[ovirt-users] Re: attach untagged vlan internally on vm

2019-08-25 Thread Edward Haas
Ernest, you need to understand how things work under the hood to answer your
question.
Whether the traffic needs to pass through the NIC or not matters here.

How things work: For any VM network, a bridge is created on the host and
the vNICs from the VM/s are connected to it using a tap device.
When one defines a non-VLAN network, the bridge is created over the NIC
directly, passing all traffic (tagged and untagged alike).
When a VLAN network is defined, the bridge is created over a VLAN interface
and that VLAN interface is defined over the NIC;
therefore, only traffic with the specific VLAN tag is forwarded from the
NIC through the VLAN interface to the bridge (and from there to the vNIC/s).
When there is a combination (VLAN + non-VLAN networks), the traffic for the
VLAN networks is forwarded as mentioned above; anything else,
including untagged and tagged traffic, is forwarded to the non-VLAN network
(this is why you can also call it a trunk network).

Now, if the traffic between your VM/s is local and will never go out
(including needed control traffic), it does not matter what the bridge
is defined on (a VLAN or the NIC directly).
This means, if you define a special network A, as vlanned or not, it will
not matter for the traffic between two tap devices connected to the same
network.
Traffic that comes from one tap device can pass to the other tap device,
ignoring VLAN/s.

[vnic]--trunk--[bridge]--trunk--[vnic]
                  |
                  +--[nic/vlan]--[external-switch]

If you want to make sure traffic does not get out, define the network as a
VLAN which does not exist on the external switch.


On Fri, Aug 23, 2019 at 5:53 PM Tony Pearce  wrote:

> Maybe I misunderstand but no need for any tag on same layer 2 network
>
> On Fri., 23 Aug. 2019, 22:15 Ernest Clyde Chua, <
> ernestclydeac...@gmail.com> wrote:
>
>> Good day.
>> yes the VMs and the firewall on the same L2 network also the firewall is
>> hosted in oVirt alongside the VMs, currently there is no external switch
>> connected to the nic and i would like to know if it is possible to pass tag
>> internally.
>>
>>
>> On Fri, Aug 23, 2019 at 9:21 PM Tony Pearce  wrote:
>>
>>> Have the VM and the firewall on the same L2 network. Configure the VM
>>> with a default gateway of the interface of the firewall.
>>>
>>> Is it what you're looking for?
>>>
>>> On Fri., 23 Aug. 2019, 21:15 Ernest Clyde Chua, <
>>> ernestclydeac...@gmail.com> wrote:
>>>
>>>> Good day.
>>>> sorry if i got you guys confused.
>>>> for clarity:
>>>>
>>>> i have a server with two nic, currently one nic is connected to public
>>>> network and the other one is disconnected.
>>>>
>>>> And i have a vm that will be the firewall of other vm inside this
>>>> standalone/selfhosted ovirt.
>>>>
>>>> then i am figuring out how can i pass the vlan ids on the vm or is it
>>>> possible.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, 23 Aug 2019, 7:46 PM Dominik Holler  wrote:
>>>>
>>>>>
>>>>>
>>>>> On Thu, Aug 22, 2019 at 1:18 PM Miguel Duarte de Mora Barroso <
>>>>> mdbarr...@redhat.com> wrote:
>>>>>
>>>>>> On Wed, Aug 21, 2019 at 9:18 AM  wrote:
>>>>>> >
>>>>>> > good day
>>>>>> > currently i am testing oVirt on a single box and setup some tagged
>>>>>> > vms and non tagged vm.
>>>>>> > the non tagged vm is a firewall but it has limitations on the
>>>>>> > number of nic so i cannot attach tagged vnic and wish to handle vlan
>>>>>> > tagging on it
>>>>>> >
>>>>>> > is it possible to pass untagged frames internally?
>>>>>>
>>>>>> I think it would fallback to the linux bridge default configuration,
>>>>>> which internally tags untagged frames with vlanID 1, and untags them
>>>>>> when exiting the port. Unless I'm wrong (for instance, we change the
>>>>>> bridge defaults), this means you can pass untagged frames through the
>>>>>> bridge.
>>>>>>
>>>>>> Adding Edward, to keep me honest.
>>>>>>
>>>>>>
>>>>>>
>>>>> I am unsure if I got the problem.
>>>>> If you connect an untagged logical network to a vNIC (virtual NIC of a
>>>>> VM), all untagged Ethernet frames will be forwarded from the host
>>>>> interface (physical NIC or bond).
>>>>> If no tagged logical network is attached to this host interface, VLAN
>>>>> tag filtering is not activated and even tagged Frames would be forwarded
>>>>> to the vNIC.
>>>>>
>>>>> Does this answer the question?
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> > ___
>>>>>> > Users mailing list -- users@ovirt.org
>>>>>> > To unsubscribe send an email to users-le...@ovirt.org
>>>>>> > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>>>>> > oVirt Code of Conduct:
>>>>>> > https://www.ovirt.org/community/about/community-guidelines/
>>>>>> > List Archives:
>>>>>> > https://lists.ovirt.org/archives/list/users@ovirt.org/message/HYFSLS5QM5DKBYWFF44NCB4E3CD5GKH4/
>>>>>> ___
>>>>>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to 
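
The forwarding rules Edward describes in the message above, written out as a small Python model. This is an added example, not part of the original thread and not oVirt code; the class and function names, the network names (`lan`, `dmz`) and the sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag


def vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID


def make_frame(vid=None, payload=b"constructed"):
    """Constructed sample frame: zeroed MACs, optional 802.1Q tag, IPv4 type."""
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    return bytes(12) + tag + struct.pack("!H", 0x0800) + payload


class HostNic:
    """Model of one host NIC and the VM networks (bridges) defined over it.

    networks maps a network name to its VLAN ID, or to None for a non-VLAN
    network whose bridge sits directly on the NIC.
    """

    def __init__(self, networks):
        self.networks = dict(networks)
        self.by_vlan = {v: n for n, v in networks.items() if v is not None}
        self.trunk = next((n for n, v in networks.items() if v is None), None)

    def from_nic(self, frame):
        """Name of the bridge that receives a frame arriving on the NIC."""
        vid = vlan_id(frame)
        if vid in self.by_vlan:
            return self.by_vlan[vid]  # picked up by the matching VLAN interface
        return self.trunk  # tagged or not, the rest goes to the non-VLAN bridge

    def tap_to_tap(self, network, frame):
        """Frame as seen by another vNIC on the same bridge: unchanged, because
        local traffic never crosses the NIC or the VLAN interface."""
        if network not in self.networks:
            raise KeyError(network)
        return frame

    def isolated_from_switch(self, network, switch_vlans):
        """True only for a VLAN network whose ID the external switch lacks."""
        vid = self.networks[network]
        if vid is None:
            return False  # bridge on the NIC: the host does no VLAN filtering
        return vid not in switch_vlans  # egress is tagged with vid by the host
```

A frame tagged 300 still passes between two vNICs on the `dmz` bridge (VLAN 100), which is why the VLAN ID of a network is not a boundary between VMs that share its bridge.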

[ovirt-users] Re: attach untagged vlan internally on vm

2019-08-23 Thread Tony Pearce
Maybe I misunderstand but no need for any tag on same layer 2 network

On Fri., 23 Aug. 2019, 22:15 Ernest Clyde Chua, 
wrote:

> Good day.
> yes the VMs and the firewall on the same L2 network also the firewall is
> hosted in oVirt alongside the VMs, currently there is no external switch
> connected to the nic and i would like to know if it is possible to pass tag
> internally.
>
>
> On Fri, Aug 23, 2019 at 9:21 PM Tony Pearce  wrote:
>
>> Have the VM and the firewall on the same L2 network. Configure the VM
>> with a default gateway of the interface of the firewall.
>>
>> Is it what you're looking for?
>>
>> On Fri., 23 Aug. 2019, 21:15 Ernest Clyde Chua, <
>> ernestclydeac...@gmail.com> wrote:
>>
>>> Good day.
>>> sorry if i got you guys confused.
>>> for clarity:
>>>
>>> i have a server with two nic, currently one nic is connected to public
>>> network and the other one is disconnected.
>>>
>>> And i have a vm that will be the firewall of other vm inside this
>>> standalone/selfhosted ovirt.
>>>
>>> then i am figuring out how can i pass the vlan ids on the vm or is it
>>> possible.
>>>
>>>
>>>
>>>
>>>
>>> On Fri, 23 Aug 2019, 7:46 PM Dominik Holler  wrote:
>>>


>>>> On Thu, Aug 22, 2019 at 1:18 PM Miguel Duarte de Mora Barroso <
>>>> mdbarr...@redhat.com> wrote:
>>>>
>>>>> On Wed, Aug 21, 2019 at 9:18 AM  wrote:
>>>>> >
>>>>> > good day
>>>>> > currently i am testing oVirt on a single box and setup some tagged
>>>>> > vms and non tagged vm.
>>>>> > the non tagged vm is a firewall but it has limitations on the number
>>>>> > of nic so i cannot attach tagged vnic and wish to handle vlan tagging
>>>>> > on it
>>>>> >
>>>>> > is it possible to pass untagged frames internally?
>>>>>
>>>>> I think it would fallback to the linux bridge default configuration,
>>>>> which internally tags untagged frames with vlanID 1, and untags them
>>>>> when exiting the port. Unless I'm wrong (for instance, we change the
>>>>> bridge defaults), this means you can pass untagged frames through the
>>>>> bridge.
>>>>>
>>>>> Adding Edward, to keep me honest.
>>>>>
>>>>>
>>>>>
>>>> I am unsure if I got the problem.
>>>> If you connect an untagged logical network to a vNIC (virtual NIC of a
>>>> VM), all untagged Ethernet frames will be forwarded from the host interface
>>>> (physical NIC or bond).
>>>> If no tagged logical network is attached to this host interface, VLAN
>>>> tag filtering is not activated and even tagged Frames would be forwarded to
>>>> the vNIC.
>>>>
>>>> Does this answer the question?
>>>>
>>>>
>>>>


[ovirt-users] Re: attach untagged vlan internally on vm

2019-08-23 Thread Ernest Clyde Chua
Good day.
yes the VMs and the firewall on the same L2 network also the firewall is
hosted in oVirt alongside the VMs, currently there is no external switch
connected to the nic and i would like to know if it is possible to pass tag
internally.


On Fri, Aug 23, 2019 at 9:21 PM Tony Pearce  wrote:

> Have the VM and the firewall on the same L2 network. Configure the VM with
> a default gateway of the interface of the firewall.
>
> Is it what you're looking for?
>
> On Fri., 23 Aug. 2019, 21:15 Ernest Clyde Chua, <
> ernestclydeac...@gmail.com> wrote:
>
>> Good day.
>> sorry if i got you guys confused.
>> for clarity:
>>
>> i have a server with two nic, currently one nic is connected to public
>> network and the other one is disconnected.
>>
>> And i have a vm that will be the firewall of other vm inside this
>> standalone/selfhosted ovirt.
>>
>> then i am figuring out how can i pass the vlan ids on the vm or is it
>> possible.
>>
>>
>>
>>
>>
>> On Fri, 23 Aug 2019, 7:46 PM Dominik Holler  wrote:
>>
>>>
>>>
>>> On Thu, Aug 22, 2019 at 1:18 PM Miguel Duarte de Mora Barroso <
>>> mdbarr...@redhat.com> wrote:
>>>
>>>> On Wed, Aug 21, 2019 at 9:18 AM  wrote:
>>>> >
>>>> > good day
>>>> > currently i am testing oVirt on a single box and setup some tagged
>>>> > vms and non tagged vm.
>>>> > the non tagged vm is a firewall but it has limitations on the number
>>>> > of nic so i cannot attach tagged vnic and wish to handle vlan tagging
>>>> > on it
>>>> >
>>>> > is it possible to pass untagged frames internally?
>>>>
>>>> I think it would fallback to the linux bridge default configuration,
>>>> which internally tags untagged frames with vlanID 1, and untags them
>>>> when exiting the port. Unless I'm wrong (for instance, we change the
>>>> bridge defaults), this means you can pass untagged frames through the
>>>> bridge.
>>>>
>>>> Adding Edward, to keep me honest.
>>>>
>>>>
>>>>
>>> I am unsure if I got the problem.
>>> If you connect an untagged logical network to a vNIC (virtual NIC of a
>>> VM), all untagged Ethernet frames will be forwarded from the host interface
>>> (physical NIC or bond).
>>> If no tagged logical network is attached to this host interface, VLAN
>>> tag filtering is not activated and even tagged Frames would be forwarded to
>>> the vNIC.
>>>
>>> Does this answer the question?


[ovirt-users] Re: attach untagged vlan internally on vm

2019-08-23 Thread Tony Pearce
Have the VM and the firewall on the same L2 network. Configure the VM with
a default gateway of the interface of the firewall.

Is it what you're looking for?

On Fri., 23 Aug. 2019, 21:15 Ernest Clyde Chua, 
wrote:

> Good day.
> sorry if i got you guys confused.
> for clarity:
>
> i have a server with two nic, currently one nic is connected to public
> network and the other one is disconnected.
>
> And i have a vm that will be the firewall of other vm inside this
> standalone/selfhosted ovirt.
>
> then i am figuring out how can i pass the vlan ids on the vm or is it
> possible.
>
>
>
>
>
> On Fri, 23 Aug 2019, 7:46 PM Dominik Holler  wrote:
>
>>
>>
>> On Thu, Aug 22, 2019 at 1:18 PM Miguel Duarte de Mora Barroso <
>> mdbarr...@redhat.com> wrote:
>>
>>> On Wed, Aug 21, 2019 at 9:18 AM  wrote:
>>> >
>>> > good day
>>> > currently i am testing oVirt on a single box and setup some tagged vms
>>> > and non tagged vm.
>>> > the non tagged vm is a firewall but it has limitations on the number
>>> > of nic so i cannot attach tagged vnic and wish to handle vlan tagging on it
>>> >
>>> > is it possible to pass untagged frames internally?
>>>
>>> I think it would fallback to the linux bridge default configuration,
>>> which internally tags untagged frames with vlanID 1, and untags them
>>> when exiting the port. Unless I'm wrong (for instance, we change the
>>> bridge defaults), this means you can pass untagged frames through the
>>> bridge.
>>>
>>> Adding Edward, to keep me honest.
>>>
>>>
>>>
>> I am unsure if I got the problem.
>> If you connect an untagged logical network to a vNIC (virtual NIC of a
>> VM), all untagged Ethernet frames will be forwarded from the host interface
>> (physical NIC or bond).
>> If no tagged logical network is attached to this host interface, VLAN tag
>> filtering is not activated and even tagged Frames would be forwarded to the
>> vNIC.
>>
>> Does this answer the question?


[ovirt-users] Re: attach untagged vlan internally on vm

2019-08-23 Thread Ernest Clyde Chua
Good day.
sorry if i got you guys confused.
for clarity:

i have a server with two nic, currently one nic is connected to public
network and the other one is disconnected.

And i have a vm that will be the firewall of other vm inside this
standalone/selfhosted ovirt.

then i am figuring out how can i pass the vlan ids on the vm or is it
possible.





On Fri, 23 Aug 2019, 7:46 PM Dominik Holler  wrote:

>
>
> On Thu, Aug 22, 2019 at 1:18 PM Miguel Duarte de Mora Barroso <
> mdbarr...@redhat.com> wrote:
>
>> On Wed, Aug 21, 2019 at 9:18 AM  wrote:
>> >
>> > good day
>> > currently i am testing oVirt on a single box and setup some tagged vms
>> > and non tagged vm.
>> > the non tagged vm is a firewall but it has limitations on the number of
>> > nic so i cannot attach tagged vnic and wish to handle vlan tagging on it
>> >
>> > is it possible to pass untagged frames internally?
>>
>> I think it would fallback to the linux bridge default configuration,
>> which internally tags untagged frames with vlanID 1, and untags them
>> when exiting the port. Unless I'm wrong (for instance, we change the
>> bridge defaults), this means you can pass untagged frames through the
>> bridge.
>>
>> Adding Edward, to keep me honest.
>>
>>
>>
> I am unsure if I got the problem.
> If you connect an untagged logical network to a vNIC (virtual NIC of a
> VM), all untagged Ethernet frames will be forwarded from the host interface
> (physical NIC or bond).
> If no tagged logical network is attached to this host interface, VLAN tag
> filtering is not activated and even tagged Frames would be forwarded to the
> vNIC.
>
> Does this answer the question?


[ovirt-users] Re: attach untagged vlan internally on vm

2019-08-23 Thread Dominik Holler
On Thu, Aug 22, 2019 at 1:18 PM Miguel Duarte de Mora Barroso <
mdbarr...@redhat.com> wrote:

> On Wed, Aug 21, 2019 at 9:18 AM  wrote:
> >
> > good day
> > currently i am testing oVirt on a single box and setup some tagged vms
> > and non tagged vm.
> > the non tagged vm is a firewall but it has limitations on the number of
> > nic so i cannot attach tagged vnic and wish to handle vlan tagging on it
> >
> > is it possible to pass untagged frames internally?
>
> I think it would fallback to the linux bridge default configuration,
> which internally tags untagged frames with vlanID 1, and untags them
> when exiting the port. Unless I'm wrong (for instance, we change the
> bridge defaults), this means you can pass untagged frames through the
> bridge.
>
> Adding Edward, to keep me honest.
>
>
>
I am unsure if I got the problem.
If you connect an untagged logical network to a vNIC (virtual NIC of a VM),
all untagged Ethernet frames will be forwarded from the host interface
(physical NIC or bond).
If no tagged logical network is attached to this host interface, VLAN tag
filtering is not activated and even tagged Frames would be forwarded to the
vNIC.

Does this answer the question?





[ovirt-users] Re: attach untagged vlan internally on vm

2019-08-22 Thread Miguel Duarte de Mora Barroso
On Wed, Aug 21, 2019 at 9:18 AM  wrote:
>
> good day
> currently i am testing oVirt on a single box and setup some tagged vms and
> non tagged vm.
> the non tagged vm is a firewall but it has limitations on the number of nic
> so i cannot attach tagged vnic and wish to handle vlan tagging on it
>
> is it possible to pass untagged frames internally?

I think it would fallback to the linux bridge default configuration,
which internally tags untagged frames with vlanID 1, and untags them
when exiting the port. Unless I'm wrong (for instance, we change the
bridge defaults), this means you can pass untagged frames through the
bridge.

Adding Edward, to keep me honest.



