Hello again! In the last article we introduced the basic concept of a virtual switch. Now is a good time to introduce VLANs and how we can integrate them with LibVirt. This will allow us to segregate VMs just like we would segregate physical machines and devices using traditional managed switches.
Make sure you have a basic vSwitch set up, as well as LibVirt + KVM + Virt-manager so we can deploy a virtual machine into our new VLAN and test connectivity.
This tutorial will assume you moved your external interface and the IP address to the vSwitch. This means your external interface (e.g. eth0) has no IP addressing because the bridge (ovsbr0) has the addressing instead.
We are going to introduce three VLANs:
- 100 – This VLAN will provide connectivity to the external world
- 101 – Network A
- 102 – Network B
Let's change the external interface first. This change will make the eth0/enp3s0/em4 port an "access port" in Cisco terms, belonging to VLAN 100.
Open the /etc/sysconfig/network-scripts/ifcfg-em4 file. Change it from this:
TYPE=OVSPort
DEVICETYPE=ovs
OVS_BRIDGE=ovsbr0
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
ONBOOT=yes
NAME=em4 # Change this to your interface
DEVICE=em4 # Change this to your interface
NM_CONTROLLED=no

to this:

TYPE=OVSPort
DEVICETYPE=ovs
OVS_BRIDGE=ovsbr0
OVS_OPTIONS="tag=100"
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
ONBOOT=yes
NAME=em4
DEVICE=em4
NM_CONTROLLED=no
As you can see, we introduced one new option: OVS_OPTIONS="tag=100". It is the equivalent of the sudo ovs-vsctl set port em4 tag=100 command, which tells the switch to make the port an access port in VLAN 100.
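Once you have tagged the physical port, it is worth checking the tags on every port of the bridge, because in Open vSwitch a port with no tag is a trunk that carries every VLAN and quietly undoes the segregation we are building. The following is an added example, not code from the original article: two small shell functions that audit the output of ovs-vsctl --format=csv --data=bare --columns=name,tag list Port. The CSV sample is constructed here to resemble a host after following this article (the port names vnet0 and the exact CSV rendering of an empty tag are assumptions; the functions also accept the [] that the non-bare format prints), and the bridge's own internal port ovsbr0 is the one untagged entry you should expect to see.

```shell
# Added example (not from the original article): audit VLAN tags on OVS ports.
# Feed in the output of:
#   ovs-vsctl --format=csv --data=bare --columns=name,tag list Port
# Constructed sample output resembling a host configured as in this article:
SAMPLE_PORTS='name,tag
em4,100
ovsbr0,
ovsbr0.100,100
ovsbr0.101,101
vnet0,101'

# Print the names of ports that carry no tag (trunk ports). Reads CSV on stdin;
# the header line is dropped, and an empty or "[]" tag column means untagged.
untagged_ports() {
  tail -n +2 | awk -F, '$2 == "" || $2 == "[]" { print $1 }'
}

# Return 0 if the named port carries exactly the expected tag, 1 otherwise.
# Usage: ... | port_has_tag em4 100
port_has_tag() {
  port="$1"; want="$2"
  tail -n +2 | awk -F, -v p="$port" -v w="$want" \
    '$1 == p && $2 == w { found = 1 } END { exit (found ? 0 : 1) }'
}

# Run the audit against the constructed sample (on a real host replace the
# printf with the ovs-vsctl command above).
printf 'Untagged (trunk) ports:\n'
printf '%s\n' "$SAMPLE_PORTS" | untagged_ports
if printf '%s\n' "$SAMPLE_PORTS" | port_has_tag em4 100; then
  echo "em4 is an access port in VLAN 100"
else
  echo "em4 does NOT carry tag 100"
fi
```

After the SVIs and port groups below are in place, the same audit will show the vnetX interfaces of running VMs with the tag of the port group they were placed in.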
Let's open the /etc/sysconfig/network-scripts/ifcfg-ovsbr0 file now and remove the "IPADDR", "NETMASK", "GATEWAY" and "DNS" lines, and change "BOOTPROTO" to "none":
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
ONBOOT=yes
DEVICE=ovsbr0
NM_CONTROLLED=no
Now it's time to introduce the concept of an internal interface within a VLAN. Treat it as an SVI that we create for each VLAN we want to route traffic for; we need those SVIs to allow inter-VLAN routing. Let's start by creating the SVI for VLAN 100 so we don't lose internet connectivity after we restart networking.
Create a new file /etc/sysconfig/network-scripts/ifcfg-ovsbr0.100 and paste the following content:
DEVICE=ovsbr0.100
DEVICETYPE=ovs
TYPE=OVSIntPort
OVS_BRIDGE=ovsbr0
OVS_OPTIONS="tag=100"
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.1.230
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=10.2.0.11
DNS2=10.1.0.11
DNS3=22.214.171.124
See what we've done here? We essentially carried the config that previously defined our bridge (ovsbr0) over to a new sub-interface. Since our external interface has been marked as an access port in VLAN 100, applying the changes will allow us to communicate with the hypervisor from our LAN (assuming your LAN is 192.168.1.0/24).
Let's set up another SVI, this time for VLAN 101.
Create a new file again – /etc/sysconfig/network-scripts/ifcfg-ovsbr0.101 – and paste the following config:
DEVICE=ovsbr0.101
DEVICETYPE=ovs
TYPE=OVSIntPort
OVS_BRIDGE=ovsbr0
OVS_OPTIONS="tag=101"
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.255.255.250
NETMASK=255.255.255.0
As you can see, this config lacks a few options that VLAN 100 had: GATEWAY and all three DNS servers. This is because this interface won't be facing our default gateway, and the DNS servers have already been defined in the VLAN 100 file.
Alright, with all of this set up you can go ahead and run systemctl restart network to apply the configs. It might take a couple of seconds for connectivity to come back, but if you did everything correctly you should eventually see the shell prompt again.
We are done reconfiguring interfaces. Let's change our ovsbr0-network and assign port groups.
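A common slip when creating the second SVI by copying the first file is to leave tag=100 in ifcfg-ovsbr0.101, which silently places that SVI in VLAN 100 and bridges the two networks you meant to keep apart. As an added example (not from the original article), here is a check to run before the network restart. It assumes the naming convention used above, DEVICE=ovsbr0.<vlan> with OVS_OPTIONS="tag=<vlan>", and builds its own scratch copies of the files, including a deliberately broken one for VLAN 102 whose contents are constructed for this example.

```shell
# Added example (not from the original article): lint ifcfg-ovsbr0.<vlan> SVI files.

# Check one file: TYPE must be OVSIntPort, OVS_OPTIONS must carry a tag, and the
# tag must equal the VLAN number in the DEVICE name. Prints a verdict; returns 1 on failure.
check_svi_ifcfg() {
  f="$1"
  dev=$(sed -n 's/^DEVICE=//p' "$f")
  itype=$(sed -n 's/^TYPE=//p' "$f")
  tag=$(sed -n 's/^OVS_OPTIONS=.*tag=\([0-9][0-9]*\).*/\1/p' "$f")
  want=${dev##*.}   # "ovsbr0.101" -> "101"
  if [ "$itype" != "OVSIntPort" ]; then
    echo "$f: TYPE is '$itype', expected OVSIntPort"; return 1
  fi
  if [ -z "$tag" ]; then
    echo "$f: no tag in OVS_OPTIONS (an untagged internal port is a trunk)"; return 1
  fi
  if [ "$tag" != "$want" ]; then
    echo "$f: DEVICE $dev but OVS_OPTIONS tag=$tag"; return 1
  fi
  echo "$f: ok (VLAN $tag)"
}

# Check every SVI file in a directory; returns 1 if any file fails.
# On a real host: check_all_svi /etc/sysconfig/network-scripts
check_all_svi() {
  rc=0
  for f in "$1"/ifcfg-ovsbr0.*; do
    check_svi_ifcfg "$f" || rc=1
  done
  return $rc
}

# Write constructed sample files into a scratch directory (the two files from
# this article plus a broken VLAN 102 copy that still says tag=101) and print its path.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'DEVICE=ovsbr0.100\nDEVICETYPE=ovs\nTYPE=OVSIntPort\nOVS_BRIDGE=ovsbr0\nOVS_OPTIONS="tag=100"\nBOOTPROTO=static\nONBOOT=yes\nIPADDR=192.168.1.230\nNETMASK=255.255.255.0\n' \
    > "$d/ifcfg-ovsbr0.100"
  printf 'DEVICE=ovsbr0.101\nDEVICETYPE=ovs\nTYPE=OVSIntPort\nOVS_BRIDGE=ovsbr0\nOVS_OPTIONS="tag=101"\nBOOTPROTO=static\nONBOOT=yes\nIPADDR=10.255.255.250\nNETMASK=255.255.255.0\n' \
    > "$d/ifcfg-ovsbr0.101"
  # constructed mistake: copied from .101 without updating the tag
  printf 'DEVICE=ovsbr0.102\nDEVICETYPE=ovs\nTYPE=OVSIntPort\nOVS_BRIDGE=ovsbr0\nOVS_OPTIONS="tag=101"\nBOOTPROTO=static\nONBOOT=yes\nIPADDR=10.255.254.250\nNETMASK=255.255.255.0\n' \
    > "$d/ifcfg-ovsbr0.102"
  echo "$d"
}

# Demonstration against the scratch directory.
sample=$(make_sample_dir)
check_all_svi "$sample" || echo "at least one SVI file needs fixing before restarting the network"
rm -rf "$sample"
```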
Reconfiguring the LibVirt network
Let's edit our ovsbr0-network network using the sudo virsh net-edit ovsbr0-network command. It will take you to a text editor. This is what our network was configured like before:
<network>
  <name>ovsbr0-network</name>
  <forward mode='bridge'/>
  <bridge name='ovsbr0'/>
  <virtualport type='openvswitch'/>
</network>
And we’re going to change it to:
<network>
  <name>ovsbr0-network</name>
  <uuid>66cf345c-127a-4317-add1-9014d35bc1e1</uuid>
  <forward mode='bridge'/>
  <bridge name='ovsbr0'/>
  <virtualport type='openvswitch'/>
  <portgroup name='vlan-100' default='yes'>
    <vlan>
      <tag id='100'/>
    </vlan>
  </portgroup>
  <portgroup name='vlan-101'>
    <vlan>
      <tag id='101'/>
    </vlan>
  </portgroup>
  <portgroup name='vlan-102'>
    <vlan>
      <tag id='102'/>
    </vlan>
  </portgroup>
</network>
Wow, that's quite a lot of new stuff! Don't worry, let me cover the changes. As you can see, the majority of the changes took place after the <virtualport type='openvswitch'/> part of the config. We introduced something called port groups. They are useful because every time you stop and start a virtual machine attached to a bridge, the interface name the VM uses changes. Therefore, as you can imagine, keeping the VLAN configuration persistent might be a little tricky. With port groups, however, we can select which group the interface should put itself in and therefore which VLAN settings it should use.
With that in mind, we can see that I introduced the 3 VLANs I mentioned at the beginning of the article: 100, 101 and 102. 100 is the default VLAN, which means that if we create a VM and select ovsbr0-network as the interface's network without specifying a port group, LibVirt will pick 100 because it's the default port group. Every port group has a <vlan><tag id='xxx'/></vlan> section which simply specifies the tag it will use.
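Because a port group without a <vlan> element attaches the VM's interface to the Open vSwitch bridge with no tag (a trunk port), and because the default port group decides where every VM that does not pick a group ends up, it pays to lint the network definition before starting it. The following is an added example, not code from the original article: an awk-based check that reads the XML printed by virsh net-dumpxml ovsbr0-network (one element per line, as virsh net-edit writes it; that layout is an assumption) and reports any port group lacking a tag, plus a count of default groups other than one. The sample XML is constructed for this example and contains a deliberate mistake in vlan-102.

```shell
# Added example (not from the original article): lint libvirt port groups.
# Constructed sample, deliberately broken: vlan-102 has no <vlan> element.
SAMPLE_NET_XML="<network>
  <name>ovsbr0-network</name>
  <forward mode='bridge'/>
  <bridge name='ovsbr0'/>
  <virtualport type='openvswitch'/>
  <portgroup name='vlan-100' default='yes'>
    <vlan>
      <tag id='100'/>
    </vlan>
  </portgroup>
  <portgroup name='vlan-101'>
    <vlan>
      <tag id='101'/>
    </vlan>
  </portgroup>
  <portgroup name='vlan-102'>
  </portgroup>
</network>"

# Reads network XML on stdin, one element per line. Prints one finding per
# line; returns 1 if anything was found, 0 when the definition is clean.
# Real use: virsh net-dumpxml ovsbr0-network | lint_portgroups
lint_portgroups() {
  awk '
    /<portgroup / {
      inpg = 1; hastag = 0
      name = $0
      sub(/.*name=['\''"]/, "", name)      # strip up to the opening quote
      sub(/['\''"].*/, "", name)           # strip from the closing quote
      if ($0 ~ /default=['\''"]yes['\''"]/) defaults++
    }
    inpg && /<tag id=/ { hastag = 1 }
    /<\/portgroup>/ {
      if (!hastag) { print "portgroup " name ": no VLAN tag (would be a trunk port)"; bad++ }
      inpg = 0
    }
    END {
      if (defaults != 1) { print defaults + 0 " default port groups (expected exactly 1)"; bad++ }
      exit (bad ? 1 : 0)
    }
  '
}

# Demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_NET_XML" | lint_portgroups; then
  echo "network definition looks consistent"
else
  echo "fix the findings above before virsh net-start"
fi
```

Run it on the XML of any network that uses virtualport type='openvswitch'; a clean definition prints nothing and returns 0, so it slots easily into a pre-change checklist.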
Note: Trunks will be covered in a CheckPoint VSX article. Even if you’re not interested in CheckPoint technology, please pay it a visit if you wish to see how to configure a trunk port group.
Save the file, and apply the changes with sudo virsh net-destroy ovsbr0-network followed by sudo virsh net-start ovsbr0-network to restart the network.
Let’s create a CentOS 7 VM now. When you get to the network selection step, select our ovsbr0-network. Notice how selecting it brings up a little drop-down field below with our portgroups:
Select "vlan-101" and proceed with the installation. After the installation finishes, configure the VM's external interface with an IP address on the 10.255.255.0/24 (VLAN 101) network unless you have already done that. To add an IP address to the interface, run sudo ip addr add 10.255.255.10/24 dev ethX (replace X with the interface number). Then try to ping our VLAN 101 SVI (10.255.255.250). It should work as expected.
Okay. What about inter-VLAN routing? Make sure your host has the ip_forward parameter enabled (cat /proc/sys/net/ipv4/ip_forward should return 1). To enable it, run sudo sh -c 'echo "1" > /proc/sys/net/ipv4/ip_forward'. Then try to ping the 192.168.1.230 IP. If everything was set up correctly, you should get a ping back.
We're not trying to ping anything else on the 192.168.1.0/24 network or on the internet, because you might need routes for that. If you would like this to work, make sure your devices know how to route traffic for the 10.255.255.0/24 network back to your hypervisor (192.168.1.230).
Hope that makes sense! If you have any questions, please post them in the comments section. Next thing coming up is a VSX setup using trunks on our vSwitch.