Hey Felix. IIUC your frames are dropped by the bridge. Ovirt uses Linux Bridges To connect virtual machines to 'networks'. The guest connects to the bridge using a tap device which usually is called 'vnet<number>'. So, just to verify, can you please tcpdump both on the bridge device and on the tap device? The bridge can be quite noisy so I suggest filtering traffic using the guest's MAC address. So I am not sure what protocol you use for tunneling but applying a filter similar to this one should do the job: tcpdump -n -i vnet0 -vvv -s 1500 'udp[38:4]=0x001a4aaeec8e' My guess is that you will observe traffic on the tap device, but not on the bridge. You didn't specify which centOS version you use but I do remember seeing people complaining about Linux bridges discarding their tagged frames. You can -maybe- also observe the 'dropped' counter increases on the bridge by running: 'ip -s link show dev trunk' There were a few bugs on rhel6/7 about this, specifically I remember https://bugzilla.redhat.com/show_bug.cgi?id=1174291 and https://bugzilla.redhat.com/show_bug.cgi?id=1200275#c20 Also, is the vlan module loaded on your host? 'lsmod |grep 8021q' Thanks, Ido ----- Original Message ----- From: "Felix Pepinghege" <pepinghege@ira.uka.de> To: Users@ovirt.org Sent: Monday, June 15, 2015 11:33:39 AM Subject: [ovirt-users] vlan-tagging on non-tagged network Hi everybody! I am experiencing a behaviour of ovirt, of which I don't know whether it is expected or not. My setup is as follows: A virtual machine has a logical network attached to it, which is configured without vlan-tagging and listens to the name 'trunk'. The VM is running an openvpn server. It is a patched openvpn version, including vlan-tagging. That is, openvpn clients get a vlan tag. This should not really be an issue but should satisfy the "why do you want to do it in the first place"-questions. Anyhow, effectively, the VM simply puts vlan-tagged ethernet-frames on the virtual network. These frames, however, never make it to the host's network bridge, which represents the logical network. My observations are: According to tcpdump, the vlan-tagged packages arrive at the "eth1"-interface inside the VM (which *is* the correct interface). Again, according to tcpdump, these packages never arrive at the corresponding network-bridge (i.e., the interface 'trunk') on the host. I know that the setup itself is feasible with KVM---I have it working on a proxmox-machine. Therefore, my conclusion is, that ovirt doesn't like vlan-tagged ethernet-frames on non-tagged logical networks, and somehow filters them out, though I don't really see on what "level" that would happen (Handling the ethernet frames should be a concern of KVM/QEMU/Linux only, once ovirt has started the VM). So this problem could be a CentOS issue, but I really don't see why CentOS should act differently than debian does (proxmox is debian-based). Is this a known/wanted/expected behaviour of ovirt, and can I somehow prevent or elude it? Any help is much appreciated! Of course I am happy to provide more information if that helps helping me :) Regards, Felix _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users