Well, that's what we were mentioning. Check iptables on the destination host where your secondary IP was originally sitting (I mean where the VM is sitting) - there is a chain per VM or something. Check also ebtables rules, if any - somewhere you will probably see us filtering the ARP or something like that.

On Fri, 22 Nov 2019 at 18:22, Fariborz Navidan <mdvlinqu...@gmail.com> wrote:

> The issue is when I assign a secondary IP to a VM, it works if I set it on
> guest1, it works well but if I unset it on that guest (i.e. ip addr del
> command) and set it on another guest via 'ip' command, it does work because
> it is not resolved by its new MAC being announced.
>
> On Fri, Nov 22, 2019 at 8:30 PM Andrija Panic <andrija.pa...@gmail.com> wrote:
>
> > Select * from nic_secondary_ips - will show you no presence of MAC
> > address, so both your main IP and this secondary IP will have THE SAME MAC
> > address from the ACS perspective. The thing here is, you are MANUALLY
> > adding this second IP address (Virtual IP address) on some of the existing
> > i.e. eth0 interfaces - so that secondary IP will be resolvable via ARP to
> > the same MAC address as the main IP. CloudStack has nothing to do with that.
> >
> > The only thing you should worry about is if we filter based on the IP address -
> > but that is something you control via ingress and egress rules and
> > hopefully will work
> >
> > On Fri, 22 Nov 2019 at 17:30, Fariborz Navidan <mdvlinqu...@gmail.com> wrote:
> >
> > > You mean IPs are not constrained by MAC?
> > >
> > > On Fri, Nov 22, 2019 at 7:56 PM Andrija Panic <andrija.pa...@gmail.com> wrote:
> > >
> > > > Er... not sure what MAC address has to do with the secondary IP -
> > > > secondary IP is just an "alias IP" for the existing NIC, having the same
> > > > MAC address as the main NIC (since it's an additional IP for that NIC) -
> > > > unless something is broken
> > > >
> > > > On Fri, 22 Nov 2019 at 16:50, Fariborz Navidan <mdvlinqu...@gmail.com> wrote:
> > > >
> > > > > It does work in that way because it seems IPs are associated with randomly
> > > > > assigned MAC address assigned to a NIC. It means in guest OS, you can only
> > > > > use IPs which are reserved for a NIC on that VM. So bridge does not accept
> > > > > traffic from that IP it is used by another guest. It means there is a
> > > > > builtin MAC filter. So I am not able to freely use IPs on any VM I wish.
> > > > >
> > > > > I am not sure if this behavior is related to security group or is a
> > > > > default behavior of KVM or ACS
> > > > >
> > > > > On Fri, Nov 22, 2019 at 5:18 PM Andrija Panic <andrija.pa...@gmail.com> wrote:
> > > > >
> > > > > > you assign a single secondary IP for just one of the VMs (so it's reserved
> > > > > > and will not be assigned later to other VMs via ACS). This secondary IP is
> > > > > > NOT handled via DHCP, it is just reserved in DB as used.
> > > > > >
> > > > > > Now, go and manually use it inside both VMs. simple.
> > > > > >
> > > > > > it's a better question if VRRP heartbeat is allowed between 2 VMs
> > > > > > (protocol/port) and if you can allow traffic access to that secondary IP
> > > > > > address from outside.
> > > > > >
> > > > > > On Fri, 22 Nov 2019, 14:37 Fariborz Navidan, <mdvlinqu...@gmail.com> wrote:
> > > > > >
> > > > > > > The challenge is how can we assign a single IP as secondary IP on two or
> > > > > > > more VMs?
> > > > > > >
> > > > > > > On Fri, Nov 22, 2019 at 1:57 AM Andrija Panic <andrija.pa...@gmail.com> wrote:
> > > > > > >
> > > > > > > > VRRP is possible to configure anywhere - it's a different question whether
> > > > > > > > it will work due to firewall rules...
> > > > > > > > The simplest way to give yourself an answer is to test (allow all ingress,
> > > > > > > > all egress and test).
> > > > > > > >
> > > > > > > > On Thu, 21 Nov 2019 at 22:20, Fariborz Navidan <mdvlinqu...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > If security groups use ebtables, so why does my ebtables not have any
> > > > > > > > > rule on the host? Default egress policy on my guest network is Allow and I
> > > > > > > > > have added tcp/udp/icmp ingress rules to allow traffic go through.
> > > > > > > > >
> > > > > > > > > On Fri, Nov 22, 2019 at 12:03 AM Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
> > > > > > > > >
> > > > > > > > > > VRRP is a network layer protocol, uses multicast address 224.0.0.18 and
> > > > > > > > > > protocol number 112. As long as SG can allow this, it's possible, however
> > > > > > > > > > that may not be available out of the box. You can try some custom ebtables
> > > > > > > > > > rules on the KVM hosts.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > Rohit Yadav
> > > > > > > > > >
> > > > > > > > > > Software Architect, ShapeBlue
> > > > > > > > > >
> > > > > > > > > > https://www.shapeblue.com
> > > > > > > > > >
> > > > > > > > > > ________________________________
> > > > > > > > > > From: Fariborz Navidan <mdvlinqu...@gmail.com>
> > > > > > > > > > Sent: Thursday, November 21, 2019 17:56
> > > > > > > > > > To: users@cloudstack.apache.org <users@cloudstack.apache.org>
> > > > > > > > > > Subject: Is VRRP possible inside KVM/ACS
> > > > > > > > > >
> > > > > > > > > > Hello,
> > > > > > > > > >
> > > > > > > > > > Is it possible to configure VRRP inside KVM in a security group enabled
> > > > > > > > > > advanced zone? Should I enable promiscuous mode and forged transmit?
> > > > > > > > > >
> > > > > > > > > > rohit.ya...@shapeblue.com
> > > > > > > > > > www.shapeblue.com
> > > > > > > > > > Amadeus House, Floral Street, London WC2E 9DP UK
> > > > > > > > > > @shapeblue
> > > > > > > >
> > > > > > > > --
> > > > > > > > Andrija Panić
> > > > > >
> > > > > > --
> > > > > > Andrija Panić
> > > >
> > > > --
> > > > Andrija Panić

--
Andrija Panić
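
Added example, not part of the thread and not CloudStack code: a first-match walk over `iptables-save` text that shows why ingress rules limited to tcp/udp/icmp, as described above, do not cover VRRP (IP protocol 112, multicast 224.0.0.18). The chain name `vm-guest1`, the 10.1.1.0/24 addresses and all function names are assumptions, and only the `-p`, `-s`, `-d` and `-j` options are modelled.

```python
import ipaddress
import shlex
# Constructed iptables-save text; chain "vm-guest1" and addresses are hypothetical.
# FIXED is the same ruleset with a VRRP rule ahead of the existing per-VM rules.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
:vm-guest1 - [0:0]
-A FORWARD -j vm-guest1
-A vm-guest1 -p tcp -j ACCEPT
-A vm-guest1 -p udp -j ACCEPT
-A vm-guest1 -p icmp -j ACCEPT
-A vm-guest1 -j DROP
"""
VRRP_RULE = "-A vm-guest1 -s 10.1.1.0/24 -d 224.0.0.18/32 -p vrrp -j ACCEPT"
FIXED = SAMPLE.replace("-A vm-guest1 -p tcp", VRRP_RULE + "\n-A vm-guest1 -p tcp")

def parse(text):
    """Map each chain name to its rules, each rule a dict of option -> value."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["-A"]:
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return chains

def inside(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def walk(chains, chain, src, depth=0):
    """First-match verdict for a VRRP advertisement (IP protocol 112) from src."""
    for r in chains.get(chain, []):
        if (set(r) - {"-p", "-s", "-d", "-j"}  # unmodelled match: skip the rule
                or r.get("-p", "all") not in ("all", "112", "vrrp")
                or not inside(src, r.get("-s", "0.0.0.0/0"))
                or not inside("224.0.0.18", r.get("-d", "0.0.0.0/0"))):
            continue
        target = r.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if target == "RETURN" else target
        if target in chains and depth < 16:  # jump into a user-defined chain
            verdict = walk(chains, target, src, depth + 1)
            if verdict:
                return verdict
    return None

def vrrp_verdict(text, src, start="FORWARD"):
    return walk(parse(text), start, src) or "POLICY"  # POLICY: no rule decided
```

On a host, pass the real output of `iptables-save` and start from the chain that belongs to the VM; rules using options outside the four modelled ones are skipped, so read those by hand.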