SDN and QinQ

sipani909

New Member
Jul 6, 2024
Looking to understand how I can get QinQ working with an OVS bridge.
My topology looks like this:

VM (will send tagged and untagged packets) --> TAP itf (configured with outer tag on Proxmox UI) --> OVS bridge --> physical NIC --> C9300 Switch (which is configured to act in dot1q-tunnel mode)

Currently, if I send untagged packets from the VM, they work fine and the outer tag is added correctly by the tap itf and forwarded out via the bridge to the physical itf. However, when I send tagged packets, I see them in the capture on the tap itf but not on the bridge, making me think that the tap is dropping them as the inner tag does not match the outer tag. Is that a correct understanding?

If yes, how can I set up the OVS bridge to double-tag packets?

Appreciate any help in this regard! Thanks in advance!
 
I did, yes, but it didn’t work, and I am assuming I didn’t configure something correctly. My requirement is to send inner tags (different tags based on different traffic tests) from a traffic generator inside the VM. How can I set it up so that the zone only adds the outer tag and preserves the tag from inside the VM?
 
Create a vnet without a tag in the QinQ zone and enable vlan-aware on the vnet.
The VLAN tag coming from your guest OS should be preserved.
 
I added them like this. But I still don't see my VM traffic getting forwarded from tap to the zone itfs. Wireshark shows packets reaching tap correctly but not getting seen on the zone itf or the bridge itf at all.
 

I see the same behavior for both tagged and untagged packets coming from the VM, even when I change the zone to 802.1ad.
 
Have you tried a virtio NIC instead of e1000? I'm not sure that tagging with e1000 is working fine.

With tcpdump or Wireshark, you should see tagged packets on the <vnetid> bridge

and double tags on the physical interface out of the server.




Another way: you can also use a VLAN zone and define the outer VLAN on the vnet (+vlan aware). Then the inner VLAN inside your guest.
 
Tried both of the above. Same result. I don't see any packets reaching the OVS bridge at all from the tap itf.
 
Also, does an SDN zone use Linux bridges under the hood? Asking as I see the zones in the output of brctl show on the node. A Linux bridge unfortunately does not pass LACP or STP packets, which is why I was creating OVS bridges in the first place.
 
The vnets are Linux bridges, connected to your main vmbrX defined in the zone. And it can be a Linux bridge or OVS bridge.

(I have tested QinQ with different users with both OVS and Linux bridges for the vmbrX.)

The config is generated in /etc/network/interfaces.d/sdn
 
How can I make them an OVS bridge? I don’t see any option to do that on the Proxmox UI. Also, are there any firewall settings I need to change? Sorry for the constant questions here, but I feel like I am missing something very basic. Do you have an example configuration that you could share or a guide on how to set this up on Proxmox?
 
This is what my current SDN file looks like as generated from Proxmox.
 

I realized SDN will not work, as they use Linux bridges at the vnet level and Linux bridges do not have the ability to forward LACP and STP frames by default unless you patch the kernel. I had done that previously for CentOS 7.9, and it is a major pain to keep doing that every time you bring up a new server/node. Which is why I had switched to Proxmox to be able to use OVS bridges. To work around this, I ended up adding the outer tag manually on the tap itf of the bridge connected to the VM.
Code:
ovs-ofctl --protocols=OpenFlow11 add-flow cat4k "in_port=tap105i1,action=push_vlan:0x8100,set_field:573->vlan_vid,output:1"
ovs-ofctl --protocols=OpenFlow11 add-flow cat4k "in_port=tap105i2,action=push_vlan:0x8100,set_field:574->vlan_vid,output:1"
ovs-ofctl --protocols=OpenFlow11 add-flow cat4k "in_port=tap105i3,action=push_vlan:0x8100,set_field:575->vlan_vid,output:1"
ovs-ofctl --protocols=OpenFlow11 add-flow cat4k "in_port=tap105i4,action=push_vlan:0x8100,set_field:576->vlan_vid,output:1"
ovs-ofctl --protocols=OpenFlow11 add-flow cat4k "in_port=tap105i5,action=push_vlan:0x8100,set_field:577->vlan_vid,output:1"
ovs-ofctl --protocols=OpenFlow11 add-flow cat4k "in_port=1,dl_vlan=573,actions=strip_vlan,output:tap105i1"
ovs-ofctl --protocols=OpenFlow11 add-flow cat4k "in_port=1,dl_vlan=574,actions=strip_vlan,output:tap105i2"
ovs-ofctl --protocols=OpenFlow11 add-flow cat4k "in_port=1,dl_vlan=575,actions=strip_vlan,output:tap105i3"
ovs-ofctl --protocols=OpenFlow11 add-flow cat4k "in_port=1,dl_vlan=576,actions=strip_vlan,output:tap105i4"
ovs-ofctl --protocols=OpenFlow11 add-flow cat4k "in_port=1,dl_vlan=577,actions=strip_vlan,output:tap105i5"

This seems to work for now. Will test more for all L2 protocols from the traffic generator.
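
Added example, not part of the original post: a small Python model of what the push_vlan and strip_vlan flows above do to a frame, plus a parser that returns the VLAN tag stack of raw frame bytes, such as a frame captured on the physical NIC. Only outer VLAN 573 and TPID 0x8100 come from the post; the MAC addresses, inner VLAN 100 and payload are constructed sample values.

```python
import struct

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}

def push_vlan(frame: bytes, vid: int, tpid: int = 0x8100) -> bytes:
    """Model push_vlan + set vlan_vid: insert a new outermost tag after the MACs."""
    if tpid not in TPIDS or not 1 <= vid <= 4094:
        raise ValueError(f"bad tag: tpid={tpid:#06x} vid={vid}")
    return frame[:12] + struct.pack("!HH", tpid, vid) + frame[12:]

def strip_vlan(frame: bytes) -> bytes:
    """Model strip_vlan: remove only the outermost tag, leaving any inner tag."""
    if tag_stack(frame)[0] == []:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]

def tag_stack(frame: bytes):
    """Return ([(tpid, vid), ...] outermost first, EtherType of the payload)."""
    tags, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return tags, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))  # low 12 bits of the TCI are the VID
        off += 4

# Constructed sample frames (not from a real capture): IPv4 EtherType, dummy payload.
MACS = bytes.fromhex("02000000000a" "02000000000b")
UNTAGGED = MACS + struct.pack("!H", 0x0800) + b"\x00" * 46
INNER_TAGGED = push_vlan(UNTAGGED, 100)   # what the guest's traffic generator sends

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", INNER_TAGGED)):
        wire = push_vlan(frame, 573)       # flow on in_port=tap105i1
        back = strip_vlan(wire)            # flow on in_port=1,dl_vlan=573
        print(name, tag_stack(wire), back == frame)
```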
 
Can this be a feature request? To allow QinQ directly with 802.1ad or 802.1q on the OVS bridge itself rather than SDN?
 
