Thank you.
I got so buried in the mechanics that I lost sight of the purpose of the
tagging. The tagged network should not be able to ping the untagged - that
was the whole purpose of the exercise.
The real problem is that the untagged network is unable to see its gateway
to the internet, which may be something as simple as configuring the
gateway on the router (not an oVirt problem). I was caught up chasing a red
herring by trying to ping the physical network.
On Wed, Feb 3, 2021, 12:26 AM Ales Musil <amusil(a)redhat.com> wrote:
On Tue, Feb 2, 2021 at 8:07 PM Dan Yasny <dyasny(a)gmail.com> wrote:
>
>
> On Tue, Feb 2, 2021 at 2:00 PM David Johnson <
> djohnson(a)maxistechnology.com> wrote:
>
>> Ah ... so if I connected one of the other ethernet ports to the tagged
>> traffic (second physical network for tagged traffic), it should work as I
>> expect?
>>
>
> Yes, if there are no untagged networks attached
>
Mixing untagged and tagged is not a good practice from a security point of
view, but it should work.
There might be 2 things blocking traffic to/from the VM. Please make sure that
the network does not have "Port Isolation".
The second thing might be network filters; they can be disabled in the
corresponding vNIC profile, and then rebooting the VM or unplugging/plugging
the VM interface will make this change effective.
Regards,
Ales
>
>
>> Regards,
>> David Johnson
>> Director of Development, Maxis Technology
>> 844.696.2947 ext 702 (o) | 479.531.3590 (c)
>> djohnson(a)maxistechnology.com
>>
>>
>> Maxis Technology <http://www.maxistechnology.com>
>> www.maxistechnology.com
>>
>>
>> stay connected <http://www.linkedin.com/in/pojoguy>
>>
>>
>> On Tue, Feb 2, 2021 at 12:56 PM Dan Yasny <dyasny(a)gmail.com> wrote:
>>
>>> You're trying to mix tagged and untagged traffic. That, iirc, isn't
>>> supported for security reasons (the untagged network can see all the tagged
>>> traffic). You can put multiple tagged networks on the same NIC though.
>>>
>>> Please check with the oVirt folks though; it's been a while since I
>>> last checked the state of things.
>>>
>>> On Tue, Feb 2, 2021 at 1:51 PM David Johnson <
>>> djohnson(a)maxistechnology.com> wrote:
>>>
>>>> I have a physical network ovirtmgmt, and a logical network 10-non-prod
>>>> with the vlan tag of 10 and the network label of 10.
>>>>
>>>> The physical and vlan have both been dragged to the enp0 NIC on the
>>>> host.
>>>>
>>>> What I understand from this is that the bridge has been there all
>>>> along, but, since I can't ping the host, no traffic is crossing it.
>>>>
>>>> Host IPs: 192.168.2.18/24 and 10.210.100.18/24
>>>> VLAN IP on host: 10.210.10.18/24
>>>>
>>>>
>>>> Regards,
>>>>
>>>> David Johnson
>>>>
>>>> On Tue, Feb 2, 2021 at 12:44 PM Dan Yasny <dyasny(a)gmail.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, Feb 2, 2021 at 1:38 PM David Johnson <
>>>>> djohnson(a)maxistechnology.com> wrote:
>>>>>
>>>>>> Thanks, this is a step closer, but the details are still very
>>>>>> sketchy.
>>>>>>
>>>>>> Following the instructions at
>>>>>> https://www.ovirt.org/documentation/administration_guide/#appe-Custom_Net...
>>>>>> :
>>>>>>
>>>>>> If I understand the instructions correctly:
>>>>>>
>>>>>> 1. Open the host in the oVirt UI
>>>>>> 2. Go to the Network tab
>>>>>> 3. Select the NIC I want to bridge to
>>>>>> 4. Click "Setup Host Networks"
>>>>>> 5. Click the pencil icon on the (host? VLAN?) network
>>>>>> 6. Choose the Custom Properties tab
>>>>>> 7. In the Custom Properties (Please Select a key), choose
>>>>>> "bridge_opts"
>>>>>> 8. ???? At this point, there is no way to add the keys it looks
>>>>>> like it needs ??? Total loss ???
>>>>>>
>>>>>>
>>>>> You need to create a logical network first. Do you have any of those?
>>>>> Logical networks are where you may add VLAN tags.
>>>>>
>>>>> In the hosts' network setup window you simply drag the logical
>>>>> network to the NIC or bond and save. The VLAN tag and bridge will be
>>>>> created accordingly on the host.
>>>>>
>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> David Johnson
>>>>>> Director of Development, Maxis Technology
>>>>>> 844.696.2947 ext 702 (o) | 479.531.3590 (c)
>>>>>> djohnson(a)maxistechnology.com
>>>>>>
>>>>>>
>>>>>> Maxis Technology <http://www.maxistechnology.com>
>>>>>> www.maxistechnology.com
>>>>>>
>>>>>>
>>>>>> stay connected <http://www.linkedin.com/in/pojoguy>
>>>>>>
>>>>>>
>>>>>> On Tue, Feb 2, 2021 at 9:24 AM Dan Yasny <dyasny(a)gmail.com> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Feb 2, 2021 at 10:20 AM David Johnson <
>>>>>>> djohnson(a)maxistechnology.com> wrote:
>>>>>>>
>>>>>>>> This is great ... I am missing the bridge (at least).
>>>>>>>>
>>>>>>>> Does the bridge reside on the host or the VM? Is it created in
>>>>>>>> the oVirt UI, or in the VM operating system?
>>>>>>>>
>>>>>>>
>>>>>>> On the host. Logical networks in oVirt are a virtual construct,
>>>>>>> translating to a "profile" that gets built on the hosts in the
>>>>>>> cluster. Essentially, each logical network is a bridge with the same
>>>>>>> name on the hosts, and if there's a VLAN tag, then the interface (or
>>>>>>> bond) gets tagged, and the bridge is built on top of that tagged
>>>>>>> interface. VMs are plugged into the bridges and their traffic flows
>>>>>>> through the bridges to the switches. Very simple really, and there was
>>>>>>> a KB we published about this about a decade ago.
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> David Johnson
>>>>>>>>
>>>>>>>> On Tue, Feb 2, 2021 at 9:16 AM Dan Yasny <dyasny(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Feb 2, 2021 at 10:06 AM David Johnson <
>>>>>>>>> djohnson(a)maxistechnology.com> wrote:
>>>>>>>>>
>>>>>>>>>> Good morning Ales,
>>>>>>>>>>
>>>>>>>>>> Thank you for your response.
>>>>>>>>>>
>>>>>>>>>> At this point, while I believe I have marked the networks as
>>>>>>>>>> required, I am hesitant to assume that they are marked because I
>>>>>>>>>> don't understand for sure which pieces I don't understand.
>>>>>>>>>>
>>>>>>>>>> Unfortunately, what I am missing is a number of random bits and
>>>>>>>>>> pieces that tie everything together.
>>>>>>>>>>
>>>>>>>>>> I have fought with the networking on this cluster for over a week.
>>>>>>>>>> The network configuration was so messed up it was faster and
>>>>>>>>>> cleaner to wipe the cluster completely and start from scratch, and
>>>>>>>>>> I just finished a clean reinstallation.
>>>>>>>>>>
>>>>>>>>>> Now that it's back up and I understand it better, the VMs on VLANs
>>>>>>>>>> are still unable to reach beyond themselves - they cannot even ping
>>>>>>>>>> the host they are on.
>>>>>>>>>>
>>>>>>>>>> Rather than try to address it symptom by symptom, I would like to
>>>>>>>>>> get a solid overview of how the different pieces tie together.
>>>>>>>>>> Unfortunately, in the official documentation, all I found was which
>>>>>>>>>> buttons to push to edit the VLAN, with nothing that addresses how
>>>>>>>>>> the different pieces are wired together.
>>>>>>>>>>
>>>>>>>>>> My understanding of the architecture is:
>>>>>>>>>>
>>>>>>>>>> VM -> vNIC -> virtual switch -> physical NIC -> external network
>>>>>>>>>> -> gateway -> internet
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> When you create a tagged network, the scheme changes a bit:
>>>>>>>>> VM -> vNIC -> BRIDGE -> NIC.tag -> NIC -> switch
>>>>>>>>>
>>>>>>>>> All the VM traffic will get tagged this way, and the switch port
>>>>>>>>> should be in trunk mode allowing tagged traffic through.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> What I don't understand is how to determine at which point in
>>>>>>>>>> the architecture the configuration is wrong, when the only symptom
>>>>>>>>>> I have for sure right now is that my VMs on a VLAN won't ping the
>>>>>>>>>> host or anything on the external network.
>>>>>>>>>>
>>>>>>>>>> At one point everything was working as expected, briefly, before
>>>>>>>>>> the whole thing came crashing down, so the external network is at
>>>>>>>>>> least mostly configured.
>>>>>>>>>>
>>>>>>>>>> On Tue, Feb 2, 2021, 12:20 AM Ales Musil <amusil(a)redhat.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Feb 2, 2021 at 6:18 AM David Johnson <
>>>>>>>>>>> djohnson(a)maxistechnology.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Good morning all,
>>>>>>>>>>>>
>>>>>>>>>>>> On my oVirt 4.4.4 cluster, I am trying to use VLANs to
>>>>>>>>>>>> separate VMs for security purposes.
>>>>>>>>>>>>
>>>>>>>>>>>> Is there a usable how-to document that describes how to
>>>>>>>>>>>> configure the VLANs so they actually function without taking
>>>>>>>>>>>> the host into non-operational mode?
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you in advance.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> David Johnson
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Users mailing list -- users(a)ovirt.org
>>>>>>>>>>>> To unsubscribe send an email to users-leave(a)ovirt.org
>>>>>>>>>>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>>>>>>>>>>> oVirt Code of Conduct:
>>>>>>>>>>>> https://www.ovirt.org/community/about/community-guidelines/
>>>>>>>>>>>> List Archives:
>>>>>>>>>>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/IYPORJKHTSV...
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I assume that you have marked those networks as required. This
>>>>>>>>>>> is handy to make sure that all hosts in a cluster have this
>>>>>>>>>>> network attached, which implies that the host is considered
>>>>>>>>>>> non-operational until you assign all required networks.
>>>>>>>>>>>
>>>>>>>>>>> To avoid this you can uncheck it for a new network in the cluster
>>>>>>>>>>> tab of the "New Logical Network" window. For an existing network,
>>>>>>>>>>> go to Compute -> Clusters -> $YOUR_CLUSTER -> Logical Networks ->
>>>>>>>>>>> Manage Networks and uncheck required for the affected network.
>>>>>>>>>>> This can always be changed back.
>>>>>>>>>>>
>>>>>>>>>>> Hopefully this helps.
>>>>>>>>>>> Regards,
>>>>>>>>>>> Ales
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>> Ales Musil
>>>>>>>>>>>
>>>>>>>>>>> Software Engineer - RHV Network
>>>>>>>>>>>
>>>>>>>>>>> Red Hat EMEA <https://www.redhat.com>
>>>>>>>>>>>
>>>>>>>>>>> amusil(a)redhat.com IM: amusil <https://red.ht/sig>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
--
Ales Musil
Software Engineer - RHV Network
Red Hat EMEA <https://www.redhat.com>
amusil(a)redhat.com IM: amusil <https://red.ht/sig>
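As an added example (not code from this thread, from oVirt or from VDSM), here is a small host-side check of the wiring Dan describes above (VM -> vNIC -> bridge -> NIC.tag -> NIC -> switch). It reads `ip -d -j link show` output, resolves each bridge to the NIC it is uplinked through and the VLAN id on that path, compares the result with the logical networks you expect to find, and flags a NIC that carries an untagged bridge alongside tagged ones, which is the mixing Dan and Ales call poor security practice. The JSON is a constructed sample shaped like `ip -d -j link show` and trimmed to the fields used; the interface names follow the thread, and the `EXPECTED_NETWORKS` table is an assumption made for the example. It does not inspect Port Isolation or vNIC-profile network filters, the two other causes Ales names.

```python
"""Audit an oVirt host's bridge -> VLAN -> NIC wiring from `ip -d -j link show`."""
import json

# Constructed sample shaped like `ip -d -j link show`, trimmed to the fields used
# here. Names follow the thread: ovirtmgmt untagged on enp0, 10-non-prod on VLAN 10
# via enp0.10, vnet0 is a VM tap port on 10-non-prod. Not captured from a real host.
SAMPLE_IP_LINK_JSON = json.dumps([
    {"ifname": "enp0", "master": "ovirtmgmt",
     "linkinfo": {"info_slave_kind": "bridge"}},
    {"ifname": "ovirtmgmt", "linkinfo": {"info_kind": "bridge"}},
    {"ifname": "enp0.10", "link": "enp0", "master": "10-non-prod",
     "linkinfo": {"info_kind": "vlan",
                  "info_data": {"protocol": "802.1Q", "id": 10},
                  "info_slave_kind": "bridge"}},
    {"ifname": "10-non-prod", "linkinfo": {"info_kind": "bridge"}},
    {"ifname": "vnet0", "master": "10-non-prod",
     "linkinfo": {"info_kind": "tun", "info_data": {"type": "tap"},
                  "info_slave_kind": "bridge"}},
])

# Assumed logical networks for this example: bridge name -> VLAN id (None = untagged).
EXPECTED_NETWORKS = {"ovirtmgmt": None, "10-non-prod": 10}


def bridge_uplinks(ip_link_json):
    """Map each bridge to its uplink as (nic, vlan_id); vlan_id is None when untagged.

    Walks bridge <- enslaved port <- (VLAN subinterface <-) NIC. VM tap devices are
    bridge ports too, so they are skipped; only the uplink side is reported.
    """
    uplinks = {}
    for entry in json.loads(ip_link_json):
        info = entry.get("linkinfo", {})
        if info.get("info_slave_kind") != "bridge":
            continue  # not a bridge port at all
        if info.get("info_kind") == "tun":
            continue  # VM-facing tap (vnetN), not an uplink
        if info.get("info_kind") == "vlan":
            # Tagged: bridge -> NIC.tag -> NIC, as described in the thread
            uplinks[entry["master"]] = (entry["link"], info["info_data"]["id"])
        else:
            # Untagged: the bridge sits directly on the NIC (or bond)
            uplinks[entry["master"]] = (entry["ifname"], None)
    return uplinks


def audit(ip_link_json, expected):
    """Return findings as tuples in discovery order; an empty list means all good."""
    uplinks = bridge_uplinks(ip_link_json)
    findings = []
    for bridge, want_tag in expected.items():
        if bridge not in uplinks:
            findings.append(("missing-uplink", bridge))
            continue
        _nic, got_tag = uplinks[bridge]
        if got_tag != want_tag:
            findings.append(("vlan-mismatch", bridge, want_tag, got_tag))
    # Untagged and tagged bridges sharing one NIC: the thread calls this poor
    # security practice, since the untagged side is exposed to the tagged frames.
    by_nic = {}
    for bridge, (nic, tag) in uplinks.items():
        by_nic.setdefault(nic, []).append((bridge, tag))
    for nic, members in sorted(by_nic.items()):
        untagged = tuple(sorted(b for b, t in members if t is None))
        tagged = tuple(sorted(b for b, t in members if t is not None))
        if untagged and tagged:
            findings.append(("mixed-tagging", nic, untagged, tagged))
    return findings


if __name__ == "__main__":
    # On a real host, feed in the output of: ip -d -j link show
    for finding in audit(SAMPLE_IP_LINK_JSON, EXPECTED_NETWORKS):
        print(*finding)
```

Run against the sample it reports only the mixed-tagging finding for enp0, which is exactly the layout David described (ovirtmgmt and 10-non-prod both dragged onto enp0); a wrong VLAN id in `EXPECTED_NETWORKS` shows up as a `vlan-mismatch`, and a logical network that was never attached to the host as `missing-uplink`.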