Re: [Users] Networking questions (LONG)
Quoting Dan Kenigsberg <dan...@redhat.com>:

> This was devised as a security constraint - otherwise, a VM attached to the non-VLAN network could sniff traffic from another (VLAN) network. However, it seems that this is exactly what you need - a special VM that is designed to do just that.

Well, I would prefer it not be a VM but part of the oVirt networking stack itself. VMware has this built in with just a few clicks (you assign a VLAN ID of 4095 to a port group/network and it is basically tagging that port group with all VLAN IDs). VMware of course is not using the Linux networking, though; they use their own vSwitch, so that is probably how they are able to do it. So it seems to me the problem of not being able to do exactly what I am looking to do within oVirt itself is not really a shortfall of oVirt, per se, but the underlying platform on which it relies :-(

> And it's not only you: there's another recent request for lifting this limitation:
>
> Bug 1049476 - [RFE] Mix untagged and tagged Logical Networks on the same NIC

I actually do not have a problem with not being able to mix untagged and tagged Logical Networks on the same NIC; it is very convenient to be able to do so, but would not be considered a show-stopper IMO; if two physical NICs would need to be used, so be it.

> I do not understand what you are trying to do with dummy devices (after all, they are not going to send any packet anywhere).

Since my test server only has one physical NIC, I am using the dummy devices instead of physical ones. I know they cannot pass traffic outside of the server (unless attached to a VM that is also attached to the physical NIC), but I am not concerned with that at the moment. I am trying to test with a virtual lab, and as long as the traffic/access behaves as expected within it, there should be no reason it should not behave as expected with physical NICs, when I get to that stage.

> But if you are willing to mess with network configuration under the feet of oVirt, you could do the following:

As long as it does not involve too much complexity, I have no problem with having to mess with some configuration outside of oVirt. It has to be kept pretty minimal. We are looking for a good alternative to VMware so we don't have to keep putting up with their onerous licensing. oVirt is our evaluation; if it ticks all our boxes, we would likely go with RHEV for those clients who are more comfortable with the commercial support, and oVirt for the others. Unfortunately, this trunk capability is a pretty big one :-(

> - create a network tagged with an id that is not really used in your datacenter, say 999, and attach it to the host.
> - build and install vdsm-hook-extnet rpm
> - define a vnic profile using this network, and adding a custom property called extnet with the value of (say) untagged.
> - set up a bridge named untagged directly on top of your eth0 (say breth0)
> - define a libvirt bridged network named untagged, that uses breth0.
> - attach the vnic of your firewall VM to your vnic profile.

I will give the above a try and let you know. It might be a few days before I can get to it though.

I am really looking to do a trunk port though, which actually carries multiple tagged VLANs. Going back to VMware, just for clarification, when VLAN ID 4095 is assigned to the trunk port group/network we create, that's the same thing as tagging that port group with all VLAN IDs, from 1 through to 4094. It is very different from having it untagged. OpenvSwitch supports this, but it appears it will be a while until full/natural integration is done with OpenvSwitch. Unfortunately, we are not developers, so we are unable to help with its integration :-(

Anyway, we are not ready to give up yet. We'll see what we can do with the above and let you know.

The other work-around, of course, is an earlier suggestion of just adding as many vNICs to the firewall VM as we need for each VLAN'd Logical Network, but that would raise another problem, albeit a rare one: if we were to put oVirt/RHEV in our own datacenter, replacing VMware, we have a couple of BGP routers that are set up with a few dozen VLANs. It would be a PITA to add a vNIC for each one :-( Most of our deployments with our clients, though, have less than ten VLANs, so it *could* be workable enough in those cases.

-Alan

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Networking questions (LONG)
hi, Alan

I think the best way to solve your question is openvswitch (corresponding to vmware vswitch). But it has not been integrated with ovirt.

Your solution by adding dummy ethernet, I do not think it can work as you expect, because vm's ethernet (vnet) is vlan-aware or not. If it is vlan-aware, it can be aware of just only one tag. Promisc mode is limited in single vlan scope.

At 2014-01-09 16:07:46, Alan Murrell <li...@murrell.ca> wrote:

> Hello,
>
> I am evaluating oVirt as a replacement/alternative to VMware deployments we typically do. I have installed an all-in-one setup on a test box (which itself used to be an ESXi server), but it only has one NIC. I am trying to duplicate our typical configuration we do in VMware, which is this:
>
> 1.) we create several port groups on the vSwitch, each assigned a VLAN ID, such as:
>
> - VLAN001 (VLAN ID: 1)
> - VLAN002 (VLAN ID: 2)
> - VLAN009 (VLAN ID: 9)
> - VLAN010 (VLAN ID: 10)
> - VLAN200 (VLAN ID: 200)
> - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID 4095 is all VLANs and basically just passes the VLANs through to whatever is attached to the port group for the VM to handle)
>
> 2.) We assign VMs to port groups appropriate for the VLAN they are part of.
>
> 3.) The only VM that has a NIC assigned to the TRUNK port group is the firewall (which is Linux), and we create VLAN interfaces on it (i.e., eth1.1, eth1.2, eth1.10, eth1.200). The firewall VM acts as the router between the various VLANs.
>
> To replicate the above in oVirt, I created logical networks for each VLAN, and assigned the appropriate VLAN ID. It seems oVirt/KVM does not have an equivalent for VMware's VLAN ID of 4095, so after some searching around, for the TRUNK network I left it with no VLAN assigned. Because I cannot add VLAN and non-VLAN networks to the same physical NIC, after some searching around, it looks like I may have to utilise two NICs: one for the VLAN networks and one for the TRUNK network.
>
> Because, at this point, I am not yet concerned with making the test VMs I will be setting up be accessible from outside the virtual lab environment (i.e., everything will communicate within my oVirt server/network for now), I am trying to make use of dummy interfaces, but I am not sure the best way to make use of this. I am able to create the dummy* interfaces and have them show up in oVirt, but I am not sure of how they should be set up. Here is what I am *thinking* should be done, but want to make sure it is correct before getting too deep:
>
> - I will use the physical NIC for management, therefore the ovirtmgmt bridge with eth0 assigned to it will remain as-is
> - Create two dummy interfaces: dummy0 and dummy1
> - Create a new bridge, ovirtvm and assign dummy0 and dummy1 to it
> - Attach the VLAN-enabled networks to dummy0
> - Attach the TRUNK network to dummy1
>
> Would the above be the way to go about this? The one thing I am not sure of is whether or not having no VLAN assigned (on the TRUNK network) accomplishes the same thing as the VLAN ID 4095 in VMware: will oVirt/KVM just pass the traffic through for the VM attached to it to deal with?
>
> Thanks for reading this far, and I appreciate any help you might be able to lend in the above.
>
> -Alan
Re: [Users] Networking questions (LONG)
Hi Allan,

On 10/01/14 02:16, Alan Murrell wrote:
> Hello Lior,
>
> Thank you for your reply.

Sure, let's try to get that setup of yours working :)

> Quoting Lior Vernia <lver...@redhat.com>:
>
>> This way the firewall VM will get something like eth1 for VLAN 1, eth2 for VLAN 200 and so forth, which might be close enough to what you described on your previous setup (oVirt currently doesn't allow creating VLANs inside VMs). And if I correctly understood your needs it will save you the trouble you described below (well, you would need the one dummy interface).
>
> That would be doable, except I am not sure if there is a limit to the number of vNICs a VM could have and/or if there is an OS-level limit to how many? It is also a bit messier IMO, but that is more of a personal issue than a technical one, and one I could probably get over :-)

oVirt does not enforce any sort of limit on the number of vNICs. I personally don't know about KVM or your VMs' OS, but this should be Googleable.

> When you say that oVirt currently doesn't allow creating VLANs inside VMs, are you referring to the use of VLAN interfaces like I describe (e.g., eth1.1, eth1.2, eth1.10, etc.)? If so, is that an oVirt limitation, or a KVM one?

Yes, sorry, I realise now that my phrasing was only half-understandable. I indeed meant that oVirt doesn't support attaching more than one network to the same vNIC (be it VLAN-tagged or not). I doubt that this is a KVM limitation (but I'm no expert on KVM), I think it's just something that we haven't yet found a strong case for in oVirt.

> I have seen examples where one can create a Trunk with KVM and Open vSwitch, and I thought for some reason oVirt used Open vSwitch, but none of the commands I tried from the examples were found. A check of http://www.ovirt.org/Features/Node/OpenVSwitchSupport shows that indeed there does not appear to be any integration yet, and it is only 60% done :-(

I actually know nothing of the link you provided, but I can offer alternatives.

If you REALLY want to use OVS with oVirt NOW, you could take advantage of its integration with OpenStack Neutron. That would require you to install another machine (should be possible on an all-in-one setup too) as a Neutron server. This might go smoothly or it might cause you some headaches.
http://www.ovirt.org/Features/Detailed_OSN_Integration

It will probably become possible in the future to use OVS with oVirt directly (although I can't promise or commit on the time frame) by leveraging a development process that's going on in VDSM networking right now. In fact, if you're a developer you could help make it happen and control the time frame yourself by contributing to an OVS backend.
http://www.ovirt.org/Feature/NetworkReloaded

> With regards to using the dummy interfaces, I realised I probably do not need to add them to a bridge, since they would be physical NICs in production (this is just for testing). I initially did create the ovirtvm bridge before I realised that, but have made them stand-alone NICs with no IPs attached to them, but they are not green in oVirt when I try to attach my logical networks to them under Networks -> Hosts -> vmhost01 -> Setup Host Networks. When I am in Setup Host Networks, I see my dummy interfaces, but they have a red dot instead of a green one (like what eth0 has). I can attach my logical networks to them, but the Network Device Status has a red arrow pointing down. Here are my ifcfg-dummy* files:

I'm not an expert on these things, but this Down status is basically the administrative link state on the host. From my experience when logical networks are attached via the Setup Networks dialog, it does go up, although I haven't tried without an IP address. Also, it's worth trying to see if the actual networking works even if the NIC shows as down, or to ifup the NIC manually if it doesn't.

> --- ifcfg-dummy0 ---
> DEVICE=dummy0
> ONBOOT=yes
> TYPE=Ethernet
> DELAY=0
> BOOTPROTO=none
> NM_CONTROLLED=no
> STP=no
> --- ifcfg-dummy0 ---
>
> My ifcfg-dummy1 is identical, except of course it has DEVICE=dummy1 in it.
>
> The interfaces do come up on the host, but as I said, in Setup Host Networks they have a red dot instead of a green one. Perhaps I do need to assign an IP? I can maybe assign a dummy one (i.e., one that I would never use)?
>
> -Alan
Re: [Users] Networking questions (LONG)
On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
> Hello Alan,
>
> On 09/01/14 10:07, Alan Murrell wrote:
>> Hello,
>>
>> I am evaluating oVirt as a replacement/alternative to VMware deployments we typically do. I have installed an all-in-one setup on a test box (which itself used to be an ESXi server), but it only has one NIC. I am trying to duplicate our typical configuration we do in VMware, which is this:
>>
>> 1.) we create several port groups on the vSwitch, each assigned a VLAN ID, such as:
>>
>> - VLAN001 (VLAN ID: 1)
>> - VLAN002 (VLAN ID: 2)
>> - VLAN009 (VLAN ID: 9)
>> - VLAN010 (VLAN ID: 10)
>> - VLAN200 (VLAN ID: 200)
>> - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID 4095 is all VLANs and basically just passes the VLANs through to whatever is attached to the port group for the VM to handle)
>>
>> 2.) We assign VMs to port groups appropriate for the VLAN they are part of.
>>
>> 3.) The only VM that has a NIC assigned to the TRUNK port group is the firewall (which is Linux), and we create VLAN interfaces on it (i.e., eth1.1, eth1.2, eth1.10, eth1.200). The firewall VM acts as the router between the various VLANs.
>>
>> To replicate the above in oVirt, I created logical networks for each VLAN, and assigned the appropriate VLAN ID. It seems oVirt/KVM does not have an equivalent for VMware's VLAN ID of 4095, so after some searching around, for the TRUNK network I left it with no VLAN assigned. Because I cannot add VLAN and non-VLAN networks to the same physical NIC, after some searching around, it looks like I may have to utilise two NICs: one for the VLAN networks and one for the TRUNK network.
>
> That is true. One non-VLAN network can in fact sit on the same NIC with VLAN networks, but it has to be non-VM.

This was devised as a security constraint - otherwise, a VM attached to the non-VLAN network could sniff traffic from another (VLAN) network. However, it seems that this is exactly what you need - a special VM that is designed to do just that.

And it's not only you: there's another recent request for lifting this limitation:

Bug 1049476 - [RFE] Mix untagged and tagged Logical Networks on the same NIC

> However, I'm not sure that you in fact need a TRUNK VM network in oVirt. If you want your firewall VM to get all traffic from the VLANs, you could create a vNIC for each network, to which you'll attach a profile (oVirt's equivalent of port group if I'm not mistaken) of the corresponding network. The host can remain with just the VLAN networks attached to its NICs, without a designated TRUNK. This way the firewall VM will get something like eth1 for VLAN 1, eth2 for VLAN 200 and so forth, which might be close enough to what you described on your previous setup (oVirt currently doesn't allow creating VLANs inside VMs). And if I correctly understood your needs it will save you the trouble you described below (well, you would need the one dummy interface).
>
>> Because, at this point, I am not yet concerned with making the test VMs I will be setting up be accessible from outside the virtual lab environment (i.e., everything will communicate within my oVirt server/network for now), I am trying to make use of dummy interfaces, but I am not sure the best way to make use of this. I am able to create the dummy* interfaces and have them show up in oVirt, but I am not sure of how they should be set up. Here is what I am *thinking* should be done, but want to make sure it is correct before getting too deep:
>>
>> - I will use the physical NIC for management, therefore the ovirtmgmt bridge with eth0 assigned to it will remain as-is
>> - Create two dummy interfaces: dummy0 and dummy1
>> - Create a new bridge, ovirtvm and assign dummy0 and dummy1 to it
>
> This is something that currently can't be done from within the oVirt engine, but if my above suggestion works for you then it won't be needed.
>
>> - Attach the VLAN-enabled networks to dummy0
>> - Attach the TRUNK network to dummy1

I do not understand what you are trying to do with dummy devices (after all, they are not going to send any packet anywhere).

But if you are willing to mess with network configuration under the feet of oVirt, you could do the following:

- create a network tagged with an id that is not really used in your datacenter, say 999, and attach it to the host.
- build and install vdsm-hook-extnet rpm
- define a vnic profile using this network, and adding a custom property called extnet with the value of (say) untagged.
- set up a bridge named untagged directly on top of your eth0 (say breth0)
- define a libvirt bridged network named untagged, that uses breth0.
- attach the vnic of your firewall VM to your vnic profile.

Now, when you start up your firewall vm, the extnet hook gets into action, and forces the firewall vm from the 999 network, into using your hand-crafted network.

This all sounds a bit long
Re: [Users] Networking questions (LONG)
Hi Dan,

I take the chance to ask; why is it that the untagged IF can see the traffic of the tagged vlans? Isn't that filtered at kernel level? Is this a virtualization design limitation or is it down to the kernel? I don't know how the kernel processes the packets, but I thought that packets that arrive to the nic are filtered by the kernel and sent to the respective vif (untagged to the master interface and tagged to the .XX interfaces). I ask because other virtualization platforms don't have this limitation and I wonder if it's because they don't care or because they solved this somehow.

Regards,

On 10/01/14 09:32, Dan Kenigsberg wrote:
> On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
>> Hello Alan,
>>
>> On 09/01/14 10:07, Alan Murrell wrote:
>>> Hello,
>>>
>>> I am evaluating oVirt as a replacement/alternative to VMware deployments we typically do. I have installed an all-in-one setup on a test box (which itself used to be an ESXi server), but it only has one NIC. I am trying to duplicate our typical configuration we do in VMware, which is this:
>>>
>>> 1.) we create several port groups on the vSwitch, each assigned a VLAN ID, such as:
>>>
>>> - VLAN001 (VLAN ID: 1)
>>> - VLAN002 (VLAN ID: 2)
>>> - VLAN009 (VLAN ID: 9)
>>> - VLAN010 (VLAN ID: 10)
>>> - VLAN200 (VLAN ID: 200)
>>> - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID 4095 is all VLANs and basically just passes the VLANs through to whatever is attached to the port group for the VM to handle)
>>>
>>> 2.) We assign VMs to port groups appropriate for the VLAN they are part of.
>>>
>>> 3.) The only VM that has a NIC assigned to the TRUNK port group is the firewall (which is Linux), and we create VLAN interfaces on it (i.e., eth1.1, eth1.2, eth1.10, eth1.200). The firewall VM acts as the router between the various VLANs.
>>>
>>> To replicate the above in oVirt, I created logical networks for each VLAN, and assigned the appropriate VLAN ID. It seems oVirt/KVM does not have an equivalent for VMware's VLAN ID of 4095, so after some searching around, for the TRUNK network I left it with no VLAN assigned. Because I cannot add VLAN and non-VLAN networks to the same physical NIC, after some searching around, it looks like I may have to utilise two NICs: one for the VLAN networks and one for the TRUNK network.
>>
>> That is true. One non-VLAN network can in fact sit on the same NIC with VLAN networks, but it has to be non-VM.
>
> This was devised as a security constraint - otherwise, a VM attached to the non-VLAN network could sniff traffic from another (VLAN) network. However, it seems that this is exactly what you need - a special VM that is designed to do just that.
>
> And it's not only you: there's another recent request for lifting this limitation:
>
> Bug 1049476 - [RFE] Mix untagged and tagged Logical Networks on the same NIC
>
>> However, I'm not sure that you in fact need a TRUNK VM network in oVirt. If you want your firewall VM to get all traffic from the VLANs, you could create a vNIC for each network, to which you'll attach a profile (oVirt's equivalent of port group if I'm not mistaken) of the corresponding network. The host can remain with just the VLAN networks attached to its NICs, without a designated TRUNK. This way the firewall VM will get something like eth1 for VLAN 1, eth2 for VLAN 200 and so forth, which might be close enough to what you described on your previous setup (oVirt currently doesn't allow creating VLANs inside VMs). And if I correctly understood your needs it will save you the trouble you described below (well, you would need the one dummy interface).
>>
>>> Because, at this point, I am not yet concerned with making the test VMs I will be setting up be accessible from outside the virtual lab environment (i.e., everything will communicate within my oVirt server/network for now), I am trying to make use of dummy interfaces, but I am not sure the best way to make use of this. I am able to create the dummy* interfaces and have them show up in oVirt, but I am not sure of how they should be set up. Here is what I am *thinking* should be done, but want to make sure it is correct before getting too deep:
>>>
>>> - I will use the physical NIC for management, therefore the ovirtmgmt bridge with eth0 assigned to it will remain as-is
>>> - Create two dummy interfaces: dummy0 and dummy1
>>> - Create a new bridge, ovirtvm and assign dummy0 and dummy1 to it
>>
>> This is something that currently can't be done from within the oVirt engine, but if my above suggestion works for you then it won't be needed.
>>
>>> - Attach the VLAN-enabled networks to dummy0
>>> - Attach the TRUNK network to dummy1
>
> I do not understand what you are trying to do with dummy devices (after all, they are not going to send any packet anywhere).
>
> But if you are willing to mess with network configuration under the feet of oVirt, you could do the following:
>
> - create a network tagged with an id that is not really used in your
Re: [Users] Networking questions (LONG)
On 01/10/2014 01:32 PM, Dan Kenigsberg wrote:
> On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
>> Hello Alan,
>>
>> On 09/01/14 10:07, Alan Murrell wrote:
>>> Hello,
>>>
>>> I am evaluating oVirt as a replacement/alternative to VMware deployments we typically do. I have installed an all-in-one setup on a test box (which itself used to be an ESXi server), but it only has one NIC. I am trying to duplicate our typical configuration we do in VMware, which is this:
>>>
>>> 1.) we create several port groups on the vSwitch, each assigned a VLAN ID, such as:
>>>
>>> - VLAN001 (VLAN ID: 1)
>>> - VLAN002 (VLAN ID: 2)
>>> - VLAN009 (VLAN ID: 9)
>>> - VLAN010 (VLAN ID: 10)
>>> - VLAN200 (VLAN ID: 200)
>>> - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID 4095 is all VLANs and basically just passes the VLANs through to whatever is attached to the port group for the VM to handle)
>>>
>>> 2.) We assign VMs to port groups appropriate for the VLAN they are part of.
>>>
>>> 3.) The only VM that has a NIC assigned to the TRUNK port group is the firewall (which is Linux), and we create VLAN interfaces on it (i.e., eth1.1, eth1.2, eth1.10, eth1.200). The firewall VM acts as the router between the various VLANs.
>>>
>>> To replicate the above in oVirt, I created logical networks for each VLAN, and assigned the appropriate VLAN ID. It seems oVirt/KVM does not have an equivalent for VMware's VLAN ID of 4095, so after some searching around, for the TRUNK network I left it with no VLAN assigned. Because I cannot add VLAN and non-VLAN networks to the same physical NIC, after some searching around, it looks like I may have to utilise two NICs: one for the VLAN networks and one for the TRUNK network.
>>
>> That is true. One non-VLAN network can in fact sit on the same NIC with VLAN networks, but it has to be non-VM.
>
> This was devised as a security constraint - otherwise, a VM attached to the non-VLAN network could sniff traffic from another (VLAN) network. However, it seems that this is exactly what you need - a special VM that is designed to do just that.

isn't that what promiscuous mode (aka port mirroring) is for?

> And it's not only you: there's another recent request for lifting this limitation:
>
> Bug 1049476 - [RFE] Mix untagged and tagged Logical Networks on the same NIC
>
>> However, I'm not sure that you in fact need a TRUNK VM network in oVirt. If you want your firewall VM to get all traffic from the VLANs, you could create a vNIC for each network, to which you'll attach a profile (oVirt's equivalent of port group if I'm not mistaken) of the corresponding network. The host can remain with just the VLAN networks attached to its NICs, without a designated TRUNK. This way the firewall VM will get something like eth1 for VLAN 1, eth2 for VLAN 200 and so forth, which might be close enough to what you described on your previous setup (oVirt currently doesn't allow creating VLANs inside VMs). And if I correctly understood your needs it will save you the trouble you described below (well, you would need the one dummy interface).
>>
>>> Because, at this point, I am not yet concerned with making the test VMs I will be setting up be accessible from outside the virtual lab environment (i.e., everything will communicate within my oVirt server/network for now), I am trying to make use of dummy interfaces, but I am not sure the best way to make use of this. I am able to create the dummy* interfaces and have them show up in oVirt, but I am not sure of how they should be set up. Here is what I am *thinking* should be done, but want to make sure it is correct before getting too deep:
>>>
>>> - I will use the physical NIC for management, therefore the ovirtmgmt bridge with eth0 assigned to it will remain as-is
>>> - Create two dummy interfaces: dummy0 and dummy1
>>> - Create a new bridge, ovirtvm and assign dummy0 and dummy1 to it
>>
>> This is something that currently can't be done from within the oVirt engine, but if my above suggestion works for you then it won't be needed.
>>
>>> - Attach the VLAN-enabled networks to dummy0
>>> - Attach the TRUNK network to dummy1
>
> I do not understand what you are trying to do with dummy devices (after all, they are not going to send any packet anywhere).
>
> But if you are willing to mess with network configuration under the feet of oVirt, you could do the following:
>
> - create a network tagged with an id that is not really used in your datacenter, say 999, and attach it to the host.
> - build and install vdsm-hook-extnet rpm
> - define a vnic profile using this network, and adding a custom property called extnet with the value of (say) untagged.
> - set up a bridge named untagged directly on top of your eth0 (say breth0)
> - define a libvirt bridged network named untagged, that uses breth0.
> - attach the vnic of your firewall VM to your vnic profile.
>
> Now, when you start up your firewall vm, the extnet hook gets into action, and forces the firewall vm from the 999 network, into using your hand-crafted network.
>
> This
Re: [Users] Networking questions (LONG)
On Fri, Jan 10, 2014 at 10:39:20AM -0200, Juan Pablo Lorier wrote:
> Hi Dan,
>
> I take the chance to ask; why is it that the untagged IF can see the traffic of the tagged vlans? Isn't that filtered at kernel level? Is this a virtualization design limitation or is it down to the kernel? I don't know how the kernel processes the packets, but I thought that packets that arrive to the nic are filtered by the kernel and sent to the respective vif (untagged to the master interface and tagged to the .XX interfaces). I ask because other virtualization platforms don't have this limitation and I wonder if it's because they don't care or because they solved this somehow.

I do not know how this is implemented elsewhere, but to the best of my knowledge, the master interface sees tagged packets, too (which is the basis of Alan's use case: he wants the trunk VM to see all traffic).

BTW, Alan, for this to actually work, you need to enable macspoofing on the relevant nic. Yet another step on the hack I've outlined earlier.

Dan.
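Dan's point above, that the untagged master interface also sees the tagged frames, is the whole reason oVirt keeps non-VLAN VM networks off a NIC that carries VLAN networks. The following is an added example (not from this thread and not oVirt/VDSM code) that parses 802.1Q frames and models which wire frames a VM port would deliver under four policies: an oVirt VLAN ("access") network, the untagged network as Dan describes it, a hardened untagged port that filters tagged frames, and a VMware-style "VLAN ID 4095" trunk. The policy names, MAC addresses and payloads are constructed for the demonstration.

```python
"""Model of which frames a VM port sees under the VLAN policies this thread
discusses.  Added example, not oVirt/VDSM code; all MACs and payloads are
constructed for the demonstration."""
import struct
from dataclasses import dataclass, replace
from typing import Iterable, Optional, Set

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800
VLAN_ID_MASK = 0x0FFF


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]      # None for an untagged frame
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame carrying at most one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan, offset = None, 14
    if ethertype == ETH_P_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, offset = tci & VLAN_ID_MASK, 18
    return Frame(dst, src, vlan, ethertype, raw[offset:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise a frame; vlan=None produces an untagged frame."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan <= 4094:   # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN id must be 1..4094")
    tag = struct.pack("!HHH", ETH_P_8021Q, (pcp << 13) | vlan, ethertype)
    return dst + src + tag + payload


def port_receives(frame: Frame, policy: str,
                  vlan: Optional[int] = None) -> Optional[Frame]:
    """Return the frame as the VM behind this port sees it, or None if the
    host does not deliver it.

    access   - oVirt VM network with a VLAN id: only that VLAN, tag stripped.
    untagged - oVirt non-VLAN VM network on a Linux bridge, modelled on
               Dan's statement that the master (untagged) interface sees
               the tagged frames too: the VM gets everything on the NIC.
    filtered - a hardened untagged port: untagged frames only.
    trunk    - VMware "VLAN ID 4095": every frame, tags left intact.
    """
    if policy == "access":
        if vlan is None:
            raise ValueError("access policy needs a VLAN id")
        return replace(frame, vlan=None) if frame.vlan == vlan else None
    if policy in ("untagged", "trunk"):
        return frame
    if policy == "filtered":
        return frame if frame.vlan is None else None
    raise ValueError(f"unknown policy {policy!r}")


def vlans_seen(raw_frames: Iterable[bytes], policy: str,
               vlan: Optional[int] = None) -> Set[Optional[int]]:
    """VLAN ids (None = untagged) of the wire frames a port would deliver."""
    seen: Set[Optional[int]] = set()
    for raw in raw_frames:
        frame = parse_frame(raw)
        if port_receives(frame, policy, vlan) is not None:
            seen.add(frame.vlan)
    return seen


# Constructed sample traffic on one NIC carrying the thread's VLAN010 and
# VLAN200 networks plus an untagged frame (locally administered MACs).
FW = bytes.fromhex("0200000000fe")        # the firewall VM
HOST_A = bytes.fromhex("020000000a01")    # a host in VLAN 10
HOST_B = bytes.fromhex("02000000c801")    # a host in VLAN 200
SAMPLE = [
    build_frame(FW, HOST_A, ETH_P_IP, b"vlan10 payload", vlan=10),
    build_frame(FW, HOST_B, ETH_P_IP, b"vlan200 payload", vlan=200),
    build_frame(FW, HOST_A, ETH_P_IP, b"untagged payload"),
]

if __name__ == "__main__":
    # "untagged" and "trunk" come out identical: that is why oVirt refuses
    # to put a non-VLAN VM network beside VLAN networks on the same NIC.
    for policy, vid in (("access", 10), ("untagged", None),
                        ("filtered", None), ("trunk", None)):
        print(f"{policy:9s} -> {sorted(vlans_seen(SAMPLE, policy, vid), key=str)}")
```

Run as a script it prints one line per policy; the "untagged" and "trunk" lines match, which is the sniffing exposure Dan refers to, while "filtered" shows what a separate NIC or a VLAN-filtering port gives the VM instead.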
Re: [Users] Networking questions (LONG)
On Fri, Jan 10, 2014 at 03:06:28PM +0200, Itamar Heim wrote:
> On 01/10/2014 01:32 PM, Dan Kenigsberg wrote:
>> On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
>>> Hello Alan,
>>>
>>> On 09/01/14 10:07, Alan Murrell wrote:
>>>> Hello,
>>>>
>>>> I am evaluating oVirt as a replacement/alternative to VMware deployments we typically do. I have installed an all-in-one setup on a test box (which itself used to be an ESXi server), but it only has one NIC. I am trying to duplicate our typical configuration we do in VMware, which is this:
>>>>
>>>> 1.) we create several port groups on the vSwitch, each assigned a VLAN ID, such as:
>>>>
>>>> - VLAN001 (VLAN ID: 1)
>>>> - VLAN002 (VLAN ID: 2)
>>>> - VLAN009 (VLAN ID: 9)
>>>> - VLAN010 (VLAN ID: 10)
>>>> - VLAN200 (VLAN ID: 200)
>>>> - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID 4095 is all VLANs and basically just passes the VLANs through to whatever is attached to the port group for the VM to handle)
>>>>
>>>> 2.) We assign VMs to port groups appropriate for the VLAN they are part of.
>>>>
>>>> 3.) The only VM that has a NIC assigned to the TRUNK port group is the firewall (which is Linux), and we create VLAN interfaces on it (i.e., eth1.1, eth1.2, eth1.10, eth1.200). The firewall VM acts as the router between the various VLANs.
>>>>
>>>> To replicate the above in oVirt, I created logical networks for each VLAN, and assigned the appropriate VLAN ID. It seems oVirt/KVM does not have an equivalent for VMware's VLAN ID of 4095, so after some searching around, for the TRUNK network I left it with no VLAN assigned. Because I cannot add VLAN and non-VLAN networks to the same physical NIC, after some searching around, it looks like I may have to utilise two NICs: one for the VLAN networks and one for the TRUNK network.
>>>
>>> That is true. One non-VLAN network can in fact sit on the same NIC with VLAN networks, but it has to be non-VM.
>>
>> This was devised as a security constraint - otherwise, a VM attached to the non-VLAN network could sniff traffic from another (VLAN) network. However, it seems that this is exactly what you need - a special VM that is designed to do just that.
>
> isn't that what promiscuous mode (aka port mirroring) is for?

Oh that makes more sense... But unfortunately, it is impossible to mirror more than a single network onto a vnic. (Engine implementation limitation).

However, one can devise a tc-based after_network_setup hook, that directs all traffic from all bridges onto a specific target bridge, onto which the firewall VM is connected.

Dan.
Re: [Users] Networking questions (LONG)
One other question to add:

If I do indeed need to create a new bridge (ovirtvm in my example), I do not want to assign any IPs to it, nor any of the logical networks I create. When I did try this in my fooling around, oVirt would not let me save the changes, giving me an error about network parameters not correct (I have the host shut down at the moment, so I can't get the exact message, but if necessary, I can get it for you when I get in to our shop in the morning)

Thanks! :-)

-Alan
Re: [Users] Networking questions (LONG)
Just as a quick shot: it is possible to configure it the way you want (ip-less bridges), but I can't exactly tell you what you're doing wrong atm. ip-less bridges work here with vlans and stuff, so keep trying or post more info about your setup :-)

On 09.01.2014 09:22, Alan Murrell wrote:
> One other question to add:
>
> If I do indeed need to create a new bridge (ovirtvm in my example), I do not want to assign any IPs to it, nor any of the logical networks I create. When I did try this in my fooling around, oVirt would not let me save the changes, giving me an error about network parameters not correct (I have the host shut down at the moment, so I can't get the exact message, but if necessary, I can get it for you when I get in to our shop in the morning)

--
Kind regards / Regards

Sven Kieske

System administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
Re: [Users] Networking questions (LONG)
Hello Alan,

On 09/01/14 10:07, Alan Murrell wrote:
> Hello,
>
> I am evaluating oVirt as a replacement/alternative to the VMware deployments we typically do. I have installed an all-in-one setup on a test box (which itself used to be an ESXi server), but it only has one NIC. I am trying to duplicate the typical configuration we do in VMware, which is this:
>
> 1.) We create several port groups on the vSwitch, each assigned a VLAN ID, such as:
> - VLAN001 (VLAN ID: 1)
> - VLAN002 (VLAN ID: 2)
> - VLAN009 (VLAN ID: 9)
> - VLAN010 (VLAN ID: 10)
> - VLAN200 (VLAN ID: 200)
> - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID 4095 is all VLANs and basically just passes the VLANs through to whatever is attached to the port group for the VM to handle)
>
> 2.) We assign VMs to port groups appropriate for the VLAN they are part of.
>
> 3.) The only VM that has a NIC assigned to the TRUNK port group is the firewall (which is Linux), and we create VLAN interfaces on it (i.e., eth1.1, eth1.2, eth1.10, eth1.200). The firewall VM acts as the router between the various VLANs.
>
> To replicate the above in oVirt, I created logical networks for each VLAN, and assigned the appropriate VLAN ID. It seems oVirt/KVM does not have an equivalent for VMware's VLAN ID of 4095, so after some searching around, for the TRUNK network I left it with no VLAN assigned. Because I cannot add VLAN and non-VLAN networks to the same physical NIC, it looks like I may have to utilise two NICs: one for the VLAN networks and one for the TRUNK network.

That is true. One non-VLAN network can in fact sit on the same NIC with VLAN networks, but it has to be non-VM.

However, I'm not sure that you in fact need a TRUNK VM network in oVirt. If you want your firewall VM to get all traffic from the VLANs, you could create a vNIC for each network, to which you'll attach a profile (oVirt's equivalent of port group if I'm not mistaken) of the corresponding network. The host can remain with just the VLAN networks attached to its NICs, without a designated TRUNK. This way the firewall VM will get something like eth1 for VLAN 1, eth2 for VLAN 200 and so forth, which might be close enough to what you described on your previous setup (oVirt currently doesn't allow creating VLANs inside VMs). And if I correctly understood your needs it will save you the trouble you described below (well, you would need the one dummy interface).

> Because, at this point, I am not yet concerned with making the test VMs I will be setting up accessible from outside the virtual lab environment (i.e., everything will communicate within my oVirt server/network for now), I am trying to make use of dummy interfaces, but I am not sure of the best way to make use of them. I am able to create the dummy* interfaces and have them show up in oVirt, but I am not sure how they should be set up. Here is what I am *thinking* should be done, but want to make sure it is correct before getting too deep:
>
> - I will use the physical NIC for management, therefore the ovirtmgmt bridge with eth0 assigned to it will remain as-is
> - Create two dummy interfaces: dummy0 and dummy1
> - Create a new bridge, ovirtvm, and assign dummy0 and dummy1 to it

This is something that currently can't be done from within the oVirt engine, but if my above suggestion works for you then it won't be needed.

> - Attach the VLAN-enabled networks to dummy0
> - Attach the TRUNK network to dummy1
>
> Would the above be the way to go about this? The one thing I am not sure of is whether or not having no VLAN assigned (on the TRUNK network) accomplishes the same thing as the VLAN ID 4095 in VMware: will oVirt/KVM just pass the traffic through for the VM attached to it to deal with?
>
> Thanks for reading this far, and I appreciate any help you might be able to lend in the above.
>
> -Alan
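The firewall-side half of the VMware layout Alan describes (a trunk vNIC carrying tagged frames, split inside the Linux firewall VM into eth1.1, eth1.2, eth1.10, eth1.200) is the one piece that does not depend on oVirt at all. The script below is an added example, not from anyone in the thread, that emits the iproute2 commands creating those 802.1Q sub-interfaces and refuses the IDs that have no meaning on Linux: 0 is the priority tag and 4095 is reserved, which is why VMware's "4095 = every VLAN" has no direct equivalent here. The parent interface name and the ID list are parameters; nothing is executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: generate the commands for 802.1Q sub-interfaces on a Linux
# firewall VM's trunk interface (eth1.1, eth1.10, ... as in the thread).
# Parent interface and VLAN IDs are assumptions passed on the command line.

DRY_RUN="${DRY_RUN:-1}"       # 1 = print commands only (default), 0 = execute

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if $1 is a VLAN ID a sub-interface can carry: 1..4094.
# 0 is the priority tag and 4095 is reserved by 802.1Q, so both are rejected.
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# vlan_iface_cmds PARENT ID... : one sub-interface per ID, named PARENT.ID
# (the same naming the firewall VM in the thread uses: eth1.200 for VLAN 200).
vlan_iface_cmds() {
    parent="$1"
    shift
    for id in "$@"; do
        if ! valid_vlan_id "$id"; then
            printf 'skipping invalid VLAN id %s\n' "$id" >&2
            continue
        fi
        run ip link add link "$parent" name "$parent.$id" type vlan id "$id"
        run ip link set "$parent.$id" up
    done
}
```

Run as `vlan_iface_cmds eth1 1 2 10 200` to see the commands for the layout in the thread; the same call with 4095 in the list prints a warning for that ID and continues with the rest, which is the behaviour you want when the list comes from a config file.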