Ernest, you need to understand how things work under the hood to answer your
question.
Whether the traffic needs to pass through the NIC or not matters here.
How things work: For any VM network, a bridge is created on the host and
the vNICs from the VM/s are connected to it using tap devices.
When one defines a non vlan network, the bridge is created over the NIC
directly, passing all traffic (tag and non tag alike).
When a vlan network is defined, the bridge is created over a VLAN interface
and that VLAN interface is defined over the NIC,
therefore, only traffic with the specific vlan tag is forwarded from the
nic through the vlan interface to the bridge (and from there to the vNIC/s).
When there is a combination (VLAN + non VLAN networks), the traffic for the
VLAN networks is forwarded as mentioned above, anything else,
including non-tag and tag traffic, is forwarded to the non-vlan network
(this is why you can call it also a trunk network).
Now, if the traffic between your VM/s is local and will never go out
(including needed control traffic), it does not matter what the bridge
is defined on (a VLAN or the NIC directly).
This means, if you define a special network A, as vlanned or not, it will
not matter for the traffic between two tap devices connected to the same
network.
Traffic that comes from one tap device can pass to the other tap device,
ignoring VLAN/s.
[vnic]--trunk--<tap>[bridge]<tap>--trunk--[vnic]
                       |
                       +--[nic/vlan]--[external-switch]
If you want to make sure traffic does not get out, define the network as a
VLAN which does not exist on the external switch.
On Fri, Aug 23, 2019 at 5:53 PM Tony Pearce <tonyppe(a)gmail.com> wrote:
Maybe I misunderstand but no need for any tag on same layer 2 network
On Fri., 23 Aug. 2019, 22:15 Ernest Clyde Chua, <
ernestclydeachua(a)gmail.com> wrote:
> Good day.
> Yes, the VMs and the firewall are on the same L2 network; also, the firewall is
> hosted in oVirt alongside the VMs. Currently there is no external switch
> connected to the NIC, and I would like to know if it is possible to pass tags
> internally.
>
>
> On Fri, Aug 23, 2019 at 9:21 PM Tony Pearce <tonyppe(a)gmail.com> wrote:
>
>> Have the VM and the firewall on the same L2 network. Configure the VM
>> with a default gateway of the interface of the firewall.
>>
>> Is it what you're looking for?
>>
>> On Fri., 23 Aug. 2019, 21:15 Ernest Clyde Chua, <
>> ernestclydeachua(a)gmail.com> wrote:
>>
>>> Good day.
>>> Sorry if I got you guys confused.
>>> For clarity:
>>>
>>> I have a server with two NICs; currently one NIC is connected to the public
>>> network and the other one is disconnected.
>>>
>>> And I have a VM that will be the firewall of the other VMs inside this
>>> standalone/self-hosted oVirt.
>>>
>>> Then I am figuring out how I can pass the VLAN IDs on the VM, or if it is
>>> possible.
>>>
>>>
>>>
>>>
>>>
>>> On Fri, 23 Aug 2019, 7:46 PM Dominik Holler <dholler(a)redhat.com> wrote:
>>>
>>>>
>>>>
>>>> On Thu, Aug 22, 2019 at 1:18 PM Miguel Duarte de Mora Barroso <
>>>> mdbarroso(a)redhat.com> wrote:
>>>>
>>>>> On Wed, Aug 21, 2019 at 9:18 AM <ernestclydeachua(a)gmail.com> wrote:
>>>>> >
>>>>> > Good day.
>>>>> > Currently I am testing oVirt on a single box and set up some tagged
>>>>> > VMs and a non-tagged VM.
>>>>> > The non-tagged VM is a firewall, but it has limitations on the
>>>>> > number of NICs, so I cannot attach tagged vNICs and wish to handle VLAN
>>>>> > tagging on it.
>>>>> >
>>>>> > Is it possible to pass untagged frames internally?
>>>>>
>>>>> I think it would fall back to the Linux bridge default configuration,
>>>>> which internally tags untagged frames with vlanID 1, and untags them
>>>>> when exiting the port. Unless I'm wrong (for instance, we change the
>>>>> bridge defaults), this means you can pass untagged frames through the
>>>>> bridge.
>>>>>
>>>>> Adding Edward, to keep me honest.
>>>>>
>>>>>
>>>>>
>>>> I am unsure if I got the problem.
>>>> If you connect an untagged logical network to a vNIC (virtual NIC of a
>>>> VM), all untagged Ethernet frames will be forwarded from the host interface
>>>> (physical NIC or bond).
>>>> If no tagged logical network is attached to this host interface, VLAN
>>>> tag filtering is not activated and even tagged frames would be forwarded to
>>>> the vNIC.
>>>>
>>>> Does this answer the question?
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>> > _______________________________________________
>>>>> > Users mailing list -- users(a)ovirt.org
>>>>> > To unsubscribe send an email to users-leave(a)ovirt.org
>>>>> > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>>>> > oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>>>>> > List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/HYFSLS5QM5D...
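
The forwarding rules described in the reply at the top of this thread, written out as a small model. This is an added example, not part of any message in the thread and not oVirt code; the network names, VLAN IDs and the external switch's policy (untagged frames plus its configured VLANs) are constructed assumptions.

```python
# Toy model of the forwarding rules described in the thread (added example).
# Network names, VLAN ids and the switch VLAN set are constructed values.
UNTAGGED = None   # frame without an 802.1Q tag
DROP = "drop"     # frame reaches no VM network / is not forwarded


class Host:
    def __init__(self, vlan_networks, trunk_network=None):
        # {vlan_id: network}: each bridge sits on a VLAN interface over the NIC
        self.vlan_networks = dict(vlan_networks)
        # non-VLAN network: its bridge sits on the NIC directly
        self.trunk_network = trunk_network

    def from_nic(self, tag):
        """Frame arriving on the NIC -> (network, tag the vNIC sees) or DROP."""
        if tag in self.vlan_networks:
            # The VLAN interface accepts only its own tag and strips it.
            return self.vlan_networks[tag], UNTAGGED
        if self.trunk_network is not None:
            # Anything else, tagged or not, goes to the non-VLAN bridge as is.
            return self.trunk_network, tag
        return DROP

    def tap_to_tap(self, src_network, dst_network, tag):
        """Frame between two vNICs: forwarded unchanged on a shared bridge."""
        return tag if src_network == dst_network else DROP

    def to_wire(self, network, tag=UNTAGGED):
        """Outer tag on the wire when a vNIC frame leaves through the NIC."""
        for vlan_id, name in self.vlan_networks.items():
            if name == network:
                return vlan_id   # VLAN interface adds the network's tag
        return tag               # non-VLAN bridge sends the frame as is


def switch_forwards(wire_tag, switch_vlans):
    """Assumed switch policy: untagged frames and configured VLANs only."""
    return wire_tag is UNTAGGED or wire_tag in switch_vlans


if __name__ == "__main__":
    host = Host({100: "dmz", 999: "isolated"}, trunk_network="fw-trunk")
    print(host.from_nic(100), host.from_nic(200), host.from_nic(UNTAGGED))
    print(host.tap_to_tap("isolated", "isolated", 30))
    print(switch_forwards(host.to_wire("isolated"), {100}))
```

With VLAN 999 absent from the switch, frames from the "isolated" network still pass between its own vNICs but are not forwarded once they leave the host.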