Vlan tagging from inside KVM Guest Issues

Discussion in 'Proxmox VE: Installation and configuration' started by frizianz, Sep 22, 2013.

  1. frizianz

    frizianz New Member

    Joined:
    Sep 22, 2013
    Messages:
    5
    Likes Received:
    0
    Hi Guys,

    Having a few issues with getting vlan tagging from inside the guests working.

    I am putting the eth0 of the guest into vmbr0 and then tagging from the guest with vlan 103. This is confirmed working (tcpdump on tap interface facing vm). The issue that I encounter is that doing a tcpdump on eth0 of the host I see the frame from the Guest with QinQ tagging with the management vlan as the outer.

    Code:
    21:41:54.905877 ae:f9:37:25:8f:79 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 50, p 0, ethertype 802.1Q, vlan 103, p 0, ethertype ARP, Request who-has 10.0.103.254 tell 10.0.103.250, length 42
    Here is my /etc/network/interfaces file from the host:

    Code:
    auto eth0
    iface eth0 inet manual
    
    
    auto vmbr0
    iface vmbr0 inet manual
            bridge_ports eth0
            bridge_stp off
            bridge_fd 0
    
    
    #Management Network
    auto eth0.50
    iface eth0.50 inet manual
            vlan-raw-device eth0
    
    
    auto vmbr50
    iface vmbr50 inet static
            address 10.0.101.61
            netmask  255.255.255.224
            gateway  10.0.101.62
            bridge_ports eth0.50
            bridge_stp off
            bridge_fd 0
    
    And my brctl show
    Code:
    bridge name     bridge id               STP enabled     interfaces
    vmbr0           8000.c86000706be7       no              eth0
                                                            tap100i0
    vmbr50          8000.c86000706be7       no              eth0.50
    
    Does anyone have any ideas what might be causing this?

    Thanks

    Fraser
     
  2. mir

    mir Well-Known Member
    Proxmox Subscriber

    Joined:
    Apr 14, 2012
    Messages:
    3,480
    Likes Received:
    96
    From my understanding the bridge will drop all vlan tags. A bridge can be compared to a simple unmanaged switch. If you want working vlan tagging from within your VMs you will need to assign the VM's interface directly to a physical nic or bond.
     
  3. mir

    mir Well-Known Member
    Proxmox Subscriber

    Joined:
    Apr 14, 2012
    Messages:
    3,480
    Likes Received:
    96
    The most flexible, and IMHO best approach, is to create a bridge for each configured vlan and then assign the desired bridge to the VM. The reason for this is two-fold:
    1) VMs need not concern themselves with vlan issues. Simply use the plain network tools for getting an IP.
    2) Higher security since you don't disclose your network architecture to the VMs
     
  4. frizianz

    frizianz New Member

    Joined:
    Sep 22, 2013
    Messages:
    5
    Likes Received:
    0
    I'm not concerned about exposing the vlan tagging to the VM. Main reason I need the vlans exposed to the VM is I want to do 802.1p QoS from the VM, which is in the vlan header.

    The bridge is definitely passing traffic correctly - I see this from the gateway box which is external to the proxmox server. Also, can I note that you can't assign the VM directly to the physical interface without it erroring.

    Code:
    08:32:28.160666  In ae:f9:37:25:8f:79 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 50, p 0, ethertype 802.1Q, vlan 103, p 0, ethertype ARP, arp who-has 10.0.103.254 tell 10.0.103.250
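
Added example, not part of the original posts: a small Python parser that walks the 802.1Q tag stack of a raw Ethernet frame and reports each tag's VLAN ID and 802.1p priority (PCP), which is a quick way to confirm on a capture whether a frame left the host single-tagged or stacked. The frame bytes are constructed here to match the tcpdump line above; the function names and the PCP value 5 are assumptions for illustration.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag ethertypes

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst, src, tags, ethertype, payload=b""):
    """tags: list of (vid, pcp), outermost first, each written with TPID 0x8100."""
    hdr = mac(dst) + mac(src)
    for vid, pcp in tags:
        tci = (pcp & 0x7) << 13 | (vid & 0x0FFF)  # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", 0x8100, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return (list of tag dicts, outermost first; ethertype after the last tag)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return tags, etype
        if len(frame) < off + 6:  # TPID + TCI + following ethertype
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4

def describe(frame):
    tags, etype = parse_tags(frame)
    parts = ["vlan %d p %d" % (t["vid"], t["pcp"]) for t in tags]
    kind = "stacked" if len(tags) > 1 else "single" if tags else "untagged"
    return kind, " > ".join(parts + ["0x%04x" % etype])

# Constructed sample frames (ARP ethertype 0x0806, payload omitted).
SRC, BCAST = "ae:f9:37:25:8f:79", "ff:ff:ff:ff:ff:ff"
HOST_SEEN = build_frame(BCAST, SRC, [(50, 0), (103, 0)], 0x0806)  # as in the capture
GUEST_QOS = build_frame(BCAST, SRC, [(103, 5)], 0x0806)  # single tag, PCP 5 (assumed)

if __name__ == "__main__":
    for name, frame in (("host eth0", HOST_SEEN), ("guest tap", GUEST_QOS)):
        print(name, *describe(frame))
```
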
     
  5. screenie

    screenie Member

    Joined:
    Jul 21, 2009
    Messages:
    146
    Likes Received:
    0
    not 100% sure but i think you should only assign a bridge or vlan to the phy interface and not both;
     
  6. screenie

    screenie Member

    Joined:
    Jul 21, 2009
    Messages:
    146
    Likes Received:
    0
    yes, the gateway is seeing the packet but stacked vlans in the frame is normally not what you want to have;
    in his case the outer tag comes from vlan50 where his guest is connected to the bridge on the native vlan - so his traffic ends up in the wrong vlan;

    assuming he is running the os of the vm in the native vlan (vmbr0) and has an application running (voip applications or something) which requires the tag, he would need to move the management vlan to another phy interface or put the regular traffic from the os into another vlan and attach vmbr0 to it;

    there might be another option using iptables marking the packets and strip the outer tag;
     
  7. frizianz

    frizianz New Member

    Joined:
    Sep 22, 2013
    Messages:
    5
    Likes Received:
    0
    I'll try to whack a separate NIC into it for management and retry. Just as an FYI the native VLAN doesn't go anywhere as shown by my Juniper Switch Configuration for the interface:

    Code:
    frizianz@swc01.chc> show configuration | display set | match ge-0/0/11    
    set interfaces ge-0/0/11 description "Legolas VM Server"
    set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members all
    
    
    {master:0}
    frizianz@swc01.chc> 
    
     
  8. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    Joined:
    Apr 28, 2005
    Messages:
    16,431
    Likes Received:
    298
    What network configuration do you use for the guest?
     
  9. screenie

    screenie Member

    Joined:
    Jul 21, 2009
    Messages:
    146
    Likes Received:
    0
    if you don't need the native vlan inside the vm then you can create eth0.130 on the pve host and connect the vmbr0 to it - and you don't need to tag the traffic inside the vm as you normally would put a regular computer in vlan130 via access mode on the switch;
     
  10. frizianz

    frizianz New Member

    Joined:
    Sep 22, 2013
    Messages:
    5
    Likes Received:
    0
    Here is my /etc/network/interfaces

    Code:
    auto eth0
    iface eth0 inet manual
    
    
    auto eth0.103
    iface eth0.103 inet static
            address 10.0.103.250
            netmask 255.255.255.0
            gateway 10.0.103.254
            dns-nameservers 10.0.103.1
    
     
  11. frizianz

    frizianz New Member

    Joined:
    Sep 22, 2013
    Messages:
    5
    Likes Received:
    0
    What this entire thread is about is the fact that I want to tag from inside the VM as I want to have 802.1p tags from inside a VM (These are in the VLAN header).
     
  12. screenie

    screenie Member

    Joined:
    Jul 21, 2009
    Messages:
    146
    Likes Received:
    0
    then i guess you have only the one option to put in an extra nic and move the management to it
     