Cannot forward traffic through VXLAN
Hi all I have a VM network created with some hosts and I have included a vyos router acting as a Layer 2 extension to another hypervisor through VXLAN. I can see traffic reaching VMs from the other hypervisor to the ovirt hosted VMs. I can see traffic leaving the VMs hosted on the ovirt hypervisor. However, i do not see return traffic reaching the vyos VXLAN hosted on ovirt. I believe the VM network drops return traffic based on the destination MAC address. However, i have created the VM Network with security disabled. Can you please assist on how to troubleshoot?
On Wed, Dec 11, 2019 at 12:12 PM <k.betsis@gmail.com> wrote:
Hi all
I have a VM network created with some hosts and I have included a vyos router acting as a Layer 2 extension to another hypervisor through VXLAN.
This sounds interesting, but might be not supported by oVir. Can you share details? What is your motivation to do this? Would the internal OVN networking work for you, too?
I can see traffic reaching VMs from the other hypervisor to the ovirt hosted VMs. I can see traffic leaving the VMs hosted on the ovirt hypervisor. However, i do not see return traffic reaching the vyos VXLAN hosted on ovirt.
I believe the VM network drops return traffic based on the destination MAC address.
However, i have created the VM Network with security disabled.
Can you please assist on how to troubleshoot? _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/Z3AVFZRF3CJTKI...
We currently have 2 bare metals. One holds the ovirt and the other proxmox. As to enable high availability and config sync on the proxmox hosted VMs we have deployed VyOS on both hyper-visors. We then use L2TPv3 as to extend VM networks from proxmox to ovirt and vice versa. When that was finalized and all VMs were activated in ovirt we would delete proxmox and deploy ovirt and re-do the same think as to re-enable VM high availability. The issue is that VM Networks drop traffic towards the VyOS VM even through we have enable mac-spoofing and promiscuous on the VM custom properties. The VM Networks must drop frames for destination MAC addresses not directly hosted on it and i don't know how to disable/bypass that.
On Wed, Dec 11, 2019 at 5:31 PM <k.betsis@gmail.com> wrote:
We currently have 2 bare metals. One holds the ovirt and the other proxmox.
As to enable high availability and config sync on the proxmox hosted VMs we have deployed VyOS on both hyper-visors.
Is VyOS installed on the host, or in a VM?
We then use L2TPv3 as to extend VM networks from proxmox to ovirt and vice versa.
Does this mean that the VyOS VM on oVirt should forward layer 2 traffic to the VyOS VM on proxmox? Is there a way to share a VLAN? (This would avoid additional tunneling.) Can you please share some details?
When that was finalized and all VMs were activated in ovirt we would delete proxmox and deploy ovirt and re-do the same think as to re-enable VM high availability.
The issue is that VM Networks drop traffic towards the VyOS VM even through we have enable mac-spoofing and promiscuous on the VM custom properties.
If VyOS is a VM on oVirt, network filtering should be disabled on the vNIC profile which sends and receives the unencapsulated traffic, before the oVirt VM is booted.
The VM Networks must drop frames for destination MAC addresses not directly hosted on it and i don't know how to disable/bypass that.
Don't understand.
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/T6FKORHF3NCVWQ...
On Wed, Dec 11, 2019 at 5:31 PM <k.betsis(a)gmail.com> wrote:
Is VyOS installed on the host, or in a VM?
VyOS is installed on the ovirt node
Does this mean that the VyOS VM on oVirt should forward layer 2 traffic to the VyOS VM on proxmox? Is there a way to share a VLAN? (This would avoid additional tunneling.) Can you please share some details?
VLAN approach is not feasible unfortunatelly. VyOS VM on oVirt should forward Layer 2 traffic over ovirtmgmt network. So from oVirt's perspective there is no tunneling.
If VyOS is a VM on oVirt, network filtering should be disabled on the vNIC profile which sends and receives the unencapsulated traffic, before the oVirt VM is booted.
I have disabled all filters on the VM Network by selecting Network Port Security: Disabled
Don't understand.
I have created a VM Network with no filters on ovirt named auth_net with the following parameters: 1. VM Network, check 2. MTU, custom 2000 3. Create on external provider, check 3a. External provider: ovirt-provider-ovn 3b. Network Port Security: Disabled This is done as to allow me to attach VMs to this network. I have attached 3 VMs on this VM Network. A firewall with IP e.g. 10.0.0.1 The VyOS VM An LDAP VM with IP e.g. 10.0.0.5 The VyOS VM is attached to the auth_net with no IP address and with L2TPv3 via ovirtmgmt as to get the VM network Layer 2 traffic and forward it to the proxmox network through the VyOS routers. Even though i have not created any network filters traffic is dropped before reaching VyOS VM from the LDAP Auth server. TCPDUMP on the LDAP VM shows traffic leaving the LDAP VM. TCPDUMP on the VyOS VM does not show traffic reaching the vnic.
On Thu, Dec 12, 2019 at 11:29 AM <k.betsis@gmail.com> wrote:
On Wed, Dec 11, 2019 at 5:31 PM <k.betsis(a)gmail.com> wrote:
Is VyOS installed on the host, or in a VM?
VyOS is installed on the ovirt node
Does this mean that the VyOS VM on oVirt should forward layer 2 traffic
to
the VyOS VM on proxmox? Is there a way to share a VLAN? (This would avoid additional tunneling.) Can you please share some details?
VLAN approach is not feasible unfortunatelly. VyOS VM on oVirt should forward Layer 2 traffic over ovirtmgmt network. So from oVirt's perspective there is no tunneling.
If VyOS is a VM on oVirt, network filtering should be disabled on the
vNIC
profile which sends and receives the unencapsulated traffic, before the oVirt VM is booted.
I have disabled all filters on the VM Network by selecting Network Port Security: Disabled
Don't understand.
I have created a VM Network with no filters on ovirt named auth_net with the following parameters: 1. VM Network, check 2. MTU, custom 2000 3. Create on external provider, check 3a. External provider: ovirt-provider-ovn
I see. This will create an external OVN network. As far as I know, OVN networks do not allow mac spoofing, even if port security is disabled. Are you able to use physical networks (oVirt logical network with VM networking, optional VLAN tag, but not external) to connect the oVirt VMs?
3b. Network Port Security: Disabled
This is done as to allow me to attach VMs to this network.
I have attached 3 VMs on this VM Network. A firewall with IP e.g. 10.0.0.1 The VyOS VM An LDAP VM with IP e.g. 10.0.0.5
The VyOS VM is attached to the auth_net with no IP address and with L2TPv3 via ovirtmgmt as to get the VM network Layer 2 traffic and forward it to the proxmox network through the VyOS routers. Even though i have not created any network filters traffic is dropped before reaching VyOS VM from the LDAP Auth server. TCPDUMP on the LDAP VM shows traffic leaving the LDAP VM. TCPDUMP on the VyOS VM does not show traffic reaching the vnic. _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/BOEK5LTE6CMYTU...
On Thu, Dec 12, 2019 at 11:29 AM <k.betsis(a)gmail.com> wrote:
I see. This will create an external OVN network. As far as I know, OVN networks do not allow mac spoofing, even if port security is disabled.
I have installed the vdsm hook for allow both promiscuous and mac-spoofing and have the same experience. So it is safe to assume that this cannot be supported in ovirt?
Are you able to use physical networks (oVirt logical network with VM networking, optional VLAN tag, but not external) to connect the oVirt VMs?
I can connect to VMs through the internet and IPSEC, but i wanted to extend them. Do you know of any other way where i can extend on VM network from ovirt to another hypervisor? Any idea will help. Appreciate the till now assistance.
On Thu, Dec 12, 2019 at 4:27 PM <k.betsis@gmail.com> wrote:
On Thu, Dec 12, 2019 at 11:29 AM <k.betsis(a)gmail.com> wrote:
I see. This will create an external OVN network. As far as I know, OVN networks do not allow mac spoofing, even if port security is disabled.
I have installed the vdsm hook for allow both promiscuous and mac-spoofing and have the same experience. So it is safe to assume that this cannot be supported in ovirt?
Not external logical networks, with vNIC profiles, have no network filter during the VM is started (or the vNIC is hotplugged), allows any MAC address. This works without any hook required. In most simple flow for a lab would be to remove the network filter from ovirtmgmt, attach ovirtmgmt to a VM and boot the VM.
Are you able to use physical networks (oVirt logical network with VM networking, optional VLAN tag, but not external) to connect the oVirt VMs?
I can connect to VMs through the internet and IPSEC, but i wanted to extend them. Do you know of any other way where i can extend on VM network from ovirt to another hypervisor?
As I wrote above, layer 2 tunneling from one VM to another should work. Are you force to extend the network on layer 2? If not, two VMs connected by a tunnel or a VPN might be more straight and would even limit layer 2 broadcasts.
Any idea will help.
Appreciate the till now assistance. _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PPOE54V2SXWZUN...
On Thu, Dec 12, 2019 at 4:27 PM <k.betsis(a)gmail.com> wrote:
Not external logical networks, with vNIC profiles, have no network filter during the VM is started (or the vNIC is hotplugged), allows any MAC address. This works without any hook required. In most simple flow for a lab would be to remove the network filter from ovirtmgmt, attach ovirtmgmt to a VM and boot the VM.
Well this is where theory contradicts practice... Based on what you say layer 2 frames would traverse the VM Network bridge and reach VyOS vnic, which they do not. Layer 2 frames are dropped after leaving the VM and before reaching the VyOS vnic. In theory if the VM bridge did not know where they should be forwarded it should broadcast them to all attached ports, which again it is not been done. So i am not sure if it is a bug, or a feature...
As I wrote above, layer 2 tunneling from one VM to another should work. Are you force to extend the network on layer 2? If not, two VMs connected by a tunnel or a VPN might be more straight and would even limit layer 2 broadcasts.
I agree Layer 3 would be the best way forward but we need layer 2 extension since the firewalls require it for high availability as well and we need pcsd VIPs attached to monitored services to have high availability.
On Fri, Dec 13, 2019 at 3:56 PM <k.betsis@gmail.com> wrote:
On Thu, Dec 12, 2019 at 4:27 PM <k.betsis(a)gmail.com> wrote:
Not external logical networks, with vNIC profiles, have no network filter during the VM is started (or the vNIC is hotplugged), allows any MAC address. This works without any hook required. In most simple flow for a lab would be to remove the network filter from ovirtmgmt, attach ovirtmgmt to a VM and boot the VM.
Well this is where theory contradicts practice... Based on what you say layer 2 frames would traverse the VM Network bridge and reach VyOS vnic, which they do not. Layer 2 frames are dropped after leaving the VM and before reaching the VyOS vnic. In theory if the VM bridge did not know where they should be forwarded it should broadcast them to all attached ports, which again it is not been done. So i am not sure if it is a bug, or a feature...
This works very reliably. To check the oVirt networking related part, I tried the following setup: VM1 <-vlan4->VM0<->ovirtmgmt<->dhcpserver/gateway With a bridge on VM0 which connects the interfaces connected to vlan4 and ovirtmgmt. VM0 was the "CentOS 8 test image v20191009 for x86_64 (280f3e8)" from ovirt-image-repository. I installed cockpit in VM0 and added a bridge on cockpit web UI over the two virtual NICs on VM0. VM1 was able to get an IP address via DHCP and ping through the gateway to the outside world. Are you able to replicate this as a first step to isolate the problem?
As I wrote above, layer 2 tunneling from one VM to another should work. Are you force to extend the network on layer 2? If not, two VMs connected by a tunnel or a VPN might be more straight and would even limit layer 2 broadcasts.
I agree Layer 3 would be the best way forward but we need layer 2 extension since the firewalls require it for high availability as well and we need pcsd VIPs attached to monitored services to have high availability. _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/WFV4A4YIDL7TFH...
participants (2)
-
Dominik Holler -
k.betsis@gmail.com