Vlan tagging from inside KVM Guest Issues

frizianz

Sep 22, 2013
Hi Guys,

Having a few issues with getting vlan tagging from inside the guests working.

I am putting the eth0 of the guest into vmbr0 and then tagging from the guest with vlan 103. This is confirmed working (tcpdump on tap interface facing vm). The issue that I encounter is that doing a tcpdump on eth0 of the host I see the frame from the Guest with QinQ tagging with the management vlan as the outer.

Code:
21:41:54.905877 ae:f9:37:25:8f:79 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 50, p 0, ethertype 802.1Q, vlan 103, p 0, ethertype ARP, Request who-has 10.0.103.254 tell 10.0.103.250, length 42

Here is my /etc/network/interfaces file from the host:

Code:
auto eth0
iface eth0 inet manual


auto vmbr0
iface vmbr0 inet manual
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0


#Management Network
auto eth0.50
iface eth0.50 inet manual
        vlan-raw-device eth0


auto vmbr50
iface vmbr50 inet static
        address 10.0.101.61
        netmask  255.255.255.224
        gateway  10.0.101.62
        bridge_ports eth0.50
        bridge_stp off
        bridge_fd 0

And my brctl show
Code:
bridge name     bridge id               STP enabled     interfaces
vmbr0           8000.c86000706be7       no              eth0
                                                        tap100i0
vmbr50          8000.c86000706be7       no              eth0.50

Does anyone have any ideas what might be causing this?

Thanks

Fraser
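To make the stacked tag from that tcpdump line visible as structured data rather than a one-liner, here is an added example (not code from the thread) that walks the 802.1Q/802.1ad tag stack of a raw Ethernet frame, decodes each TCI into PCP (the 802.1p priority the guest wants to set), DEI and VID, and flags a frame whose outermost tag lands it in the host's management VLAN. The two sample frames are constructed from the values in the post above (source MAC ae:f9:37:25:8f:79, VLAN 50 outside VLAN 103, ARP request for 10.0.103.254 from 10.0.103.250); everything else is generic.

```python
"""Walk the 802.1Q/802.1ad tag stack of an Ethernet frame and flag double tagging.
Added example, not code from the thread; sample frames are constructed from the
tcpdump line in the first post."""
import struct
from dataclasses import dataclass

ETH_P_8021Q = 0x8100   # customer tag TPID (C-TAG)
ETH_P_8021AD = 0x88A8  # service tag TPID (S-TAG), the other TPID seen as an outer tag
ETH_P_ARP = 0x0806
TAG_TPIDS = {ETH_P_8021Q, ETH_P_8021AD}

@dataclass
class VlanTag:
    tpid: int
    pcp: int   # 802.1p priority code point, 3 bits
    dei: int   # drop eligible indicator, 1 bit
    vid: int   # VLAN identifier, 12 bits

@dataclass
class Frame:
    dst: str
    src: str
    tags: list        # outermost tag first
    ethertype: int    # ethertype of the payload after the last tag
    payload: bytes

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def parse_frame(raw: bytes) -> Frame:
    """Decode dst/src, then every VLAN tag in order, then the payload ethertype."""
    if len(raw) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = mac_str(raw[0:6]), mac_str(raw[6:12])
    off, tags = 12, []
    ethertype = struct.unpack_from("!H", raw, off)[0]
    while ethertype in TAG_TPIDS:
        if len(raw) < off + 6:          # need the TCI plus the next ethertype
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", raw, off + 2)[0]
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
        ethertype = struct.unpack_from("!H", raw, off)[0]
    return Frame(dst, src, tags, ethertype, raw[off + 2:])

def build_frame(dst, src, tags, ethertype, payload) -> bytes:
    """Inverse of parse_frame, used here only to construct the sample frames."""
    raw = mac_bytes(dst) + mac_bytes(src)
    for t in tags:
        raw += struct.pack("!HH", t.tpid, (t.pcp << 13) | (t.dei << 12) | t.vid)
    return raw + struct.pack("!H", ethertype) + payload

def arp_request(sender_mac, sender_ip, target_ip) -> bytes:
    """Minimal 28-byte ARP 'who-has target tell sender' body."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + b"\x00" * 6 + ip_bytes(target_ip))

def describe(frame: Frame) -> str:
    """Render the tag stack the way tcpdump does: 'vlan 50, p 0, vlan 103, p 0, ...'."""
    parts = [f"vlan {t.vid}, p {t.pcp}" for t in frame.tags]
    if frame.ethertype == ETH_P_ARP and len(frame.payload) >= 28:
        spa = ".".join(map(str, frame.payload[14:18]))
        tpa = ".".join(map(str, frame.payload[24:28]))
        parts.append(f"ARP who-has {tpa} tell {spa}")
    else:
        parts.append(f"ethertype 0x{frame.ethertype:04x}")
    return ", ".join(parts)

def is_double_tagged(frame: Frame) -> bool:
    return len(frame.tags) > 1

def leaked_into(frame: Frame, vids) -> bool:
    """True when a double-tagged frame's outermost tag puts it in one of `vids`
    (e.g. the host's management VLAN) instead of the VLAN the guest chose."""
    return is_double_tagged(frame) and frame.tags[0].vid in set(vids)

# Constructed sample frames, values taken from the first post's tcpdump line.
ARP = arp_request("ae:f9:37:25:8f:79", "10.0.103.250", "10.0.103.254")
GUEST_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "ae:f9:37:25:8f:79",
                          [VlanTag(ETH_P_8021Q, 0, 0, 103)], ETH_P_ARP, ARP)
HOST_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "ae:f9:37:25:8f:79",
                         [VlanTag(ETH_P_8021Q, 0, 0, 50), VlanTag(ETH_P_8021Q, 0, 0, 103)],
                         ETH_P_ARP, ARP)

if __name__ == "__main__":
    for where, raw in (("tap100i0 (guest side)", GUEST_FRAME), ("eth0 (host side)", HOST_FRAME)):
        f = parse_frame(raw)
        print(f"{where}: {describe(f)} | double-tagged={is_double_tagged(f)} "
              f"in mgmt VLAN 50={leaked_into(f, {50})}")
```

Run as-is it prints the guest-side frame as a single VLAN 103 tag and the host-side frame as VLAN 50 stacked outside VLAN 103, the same stack the tcpdump above shows. The decoder also accepts an 0x88A8 outer TPID, which is what a switch doing proper QinQ would push, so the check distinguishes "the guest sent a second tag" from "something on the path added one" only by looking at where the capture was taken, not by the TPID alone.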
 
From my understanding the bridge will drop all VLAN tags. A bridge can be compared to a simple unmanaged switch. If you want working VLAN tagging from within your VMs you will need to assign the VM's interface directly to a physical NIC or bond.
 
The most flexible, and IMHO best, approach is to create a bridge for each configured VLAN and then assign the desired bridge to the VM. The reason for this is two-fold:
1) VMs need not concern themselves with VLAN issues. Simply use the plain network tools for getting an IP.
2) Higher security, since you don't disclose your network architecture to the VMs.
 
I'm not concerned about exposing the VLAN tagging to the VM. The main reason I need the VLANs exposed to the VM is that I want to do 802.1p QoS from the VM, which is in the VLAN header.

The bridge is definitely passing traffic correctly - I see this from the gateway box, which is external to the Proxmox server. Also, can I note that you can't assign the VM directly to the physical interface without it erroring.

Code:
08:32:28.160666  In ae:f9:37:25:8f:79 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 50, p 0, ethertype 802.1Q, vlan 103, p 0, ethertype ARP, arp who-has 10.0.103.254 tell 10.0.103.250
 
Not 100% sure, but I think you should only assign a bridge or a VLAN to the physical interface, and not both;
 
Yes, the gateway is seeing the packet, but stacked VLANs in the frame are normally not what you want to have;
in his case the outer tag comes from VLAN 50, where his guest is connected to the bridge on the native VLAN - so his traffic ends up in the wrong VLAN;

Assuming he is running the OS of the VM in the native VLAN (vmbr0) and has an application running (VoIP applications or something) which requires the tag, he would need to move the management VLAN to another physical interface, or put the regular traffic from the OS into another VLAN and attach vmbr0 to it;

There might be another option using iptables: marking the packets and stripping the outer tag;
 
I'll try whacking a separate NIC into it for management and retry. Just as an FYI, the native VLAN doesn't go anywhere, as shown by my Juniper switch configuration for the interface:

Code:
frizianz@swc01.chc> show configuration | display set | match ge-0/0/11    
set interfaces ge-0/0/11 description "Legolas VM Server"
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members all


{master:0}
frizianz@swc01.chc>
 
If you don't need the native VLAN inside the VM, then you can create eth0.130 on the PVE host and connect vmbr0 to it - and you don't need to tag the traffic inside the VM, just as you would normally put a regular computer in VLAN 130 via access mode on the switch;
 
What network configuration do you use for the guest?

Here is my /etc/network/interfaces

Code:
auto eth0
iface eth0 inet manual


auto eth0.103
iface eth0.103 inet static
        address 10.0.103.250
        netmask 255.255.255.0
        gateway 10.0.103.254
        dns-nameservers 10.0.103.1
 
What this entire thread is about is the fact that I want to tag from inside the VM, as I want to have 802.1p tags from inside a VM (these are in the VLAN header).
 
Then I guess you have only the one option: put in an extra NIC and move the management to it.
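The two pieces of advice given in this thread (assign either a bridge or a VLAN to the physical interface, not both; and move management onto a separate NIC) can be checked mechanically against an ifupdown config. This is an added example, not the thread's own tooling: it parses /etc/network/interfaces text, works out for each bridge which physical NIC its frames leave on and whether the host pushes a tag of its own on the way out, and lists physical NICs that are simultaneously an untagged bridge port and a VLAN parent. ORIGINAL is the host config from the first post; SPLIT_MGMT is a hypothetical rewrite with management on a second NIC, and the name eth1 is an assumption, not something from the thread.

```python
"""Lint an ifupdown /etc/network/interfaces for the bridge/VLAN layout
discussed in this thread. Added example, not the thread's own tooling.
ORIGINAL is the host config from the first post; SPLIT_MGMT is a hypothetical
rewrite that moves management to a second NIC (eth1 is an assumed name)."""
import re

ORIGINAL = """\
auto eth0
iface eth0 inet manual
auto vmbr0
iface vmbr0 inet manual
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
#Management Network
auto eth0.50
iface eth0.50 inet manual
        vlan-raw-device eth0
auto vmbr50
iface vmbr50 inet static
        address 10.0.101.61
        netmask  255.255.255.224
        gateway  10.0.101.62
        bridge_ports eth0.50
        bridge_stp off
        bridge_fd 0
"""

SPLIT_MGMT = """\
auto eth0
iface eth0 inet manual
auto vmbr0
iface vmbr0 inet manual
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
# Management on a second NIC (hypothetical eth1), as the thread suggests
auto eth1
iface eth1 inet manual
auto eth1.50
iface eth1.50 inet manual
        vlan-raw-device eth1
auto vmbr50
iface vmbr50 inet static
        address 10.0.101.61
        netmask 255.255.255.224
        gateway 10.0.101.62
        bridge_ports eth1.50
        bridge_stp off
        bridge_fd 0
"""

VLAN_NAME = re.compile(r"^(?P<parent>[^.\s]+)\.(?P<vid>\d+)$")

def parse_interfaces(text: str) -> dict:
    """{iface: {option: value}} for every 'iface' stanza; comments and auto lines are skipped."""
    cfg, cur = {}, None
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "iface":
            cur = words[1]
            cfg[cur] = {"family": words[2], "method": words[3]}
        elif words[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            cur = None
        elif cur is not None:
            cfg[cur][words[0]] = " ".join(words[1:])
    return cfg

def vlan_parent(cfg: dict, name: str):
    """(parent NIC, VID) for an ethX.N sub-interface, honouring vlan-raw-device; None otherwise."""
    m = VLAN_NAME.match(name)
    if not m:
        return None
    return cfg.get(name, {}).get("vlan-raw-device", m.group("parent")), int(m.group("vid"))

def bridge_ports(cfg: dict) -> dict:
    return {name: [p for p in opts["bridge_ports"].split() if p != "none"]
            for name, opts in cfg.items() if "bridge_ports" in opts}

def egress(cfg: dict, bridge: str) -> list:
    """Per port of `bridge`: (physical NIC, VID the host adds on the way out).
    None means the port is untagged, so a guest's own tag leaves unchanged;
    a VID means the host pushes that tag outside whatever the guest sent."""
    return [vlan_parent(cfg, p) or (p, None) for p in bridge_ports(cfg).get(bridge, [])]

def shared_physical_nics(cfg: dict) -> list:
    """Physical NICs that are both an untagged bridge port and a VLAN parent,
    the combination the thread advises against."""
    as_port = {p for ports in bridge_ports(cfg).values() for p in ports if vlan_parent(cfg, p) is None}
    as_parent = {vlan_parent(cfg, n)[0] for n in cfg if vlan_parent(cfg, n)}
    return sorted(as_port & as_parent)

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("split management NIC", SPLIT_MGMT)):
        cfg = parse_interfaces(text)
        print(label, {b: egress(cfg, b) for b in bridge_ports(cfg)},
              "shared NICs:", shared_physical_nics(cfg))
```

For the original config the linter reports eth0 as shared (vmbr0 bridges it untagged while eth0.50 hangs off it), and `egress` shows that a guest on vmbr0 should leave eth0 with only its own tag, whereas a guest on vmbr50 would legitimately leave as VLAN 50 stacked outside whatever it sent. The split config reports no shared NIC. Note that this only encodes the rule stated in the thread; it does not claim that the shared layout is the cause of the double tag.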