On Tue, Feb 2, 2021 at 2:00 PM David Johnson <djohnson(a)maxistechnology.com>
wrote:
Ah ... so if I connected one of the other ethernet ports to the tagged
traffic (second physical network for tagged traffic), it should work as I
expect?
Regards,
David Johnson
Director of Development, Maxis Technology
844.696.2947 ext 702 (o) | 479.531.3590 (c)
djohnson(a)maxistechnology.com
On Tue, Feb 2, 2021 at 12:56 PM Dan Yasny <dyasny(a)gmail.com> wrote:
> You're trying to mix tagged and untagged traffic. That, iirc, isn't
> supported for security reasons (the untagged network can see all the tagged
> traffic). You can put multiple tagged networks on the same NIC though.
>
> Please check with the ovirt folks though, it's been a while since I last
> checked the state of things
>
> On Tue, Feb 2, 2021 at 1:51 PM David Johnson <
> djohnson(a)maxistechnology.com> wrote:
>
>> I have a physical network ovirtmgmt, and a logical network 10-non-prod
>> with the vlan tag of 10 and the network label of 10.
>>
>> The physical and vlan have both been dragged to the enp0 NIC on the host.
>>
>> What I understand from this is that the bridge has been there all along,
>> but, since I can't ping the host no traffic is crossing it.
>>
>> Host IP's : *192.168.2.18/24* and *10.210.100.18/24*
>> VLAN IP on host: *10.210.10.18/24*
>>
>>
>> Regards,
>>
>> David Johnson
>>
>> On Tue, Feb 2, 2021 at 12:44 PM Dan Yasny <dyasny(a)gmail.com> wrote:
>>
>>>
>>>
>>> On Tue, Feb 2, 2021 at 1:38 PM David Johnson <
>>> djohnson(a)maxistechnology.com> wrote:
>>>
>>>> Thanks, this is a step closer, but the details are still very sketchy.
>>>>
>>>> Following the instructions at
>>>>
>>>> https://www.ovirt.org/documentation/administration_guide/#appe-Custom_Net...
>>>> :
>>>>
>>>> If I understand the instructions correctly:
>>>>
>>>> 1. Open the host in the Ovirt UI
>>>> 2. Go to the Network tab
>>>> 3. Select the NIC I want to bridge to
>>>> 4. Click "Setup Host Networks"
>>>> 5. Click the pencil icon on the (host? VLAN?) network
>>>> 6. Choose the Custom Properties tab
>>>> 7. In the Custom Properties (Please Select a key), choose
>>>> "bridge_opts"
>>>> 8. ???? At this point, there is no way to add the keys it looks
>>>> like it needs ??? Total loss ???
>>>>
>>>>
>>> You need to create a logical network first. Do you have any of those?
>>> Logical networks are where you may add VLAN tags.
>>>
>>> In the hosts' network setup window you simply drag the logical network
>>> to the NIC or bond and save. The VLAN tag and bridge will be created
>>> accordingly on the host
>>>
>>>
>>>>
>>>> Regards,
>>>> David Johnson
>>>> Director of Development, Maxis Technology
>>>> 844.696.2947 ext 702 (o) | 479.531.3590 (c)
>>>> djohnson(a)maxistechnology.com
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Feb 2, 2021 at 9:24 AM Dan Yasny <dyasny(a)gmail.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, Feb 2, 2021 at 10:20 AM David Johnson <
>>>>> djohnson(a)maxistechnology.com> wrote:
>>>>>
>>>>>> This is great ... I am missing the bridge (at least).
>>>>>>
>>>>>> Does the bridge reside on the host or the VM? Is it created in the
>>>>>> Ovirt UI, or in the VM operating system?
>>>>>>
>>>>>
>>>>> On the host. Logical networks in oVirt are a virtual construct,
>>>>> translating to a "profile" that gets built on the hosts in the cluster.
>>>>> Essentially, each logical network is a bridge with the same name on the
>>>>> hosts, and if there's a vlan tag, then the interface (or bond) gets tagged,
>>>>> and the bridge is built on top of that tagged interface. VMs are plugged
>>>>> into the bridges and their traffic flows through the bridges to the
>>>>> switches. Very simple really, and there was a KB we published about this
>>>>> about a decade ago.
>>>>>
>>>>>
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> David Johnson
>>>>>>
>>>>>> On Tue, Feb 2, 2021 at 9:16 AM Dan Yasny <dyasny(a)gmail.com> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Feb 2, 2021 at 10:06 AM David Johnson <
>>>>>>> djohnson(a)maxistechnology.com> wrote:
>>>>>>>
>>>>>>>> Good morning Ales,
>>>>>>>>
>>>>>>>> Thank you for your response.
>>>>>>>>
>>>>>>>> At this point, while I believe I have marked the networks as
>>>>>>>> required, I am hesitant to assume that they are marked because I don't
>>>>>>>> understand for sure which pieces I don't understand.
>>>>>>>>
>>>>>>>> Unfortunately, what I am missing is a number of random bits and
>>>>>>>> pieces that tie everything together.
>>>>>>>>
>>>>>>>> I have fought with the networking on this cluster for over a week.
>>>>>>>> The network configuration was so messed up it was faster and cleaner to
>>>>>>>> wipe the cluster completely and start from scratch, and I just finished a
>>>>>>>> clean reinstallation.
>>>>>>>>
>>>>>>>> Now that it's back up and I understand it better, the VM's on
>>>>>>>> VLAN's are still unable to reach beyond themselves - they cannot even ping
>>>>>>>> the host they are on.
>>>>>>>>
>>>>>>>> Rather than try to address it symptom by symptom, I would like to
>>>>>>>> get a solid overview of how the different pieces tie together.
>>>>>>>> Unfortunately, in the official documentation, all I found was which buttons
>>>>>>>> to push to edit the vlan, with nothing that addresses how the different
>>>>>>>> pieces are wired together.
>>>>>>>>
>>>>>>>> My understanding of the architecture is:
>>>>>>>>
>>>>>>>> VM -> vNIC -> virtual switch -> physical NIC -> external network
>>>>>>>> -> gateway -> internet
>>>>>>>>
>>>>>>>
>>>>>>> When you create a tagged network, the scheme changes a bit:
>>>>>>> VM -> vNIC -> BRIDGE -> NIC.tag -> NIC -> switch
>>>>>>>
>>>>>>> All the VM traffic will get tagged this way, and the switch port
>>>>>>> should be in trunk mode allowing tagged traffic through.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> What I don't understand is how to determine at which point in the
>>>>>>>> architecture the configuration is wrong, when the only symptom I have for
>>>>>>>> sure right now is that my VM's on a VLAN won't ping the host or anything on
>>>>>>>> the external network.
>>>>>>>>
>>>>>>>> At one point everything was working as expected, briefly, before
>>>>>>>> the whole thing came crashing down, so the external network is at least
>>>>>>>> mostly configured.
>>>>>>>>
>>>>>>>> On Tue, Feb 2, 2021, 12:20 AM Ales Musil <amusil(a)redhat.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Feb 2, 2021 at 6:18 AM David Johnson <
>>>>>>>>> djohnson(a)maxistechnology.com> wrote:
>>>>>>>>>
>>>>>>>>>> Good morning all,
>>>>>>>>>>
>>>>>>>>>> On my ovirt 4.4.4 cluster, I am trying to use VLan's to separate
>>>>>>>>>> VM's for security purposes.
>>>>>>>>>>
>>>>>>>>>> Is there a usable how-to document that describes how to
>>>>>>>>>> configure the vlan's so they actually function without taking the host into
>>>>>>>>>> non-operational mode?
>>>>>>>>>>
>>>>>>>>>> Thank you in advance.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> David Johnson
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Users mailing list -- users(a)ovirt.org
>>>>>>>>>> To unsubscribe send an email to users-leave(a)ovirt.org
>>>>>>>>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>>>>>>>>> oVirt Code of Conduct:
>>>>>>>>>> https://www.ovirt.org/community/about/community-guidelines/
>>>>>>>>>> List Archives:
>>>>>>>>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/IYPORJKHTSV...
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I assume that you have marked those networks as required. This is
>>>>>>>>> handy to make sure that all hosts in a cluster have this network attached.
>>>>>>>>> Which implies that the host is considered non operational until
>>>>>>>>> you assign all required networks.
>>>>>>>>>
>>>>>>>>> To avoid this you can uncheck it for a new network in the cluster
>>>>>>>>> tab of the "New Logical Network" window. For existing go to
>>>>>>>>> Compute -> Clusters -> $YOUR_CLUSTER -> Logical Networks ->
>>>>>>>>> Manage Networks and uncheck required for the affected network.
>>>>>>>>> This can be always changed back.
>>>>>>>>>
>>>>>>>>> Hopefully this helps.
>>>>>>>>> Regards,
>>>>>>>>> Ales
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> Ales Musil
>>>>>>>>>
>>>>>>>>> Software Engineer - RHV Network
>>>>>>>>>
>>>>>>>>> Red Hat EMEA <https://www.redhat.com>
>>>>>>>>>
>>>>>>>>> amusil(a)redhat.com IM: amusil
>>>>>>>>> <https://red.ht/sig>
>>>>>>>>>
>>>>>>>>
>>>>>>>
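
The host-side chain described in this thread (VM -> vNIC -> BRIDGE -> NIC.tag -> NIC) can be read back from `ip -d -j link show` to see where it breaks and whether one NIC carries both untagged and tagged networks. This is an added example, not part of the original thread or of oVirt; the sample data is constructed from the names in the thread (enp0, ovirtmgmt, 10-non-prod, VLAN 10), and `vnet0` and the helper names are assumptions.

```python
import json

# Constructed sample shaped like `ip -d -j link show` output, trimmed to the
# fields used here. vnet0 is an assumed tap device name for a VM vNIC.
SAMPLE = json.loads("""[
 {"ifname": "enp0", "master": "ovirtmgmt"},
 {"ifname": "ovirtmgmt", "linkinfo": {"info_kind": "bridge"}},
 {"ifname": "enp0.10", "link": "enp0", "master": "10-non-prod",
  "linkinfo": {"info_kind": "vlan", "info_data": {"protocol": "802.1Q", "id": 10}}},
 {"ifname": "10-non-prod", "linkinfo": {"info_kind": "bridge"}},
 {"ifname": "vnet0", "master": "10-non-prod", "linkinfo": {"info_kind": "tun"}}
]""")

def kind(link):
    # Physical NICs carry no info_kind, so this returns None for them.
    return link.get("linkinfo", {}).get("info_kind")

def trace_bridge(links, bridge):
    """Resolve BRIDGE -> NIC.tag -> NIC for one bridge, plus its VM tap ports."""
    out = {"bridge": bridge, "vm_ports": [], "uplink": None, "vlan_id": None, "nic": None}
    for port in (l for l in links if l.get("master") == bridge):
        if kind(port) == "tun":        # tap device backing a VM vNIC
            out["vm_ports"].append(port["ifname"])
        elif kind(port) == "vlan":     # tagged sub-interface on a NIC or bond
            out.update(uplink=port["ifname"], nic=port["link"],
                       vlan_id=port["linkinfo"]["info_data"]["id"])
        else:                          # NIC or bond enslaved directly: untagged
            out.update(uplink=port["ifname"], nic=port["ifname"])
    return out

def mixed_nics(links):
    """NICs that carry an untagged bridge and at least one tagged bridge."""
    per_nic = {}
    for b in (l["ifname"] for l in links if kind(l) == "bridge"):
        t = trace_bridge(links, b)
        if t["nic"]:
            per_nic.setdefault(t["nic"], []).append((t["vlan_id"], t["bridge"]))
    return {nic: nets for nic, nets in per_nic.items()
            if any(v is None for v, _ in nets) and any(v is not None for v, _ in nets)}

if __name__ == "__main__":
    for name in ("ovirtmgmt", "10-non-prod"):
        print(trace_bridge(SAMPLE, name))
    print("untagged and tagged on the same NIC:", mixed_nics(SAMPLE))
```

On a real host, replace `SAMPLE` with `json.loads()` of the command's output; a bridge whose trace has no uplink or no VM ports marks the link in the chain that is missing.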