KVM + OpenvSwitch + libvirt + VLANs/Trunks

Linux Kernel, Network, and Services configuration.
anowak
Posts: 2
Joined: 2023-11-15 05:48

KVM + OpenvSwitch + libvirt + VLANs/Trunks

#1 Post by anowak »

Hi All,

I have a Debian OS running KVM. I've been running it with openvswitch + libvirt integration for many years.
Recently I tried to put a firewall VM onto it using only trunked ports but have not found a way for this to work.

Say I have 4 VLANs -

VLAN ID 20 - LAN
VLAN ID 30 - WIRELESS
VLAN ID 40 - IoT
VLAN ID 50 - WAN

I am able to trunk this to the VM using an ovs-network definition.
<network>
  <name>ovs-network</name>
  <uuid>......</uuid>
  <forward mode='bridge'/>
  <bridge name='ovs-br0'/>
  <virtualport type='openvswitch'/>
  <portgroup name='native' default='yes'></portgroup>
  <portgroup name='wan_vl50'>
    <vlan>
      <tag id='50'/>
    </vlan>
  </portgroup>
  <portgroup name='wlan_vl30'>
    <vlan>
      <tag id='30'/>
    </vlan>
  </portgroup>
  <portgroup name='iot'>
    <vlan>
      <tag id='40'/>
    </vlan>
  </portgroup>
  <portgroup name='eth0-Trunk'>
    <vlan trunk='yes'>
      <tag id='20'/>
      <tag id='30'/>
      <tag id='40'/>
      <tag id='50'/>
    </vlan>
  </portgroup>
</network>
VLAN20 is my native VLAN on my KVM host and this is also the management VLAN on the firewall, although since I am passing it a trunk it has a VLAN interface 20 with an IP address attached. How do I get the firewall to talk to the rest of the network?

VLAN   Switch     KVM Host     VM
20     untagged   bridge IP    tagged vif 20
30     tagged     N/A          tagged vif 30
40     tagged     N/A          tagged vif 40
50     tagged     N/A          tagged vif 50


Kind Regards

anowak
Posts: 2
Joined: 2023-11-15 05:48

Re: KVM + OpenvSwitch + libvirt + VLANs/Trunks

#2 Post by anowak »

Believe this may explain it a little better

U = untagged, T = tagged

So from the PC I am unable to communicate with vif 20 when vmnet15 is set as a trunk port.
[image: VLAN diagram, VISIO_7XApxgTdb2.png]
I believe the issue may be that VLAN20 is native on the host and it's tagged within the VM. When it leaves the VM with a tag it does not associate with the native?

I've looked at the following
https://blog.scottlowe.org/2012/11/07/u ... d-libvirt/

I tried setting the KVM eth0 nic to tag the port with VLAN 20 but this just kills the network altogether.

ovs-vsctl set port eth0 tag=20
I then found a mention of vlan_mode
https://manpages.debian.org/wheezy/open ... .5.en.html - search vlan_mode & native-tagged
native-tagged
A native-tagged port resembles a trunk port, with the exception that a packet without an 802.1Q header that ingresses on a native-tagged port is in the "native VLAN" (specified in the tag column).

ovs-vsctl set port eth0 vlan_mode=native-untagged
Still no network connectivity.

If I try the following the network comes up again, but the virtual still can't communicate on VLAN20.

ovs-vsctl set port eth0 tag=20
ovs-vsctl set port eth0 vlan_mode=trunk
Somehow I can communicate on the other VLANs 30 and 40 as these are tagged from the switch all the way to the VM?

JohnnyVBut
Posts: 1
Joined: 2024-03-18 23:10

Re: KVM + OpenvSwitch + libvirt + VLANs/Trunks

#3 Post by JohnnyVBut »

Hi,

I would try this way considering that your switchport is configured like this:

switchport mode trunk
switchport trunk native vlan 20

ovs-vsctl set port eth0 tag=20 trunks=20,30,40,50 vlan_mode=native-untagged
AFAIK there are 4 port roles in openvswitch:

Access: VLAN number is defined by the tag keyword
Trunk: All ethernet frames should be tagged. If there is no tag (native VLAN), the frame will be dropped
native-tagged: it's trunk mode, but incoming frames without a tag will be placed into the VLAN specified by the tag keyword. Note that this is unidirectional behaviour, meaning that the frame will be put back on the wire tagged
native-untagged: It's the same as native-tagged, but the tag will be removed on its way back before putting it on the wire

Hope this makes sense.

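As an added illustration (not code from either poster), a small Python model of the four OVS port roles described above, applied to the thread's setup: an untagged native VLAN 20 frame arriving from the switch on eth0 and heading for the VM's trunked vif, and the same frame when eth0 is left as a pure trunk. The VLAN ids and eth0 are the thread's; the vif name vnet0 is assumed, and the vlan_mode, tag and trunks semantics follow the ovs-vswitchd.conf.db description.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class OvsPort:
    """Subset of the OVS Port table columns: vlan_mode, tag and trunks."""
    name: str
    vlan_mode: str                      # access | trunk | native-tagged | native-untagged
    tag: Optional[int] = None           # access VLAN, or native VLAN for native-* modes
    trunks: Optional[List[int]] = None  # None (empty in OVS) means "trunk all VLANs"

def allowed(port: OvsPort, vlan: int) -> bool:
    """Is `vlan` a member of `port`? Native-* ports always carry their native VLAN."""
    if port.vlan_mode == "access":
        return vlan == port.tag
    if port.vlan_mode != "trunk" and vlan == port.tag:
        return True
    return port.trunks is None or vlan in port.trunks

def ingress_vlan(port: OvsPort, frame_tag: Optional[int]) -> Optional[int]:
    """VLAN an incoming frame is placed in, or None if OVS drops it on ingress."""
    if frame_tag is None:               # untagged frame
        if port.vlan_mode == "trunk":
            return None                 # pure trunk has no native VLAN: dropped
        return port.tag                 # access / native-*: the port's tag
    if port.vlan_mode == "access":
        return None                     # access ports drop tagged frames
    return frame_tag if allowed(port, frame_tag) else None

def egress_frame(port: OvsPort, vlan: int) -> str:
    """How a frame in `vlan` leaves `port`: 'drop', 'untagged' or 'tagged N'."""
    if not allowed(port, vlan):
        return "drop"
    if port.vlan_mode in ("access", "native-untagged") and vlan == port.tag:
        return "untagged"
    return f"tagged {vlan}"             # trunk and native-tagged keep the 802.1Q header

def forward(src: OvsPort, frame_tag: Optional[int], dst: OvsPort) -> str:
    """A frame tagged `frame_tag` (None = untagged) enters `src` and leaves `dst`."""
    vlan = ingress_vlan(src, frame_tag)
    return "drop" if vlan is None else egress_frame(dst, vlan)

# The thread's ports: eth0 towards the switch (native VLAN 20) and the VM's trunked vif (name assumed).
VIF_TRUNK = OvsPort("vnet0", "trunk", trunks=[20, 30, 40, 50])        # eth0-Trunk portgroup
ETH0_SUGGESTED = OvsPort("eth0", "native-untagged", tag=20, trunks=[20, 30, 40, 50])
ETH0_PURE_TRUNK = OvsPort("eth0", "trunk", tag=20)                    # tag=20 + vlan_mode=trunk

if __name__ == "__main__":
    print(forward(ETH0_SUGGESTED, None, VIF_TRUNK), forward(ETH0_PURE_TRUNK, None, VIF_TRUNK))  # tagged 20 drop
    print(forward(VIF_TRUNK, 20, ETH0_SUGGESTED))   # the VM's tagged VLAN 20 reply leaves eth0 untagged
```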