[ UPDATE! ] vm vlans are not allowed on vnet!

[Gilberto Ferreira]

Hi there.

I had have created a bunch of vlan zone, like
ID: vlanzone
Bridge: vmbr0
IPAM: pve
others parameters I just leave as it is.
Than, inside this vlanzone, I had created some vnets like:

Name: vnet221
Tag:221

But tried to assigned that vnet221 to a VM, I got this error, when try to either change the nic configuration with the VM on or off.

vm vlans are not allowed on vnet vnet221 at /usr/share/perl5/PVE/Network/SDN/Zones/Plugin.pm line 235.

After rollback the nic to vmbr0, than I was able to start the VM.

pveversion 8.2.7

Note that I already had a vmbr0v221 created before tried to do the same via SDN.
What do I miss?

Thanks for any advice.

[ UPDATE! ]
I tried with pveversion 8.2.8 from test repo in a lab env and works perfect.
Back there in my client, I just installed Debian first, and than had have installed Proxmox over Debian.
Is this something to do with the issue?

 

[Gilberto Ferreira]

ok! I will answer my own thread.
This error message appears when I already had a vlan with the same name.
So, for example, I had the vlan defined in the interfaces file, like this:

auto enp6s18.10
iface enp6s18.10 inet manual

auto vmbr0v10
iface vmbr0v10 inet manual
bridge-ports enp6s18.10
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

And if I tried to create the same VLAN 10 in the SDN, I can do that:
pve01:~# cat /etc/pve/sdn/zones.cfg
vlan: teste
bridge vmbr0
ipam pve

pve01:~# cat /etc/pve/sdn/vnets.cfg
vnet: vnet10
zone teste
tag 10

But when I tried to assigned the same vlan 10 to a VM using te vnet10 like that:
...
...
net0: virtio=BC:24:11:B6:19:3F,bridge=vnet10,firewall=1,tag=10
...
...

Than I got error
vm vlans are not allowed on vnet vnet10 at /usr/share/perl5/PVE/Network/SDN/Zones/Plugin.pm line 235.
kvm: -netdev type=tap,id=net0,ifname=tap100i0,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown,vhost=on: network script /var/lib/qemu-server/pve-bridge failed with status 6400
TASK ERROR: start failed: QEMU exited with code 1

Perhaps I can not have the some vlan name.

Strangly enough, if I change the vlan tag to 100, I still get the error!

So I go ahead and remove everything about vlan from /etc/network/interfaces, go to SDN -> Status and apply.
But still, got error
vm vlans are not allowed on vnet vnet10

Geez!

Just wonder why.

 

[cshill]

Morning GIlberto,
I actually ran into this issue yesterday so I can do my best to explain. I'm not a Proxmox employee, just an avid learner of Proxmox and I will be posting a question after this post regarding more networking questions if you'd like to take a look.

Short answer is the vmaware status of the bridge, vnet, and the network device attached to the VM.

Here's the Bridge Code

auto vmbr0
iface vmbr0 inet static
        address 192.168.XXX.XXX/21
        gateway 192.168.XXX.XXX
        bridge-ports enp4s0f0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

I have setup 3 VLANS all with bridge vmbr0

VNETs
VLAN1 / Zone VLAN1 / Tag 66
VLAN2 / Zone VLAN2 / Tag 77 / VLAN Aware
VLAN3 / Zone VLAN3 / Tag 88 / No VLAN AWARE / Subnet 10.10.10.1


Results:
VLAN 1 doesn't allow you to tag the network device on the VM as the VNET is not VLAN Aware. This is the ultimate "On an Island" experience a VLAN can receive. 0 connections

VLAN2 allows tagging the network device of the VM as the VNET and the bridge are VM Aware. This now creates a "Cluster of Islands" where you can have VM's communicate to one another as long as they are on the VLAN2/Vnet combo with the VLAN Tag of 77. They however have no gateway so no internet.

VLAN3 does not allow VLAN Aware with a subnet. Also you can't switch network devices over to this VLAN from VLAN1/VLAN2 due to hotplug problem. Also it does not put the VM onto a subnet even when I have SNAT on. Only time subnetting works is with simple setup, not vlan.

 

[Gilberto Ferreira]

Well in my case, everyt single VLAN is works nicely.
But I need to do that in a host level, like this:

auto eno1
iface eno1 inet manual

auto eno1.221
iface eno1.221 inet manual

auto eno1.223
iface eno1.223 inet manual

auto eno1.225
iface eno1.225 inet manual

auto eno1.226
iface eno1.226 inet manual

auto eno1.227
iface eno1.227 inet manual

auto eno1.229
iface eno1.229 inet manual

auto eno1.230
iface eno1.230 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr0v221
iface vmbr0v221 inet manual
        bridge-ports eno1.221
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0v223
iface vmbr0v223 inet manual
        bridge-ports eno1.223
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0v225
iface vmbr0v225 inet manual
        bridge-ports eno1.225
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0v226
iface vmbr0v226 inet manual
        bridge-ports eno1.226
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0v227
iface vmbr0v227 inet manual
        bridge-ports eno1.227
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0v229
iface vmbr0v229 inet static
        address  10.22.21.21/25
        gateway  10.22.21.1
        bridge-ports eno1.229
        bridge-stp off
        bridge-fd 0

auto vmbr0v230
iface vmbr0v230 inet manual
        bridge-ports eno1.230
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

And than, in the VM network config I just put vmbr0 and the necessary TAG for the VLAN works.
But I would like to do that in a Cluster Level, to facilitate the administration.
Any way, I will keep as it is, because with the SDN seems to be only problem!

Thanks any way.

 

[cshill]

Well in my case, everyt single VLAN is works nicely.
But I need to do that in a host level, like this:

auto eno1
iface eno1 inet manual

auto eno1.221
iface eno1.221 inet manual

auto eno1.223
iface eno1.223 inet manual

auto eno1.225
iface eno1.225 inet manual

auto eno1.226
iface eno1.226 inet manual

auto eno1.227
iface eno1.227 inet manual

auto eno1.229
iface eno1.229 inet manual

auto eno1.230
iface eno1.230 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr0v221
iface vmbr0v221 inet manual
        bridge-ports eno1.221
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0v223
iface vmbr0v223 inet manual
        bridge-ports eno1.223
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0v225
iface vmbr0v225 inet manual
        bridge-ports eno1.225
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0v226
iface vmbr0v226 inet manual
        bridge-ports eno1.226
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0v227
iface vmbr0v227 inet manual
        bridge-ports eno1.227
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0v229
iface vmbr0v229 inet static
        address  10.22.21.21/25
        gateway  10.22.21.1
        bridge-ports eno1.229
        bridge-stp off
        bridge-fd 0

auto vmbr0v230
iface vmbr0v230 inet manual
        bridge-ports eno1.230
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

And than, in the VM network config I just put vmbr0 and the necessary TAG for the VLAN works.
But I would like to do that in a Cluster Level, to facilitate the administration.
Any way, I will keep as it is, because with the SDN seems to be only problem!

Thanks any way.

Yeah that looks kinda painful but if the results work they work. I'll send you a link if you want to see my questions

 

[Gilberto Ferreira]

I don't who is responsable for the SDN stack, but would like to call @fiona @t.lamprecht @aaron or any other Proxmox staff to that a look of this, and perhaps shed some light for us.
Because, AFAIK, SDN is no tech preview anymore, isn't?
So I suppose this should be production ready, right?
Thanks