Tagged VLAN (trunk) support for VM guests

Added by Stefan Kooman almost 8 years ago.

Status: Closed
Start date: 09/27/2013
Target version: Release 4.6
At the moment (ONE 4.2) it's not possible to pass tagged (802.1Q) VLANs to a guest domain, although it is possible to do with OpenvSwitch. I would like to have support for this, as it opens the way to use (many) VLANs on a single interface.

In order to use VLAN functionality in ONE using OpenvSwitch you would set two parameters:

VLAN_ID = VID (integer)

A virtual machine using this virtual network will get an "ACCESS" VLAN interface in the given VLAN.

To provide tagged interface support (trunk) a modification should be made to allow multiple VLAN IDs to be declared, i.e.:


A virtual machine using a virtual network with only this VLAN declaration would get a trunked interface with VLAN_ID's VID-1, VID-2, VID-3 on it.

If both VLAN_ID and VLAN_TAGGED_ID are declared in the virtual network, the network interface would get both properties, i.e. ACCESS (native) VLAN (untagged) and tagged VLANs (trunk). It should not be allowed to have a VID in both VLAN_TAGGED_ID and VLAN_ID declaration (should produce an error while trying to create such a network).

One other thing that has to be taken into consideration is IP / NETWORK management. As it's possible to have multiple virtual interfaces it should also be possible to declare multiple different NETWORKs / IPs on those virtual interfaces. A possible solution might be to add a postfix consisting of the VLAN_ID, i.e. GATEWAY_VID = "", DNS_VID = "", etc.

Use cases:
- Router / Firewall in multiple networks to route / filter traffic between networks. Useful in somewhat more complex setups making use of LAN, DMZ, WAN networks.
- DHCP / PXE server providing DHCP services to multiple networks.

There has been a discussion on the mailing list a while ago [1], so there's definitely a demand for this.

[1]: http://www.mail-archive.com/users@lists.opennebula.org/msg10279.html

How would one go about setting this up using OpenvSwitch:

ovs-vsctl set port <port name> tag=VID-1

ovs-vsctl set port <port name> trunks=VID-1,VID-2,VID-3

Enable both ACCESS VLAN as well as TRUNK VLAN:
ovs-vsctl set port <port name> vlan_mode=native-untagged
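The rules proposed in this request (an access VLAN, a list of tagged VLANs, or both, with no VID allowed in both declarations) can be checked before any `ovs-vsctl` call is made. The Ruby code below is an added example, not part of the original issue and not OpenNebula's driver code; `parse_tagged_ids`, `ovs_port_args` and `VALID_VIDS` are hypothetical names, and the port name and VLAN numbers are constructed sample values.

```ruby
# Added example; names here are hypothetical, not OpenNebula driver code.
VALID_VIDS = (1..4094).freeze # usable 802.1Q VLAN IDs (0 and 4095 are reserved)

# Parse a VLAN_TAGGED_ID value such as "226,227" into a sorted, unique list.
def parse_tagged_ids(value)
  return [] if value.nil? || value.strip.empty?

  value.split(',').map do |item|
    text = item.strip
    raise ArgumentError, "invalid VLAN ID: #{text.inspect}" unless text.match?(/\A\d+\z/)

    text.to_i
  end.uniq.sort
end

# Build the "ovs-vsctl set port" argument vector for one port.
# vlan_id: ACCESS (native) VLAN or nil; tagged: VLAN_TAGGED_ID string or nil.
def ovs_port_args(port, vlan_id: nil, tagged: nil)
  trunks = parse_tagged_ids(tagged)
  access = vlan_id.nil? ? nil : Integer(vlan_id.to_s, 10)

  ([access] + trunks).compact.each do |vid|
    raise ArgumentError, "VLAN ID #{vid} out of range" unless VALID_VIDS.cover?(vid)
  end
  raise ArgumentError, 'no VLAN_ID or VLAN_TAGGED_ID given' if access.nil? && trunks.empty?
  # The proposal forbids one VID appearing in both declarations.
  if access && trunks.include?(access)
    raise ArgumentError, "VLAN ID #{access} is in both VLAN_ID and VLAN_TAGGED_ID"
  end

  args = ['ovs-vsctl', 'set', 'port', port]
  args << "tag=#{access}" if access
  args << "trunks=#{trunks.join(',')}" unless trunks.empty?
  # Both set: the native VLAN leaves untagged, the trunk VLANs stay tagged.
  args << 'vlan_mode=native-untagged' if access && !trunks.empty?
  args
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values.
  puts ovs_port_args('vnet6', vlan_id: 100, tagged: '226,227').join(' ')
  puts ovs_port_args('vnet6', tagged: '226, 227').join(' ')
end
```

The result is an argument vector rather than a command string, so it can be passed to `system(*args)` without the port name going through a shell.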

Added by Jaime Melis over 7 years ago

Feature #2345: Open vSwitch drivers now manage the VLAN_TAGGED_ID parameter. This parameter is not yet sent from the core.

Added by Jaime Melis over 7 years ago

Feature #2345: add VLAN_TAGGED_ID to the list of image inherited attributes


Note that it's possible to make a full trunk port, not limited to a list of VLAN IDs:

root@server:~# ovs-vsctl set port <port name> vlan_mode=trunk


I have set up a "nested" hypervisor. The underlying hypervisor (L0) is managed by OpenNebula. In order to have network isolation in the guest hypervisor (L1) I have set up a "trunk" port using the "VLAN_TAGGED_ID" attribute (VLAN_TAGGED_ID="226,227"). As the virtual network has an AR in it, it is seen as an "ACCESS PORT" as well as a "TRUNK" port. Resulting in the following configuration:

Port "vnet6"
    tag: 226
    trunks: [226, 227]
    Interface "vnet6"

This configuration is treated as a "native vlan" by openvswitch. See discussion here: http://openvswitch.org/pipermail/discuss/2015-June/017924.html. Currently there is no way to provide a "trunk" only port with OpenNebula. As a virtual network needs to have an AR to get a lease (and thus reducing the trunk port to a native vlan port for one of the defined vlans). How can we come by this problem in OpenNebula? Drop the requirement for an AR? Add a "TRUNK" option for a virtual network? A "pure" trunked interface is very useful in "nested" hypervisor situations.

Yes, I'd say that a specific attribute would be the ideal. Probably we should open an issue for this in the backlog (instead of reopening this)?

Issue #5503 created for this, as suggested by Ruben.

