[Users] Networking questions (LONG)
Itamar Heim
iheim at redhat.com
Fri Jan 10 13:06:28 UTC 2014
On 01/10/2014 01:32 PM, Dan Kenigsberg wrote:
> On Thu, Jan 09, 2014 at 10:53:25PM +0200, Lior Vernia wrote:
>> Hello Alan,
>>
>> On 09/01/14 10:07, Alan Murrell wrote:
>>> Hello,
>>>
>>> I am evaluating oVirt as a replacement/alternative to VMware deployments
>>> we typically do. I have installed and all-in-one setup on a test box
>>> (which itself used to be an ESXi server), but it only has one NIC. I
>>> trying to duplicate our typical configuration we do in VMware, which is
>>> this:
>>>
>>> 1.) we create several "port groups" on the vSwitch, each assigned a
>>> VLAN ID, such as:
>>>
>>> - VLAN001 (VLAN ID: 1)
>>> - VLAN002 (VLAN ID: 2)
>>> - VLAN009 (VLAN ID: 9)
>>> - VLAN010 (VLAN ID: 10)
>>> - VLAN200 (VLAN ID: 200)
>>> - TRUNK (VLAN ID: 4095 - in VMware-world, VLAN ID "4095" is "all
>>> VLANS" and basically just passes the VLANs through to whatever is
>>> attached to the port group for the VM to handle)
>>>
>>> 2.) We assign VMs to port groups appropriate for the VLAN they are
>>> part of.
>>> 3.) The only VM that has a NIC assigned to the "TRUNK" port group is
>>> the firewall (which is Linux), and we create VLAN interfaces on it
>>> (i.e., "eth1.1", "eth1.2", "eth1.10", "eth1.200"). The firewall VM acts
>>> as the router between the various VLANs.
>>>
>>> To replicate the above in oVirt, I created logical networks for each
>>> VLAN, and assigned the appropriate VLAN ID. It seems oVirt/KVM does not
>>> have an equivalent for VMware's VLAN ID of "4095", so after some
>>> searching around, so for the "TRUNK" network, I left it with no VLAN
>>> assigned. Because i cannot add VLAN and non-VLAN networks to the same
>>> physical NIC, after some searching around, it looks like I may have to
>>> utilise two NICS: one for the VLAN networks and one for the "TRUNK" network.
>>
>> That is true. One non-VLAN network can in fact sit on the same NIC with
>> VLAN networks, but it has to be non-VM.
>
> This was devised as a security constraint - otherwise, a VM attached to
> the non-VLAN network could sniff traffic from another (VLAN) network.
> However, it seems that this is exactly what you need - a special VM that
> is designed to do just that.
>
isn't that was promiscious mode (aka port mirroring) is for?
> And it's not only you: there's another recent request for lifting this
> limitation:
> Bug 1049476 - [RFE] Mix untagged and tagged Logical Networks on the
> same NIC
>
>>
>> However, I'm not sure that you in fact need a "TRUNK" VM network in
>> oVirt. If you want your firewall VM to get all traffic from the VLANs,
>> you could create a vNIC for each network, to which you'll attach a
>> profile (oVirt's equivalent of port group if I'm not mistaken) of the
>> corresponding network. The host can remain with just the VLAN networks
>> attached to its NICs, without a designated "TRUNK".
>>
>> This way the firewall VM will get something like "eth1" for VLAN 1,
>> "eth2" for VLAN 200 and so forth, which might be close enough to what
>> you described on your previous setup (oVirt currently doesn't allow
>> creating VLANs inside VMs). And if I correctly understood your needs it
>> will save you the trouble you described below (well, you would need the
>> one dummy interface).
>>
>>>
>>> Because, at this point, I am not yet concerned with making the test VMs
>>> I will be setting up be accessible from outside the virtual lab
>>> environment (i.e., everything will communicate within my oVirt
>>> server/network for now), I am trying to make use of "dummy" interfaces,
>>> but I am not sure the best way to make use of this. I am able to create
>>> the dummy* interfaces and have them show up in oVirt, but I am not sure
>>> of how they should be setup. Here is what I am *thinking* should be
>>> done, but want to make sure it is correct before getting too deep:
>>>
>>> - I will use the physical NIC for management, therefore the
>>> "ovirtmgmt" bridge with eth0 assigned to it will remain as-is
>>> - Create two dummy interfaces: "dummy0" and "dummy1"
>>> - Create a new bridge, "ovirtvm" and assign "dummy0" and "dummy1" to it
>>
>> This is something that currently can't be done from within the oVirt
>> engine, but if my above suggestion works for you then it won't be needed.
>>
>>> - Attach the VLAN-enabled networks to "dummy0"
>>> - Attach the "TRUNK" network to "dummy1"
>
> I do not understand what you are trying to do with dummy devices (after
> all, they are not going to send any packet anywhere).
>
> But if you are willing to mess with network configuration under the feet
> of oVirt, you could do the following:
> - create a network tagged with an id that is not really used in your
> datacenter, say 999, and attach it to the host.
> - build and install vdsm-hook-extnet rpm
> - define a vnic profile using this network, and adding a custom propery
> called "extnet" with the value of (say) "untagged".
> - set up a bridge named "untagged" directly on top of your eth0 (say
> "breth0")
> - define a libvirt bridged network named "untagged", that uses "breth0".
> - attach the vnic of your firewall VM to your vnic profile.
>
> Now, when you start up your firewall vm, the "extnet" hook gets into
> action, and forces the firewall vm from the 999 network, into using your
> hand-crafted network.
>
> This all sounds a bit long and hacky, but I believe it would work. I'll
> love to hear if it does.
>
>>>
>>> Would the above be the way to go about this? The one thing I am not
>>> sure of is whether or not having no VLAN assigned (on the "TRUNK"
>>> network) accomplishes the same this as the "VLAN ID 4095" in VMware:
>>> will oVirt/KVM just pass the traffic through for the VM attached to it
>>> to deal with?
>
> Yes. Untagged network passes all ethernet frames to the VM, be them
> tagged or not. Inside the VM you can further process them (It's less
> clear to me how you intend to do the processing, and how would the
> firewall would block offensive traffic from reaching "normal" VMs).
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
More information about the Users
mailing list