vlan set up

RobFantini (Famous Member, Boston, Mass), May 24, 2012
Hello,
This is my first attempt to set up vlan.

We have a Netgear layer 3 switch.

Pfsense is used for a router/gateway .

On the switch 3 ports are set up as vlan5 and connected to a nic on 3 proxmox hosts.

The test VLAN network is 10.1.1.0/24.

The 3 pve systems have a vmbr set up like this:
Code:
auto vmbr4
iface vmbr4 inet static 
        address  10.1.1.241
        netmask  255.255.255.0
        bridge_ports eth4
        bridge_stp on
        bridge_fd 0

They can ping each other.

Each pve system has a KVM set up like this:
Code:
net0: virtio=12:C7:B5:4E:24:46,bridge=vmbr4,tag=5


However, from pve I cannot ping the KVMs.

Nor can the KVMs ping out, or each other.

Interfaces in the KVM are like this:
Code:
auto eth0
iface eth0 inet static
  address 10.1.1.51
  netmask 255.255.255.0
  gateway 10.1.1.1

I've tried using e1000 instead of virtio NICs.

Any clues on how to get this working?
 
Is the KVM's gateway accessible; can you ping it?
Does the gateway do NAT and allow forwarding packets?
Also remember that, unless explicitly configured on the switch, inter-VLAN communication is strictly forbidden.

What model is your Netgear switch? AFAIK no Netgear switch from the smart switch branch is layer 3 capable.
 
mir,
thank you for the response.

I realized that the reason the pve systems may be able to ping each other is that the interface does not have VLAN 5 assigned. So next I'll test a pve <> pve ping after I get that set up.

Do you have a suggestion on setting up the host's interfaces file for VLAN?

the switch model info http://www.newegg.com/Product/Product.aspx?Item=N82E16833122156
GSM7328S - NetGear GSM7328S - 24 GE, 4 TENGIG . .
Code:
Layer 2 Services
    * IEEE 802.1Q Static VLAN (Up to 4k VLAN ID)
    * IEEE 802.1p Class of Service (CoS)
    * IEEE 802.1D Spanning Tree Protocol
    * IEEE 802.1v Protocol VLAN & Port VLAN
    * IEEE 802.1 Q-in-Q
    * IEEE 802.1w Rapid Spanning Tree
    * IEEE 802.1s Multiple Spanning Tree
    * IEEE 802.3ad Link Aggregation (LACP) up to 48 trunks
    * IEEE 802.1x Port Access Authentication
    * IGMP v1, v2, v3 Snooping Support
    * Network Storm Protection including broadcast, multicast and unicast traffic
    * Static multicast filtering
    * Port locking
    * Ingress Rate Limit in 1Kbps increments
    * GARP/GVRP/GMRP

Layer 3 Services
    * VLAN routing
    * Port routing
    * RIP v1/v2 (RFC 1058, 2453)
    * OSPF v2 (RFC 1583, 2328)
    * OSPF Equal Cost Multipath (4 ECMP routes)
    * VRRP (RFC 2338, 2787) 64 instances
    * Access Control Lists (ACL) - MAC, IP, TCP
    * ACLs - 1,024 Global
    * COS
    * DiffServ QoS (RFC 2998)
    * DNS Caching
    * DHCP/Bootp Relay - primary and backup (RFC 3046, option 82)



Also I'll keep this in mind after I get ping working: "Also remember that unless explicitly configured on the switch intervlan communication is strictly forbidden."
 
Hi,
you mixed tagged and untagged VLANs.

In your setup the switchport doesn't use VLAN tagging! It's simply configured as an untagged port in VLAN 5.

If you enable VLAN tagging for the switchport your host will not be pingable, because you need to assign eth4.5 as the bridge port and not eth4.

like this:
Code:
# raw NIC, no address of its own
auto eth4
iface eth4 inet manual

# 802.1Q sub-interface: the kernel adds/strips tag 5 here
auto eth4.5
iface eth4.5 inet manual

# host address lives on the bridge, which sits on the tagged sub-interface
auto vmbr4
iface vmbr4 inet static
        address  10.1.1.241
        netmask  255.255.255.0
        bridge_ports eth4.5
        bridge_stp on
        bridge_fd 0
But then you don't need a VLAN tag on the VM config side, because vmbr4 is already untagged.

But if you don't need an IP on the host (and have some more VLANs) you can use VLAN tagging in the VM config if you use an untagged bridge:
Code:
# raw NIC carries the tagged frames from the VMs unchanged
auto eth4
iface eth4 inet manual

# bridge with no host address; each VM attaches with its own tag
auto vmbr4
iface vmbr4 inet static
        address  0.0.0.0
        netmask  0.0.0.0
        bridge_ports eth4
        bridge_stp on
        bridge_fd 0
Then the VM config with "net0: virtio=12:C7:B5:4E:24:46,bridge=vmbr4,tag=5" should work, and another VM NIC can use ...bridge=vmbr4,tag=10 and so on (if those VLANs are also configured on the switchport).

Udo
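The tagged/untagged rules Udo describes, as an added example that is not part of the original post: a small Python model that reads the bridge stanza and the VM's net0 line, works out which 802.1Q tags each frame carries when it leaves eth4, and runs them through a switch port that has a PVID (the VLAN given to untagged frames) and a set of VLANs it accepts with a tag. The three configs are constructed from the snippets in this thread; the switch behaviour (untagged frames go to the PVID, tagged frames are accepted only for tagged member VLANs, double-tagged frames are treated as unusable) is an assumption about a standard 802.1Q port, not the GSM7328S's firmware.

```python
"""Where do host and VM frames end up after the bridge and the switch port?

Added example, not code from the thread. Models a standard 802.1Q switch
port (PVID for untagged frames, a set of tagged member VLANs) and a Linux
bridge whose port is either eth4 (raw) or eth4.5 (kernel adds/strips tag 5).
Sample configs below are constructed from the thread's snippets.
"""
import re
from dataclasses import dataclass


@dataclass
class SwitchPort:
    pvid: int                          # VLAN given to untagged ingress frames
    tagged: frozenset = frozenset()    # VLANs accepted with an 802.1Q tag

    def ingress_vlan(self, tags):
        """VLAN the switch files a frame under, or None if it is dropped.
        `tags` is the 802.1Q stack, outermost tag first (assumed behaviour)."""
        if not tags:
            return self.pvid
        if len(tags) > 1:
            return None                # double tagged; no Q-in-Q configured
        return tags[0] if tags[0] in self.tagged else None


def parse_interfaces(text):
    """{bridge: {'ports': [...], 'has_ip': bool}} from interfaces(5) bridge stanzas."""
    bridges, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"iface\s+(vmbr\d+)\s+inet\s+\S+", line)
        if m:
            current = m.group(1)
            bridges[current] = {"ports": [], "has_ip": False}
            continue
        if line.startswith(("iface", "auto")):
            current = None             # some non-bridge stanza
            continue
        if current is None:
            continue
        key, _, val = line.partition(" ")
        if key == "bridge_ports":
            bridges[current]["ports"] = val.split()
        elif key == "address" and val.strip() != "0.0.0.0":
            bridges[current]["has_ip"] = True      # 0.0.0.0 means "no host IP"
    return bridges


def parse_vm_net(line):
    """'net0: virtio=MAC,bridge=vmbr4,tag=5' -> {'virtio': MAC, 'bridge': 'vmbr4', 'tag': '5'}."""
    _, _, rest = line.partition(":")
    return dict(item.strip().split("=", 1) for item in rest.split(","))


def wire_tags(bridge, vm_tag):
    """Tag stacks (outermost first) that host and VM frames carry on the NIC.
    Host is None when the bridge has no address of its own."""
    m = re.fullmatch(r"[^.]+\.(\d+)", bridge["ports"][0])
    outer = [int(m.group(1))] if m else []          # eth4.5 adds tag 5 on egress
    host = outer if bridge["has_ip"] else None
    vm = outer + ([vm_tag] if vm_tag else [])       # the VM's own tag sits inside
    return host, vm


def check(bridge, vm_tag, switch):
    """Classify a bridge + VM tag + switch port combination."""
    host_tags, vm_tags = wire_tags(bridge, vm_tag)
    host_vlan = None if host_tags is None else switch.ingress_vlan(host_tags)
    vm_vlan = switch.ingress_vlan(vm_tags)
    findings = []
    if len(vm_tags) > 1:
        findings.append(f"VM frames are double tagged {vm_tags}; drop tag={vm_tag}")
    elif vm_vlan is None:
        findings.append(f"switch drops VM frames tagged {vm_tags}; "
                        f"the port must be a tagged member of VLAN {vm_tags[0]}")
    if host_tags is not None and host_vlan is None:
        findings.append(f"switch drops host frames tagged {host_tags}")
    if None not in (host_vlan, vm_vlan) and host_vlan != vm_vlan:
        findings.append(f"host is in VLAN {host_vlan}, VM in VLAN {vm_vlan}; no ping between them")
    return {"host_vlan": host_vlan, "vm_vlan": vm_vlan, "findings": findings}


# Constructed from the thread's snippets (abbreviated to the lines that matter).
RAW_WITH_IP = "auto vmbr4\niface vmbr4 inet static\n    address 10.1.1.241\n    bridge_ports eth4\n"
SUBIF_WITH_IP = RAW_WITH_IP.replace("bridge_ports eth4", "bridge_ports eth4.5")
RAW_NO_IP = RAW_WITH_IP.replace("10.1.1.241", "0.0.0.0")
VM_TAGGED = "net0: virtio=12:C7:B5:4E:24:46,bridge=vmbr4,tag=5"
VM_PLAIN = "net0: virtio=12:C7:B5:4E:24:46,bridge=vmbr4"


def check_setup(interfaces_text, vm_line, switch):
    net = parse_vm_net(vm_line)
    bridge = parse_interfaces(interfaces_text)[net["bridge"]]
    return check(bridge, int(net["tag"]) if "tag" in net else None, switch)


def scenarios():
    access5 = SwitchPort(pvid=5)                            # untagged member of VLAN 5
    trunk = SwitchPort(pvid=1, tagged=frozenset({5, 10}))   # 5 and 10 tagged, PVID 1
    return {
        "original": check_setup(RAW_WITH_IP, VM_TAGGED, access5),      # the first post
        "tagged_subif": check_setup(SUBIF_WITH_IP, VM_PLAIN, trunk),   # first fix above
        "untagged_bridge": check_setup(RAW_NO_IP, VM_TAGGED, trunk),   # second fix above
        "double_tag": check_setup(SUBIF_WITH_IP, VM_TAGGED, trunk),    # eth4.5 plus tag=5
        "split_vlan": check_setup(RAW_WITH_IP, VM_TAGGED, trunk),      # port tagged, bridge on eth4
    }
```

Calling scenarios() reproduces the first post's symptom (host in VLAN 5, the VM's tagged frames dropped by the untagged port), shows both fixes above as clean, and flags the two mistakes the reply warns about: keeping tag=5 on top of eth4.5 (double tag) and keeping eth4 as the bridge port after the switchport is made tagged (host lands in the PVID, VM in VLAN 5, so they cannot ping each other).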
 
Udo : Thank you for the detailed reply.

I'll use that info when next on site ..

So VLANs on the switch will do NO tag or untag.


For PCs, phones, cameras etc., the switch can do "IP Subnet Based VLAN".

Have you used something like that?
 
Hi Rob,
some vendors have curious nomenclature.
With the office switch from Cisco you need to set the port as "tagged only" for 802.1q and "No" for an untagged port.
PVID is the default VLAN; for 802.1q select 1, and then assign this port as a member of all needed VLANs.

Don't know how Netgear handles this; perhaps RTFM?

Udo
 
Re: vlan set up - Routing

We have a couple of 5 year old layer 3 Netgear switches.

Now routing can be done using those or using Debian and /etc/network/interfaces.

Is there any reason NOT to use Debian-based routing?

It seems to me that with powerful server hardware it'd be simpler to use Debian.
 
Re: vlan set up - Routing

1) A switch does the routing in hardware while a Debian server does it in software.
2) Routing in the switch means for the most part that packets never leave layer 2.
3) Switch-based routing is more secure since you will be able to control exactly which clients will be allowed on any subnet.
 
