
Thread: Vlan


  1. Vlan

    I am going to have to have a dedicated nic on a vm to use on a vlan for a
    guest. Do I pass it through as a nic and then assign it to the vlan in the
    vm or do I have to assign the vlan on the nic config on the host?

    Thanks


  2. Re: Vlan

    Hi warper2,
    warper2 wrote:
    > I am going to have to have a dedicated nic on a vm to use on a vlan for a
    > guest. Do I pass it through as a nic and then assign it to the vlan in the
    > vm or do I have to assign the vlan on the nic config on the host?
    >
    > Thanks

    Both ways will work. If the system (your VM in this case) will connect to only a single VLAN and that VLAN will not change routinely, folks usually are more comfortable seeing no trace of VLAN configuration on that system - you'd then rather configure the infrastructure (switch port or vNIC configuration on the host).

    What Hypervisor are you using? I have plenty of experience with Xen environments with trunked Dom0 Ethernet connections, running IEEE 802.1q to the switches and multiple VLANs on top, with DomUs connecting to one or more of those VLANs.

    Regards,
    Jens
    From the times when today's "old school" was "new school"


  3. Re: Vlan

    jmozdzen wrote:

    >
    > Hi warper2,
    > warper2;23432 Wrote:
    >> I am going to have to have a dedicated nic on a vm to use on a vlan for a
    >> guest. Do I pass it through as a nic and then assign it to the vlan in the
    >> vm or do I have to assign the vlan on the nic config on the host?
    >>
    >> Thanks

    >
    > both ways will work. If the system (your VM in this case) will connect
    > to only a single VLAN and that VLAN will not change routinely, folks
    > usually are more comfortable seeing no trace of VLAN configuration on
    > that system - you'd then rather configure the infrastructure (switch
    > port or vNIC configuration on the host).
    >
    > What Hypervisor are you using? I have plenty of experience with Xen
    > environments with trunked Dom0 Ethernet connections, running IEEE 802.1q
    > to the switches and multiple VLANs on top, with DomUs connecting to one
    > or more of those VLANs.
    >
    > Regards,
    > Jens
    >
    >


    Hi Jens

    Actually this is for my firewall I am running virtual so I will explain what
    I am doing and this is a fully virtualized vm.

    eth0 br1
    eth3 br2

    I need to add a vlan on eth4 to become br4 to only listen for traffic on
    vlan11.

    Thanks





  4. Re: Vlan

    Hi warper 2,
    warper2 wrote:
    > Hi Jens
    >
    > Actually this is for my firewall I am running virtual so I will explain what
    > I am doing and this is a fully virtualized vm.
    >
    > eth0 br1
    > eth3 br2
    >
    > I need to add a vlan on eth4 to become br4 to only listen for traffic on
    > vlan11.

    (sorry for the delayed response, times are busy right now...)

    I assume those device/bridge names are from the host system and your hypervisor is Xen on SLES11(SPx), since you indicated "fully virtualized vm".

    Still the picture is unclear - we'd need to know how your switch is passing the traffic to your host machine: If you have these three NICs each configured in the switch to be a member of the according VLAN, neither your host nor your guest needs to know anything about VLANs.

    If your host NICs are using IEEE802.1q ("tagged VLANs") to communicate multiple VLANs to your host (I don't think so, but who knows), you have a choice:

    - create a bridge per VLAN inside the host, each connecting to the corresponding VLAN interface of the host
    - connect the vNICs (those from the guest) to each bridge, so that the guest needs to know nothing about VLANs (traditional setup, especially for firewalls, where each "network" (i.e. VLAN) has its own, isolated physical interface)

    or you can pass through the tagged traffic:

    - create a bridge to the physical NIC on the host (thus giving you access to the tagged traffic)
    - bridge a single vNIC (guest interface) to that bridge and use your firewall's mechanisms to access each VLAN

    If you get each VLAN's traffic without any tagging from your switch (via those three NICs), your Dom0 sees nothing of VLANs - those are simply "networks"... create a new bridge like the two other ones (selecting the right physical NIC to bridge to, of course) and add a vNIC to your DomU, connecting that to the new bridge.

    Please be (far) more specific in your description to receive a more detailed explanation of what to configure at what layer...

    - what hypervisor are you running (probably Xen on SLES, since the distinction HVM/PVM usually applies to that scenario) and what version of the host OS?
    - what OS is your firewall running - some dedicated system (since you're running an HVM) rather than a SLES-based setup?
    - how's the connectivity between switch and host/Dom0 set up?
    - which are the interfaces at Dom0 level, and are those 802.1q? (eth0, eth3, eth4)
    - which are the interfaces at DomU level, do you need/want 802.1q there or prefer dedicated interfaces per VLAN?

    And if the "simple scenario" applies, be a bit more verbose about the difficulties you are facing / the questions you have, because that looks like "simply do it as with the other two interfaces" to me and I'd need to know what steps you're fighting with.

    Best regards,
    Jens
    From the times when today's "old school" was "new school"
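
The two host-side layouts described in the post above, written out as an added example that is not part of any post in the thread. `eth4`, `br4` and VLAN 11 come from the thread; the use of iproute2 (`ip link`) and the bridge name `br-trunk` are assumptions, and the script only prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run by default: prints the commands.
# Set APPLY=1 and run as root on the host (Dom0) to execute them.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

valid_vid() {
    # 802.1Q VLAN IDs are 12 bits wide; 0 and 4095 are reserved.
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Layout 1: bridge per VLAN. The host strips the tag, so a guest vNIC attached
# to $br sees only untagged traffic of VLAN $vid and needs no VLAN config.
bridge_per_vlan() {
    nic=$1 vid=$2 br=$3
    valid_vid "$vid" || { echo "invalid VLAN id: $vid" >&2; return 1; }
    run ip link add link "$nic" name "$nic.$vid" type vlan id "$vid"
    run ip link add name "$br" type bridge
    run ip link set "$nic.$vid" master "$br"
    run ip link set "$nic" up
    run ip link set "$nic.$vid" up
    run ip link set "$br" up
}

# Layout 2: pass the tagged traffic through. The bridge sits on the raw NIC,
# so the guest vNIC receives every VLAN carried on that port and must select
# VLAN 11 itself.
bridge_trunk() {
    nic=$1 br=$2
    run ip link add name "$br" type bridge
    run ip link set "$nic" master "$br"
    run ip link set "$nic" up
    run ip link set "$br" up
}

# Usage: sh vlan-bridge.sh per-vlan eth4 11 br4
#        sh vlan-bridge.sh trunk eth4 br-trunk
case "${1:-}" in
    per-vlan) bridge_per_vlan "$2" "$3" "$4" ;;
    trunk)    bridge_trunk "$2" "$3" ;;
esac
```

With layout 2 the guest is exposed to every VLAN the switch port carries, so for a firewall VM the switch port should be restricted to the VLANs that firewall is meant to handle.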


  5. Re: Vlan

    jmozdzen wrote:

    >
    > Hi warper 2,
    > warper2;23468 Wrote:
    >> Hi Jens
    >>
    >> Actually this is for my firewall I am running virtual so I will explain what
    >> I am doing and this is a fully virtualized vm.
    >>
    >> eth0 br1
    >> eth3 br2
    >>
    >> I need to add a vlan on eth4 to become br4 to only listen for traffic on
    >> vlan11.

    >
    > (sorry for the delayed response, times are busy right now...)
    >
    > I assume those device/bridge names are from the host system and your
    > hypervisor is Xen on SLES11(SPx), since you indicated "fully virtualized
    > vm".
    >
    > Still the picture is unclear - we'd need to know how your switch is
    > passing the traffic to your host machine: If you have these three NICs
    > each configured in the switch to be a member of the according VLAN,
    > neither your host nor your guest needs to know anything about VLANs.
    >
    > If your host NICs are using IEEE802.1q ("tagged VLANs") to communicate
    > multiple VLANs to your host (I don't think so, but who knows), you
    > have a choice:
    >
    > - create a bridge per VLAN inside the host, each connecting to the
    > corresponding VLAN interface of the host
    > - connect the vNICs (those from the guest) to each bridge, so that the
    > guest needs to know nothing about VLANs (traditional setup, especially
    > for firewalls, where each "network" (i.e. VLAN) has its own, isolated
    > physical interface)
    >
    > or you can pass through the tagged traffic:
    >
    > - create a bridge to the physical NIC on the host (thus giving you
    > access to the tagged traffic)
    > - bridge a single vNIC (guest interface) to that bridge and use your
    > firewall's mechanisms to access each VLAN
    >
    > If you get each VLAN's traffic without any tagging from your switch (via
    > those three NICs), your Dom0 sees nothing of VLANs - those are simply
    > "networks"... create a new bridge like the two other ones (selecting the
    > right physical NIC to bridge to, of course) and add a vNIC to your DomU,
    > connecting that to the new bridge.
    >
    > Please be (far) more specific in your description to receive a more
    > detailed explanation of what to configure at what layer...
    >
    > - what hypervisor are you running (probably Xen on SLES, since the
    > distinction HVM/PVM usually applies to that scenario) and what version
    > of the host OS?
    > - what OS is your firewall running - some dedicated system (since you're
    > running an HVM) rather than a SLES-based setup?
    > - how's the connectivity between switch and host/Dom0 set up?
    > - which are the interfaces at Dom0 level, and are those 802.1q? (eth0,
    > eth3, eth4)
    > - which are the interfaces at DomU level, do you need/want 802.1q there
    > or prefer dedicated interfaces per VLAN?
    >
    > And if the "simple scenario" applies, be a bit more verbose about the
    > difficulties you are facing / the questions you have, because that looks
    > like "simply do it as with the other two interfaces" to me and I'd need
    > to know what steps you're fighting with.
    >
    > Best regards,
    > Jens
    >
    >


    Thanks Jens, I already got it working. It worked best with the host nic just
    connected as a nic and no vlan. Then set the vlan on the vm and all was
    good.

