[SOLVED] SDN VNet Trunking/Tagging

waffleiron

Apr 30, 2024
Hello,
Looking for guidance on how to enable trunking/tagging on an SDN VNet. Use case is pictured below.

Host is bonded to a switch over 4x interfaces, vmbr0 has bond0 as a member and is vlan aware.
There is an SDN zone named "Public" that has vmbr0 as the bridge.
There are multiple vnets with tags that reference the Public zone and all of them are working fine (eg. VM1)

What I'm trying to do is create a VNet that can "pass the trunk" to a VM (eg. VM2). I thought all I would have to do is enable "vlan aware" for the Trunk vnet but it forces me to also add a tag...which confuses me. Makes me think it's a q-in-q type setup which is not going to work. Regardless, when I attach VM2 to this vnet I get no network connectivity.

However, if I bypass SDN completely and configure vmbr0 as the bridge on the VM port I get network connectivity (eg. VM3) which tells me the issue is on the SDN side somewhere.

I spin up a lot of networking VMs and being able to use sub-interfaces on the fly is huge. While the vmbr0 mapping works I would prefer to keep all my network mappings within the SDN space if possible. Thanks in advance!


Proxmox Question1.png
 
Hi,

Can you make a feature request on bugzilla.proxmox.com?

Currently, the vlan-aware option has been added as users requested it for special setups (VLAN tag on top of VXLAN, triple tag in QinQ, ...).
But the SDN is really made to create 1 vnet = 1 network, because extra features are coming (DHCP, router, ...) with subnet management.

But, as we already allow creating a vnet without a tag in a QinQ zone, I think it could be done for a VLAN zone too.
 
I'd like to be able to limit the VLANs that are trunked in the VNet too.

eg.
If a VLAN Zone is selected when creating a VNet, then
If VLAN Aware: is ticked then:
Tag: field becomes Trunk:
And you can specify a list such as "90-98,100,105"

The resulting VNet then limits the VLANs any attached VM can see.

At present I can only do this from the cli manually, and any GUI changes overwrite it. eg:

Bash:
ovs-vsctl set port ln_Cust90 vlan_mode=trunk trunk=90-98,100,105
ovs-vsctl show
.....
        Port ln_Cust90
            trunks: [90, 91, 92, 93, 94, 95, 96, 97, 98,100,105]
            Interface ln_Cust90
                type: internal
.....

@waffleiron Could you please post a link to your bugzilla ticket so I can add my comments there too?



Important Note:

Not only do SDN changes via the GUI override these settings, but a host reboot will also revert to the GUI settings.
 
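The reset described in the post above is easy to miss, because an OVS port whose `trunks` column is empty carries every VLAN. As an added example (not code from the thread), this script compares an intended trunk spec with the value printed by `ovs-vsctl get port <name> trunks`; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect when an OVS port's trunk list no longer matches the intended one.

# Expand "90-98,100,105" into sorted unique VLAN IDs; fail on anything outside 1-4094.
expand_trunks() {
    case $1 in *[!0-9,-]*) return 1 ;; esac
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    ids=""
    for part in "$@"; do
        case $part in ''|-*|*-|*-*-*|0*|*-0*) return 1 ;; esac
        lo=${part%-*}; hi=${part#*-}
        [ "$hi" -le 4094 ] && [ "$lo" -le "$hi" ] || return 1
        while [ "$lo" -le "$hi" ]; do ids="$ids $lo"; lo=$((lo + 1)); done
    done
    set -- $(printf '%s\n' $ids | sort -nu)
    echo "$*"
}

# Normalise `ovs-vsctl get port <name> trunks` output such as "[90, 91,100]".
normalize_ovs_list() {
    set -- $(printf '%s' "$1" | tr -cs '0-9' '\n' | sort -nu)
    echo "$*"
}

# trunk_drift <intended spec> <reported trunks>: prints a verdict, returns 0 only on a match.
trunk_drift() {
    want=$(expand_trunks "$1") || { echo "INVALID spec"; return 2; }
    have=$(normalize_ovs_list "$2")
    # An empty trunks column means the port trunks all VLANs.
    if [ -z "$have" ]; then echo "OPEN: port trunks all VLANs"; return 1; fi
    extra=""; missing=""
    for v in $have; do
        case " $want " in *" $v "*) ;; *) extra="$extra $v" ;; esac
    done
    for v in $want; do
        case " $have " in *" $v "*) ;; *) missing="$missing $v" ;; esac
    done
    if [ -z "$extra$missing" ]; then echo "OK"; return 0; fi
    echo "DRIFT extra:${extra:- none} missing:${missing:- none}"
    return 1
}

# Constructed sample: the port reports an empty list after a reset.
trunk_drift "90-98,100,105" "[]" || true
```

On a host, pass the live value as the second argument and run the check after every SDN apply and after boot.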
Hi.
I wanted to do the same,
and for the trunk port I've configured /etc/network/interfaces as below.
The concept is the same as how SDN creates VLAN networks - it creates an ln_xxxx Open vSwitch internal port and puts it in a regular Linux bridge to which the VMs are connected.

Code:
auto ln_vmbr4096
iface ln_vmbr4096 inet manual
        ovs_type OVSIntPort
        ovs_bridge br1g
        ovs_options trunk=10,20,30,40,50,60,70,80,90,99

auto br1g
iface br1g inet manual
        ovs_type OVSBridge
        ovs_ports bond0 mgmt20 ln_vmbr4096

auto vmbr4096
iface vmbr4096 inet manual
        bridge-ports ln_vmbr4096
        bridge-stp off
        bridge-fd 0

The bridge interface "vmbr4096" is selectable as a network in the PVE GUI.
The rest of the VLANs are configured in SDN as regular VLAN networks.

The only minor problem is that bridge br1g is also visible in the GUI, but I've no idea how to hide it from the GUI.
 
What is the solution to allow the VLAN tagging from the guest VM (e.g. OPNsense)?
 
My "solution" works for any OS inside the VM - pfSense or F5 - it doesn't matter. When you connect the VM to bridge vmbr4096 you can tag any VLAN from the list ovs_options trunk=10,20,30,40,50,60,70,80,90,99.
If you omit this setting - you can use any VLAN.
 
Thanks, but this is using a bridge and not SDN. I am thinking I need to set up separate physical adapters to allow for trunking since I am not sure how it's possible using SDN.
 
I opened a bug for this, a few others have chimed in on the bug saying they want the feature as well. Have no real updates on if/when a solution will be implemented.

To share how I'm making it work today in case it helps anyone...
Interface config is below, but basically any VM you want to "trunk" needs to attach to vmbr0 instead of your SDN vnet. So long as vmbr0 is named the same on all hosts you can migrate between hosts without issue.

Just a side note, my host management is vlan 12. I can NOT put any VM on vlan 12 as it knocks the host offline. Not sure if this is related to SDN or something else but figured I'd mention it.

Code:
auto lo
iface lo inet loopback

auto enp10s0
iface enp10s0 inet manual
        mtu 9000

auto enp11s0
iface enp11s0 inet manual
        mtu 9000

iface eno1 inet manual

iface eno2 inet manual

auto bond0
iface bond0 inet manual
        bond-slaves enp10s0 enp11s0
        bond-miimon 100
        bond-mode 802.3ad
        mtu 9000

auto vmbr0
iface vmbr0 inet manual
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
        mtu 9000
        bridge-pvid 99

auto vmbr0.12
iface vmbr0.12 inet static
        address 10.10.10.10/24
        gateway 10.10.10.1
        mtu 9000

source /etc/network/interfaces.d/*