
Parth Patel

On Thu, 29 Mar 2018 at 15:17 Dag Sonstebo 
wrote:

> Hi Parth,
>
> Yes and no.
>
> No – you cannot do advanced zones with *all three* KVM hosts and advanced
> networking without using VLANs (or another isolation mechanism) and still
> expect traffic to flow between VMs/VRs on different KVM hosts.
>
> Yes – you can probably do this *on a single KVM host* – but you will have
> to use VLAN tagging internally – this can however be done on a virtual
> bridge interface, i.e. the L2 traffic doesn’t ever leave that host.
>
> Without deep diving into this I think it would look like this:
>
> Physical eth0 -> cloudbr0 > handles management and public
> No nic -> private virtual bridge cloudbr1 > handles isolated guest traffic
> but allows for isolated VLANs internally on the host
>
> Regards,
> Dag Sonstebo
> Cloud Architect
> ShapeBlue
>
>
> dag.sonst...@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>
>
> On 29/03/2018, 09:25, "Parth Patel"  wrote:
>
> Hi Dag,
>
> Thanks for the reply. I am trying to use Shapeblue CCS (Container as a
> Service) with ACS, but for that Isolated networks are required which
> are
> only available in Advanced Zone. Further, I want to explore Cloudstack
> further and am also aiming to test and configure other advanced
> features
> such as load balancing and auto scaling without netscaler device. For
> that
> I badly need Advanced Zone networking (especially isolated networks
> > offerings). I just want to know if Advanced Zone can successfully
> > function
> > with two networks, one physical NIC and no VLAN tagging.
>
> Thanks,
> Parth Patel
>
> On Thu, 29 Mar 2018 at 13:48 Dag Sonstebo 
> wrote:
>
> > Hi Parth,
> >
> > Not sure if I follow. Generally, your management network is 
untagged,
> > whilst your public and isolated networks tagged. The underlying idea
> of
> > advanced zones is you must have network isolation between multiple
> guest
> > networks, otherwise you have no privacy/security. You can do this
> either at
> > L2 with VLAN tagging, which is the simplest, or with L3 using
> various SDN
> > overlay network solutions (more complicated and comes at a cost).
> >
> > If you don’t want to tag anything you’re probably better off using
> basic
> > networks, where I believe you could use a single flat subnet (happy
> to be
> > proven wrong).
> >
> > Regards,
> > Dag Sonstebo
> > Cloud Architect
> > ShapeBlue
> >
> >
> > dag.sonst...@shapeblue.com
   

Re: Untagged Networking for Advanced Zone possible?

2018-03-29 Thread Parth Patel
Hi Dag,

Thanks for helping me understand the requirement of advanced networking.
Sorry if I have missed something obvious or my question seems stupid, but I
am just starting to learn. Can you help me out on how to setup VLAN
"tagging" on one machine? I have tried several methods and tutorials I
could find on the internet for VLANs, but none mention "tagging".

Also, I do not fully understand the private virtual bridge. Does that mean I
create an interface file for the bridge but mention no physical interface device? Is
it similar to how cloud0 is configured for link local network of System
VMs? I could probably do that, but I don't know much about configuring VLAN
tagging. I would appreciate if you could give me some guidance or point me
where you think some good documentation is given for CentOS/RHEL hosts for
configuring bridges with VLAN tagging (I have tried but failed to
understand most of them). I am especially stuck at understanding this
"tagging" of VLANs.

Thanks,
Parth Patel

On Thu, 29 Mar 2018 at 15:17 Dag Sonstebo 
wrote:

> Hi Parth,
>
> Yes and no.
>
> No – you cannot do advanced zones with *all three* KVM hosts and advanced
> networking without using VLANs (or another isolation mechanism) and still
> expect traffic to flow between VMs/VRs on different KVM hosts.
>
> Yes – you can probably do this *on a single KVM host* – but you will have
> to use VLAN tagging internally – this can however be done on a virtual
> bridge interface, i.e. the L2 traffic doesn’t ever leave that host.
>
> Without deep diving into this I think it would look like this:
>
> Physical eth0 -> cloudbr0 > handles management and public
> No nic -> private virtual bridge cloudbr1 > handles isolated guest traffic
> but allows for isolated VLANs internally on the host
>
> Regards,
> Dag Sonstebo
> Cloud Architect
> ShapeBlue
>
>
> dag.sonst...@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>
>
> On 29/03/2018, 09:25, "Parth Patel"  wrote:
>
> Hi Dag,
>
> Thanks for the reply. I am trying to use Shapeblue CCS (Container as a
> Service) with ACS, but for that Isolated networks are required which
> are
> only available in Advanced Zone. Further, I want to explore Cloudstack
> further and am also aiming to test and configure other advanced
> features
> such as load balancing and auto scaling without netscaler device. For
> that
> I badly need Advanced Zone networking (especially isolated networks
> > offerings). I just want to know if Advanced Zone can successfully
> > function
> > with two networks, one physical NIC and no VLAN tagging.
>
> Thanks,
> Parth Patel
>
> On Thu, 29 Mar 2018 at 13:48 Dag Sonstebo 
> wrote:
>
> > Hi Parth,
> >
> > Not sure if I follow. Generally, your management network is untagged,
> > whilst your public and isolated networks tagged. The underlying idea
> of
> > advanced zones is you must have network isolation between multiple
> guest
> > networks, otherwise you have no privacy/security. You can do this
> either at
> > L2 with VLAN tagging, which is the simplest, or with L3 using
> various SDN
> > overlay network solutions (more complicated and comes at a cost).
> >
> > If you don’t want to tag anything you’re probably better off using
> basic
> > networks, where I believe you could use a single flat subnet (happy
> to be
> > proven wrong).
> >
> > Regards,
> > Dag Sonstebo
> > Cloud Architect
> > ShapeBlue
> >
> >
> > dag.sonst...@shapeblue.com
> > www.shapeblue.com
> > 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> > @shapeblue
> >
> >
> >
> > On 29/03/2018, 08:48, "Parth Patel" 
> wrote:
> >
> > Hi all,
> >
> > After banging my head with different network configuration
> > permutations, I
> > don't understand what is the issue with Network Guru here and
> why it
> > can't
> > implement the isolated guest network. I just want to know if
> Advanced
> > Zone
> > can be successfully set up or has someone configured an advanced
> zone
> > using
> > untagged VLAN traffic?
> >
> > I have the following configuration of components:
> > - I have 3 (16 GB Ram and 4 Cores) machines each with 1 physical
> NIC.
> > - I have two networks: 192.168.20.0/24 (using this for isolated
> guest
> > network) and 172.16.20.0/16 (management server and NFS servers
> > network)
> > - I am using KVM hypervisor and NFS for storage.
> > - Currently, the output of brctl show is (when CloudStack is
> not
> > running, otherwise the interfaces are populated with three vnets
> for
> > cloud0
> > and 4-5 vnets for cloudbr0):
> > bridge name bridge id   

Re: Untagged Networking for Advanced Zone possible?

2018-03-29 Thread Dag Sonstebo
Hi Parth,

Yes and no. 

No – you cannot do advanced zones with *all three* KVM hosts and advanced 
networking without using VLANs (or another isolation mechanism) and still 
expect traffic to flow between VMs/VRs on different KVM hosts. 

Yes – you can probably do this *on a single KVM host* – but you will have to 
use VLAN tagging internally – this can however be done on a virtual bridge 
interface, i.e. the L2 traffic doesn’t ever leave that host. 

Without deep diving into this I think it would look like this:

Physical eth0 -> cloudbr0 > handles management and public
No nic -> private virtual bridge cloudbr1 > handles isolated guest traffic but 
allows for isolated VLANs internally on the host

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue


dag.sonst...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 

On 29/03/2018, 09:25, "Parth Patel"  wrote:

Hi Dag,

Thanks for the reply. I am trying to use Shapeblue CCS (Container as a
Service) with ACS, but for that Isolated networks are required which are
only available in Advanced Zone. Further, I want to explore Cloudstack
further and am also aiming to test and configure other advanced features
such as load balancing and auto scaling without netscaler device. For that
I badly need Advanced Zone networking (especially isolated networks
offerings). I just want to know if Advanced Zone can successfully function
with two networks, one physical NIC and no VLAN tagging.

Thanks,
Parth Patel

On Thu, 29 Mar 2018 at 13:48 Dag Sonstebo 
wrote:

> Hi Parth,
>
> Not sure if I follow. Generally, your management network is untagged,
> whilst your public and isolated networks tagged. The underlying idea of
> advanced zones is you must have network isolation between multiple guest
> networks, otherwise you have no privacy/security. You can do this either 
at
> L2 with VLAN tagging, which is the simplest, or with L3 using various SDN
> overlay network solutions (more complicated and comes at a cost).
>
> If you don’t want to tag anything you’re probably better off using basic
> networks, where I believe you could use a single flat subnet (happy to be
> proven wrong).
>
> Regards,
> Dag Sonstebo
> Cloud Architect
> ShapeBlue
>
>
> dag.sonst...@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>
>
> On 29/03/2018, 08:48, "Parth Patel"  wrote:
>
> Hi all,
>
> After banging my head with different network configuration
> permutations, I
> don't understand what is the issue with Network Guru here and why it
> can't
> implement the isolated guest network. I just want to know if Advanced
> Zone
> can be successfully set up or has someone configured an advanced zone
> using
> untagged VLAN traffic?
>
> I have the following configuration of components:
> - I have 3 (16 GB Ram and 4 Cores) machines each with 1 physical NIC.
> - I have two networks: 192.168.20.0/24 (using this for isolated guest
> network) and 172.16.20.0/16 (management server and NFS servers
> network)
> - I am using KVM hypervisor and NFS for storage.
> - Currently, the output of brctl show is (when CloudStack is not
> running, otherwise the interfaces are populated with three vnets for
> cloud0
> and 4-5 vnets for cloudbr0):
> bridge name    bridge id            STP enabled    interfaces
> cloud0         8000.                no
> cloudbr0       8000.3464a92a083a    no             eno1
> virbr0         8000.525400daae23    yes            virbr0-nic
>
> My earlier doubt was if I can configure advanced zone with one 
physical
> interface available in each host, but that was resolved when I read
> this
> post of ShankerBalan:
>
> https://shankerbalan.net/blog/cloudstack-simple-advanced-network-example/
>
> ACS throws InsufficientVirtualNetworkCapacity exception and lines 
like:
> "NetworkGuru can't implement network [275||15]" are printed in
> management
> server logs when I try to create a simple CentOS 5.5 NoGUI KVM 
instance
> after a complete and fresh install of ACS (even of CentOS).
>
> My main doubt here is if I can successfully configure an advanced zone
> with
> two networks but with untagged VLAN traffic ? I can't currently
> configure
> the router or switches to allow tagged VLAN networking as I am doing
> this
> project in my university. But, I have requested and gained access to
> the
> mentioned two 

Re: Untagged Networking for Advanced Zone possible?

2018-03-29 Thread Parth Patel
Hi Dag,

Thanks for the reply. I am trying to use Shapeblue CCS (Container as a
Service) with ACS, but for that Isolated networks are required which are
only available in Advanced Zone. Further, I want to explore Cloudstack
further and am also aiming to test and configure other advanced features
such as load balancing and auto scaling without netscaler device. For that
I badly need Advanced Zone networking (especially isolated networks
offerings). I just want to know if Advanced Zone can successfully function
with two networks, one physical NIC and no VLAN tagging.

Thanks,
Parth Patel

On Thu, 29 Mar 2018 at 13:48 Dag Sonstebo 
wrote:

> Hi Parth,
>
> Not sure if I follow. Generally, your management network is untagged,
> whilst your public and isolated networks tagged. The underlying idea of
> advanced zones is you must have network isolation between multiple guest
> networks, otherwise you have no privacy/security. You can do this either at
> L2 with VLAN tagging, which is the simplest, or with L3 using various SDN
> overlay network solutions (more complicated and comes at a cost).
>
> If you don’t want to tag anything you’re probably better off using basic
> networks, where I believe you could use a single flat subnet (happy to be
> proven wrong).
>
> Regards,
> Dag Sonstebo
> Cloud Architect
> ShapeBlue
>
>
> dag.sonst...@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
>
>
>
> On 29/03/2018, 08:48, "Parth Patel"  wrote:
>
> Hi all,
>
> After banging my head with different network configuration
> permutations, I
> don't understand what is the issue with Network Guru here and why it
> can't
> implement the isolated guest network. I just want to know if Advanced
> Zone
> can be successfully set up or has someone configured an advanced zone
> using
> untagged VLAN traffic?
>
> I have the following configuration of components:
> - I have 3 (16 GB Ram and 4 Cores) machines each with 1 physical NIC.
> - I have two networks: 192.168.20.0/24 (using this for isolated guest
> network) and 172.16.20.0/16 (management server and NFS servers
> network)
> - I am using KVM hypervisor and NFS for storage.
> - Currently, the output of brctl show is (when CloudStack is not
> running, otherwise the interfaces are populated with three vnets for
> cloud0
> and 4-5 vnets for cloudbr0):
> bridge name    bridge id            STP enabled    interfaces
> cloud0         8000.                no
> cloudbr0       8000.3464a92a083a    no             eno1
> virbr0         8000.525400daae23    yes            virbr0-nic
>
> My earlier doubt was if I can configure advanced zone with one physical
> interface available in each host, but that was resolved when I read
> this
> post of ShankerBalan:
>
> https://shankerbalan.net/blog/cloudstack-simple-advanced-network-example/
>
> ACS throws InsufficientVirtualNetworkCapacity exception and lines like:
> "NetworkGuru can't implement network [275||15]" are printed in
> management
> server logs when I try to create a simple CentOS 5.5 NoGUI KVM instance
> after a complete and fresh install of ACS (even of CentOS).
>
> My main doubt here is if I can successfully configure an advanced zone
> with
> two networks but with untagged VLAN traffic ? I can't currently
> configure
> the router or switches to allow tagged VLAN networking as I am doing
> this
> project in my university. But, I have requested and gained access to
> the
> mentioned two networks: 192.168.20.0/24 and 172.16.20.0/16 and both
> networks are pingable and have internet access across all three
> machines.
> Can anyone help me with this please?
>
> Thanks,
> Parth Patel
>
>
>


Re: Untagged Networking for Advanced Zone possible?

2018-03-29 Thread Dag Sonstebo
Hi Parth,

Not sure if I follow. Generally, your management network is untagged, whilst 
your public and isolated networks tagged. The underlying idea of advanced zones 
is you must have network isolation between multiple guest networks, otherwise 
you have no privacy/security. You can do this either at L2 with VLAN tagging, 
which is the simplest, or with L3 using various SDN overlay network solutions 
(more complicated and comes at a cost).

If you don’t want to tag anything you’re probably better off using basic 
networks, where I believe you could use a single flat subnet (happy to be 
proven wrong).

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue


dag.sonst...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 

On 29/03/2018, 08:48, "Parth Patel"  wrote:

Hi all,

After banging my head with different network configuration permutations, I
don't understand what is the issue with Network Guru here and why it can't
implement the isolated guest network. I just want to know if Advanced Zone
can be successfully set up or has someone configured an advanced zone using
untagged VLAN traffic?

I have the following configuration of components:
- I have 3 (16 GB Ram and 4 Cores) machines each with 1 physical NIC.
- I have two networks: 192.168.20.0/24 (using this for isolated guest
network) and 172.16.20.0/16 (management server and NFS servers network)
- I am using KVM hypervisor and NFS for storage.
- Currently, the output of brctl show is (when CloudStack is not
running, otherwise the interfaces are populated with three vnets for cloud0
and 4-5 vnets for cloudbr0):
bridge name    bridge id            STP enabled    interfaces
cloud0         8000.                no
cloudbr0       8000.3464a92a083a    no             eno1
virbr0         8000.525400daae23    yes            virbr0-nic

My earlier doubt was if I can configure advanced zone with one physical
interface available in each host, but that was resolved when I read this
post of ShankerBalan:
https://shankerbalan.net/blog/cloudstack-simple-advanced-network-example/

ACS throws InsufficientVirtualNetworkCapacity exception and lines like:
"NetworkGuru can't implement network [275||15]" are printed in management
server logs when I try to create a simple CentOS 5.5 NoGUI KVM instance
after a complete and fresh install of ACS (even of CentOS).

My main doubt here is if I can successfully configure an advanced zone with
two networks but with untagged VLAN traffic ? I can't currently configure
the router or switches to allow tagged VLAN networking as I am doing this
project in my university. But, I have requested and gained access to the
mentioned two networks: 192.168.20.0/24 and 172.16.20.0/16 and both
networks are pingable and have internet access across all three machines.
Can anyone help me with this please?

Thanks,
Parth Patel
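Dag's point in this reply, and in his later one about CloudStack creating the VLAN networks on the host from the range given at zone setup, is that every guest network needs its own L2 segment or tenants can see each other's traffic. On a KVM host that is checkable from ip -d link show: each VM-carrying bridge should sit on an 802.1Q sub-interface with a VLAN id no other guest bridge uses. The audit below is an added example, not from the original thread and not CloudStack code. It runs over a constructed, trimmed ip -d link show listing for the single-host layout discussed above (eno1 behind cloudbr0, guest bridges hanging off a dummy interface; the brdummy1-100 style names are an assumption about how the agent names per-VLAN bridges, so check your own host), assumes libvirt taps are named vnet<N>, and treats cloudbr0 as the declared management/public bridge.

```python
import re

# Constructed, trimmed `ip -d link show` output (link/ether and bridge_slave
# lines dropped) for a single KVM host laid out as the thread describes:
# eno1 -> cloudbr0 carries untagged management/public; a dummy interface
# carries guest traffic.  brdummy1-100 / brdummy1-101 are shaped like the
# per-VLAN guest bridges CloudStack plumbs (802.1Q sub-interface of dummy1
# plus a VM tap; the names are an assumption).  cloudbr1 has two VM taps
# straight over untagged dummy1: the "untagged guest network" asked about.
SAMPLE_IP_D_LINK = """\
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master cloudbr0 state UP mode DEFAULT group default qlen 1000
3: cloudbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    bridge forward_delay 0 hello_time 200 max_age 2000 stp_state 0
4: dummy1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue master cloudbr1 state UNKNOWN mode DEFAULT group default qlen 1000
5: cloudbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    bridge forward_delay 0 hello_time 200 max_age 2000 stp_state 0
6: dummy1.100@dummy1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brdummy1-100 state UP mode DEFAULT group default qlen 1000
    vlan protocol 802.1Q id 100 <REORDER_HDR>
7: brdummy1-100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    bridge forward_delay 0 hello_time 200 max_age 2000 stp_state 0
8: dummy1.101@dummy1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brdummy1-101 state UP mode DEFAULT group default qlen 1000
    vlan protocol 802.1Q id 101 <REORDER_HDR>
9: brdummy1-101: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    bridge forward_delay 0 hello_time 200 max_age 2000 stp_state 0
10: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master brdummy1-100 state UNKNOWN mode DEFAULT group default qlen 1000
11: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master brdummy1-101 state UNKNOWN mode DEFAULT group default qlen 1000
12: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master cloudbr1 state UNKNOWN mode DEFAULT group default qlen 1000
13: vnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master cloudbr1 state UNKNOWN mode DEFAULT group default qlen 1000
"""

HEADER_RE = re.compile(r"^\d+: (?P<name>[^:@\s]+)(?:@(?P<parent>[^:\s]+))?: <[^>]*>(?P<rest>.*)$")
MASTER_RE = re.compile(r"\bmaster (\S+)")
VLAN_RE = re.compile(r"^\s+vlan protocol 802\.1Q id (\d+)")
BRIDGE_RE = re.compile(r"^\s+bridge\b")   # "bridge ..." detail line, not "bridge_slave"


def parse_ip_d_link(text):
    """name -> {parent, master, vlan_id, is_bridge} from `ip -d link show` output."""
    links, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            master = MASTER_RE.search(m["rest"])
            current = {"parent": m["parent"], "master": master.group(1) if master else None,
                       "vlan_id": None, "is_bridge": False}
            links[m["name"]] = current
        elif current is not None:
            v = VLAN_RE.match(line)
            if v:
                current["vlan_id"] = int(v.group(1))
            elif BRIDGE_RE.match(line):
                current["is_bridge"] = True
    return links


def audit_guest_isolation(links, infra_bridges=frozenset({"cloudbr0"})):
    """For every bridge that carries VM taps (libvirt names them vnet<N>; an
    assumption) and is not a declared infrastructure bridge, work out which L2
    segment sits behind it.  Returns (segments, findings): segments maps
    bridge -> ("802.1Q", parent, vid) | ("untagged", uplink) | ("none",) |
    ("multi", uplinks); findings lists the bridges that give no isolation."""
    members = {}
    for name, link in links.items():
        if link["master"]:
            members.setdefault(link["master"], []).append(name)
    segments, findings, seen = {}, {}, {}
    for br in sorted(n for n, l in links.items() if l["is_bridge"]):
        ports = members.get(br, [])
        uplinks = sorted(p for p in ports if not p.startswith("vnet"))
        if br in infra_bridges or len(uplinks) == len(ports):
            continue                                   # no VM taps on this bridge
        problems = []
        if not uplinks:
            segments[br] = ("none",)                   # host-local only, like cloud0
        elif len(uplinks) > 1:
            segments[br] = ("multi", tuple(uplinks))
            problems.append("several uplink ports (%s): bridge joins segments" % ", ".join(uplinks))
        elif links[uplinks[0]]["vlan_id"] is None:
            segments[br] = ("untagged", uplinks[0])
            problems.append("untagged uplink %s: VMs share L2 with everything on it" % uplinks[0])
        else:
            up = links[uplinks[0]]
            key = (up["parent"], up["vlan_id"])
            segments[br] = ("802.1Q",) + key
            if key in seen:                            # two guest bridges, one VLAN
                problems.append("VLAN %d on %s already used by %s" % (key[1], key[0], seen[key]))
            seen[key] = br
        if problems:
            findings[br] = problems
    return segments, findings


if __name__ == "__main__":
    seg, bad = audit_guest_isolation(parse_ip_d_link(SAMPLE_IP_D_LINK))
    for br in seg:
        print("%-14s %-30s %s" % (br, seg[br], "; ".join(bad.get(br, ["ok"]))))
```

On a real host feed it subprocess.check_output(["ip", "-d", "link", "show"], text=True) instead of the sample. A guest bridge reported as untagged is exactly the state the original poster is in: every VM on it, whatever CloudStack network it belongs to, shares one broadcast domain, which is why the management server refuses to implement an isolated network without a VLAN to put it on.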