[solved] Help needed with trunked vlans

Neuer_User

Hello

I have a proxmox server with a specific interface configuration. Here is the relevant part:

Code:
iface eno1 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr50
iface vmbr50 inet static
        address 172.17.5.128/24
        gateway 172.17.5.1
        bridge-ports eno1.50
        bridge-stp off
        bridge-fd 0
        network 172.17.5.0

auto vmbr200
iface vmbr200 inet manual
        bridge-ports eno1.200
        bridge-stp off
        bridge-fd 0

The eno1 interface gets all traffic trunked. The proxmox server has a static IP on VLAN 50. For all clients (VMs or LXCs) I can assign the two bridges vmbr50 and vmbr200, so that the clients get access to the specific vlans only. That works nicely.

Now my problem is that I want to add a VM with a proxmox test server, which should get the same network config. So, I am attaching it to vmbr0. Then the network config of the vm is pretty similar:

Code:
iface nic0 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports nic0
        bridge-stp off
        bridge-fd 0

auto vmbr50
iface vmbr50 inet static
        bridge-ports nic0.50
        bridge-stp off
        bridge-fd 0
        network 10.0.20.0

auto vmbr200
iface vmbr200 inet manual
        address 172.17.20.129/24
        gateway 172.17.20.1
        bridge-ports nic0.200
        bridge-stp off
        bridge-fd 0

Unfortunately, the guest does not have network connectivity. In the console, everything looks ok to me. It has the IP address and the correct routing table. As I cannot ssh in, it is difficult to copy the output. I can only post screenshots:

Bildschirmfoto_20260216_140644.png

Is there anything obviously incorrect?

When I do a tcpdump on the host proxmox on the physical interface eno1, I get a huge amount of traffic shown. But the same on the vmbr0 bridge gives nearly no traffic at all (except some STP traffic and some traffic from VLAN1). So, I have the feeling that the bridge vmbr0 is not really vlan-aware. Or am I misunderstanding something?

Thanks for any help.
 
Hello,

You are mixing two VLAN models:

  • A VLAN-aware trunk bridge (vmbr0), which carries a VLAN trunk and transports tagged VLAN traffic
  • Per-VLAN access bridges (vmbr50, vmbr200), where tagging is done at the interface level (eno1.50 / eno1.200)

You need to choose one design.
Either use vmbr0 as a trunk and configure VLAN tagging properly on the VM NIC,
or use dedicated bridges per VLAN and avoid VLAN-aware trunking.

Right now it’s a hybrid setup, and “Destination Host Unreachable” strongly suggests an L2 issue (most likely ARP not passing because tagged traffic is being filtered).

Think of it like this:

A VLAN-aware bridge is a highway carrying multiple lanes (VLANs) on the same road.

Per-VLAN bridges are separate dedicated roads, one road per VLAN.
Right now you are building a highway for all VLANs, and at the same time trying to create separate roads for the same traffic.

Both designs work — but not together.

Additionally, make sure your physical switch port connected to eno1 is configured consistently (either as a proper trunk allowing the required VLANs, or as access if you use per-VLAN bridges).
 
Hi Nico

Yeah, I probably do that. The idea is that there is one trunked bridge that is not used for management of proxmox. But it is connected to the VM 1.
The proxmox host is connected to another bridge. Also two VMs (actually more than two) are connected to the two untagged bridges.

The setup with the untagged bridges has been working for a long time already. Now, as I want to run a VM with a proxmox test system, I want to connect it to the tagged bridge (vmbr0).

The strange thing is, when I tcpdump the eno1 interface on the proxmox host, it shows all traffic, but vmbr0 shows only the PVID traffic, although the bridge is vlan-aware. That is what I currently don't understand. Can the other bridges really influence the vmbr0 bridge?
Bildschirmfoto vom 2026-02-16 18-10-12.png
 
Hello,
Code:
             eno1 (trunk)
               │
   ┌───────────┼───────────┐
   │           │           │
eno1.50     eno1.200     vmbr0 (vlan-aware)
   │           │             │
 vmbr50      vmbr200        VM1 (trunk)
   │           │
 VM3 (V50)   VM2 (V200)


This layout does not work because Linux VLAN subinterfaces (eno1.50 / eno1.200) intercept tagged frames before they reach the vlan-aware bridge path.
So tcpdump -i eno1 shows all VLANs, but tcpdump -i vmbr0 only sees PVID (untagged) traffic.


Code:
           Switch (trunk: 50,200,...)
                     │
                  eno1
                     │
              vmbr0 (vlan-aware)
                     │
     ┌───────────────┼───────────────┐
     │               │               │
 Nested PVE      VM (VLAN 50)    VM (VLAN 200)
 (no tag)         tag=50           tag=200

Remove eno1.50/eno1.200 and vmbr50/vmbr200 if you want vmbr0 to carry the full trunk.
Code:
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr0.50
iface vmbr0.50 inet static
    address 172.17.5.128/24
    gateway 172.17.5.1

Set the VLAN tag (50 or 200) on the VM network device in Proxmox.
If VLAN 50 is configured as native VLAN on the switch, then the management IP must be placed on vmbr0 instead of vmbr0.50.

Example switch configuration (Cisco-style):

Code:
interface GigabitEthernet1/0/1
 description Proxmox
 switchport mode trunk
 switchport trunk allowed vlan 50,200
 switchport trunk native vlan 999
 spanning-tree portfast trunk

VLAN 50 is used for management (host GUI) and can also be used for VMs if desired.
VLAN 200 is another regular VLAN.
VLAN 999 is only used as the native (untagged) VLAN on the trunk and should not carry any production traffic.
 
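A check for the conflict described in the answer above, as an added example that is not part of any forum post: it parses an /etc/network/interfaces-style file and reports every port that is attached to a VLAN-aware bridge while VLAN subinterfaces of the same port feed other bridges. The function names and the embedded sample (the first post's host config, shortened) are constructed for illustration.

```python
import re

# Constructed sample: host config from the first post, reduced to the relevant lines.
HYBRID = """\
iface eno1 inet manual
auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-vlan-aware yes
auto vmbr50
iface vmbr50 inet static
        bridge-ports eno1.50
auto vmbr200
iface vmbr200 inet manual
        bridge-ports eno1.200
"""

def parse_bridges(text):
    """Return {iface: {"ports": [...], "vlan_aware": bool}} for stanzas with bridge ports."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].replace("_", "-")  # accept bridge_ports as well as bridge-ports
        if key == "iface" and len(words) > 1:
            current = stanzas.setdefault(words[1], {"ports": [], "vlan_aware": False})
        elif key in ("auto", "allow-hotplug", "source"):
            current = None  # these lines end the previous iface stanza
        elif current is not None and key == "bridge-ports":
            current["ports"] += words[1:]
        elif current is not None and key == "bridge-vlan-aware":
            current["vlan_aware"] = words[1:2] == ["yes"]
    return {name: s for name, s in stanzas.items() if s["ports"]}

def find_hybrid(text):
    """List (trunk_bridge, port, vlan_id, access_bridge) where one port feeds both models."""
    bridges = parse_bridges(text)
    hits = []
    for trunk, t in bridges.items():
        for port in (t["ports"] if t["vlan_aware"] else []):
            sub = re.compile(re.escape(port) + r"\.(\d+)")  # e.g. eno1.50
            for name, b in bridges.items():
                for p in b["ports"]:
                    m = sub.fullmatch(p)
                    if m:
                        hits.append((trunk, port, int(m.group(1)), name))
    return hits

print(find_hybrid(HYBRID))
```

An empty list means no port is shared between a VLAN-aware bridge and per-VLAN subinterface bridges, which is the state the corrected configuration in the answer reaches.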
Thank you for that. :)
I was also dealing with the same kind of problem and was also mixing things.