mixing tagged and untagged vlans on a same interface

Hi all, On a standalone libvirt/KVM, I've been used to mix tagged and untagged vlans on the same interface, the untagged vlan dedicated to the physical interface em1 and the other tagged ones to VLAN em1.X. I've just installed a new datacenter with an untagged ovirtmgmt and then realized that I've been prevented from attaching additional vlan to the same interface. Is there a reason for that, knowing that nothing should technically be wrong?

Hi,
it is possible to achieve the state you describe. You just can’t have ovirtmgmt as VM network in such case.
You need to set ovirtmgmt as nonVM [1] (aka bridgeless network), then you can put it on one interface with VLANs.
Be aware that you can put on one interface only one bridged network + multiple VLANs.
[1] http://www.ovirt.org/Features/Design/Network/Bridgeless_Networks#Functionality
HTH
Martin Pavlik
RHEV QE
On 13 Feb 2015, at 16:17, Nathanaël Blanchet <blanchet@abes.fr> wrote:
Hi all,
On a standalone libvirt/KVM, I've been used to mix tagged and untagged vlans on the same interface, the untagged vlan dedicated to the physical interface em1 and the other tagged ones to VLAN em1.X. I've just installed a new datacenter with an untagged ovirtmgmt and then realized that I've been prevented from attaching additional vlan to the same interface. Is there a reason for that, knowing that nothing should technically be wrong?
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

What Martin said is correct, let me just add that originally this limitation was put in place because in older kernels the bridge for the untagged network could see tagged traffic over the same physical interface, which was a security loophole (as a VM using the untagged bridge could sniff all the traffic on the physical interface).
This isn't the case anymore, so in 3.6 we want to remove this limitation.
On 13/02/15 17:31, Martin Pavlík wrote:
Hi,
it is possible to achieve the state you describe. You just can’t have ovirtmgmt as VM network in such case.
You need to set ovirtmgmt as nonVM [1] (aka bridgeless network), then you can put it on one interface with VLANs.
Be aware that you can put on one interface only one bridged network + multiple VLANs.
[1] http://www.ovirt.org/Features/Design/Network/Bridgeless_Networks#Functionali...
HTH
Martin Pavlik
RHEV QE
On 13 Feb 2015, at 16:17, Nathanaël Blanchet <blanchet@abes.fr> wrote:
Hi all,
On a standalone libvirt/KVM, I've been used to mix tagged and untagged vlans on the same interface, the untagged vlan dedicated to the physical interface em1 and the other tagged ones to VLAN em1.X. I've just installed a new datacenter with an untagged ovirtmgmt and then realized that I've been prevented from attaching additional vlan to the same interface. Is there a reason for that, knowing that nothing should technically be wrong?
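
An audit check for the layout discussed in the message above, added here as an example and not part of the original thread or of oVirt's code: it flags every NIC that is a direct port of a bridge (an untagged VM network) while also being the parent of VLAN devices. It assumes the JSON field names printed by `ip -d -j link show` (`ifname`, `master`, `link`, `linkinfo`); the sample data and interface names are constructed.

```python
import json

# Constructed sample in the shape of `ip -d -j link show` output (not from a real host).
# em1: untagged bridge ovirtmgmt directly on the NIC, plus VLAN 100 (the blocked layout).
# em2: bridgeless (non-VM) untagged network, plus VLAN 200 (the layout Martin describes).
SAMPLE = json.loads("""[
 {"ifname": "em1", "master": "ovirtmgmt"},
 {"ifname": "ovirtmgmt", "linkinfo": {"info_kind": "bridge"}},
 {"ifname": "em1.100", "link": "em1", "master": "vlan100",
  "linkinfo": {"info_kind": "vlan", "info_data": {"id": 100}}},
 {"ifname": "vlan100", "linkinfo": {"info_kind": "bridge"}},
 {"ifname": "em2"},
 {"ifname": "em2.200", "link": "em2", "master": "vlan200",
  "linkinfo": {"info_kind": "vlan", "info_data": {"id": 200}}},
 {"ifname": "vlan200", "linkinfo": {"info_kind": "bridge"}}
]""")

def mixed_untagged_bridge_nics(links):
    """Return {nic: {"bridge": name, "vlans": [ids]}} for every NIC that is a
    direct bridge port and also the parent of 802.1Q VLAN devices."""
    kind = {l["ifname"]: l.get("linkinfo", {}).get("info_kind") for l in links}
    vlans = {}  # parent NIC -> VLAN ids stacked on it
    for l in links:
        info = l.get("linkinfo", {})
        if info.get("info_kind") == "vlan" and "link" in l:
            vid = info.get("info_data", {}).get("id", -1)  # -1 if the id is absent
            vlans.setdefault(l["link"], []).append(vid)
    findings = {}
    for l in links:
        name, master = l["ifname"], l.get("master")
        # The NIC itself carries untagged traffic (it is not a VLAN device),
        # is enslaved to a bridge, and has tagged sub-interfaces on top of it.
        if kind.get(name) != "vlan" and kind.get(master) == "bridge" and name in vlans:
            findings[name] = {"bridge": master, "vlans": sorted(vlans[name])}
    return findings

if __name__ == "__main__":
    for nic, f in mixed_untagged_bridge_nics(SAMPLE).items():
        print(f"{nic}: untagged bridge {f['bridge']} shares the NIC with VLANs {f['vlans']}")
```

On a real host the input would be `json.loads` of the captured `ip -d -j link show` output; a finding matters on hosts running the older kernels the message refers to.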

Thank you for the explanation.
On 16/02/2015 09:06, Lior Vernia wrote:
What Martin said is correct, let me just add that originally this limitation was put in place because in older kernels the bridge for the untagged network could see tagged traffic over the same physical interface, which was a security loophole (as a VM using the untagged bridge could sniff all the traffic on the physical interface).
This isn't the case anymore, so in 3.6 we want to remove this limitation.
participants (3)
- Lior Vernia
- Martin Pavlík
- Nathanaël Blanchet