VLANs with and without OpenVSwitch

150d

Mar 23, 2022
Hello,

I'm currently working on setting up VLANs in Proxmox to use with my VMs. I'm not quite sure whether I should go for Linux Bridges or OpenVSwitch:

With Linux Bridges, I seem to need one bridge per VLAN. When passed to VMs, the interfaces become "unrecognizable" - on the guest, you can't tell which VLAN "eth0" refers to. Also, there seems to be no way to pass more than one VLAN on a single interface ("trunked").

OVS can pass a whole bridge to the VM, including all VLANs, leaving it to the guest to sort it out. But I can't find out where to define _which_ VLANs are passed to the guest - different VMs require different sets of VLANs. OVS apparently can pass either all or a single one, but not an arbitrary number of them. I thought about creating additional OVS Bridges, each with a distinctive set of VLANs, that can each be passed to a VM as a whole - but it seems you can only attach a device (physical NIC on the host) to one bridge, not to two or more.

Is this it, are these my choices? Or did I overlook something?

Regards
 
With Linux Bridges, I seem to need one bridge per VLAN.
You can use a VLAN-aware Linux bridge; it'll tag the VLANs by port, like Open vSwitch (and you can also use trunks).

OVS can pass a whole bridge to the VM, including all VLANs, leaving it to the guest to sort it out. But I can't find out where to define _which_ VLANs are passed to the guest - different VMs require different sets of VLANs. OVS apparently can pass either all or a single one, but not an arbitrary number of them.

If you need to send multiple VLANs to 1 VM NIC and need to filter them (by default, OVS or a VLAN-aware Linux bridge sends all VLANs),
you can filter them by editing the VM configuration manually (not yet available in the GUI) and adding "netX: ........,trunks=10;20;30-40".
 
Thank you for those hints (especially "trunked" using Linux Bridges), I will do some more research about that. This seems to be what I'm after.

For the "different VLAN sets for different VMs problem", I still can't really imagine how to work this in practice, though. The only way I can think of would be this:

vmbr1 (connected to physical NIC, pass all VLANs)
and
vmbr1a (connected to vmbr1, pass VLAN 1 / 2 to VM1)
vmbr1b (connected to vmbr1, pass VLAN 3 / 4 to VM2)

(not necessarily with those names and numbers, of course.)

Would that be the "recommended" way?

Regards
 
I just do it the traditional way - make individual vlans and bridges for each vlan. I only have a handful of vlans, so it works. My way certainly would not be manageable on large networks with a large number of vlans.

I assume most people use a non-trunked vlan aware bridge though. Especially if they have a lot of VLANs. Then you just specify the VLAN needed on the VM's nic configuration. I do this on my development proxmox system as it only has 1 nic:

See host nic for "VM" (second one) -
[image: 1648154052516.png]

Then in the VM config (this one specifies VLAN 1):
[image: 1648154108129.png]

I never need a trunked connection to a VM - I add a nic per VLAN in the VMs that need that - so I don't use trunked bridges.
 
Would that be the "recommended" way?

The recommended way is to define VLAN(s) on the VM NIC interface, not to create a different vmbrX for each VLAN.
If you really only need 2 VLANs per VM, personally, I'll use 2 NICs in the VM with different VLAN tags.

If you need a lot of VLANs for 1 VM, I'll use a trunk (no VLAN defined in the NIC GUI, and you can filter the VLAN list with trunk=...). Then tag the VLANs inside your guest OS.
 
After considering my options, I realized that I had only one VM (a router) that needs to see multiple VLANs in the first place. All the other VMs/LXCs only need to see a single VLAN each.

So I "passed through" one NIC as a PCI device to the router VM and manage VLANs within the guest OS. All other machines are given one single VLAN from a VLAN-aware bridge.

Thanks for all your input!
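
Added example, not part of the thread and not Proxmox code: a small audit of `netX` lines that follows the replies above, classifying each VM NIC as access (`tag=`), filtered trunk (`trunks=`), or unfiltered (neither, so a VLAN-aware bridge or OVS passes all VLANs to the guest). The sample lines, MAC addresses and function names are constructed for illustration, and untagged/default VLAN handling is not modelled.

```python
import re

# Constructed sample lines in the netX format of a Proxmox VM config.
SAMPLE = [
    "net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr1,tag=10",
    "net1: virtio=DE:AD:BE:EF:00:02,bridge=vmbr1,trunks=10;20;30-40",
    "net2: virtio=DE:AD:BE:EF:00:03,bridge=vmbr1",
]

def parse_net(line):
    """Split 'netX: k=v,k=v' into (nic name, options dict)."""
    nic, _, rest = line.partition(":")
    opts = {}
    for item in rest.strip().split(","):
        key, sep, value = item.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return nic.strip(), opts

def expand_trunks(spec):
    """Expand a trunks value such as '10;20;30-40' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(";"):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad trunks entry: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN ID out of range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def classify(line):
    """Return (nic, mode, vlans) from the VLAN options stated on the line."""
    nic, opts = parse_net(line)
    vlans = expand_trunks(opts["trunks"]) if "trunks" in opts else set()
    if "tag" in opts:
        vlans.add(int(opts["tag"]))
    if "trunks" in opts:
        return nic, "filtered-trunk", vlans
    if "tag" in opts:
        return nic, "access", vlans
    return nic, "unfiltered", None  # neither option: no per-NIC VLAN filter

def unfiltered_nics(lines):
    """NICs with neither tag= nor trunks=, i.e. candidates for review."""
    return [nic for nic, mode, _ in map(classify, lines) if mode == "unfiltered"]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

Running `unfiltered_nics` over the `net` lines of each VM config lists the NICs that currently receive every VLAN on the bridge, which is the set to narrow with `tag=` or `trunks=`.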