Tagged VLAN (trunk) support for VM guests
Assignee: Jaime Melis
Target version: Release 4.6
At the moment (ONE 4.2) it's not possible to pass tagged (802.1Q) VLANs to a guest domain, although it is possible to do with OpenvSwitch. I would like to have support for this, as it opens the way to use (many) VLANs on a single interface.
In order to use VLAN functionality in ONE using OpenvSwitch you would set two parameters:
VLAN = "YES"
VLAN_ID = VID (integer)
A virtual machine using this virtual network will get an "ACCESS" VLAN interface in the given VLAN.
To provide tagged interface support (trunk) a modification should be made to allow multiple VLAN IDs to be declared, i.e.:
VLAN_TAGGED_ID = "VID-1, VID-2, VID-3"
A virtual machine using a virtual network with only this VLAN declaration would get a trunked interface with VLAN IDs VID-1, VID-2, VID-3 on it.
If both VLAN_ID and VLAN_TAGGED_ID are declared in the virtual network, the network interface would get both properties, i.e. ACCESS (native) VLAN (untagged) and tagged VLANs (trunk). It should not be allowed to have a VID in both the VLAN_TAGGED_ID and VLAN_ID declaration (this should produce an error while trying to create such a network).
One other thing that has to be taken into consideration is IP / NETWORK management. As it's possible to have multiple virtual interfaces it should also be possible to declare multiple different NETWORKs / IPs on those virtual interfaces. A possible solution might be to add a postfix consisting of the VLAN_ID, i.e. GATEWAY_VID = "", DNS_VID = "", etc.
- Router / Firewall in multiple networks to route / filter traffic between networks. Useful in somewhat more complex setups making use of LAN, DMZ, WAN networks.
- DHCP / PXE server providing DHCP services to multiple networks.
There has been a discussion on the mailing list a while ago, so there's definitely a demand for this.
How would one go about setting this up using OpenvSwitch:
Create ACCESS VLAN:
ovs-vsctl set port <port name> tag=VID-1
Create TRUNK VLAN:
ovs-vsctl set port <port name> trunks=VID-1,VID-2,VID-3
Enable both ACCESS VLAN as well as TRUNK VLAN:
ovs-vsctl set port <port name> vlan_mode=native-untagged
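As an added example (not OpenNebula's own driver code), the shell function below maps the proposed VLAN_ID / VLAN_TAGGED_ID attributes onto the three ovs-vsctl forms shown above and enforces the rule that a VID may not appear in both attributes; the port name `vnet0` in the checks is a constructed value, and the function only prints the command so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: render the ovs-vsctl command for a VM port from the virtual
# network attributes VLAN_ID (access/native VLAN) and VLAN_TAGGED_ID (trunk list).
# Invalid or conflicting VIDs are rejected up front, so a port is never created
# with a VLAN layout different from the one the administrator declared.

# valid_vid VID -> 0 if VID is an integer in the 802.1Q range 1..4094
valid_vid() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# render_ovs_vlan_cmds PORT VLAN_ID VLAN_TAGGED_ID
# Prints the command on stdout; returns 1 with a reason on stderr if the
# attributes are invalid (bad VID, duplicate VID, VID in both attributes).
render_ovs_vlan_cmds() {
  port=$1 access=$2
  tagged=$(printf '%s' "$3" | tr -d ' ')      # accept "VID-1, VID-2" spacing
  if [ -z "$access" ] && [ -z "$tagged" ]; then
    echo "error: neither VLAN_ID nor VLAN_TAGGED_ID is set" >&2; return 1
  fi
  if [ -n "$access" ] && ! valid_vid "$access"; then
    echo "error: VLAN_ID '$access' is not a VID in 1..4094" >&2; return 1
  fi
  old_ifs=$IFS; IFS=,; set -- $tagged; IFS=$old_ifs   # split the trunk list
  seen=,
  for vid in "$@"; do
    if ! valid_vid "$vid"; then
      echo "error: VLAN_TAGGED_ID entry '$vid' is not a VID in 1..4094" >&2; return 1
    fi
    if [ "$vid" = "$access" ]; then
      echo "error: VID $vid appears in both VLAN_ID and VLAN_TAGGED_ID" >&2; return 1
    fi
    case $seen in *,$vid,*) echo "error: VID $vid listed twice" >&2; return 1 ;; esac
    seen="$seen$vid,"
  done
  if [ -z "$tagged" ]; then                   # access port only
    echo "ovs-vsctl set port $port tag=$access"
  elif [ -z "$access" ]; then                 # trunk only, no native VLAN
    echo "ovs-vsctl set port $port trunks=$tagged"
  else                                        # trunk with an untagged native VLAN
    echo "ovs-vsctl set port $port tag=$access trunks=$tagged vlan_mode=native-untagged"
  fi
}
```

Leaving VLAN_ID empty yields the trunk-only form, which is the case where no VLAN is delivered untagged to the guest.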
Feature #2345: Open vSwitch drivers now manage the VLAN_TAGGED_ID parameter. This parameter is not yet sent from the core.
#6 Updated by Stefan Kooman almost 4 years ago
I have set up a "nested" hypervisor. The underlying hypervisor (L0) is managed by OpenNebula. In order to have network isolation in the guest hypervisor (L1) I have set up a "trunk" port using the "VLAN_TAGGED_ID" attribute (VLAN_TAGGED_ID="226,227"). As the virtual network has an AR in it, it is seen as an "ACCESS PORT" as well as a "TRUNK" port, resulting in the following configuration:
trunks: [226, 227]
This configuration is treated as a "native vlan" by openvswitch. See discussion here: http://openvswitch.org/pipermail/discuss/2015-June/017924.html. Currently there is no way to provide a "trunk" only port with OpenNebula, since a virtual network needs to have an AR to get a lease (which reduces the trunk port to a native VLAN port for one of the defined VLANs). How can we get around this problem in OpenNebula? Drop the requirement for an AR? Add a "TRUNK" option for a virtual network? A "pure" trunked interface is very useful in "nested" hypervisor situations.