[Users] networking: basic vlan help

Hello again,

I'm new to VLANs and have a few questions. Right now I just have the mgmt interface (bridged with eth0) on my all-in-one oVirt test setup. I want to separate some VMs from the public facing net, which I think means that they need to be on a different VLAN. I created two new networks, pubX and privY, with vlan ids X and Y, but couldn't assign them to eth0 because the current mgmt network is non-VLAN. I was about to enable VLAN tagging on the mgmt network, but I wanted to make sure that doing so wouldn't do anything to eth0 that would disrupt access to it (I only have remote access and don't want to lock myself out). Also, if it is safe, does the mgmt vlan tag id matter? Is 0 the right value?

Any/all help, hints, tips or references to examples/links greatly appreciated.

Robert

If you enable VLAN tagging on the management network, which is configured on eth0 (Which also provides internet access from my understanding) then you will connectivity as (I assume) your physical switches aren't configured for VLANs.

For an all-in-one, what I would suggest is the following procedure:
On your PC, create a dummy NIC via:

    sudo ip link add dev dummy_0 type dummy
    sudo ip link set dev dummy_0 up

It's important that the name will be in the dummy_* format.
Following that, go back to the GUI, select the host and hit Refresh Host Capabilities.
You should see the new dummy_0 device as a host NIC.
Create a VM network, and under the host Network Interfaces tab hit Setup Host Networks.
Drag and drop the new VM network on dummy_0 (Don't give dummy_0 a boot protocol or an IP address in the edit network dialog).
At this point you should be able to attach VM vNICs to the new VM network and they won't be physically connected to any other network, but they'll be able to talk amongst themselves.

The "private network" feature is planned* for oVirt 3.5, so in the future you'll be able to just define a network as a private one and everything will work automatically.

* No promises!

Assaf Muller, Cloud Networking Engineer
Red Hat

----- Original Message -----
From: "Robert Story" <rstory@tislabs.com>
To: "users" <users@ovirt.org>
Sent: Thursday, January 23, 2014 5:44:25 PM
Subject: [Users] networking: basic vlan help

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
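
A host-side check for the dummy-NIC procedure in the reply above, added here as an example (it is not part of the original thread): it reads `ip -o link show` and `ip -o addr show` output and confirms that the bridge behind the new VM network has only dummy_* and vnet* members, and that the dummy device carries no routable address. The network name `isolated`, the vnet* tap naming and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the bridge behind an isolated oVirt VM network.
# Assumptions: the network (and so its bridge) is named "isolated", and VM
# vNICs show up on the host as vnet* tap devices.

# Reads `ip -o link show` text on stdin. Prints every member of bridge $1 that
# is neither dummy_* nor vnet*. Exit 0: only expected members, 1: a foreign
# member (e.g. a physical NIC or VLAN device) is attached, 2: no members found.
bridge_foreign_members() {
    awk -v br="$1" '
        {
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
            for (i = 3; i < NF; i++)
                if ($i == "master" && $(i + 1) == br) {
                    seen++
                    if (name !~ /^(dummy_|vnet)/) { print name; bad++ }
                }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Reads `ip -o addr show` text on stdin. Prints the addresses configured on
# device $1, ignoring IPv6 link-local ones ("scope link").
iface_addresses() {
    awk -v dev="$1" '$2 == dev && $3 ~ /^inet6?$/ && $0 !~ /scope link/ { print $4 }'
}

# Live check on the host: bridge $1 must be clean and device $2 address-free.
audit_isolated_network() {
    ip -o link show | bridge_foreign_members "$1" || return 1
    [ -z "$(ip -o addr show | iface_addresses "$2")" ]
}

# Constructed sample input (abbreviated `ip -o` lines), not captured output.
SAMPLE_LINKS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master ovirtmgmt state UP
5: dummy_0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 master isolated state UNKNOWN
6: isolated: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
9: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master isolated state UNKNOWN'
SAMPLE_ADDRS='4: ovirtmgmt    inet 192.0.2.10/24 brd 192.0.2.255 scope global ovirtmgmt
5: dummy_0    inet6 fe80::1/64 scope link'
```

On a real host, `audit_isolated_network isolated dummy_0` runs both checks against live `ip` output and returns non-zero if a physical or VLAN interface has been attached to the bridge.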

Wouldn't disabling 'vm network' on the mgmt network to simply allow the VLAN'd networks for VMs be simpler?

Also, since this question/use-case came up several times past 2 weeks - do we have a good enough user feedback on why user can't attach a logical network to the same interface, suggesting there is a non-vlan'd network visible to VMs, and that if they want to use VLAN'd networks on the same nic, they should disable the 'vm network' role on the non-vlan'd network?

On 23/01/14 18:35, Itamar Heim wrote:
> Wouldn't disabling 'vm network' on the mgmt network to simply allow the VLAN'd networks for VMs be simpler?
Yes, this is an alternative to VLAN-tagging the mgmt network. And segregation from the "outer world" could be achieved as proposed by Robert using VLANs, if switches are configured properly.
> Also, since this question/use-case came up several times past 2 weeks - do we have a good enough user feedback on why user can't attach a logical network to the same interface, suggesting there is a non-vlan'd network visible to VMs, and that if they want to use VLAN'd networks on the same nic, they should disable the 'vm network' role on the non-vlan'd network?
When trying to put such networks together via the Setup Networks dialog, users are currently informed that non-tagged VM networks can't exist on the same interface as tagged VM networks, and are advised to detach the non-tagged network. If this appears to be insufficient, I could replace it by a suggestion to configure it as non-VM, or add that to the existing suggestion, but we're kinda short on real-estate in the status panel of that dialog (and that's a lot of information to absorb in one error).

On Thu, 23 Jan 2014 10:59:57 -0500 (EST) Assaf wrote:

AM> If you enable VLAN tagging on the management network, which is
AM> configured on eth0 (Which also provides internet access from my
AM> understanding) then you will connectivity as (I assume) your physical
AM> switches aren't configured for VLANs.

I'm assuming "will connectivity" should have been "will lose connectivity", which is what I feared. I'm glad I asked!

AM> For an all-in-one, what I would suggest is the following procedure:

Excellent, I'll try that. Thanks!

My next question is for future planning. There is a second interface (eth1) with a separate physical network which only contains the engine, nodes and the nfs server.

+----------+
| internet |-----|-----------|----------|
+----------+ +--------+  +-------+  +-------+ < eth0
             | engine |  | node1 |  | node2 |
   +-----+   +--------+  +-------+  +-------+ < eth1
   | nfs |-------|-----------|----------|
   +-----+

Can the mgmt network be easily moved to eth1? Then the pubX would be non-vlan on eth0, and mgmt + privY would be on eth1. If all the eth1 interfaces are connected to a dedicated/isolated switch, does that switch need to explicitly support vlans, or does it matter?

Robert

--
Senior Software Engineer @ Parsons

What is the purpose of PubY on eth1?

Assaf Muller, Cloud Networking Engineer
Red Hat

----- Original Message -----
From: "Robert Story" <rstory@tislabs.com>
To: "Assaf Muller" <amuller@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Thursday, January 23, 2014 7:11:50 PM
Subject: Re: [Users] networking: basic vlan help

Sorry, privY on eth1.

Assaf Muller, Cloud Networking Engineer
Red Hat

On Thu, 23 Jan 2014 13:33:07 -0500 (EST) Assaf wrote:

AM> Sorry, privY on eth1.

For VM to VM communication that doesn't need to go over the public net..

Robert

--
Senior Software Engineer @ Parsons

Then the currently offered topology is to have ovirtmgmt on eth1 untagged, and non-VM, and have privY as a VM, tagged network on eth1. That would require the physical switch to be VLAN-aware and configured properly. oVirt wise you should have no problems using the GUI to move to that topology once you've decided to do so.

Assaf Muller, Cloud Networking Engineer
Red Hat

----- Original Message -----
From: "Robert Story" <rstory@tislabs.com>
To: "Assaf Muller" <amuller@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Thursday, January 23, 2014 8:41:43 PM
Subject: Re: [Users] networking: basic vlan help

participants (4): Assaf Muller, Itamar Heim, Lior Vernia, Robert Story