Libvirt/KVM/QEMU – How to Configure VLANs with OVS

kvm-virtualizationlinux-networkingopenvswitchvlan

I am using Debian 9 machine as a router with two interfaces:

eth0 for WAN
eth1 for LAN

The eth1 has subinterfaces for multiple VLANs (eth1.10; eth1.20; eth1.30) and has trunk connection to managed switch. Various devices are connected to the switch access ports and have Internet access. Pretty standard setup, everything works as expected.

Now what I am trying to do is to create few VMs right inside the Debian router using libvirt/KVM/Qemu and connect them using OVS bridge to the existing VLANs. Something like recreating the same physical configuration as I described above, but virtualized.

I tried to create ovsbr0, add eth1 port to bridge and then add tagged ports for particular VLANs I wanted the VMs to connect to like this:

# ovs-vsctl add-br ovsbr0
# ovs-vsctl add-port ovsbr0 eth1
# ovs-vsctl add-port ovsbr0 vnet1 tag=10
# ovs-vsctl add-port ovsbr0 vnet2 tag=20
# ovs-vsctl add-port ovsbr0 vnet3 tag=30

When I run the actual VMs, the bridge looks like this:

# ovs-vsctl show
   Bridge ovsbr0
       Port ovsbr0
           Interface ovsbr0
               type: internal
       Port "eth1"
           Interface "eth1"
       Port "vnet1"
           tag: 10
           Interface "vnet1"
       Port "vnet2"
           tag: 20
           Interface "vnet2"
       Port "vnet3"
           tag: 30
           Interface "vnet3"

To my suprise the VMs vnet interfaces have no connection. From tcpdump on eth1, I can see that ARP frames from VMs are correctly tagged and reaching eth1 interface, but are not for some reason forwarded to the subinterfaces. I have never used OVS before, so I am obviously missing something important, but cannot figure out what it is.

Can somebody point me in the right direction?

Best Answer

The OVS bridge will forward traffic only to ports that are part of actual configured bridge. Although the eth1 is correctly added to the bridge as trunk interfaces, the subinterfaces (eth1.10; eht1.20; eth1.30) are not part of the bridge and would never see the traffic. The solution is simple - just add mentioned VLAN subinterfaces to the bridge.

A lengthy solution ...

So I've been toying around with different concepts and I think I've made a workable solution. Basically, there is a main bridge trunk (bt) that eth0 belongs to. Then for each firewall VM has its own bridge.

bridge name     bridge id               STP enabled     interfaces
bt              8000.002618895a72       no              eth0
bt-fw1          8000.000000000000       no              tap100i0
bt-fw2          8000.000000000000       no              tap101i0

At this point the tagged traffic from the firewall VMs will enter their own bridge for traffic to enter.

I then created VLANs for each interface that needs tagged traffic - and the respective VLAN on the main bridge for untagged traffic.

Eg. VLANs 1, 4000-4005

bt-fw1.1       | 1  | bt-fw1
bt-fw1.4000    | 4000  | bt-fw1
bt-fw1.4001    | 4001  | bt-fw1
bt-fw1.4002    | 4002  | bt-fw1
bt-fw1.4003    | 4003  | bt-fw1
bt-fw1.4004    | 4004  | bt-fw1
bt-fw1.4005    | 4005  | bt-fw1
bt-fw2.1       | 1  | bt-fw2
bt-fw2.4000    | 4000  | bt-fw2
bt-fw2.4001    | 4001  | bt-fw2
bt-fw2.4002    | 4002  | bt-fw2
bt-fw2.4003    | 4003  | bt-fw2
bt-fw2.4004    | 4004  | bt-fw2
bt-fw2.4005    | 4005  | bt-fw2
bt.1           | 1  | bt
bt.4000        | 4000  | bt
bt.4001        | 4001  | bt
bt.4002        | 4002  | bt
bt.4003        | 4003  | bt
bt.4004        | 4004  | bt
bt.4005        | 4005  | bt

Then for each VLAN, a bridge is created, that combines all respective VLANs from each interface to allow untagged communication between the main bridge and VM bridges.

bt.v1                   8000.2a8c73ad057d       no      bt-fw1.1
                                                        bt-fw2.1
                                                        bt.1
bt.v4000                8000.2a8c73ad057d       no      bt-fw1.4000
                                                        bt-fw2.4000
                                                        bt.4000
bt.v4001                8000.2a8c73ad057d       no      bt-fw1.4001
                                                        bt-fw2.4001
                                                        bt.4001
bt.v4002                8000.2a8c73ad057d       no      bt-fw1.4002
                                                        bt-fw2.4002
                                                        bt.4002
bt.v4003                8000.2a8c73ad057d       no      bt-fw1.4003
                                                        bt-fw2.4003
                                                        bt.4003
bt.v4004                8000.2a8c73ad057d       no      bt-fw1.4004
                                                        bt-fw2.4004
                                                        bt.4004
bt.v4005                8000.2a8c73ad057d       no      bt-fw1.4005
                                                        bt-fw2.4005
                                                        bt.4005

This now allows trunked interfaces to the firewall VMs, with only the VLANs I want on them.

Any future guests that need a single untagged VLAN only, can merely be added to the respective bt.X bridge.

Adding host IP interfaces is as easy as adding the IP to the respective VLAN bridge

Eg.

ip addr add 192.168.100.1/24 dev bt.v4005

A helper script

As my /etc/network/interfaces file could rapidly end up being massive, I wrote a small script that allows for minimal configuration - but with the same desired end result.

In the /etc/network/interfaces file it contains

# bridge bt-c0-fw1 vlan 1 4000-4005 interfaces tap100i0
# bridge bt-c0-fw2 vlan 1 4000-4005 interfaces tap101i0
# bridge bt vlan 1 4000-4005 interfaces eth0
# bridge-vlan bt vlan 1 4000-4005 interfaces bt-fw1 bt-fw2 bt

auto eth0
iface eth0 inet manual
  post-up /scripts/build-bridges.sh || /bin/true

Then in the post-up script, /scripts/build-bridges.sh

#!/bin/bash

CONFIG="/etc/network/interfaces"
DEFINERS="vlan|interfaces"
DEBUG=0

# Tear down all interfaces
modprobe -r 8021q
modprobe 8021q

brctl show | awk 'NR>1{print $1}' | while read BRIDGE; do
  ifconfig "$BRIDGE" down
  brctl delbr "$BRIDGE"
done

function run()
{
  if [ $DEBUG -eq 1 ]; then
    echo "$@"
  else
    eval "$@"
  fi
}

function get_vars()
{
  DATA=( $(echo "$2" | grep -Eoh "$1.+?" | sed -E "s/^$1 //g;s/($DEFINERS).+//g") )
  for VAL in ${DATA[@]}; do
    echo $VAL | grep -qE "[0-9]+-[0-9]+"
    if [ $? -eq 0 ]; then
      LOWER=$(echo $VAL | cut -f1 -d"-")
      UPPER=$(echo $VAL | cut -f2 -d"-")
      for i in $(seq $LOWER $UPPER); do
        echo $i
      done
    else
      echo $VAL
    fi
  done
}

# Build bridges
while read LINE; do
  BRIDGE=$(get_vars bridge "$LINE")
  if [[ ! "$BRIDGE" == "" ]]; then
    run brctl addbr $BRIDGE
    run ifconfig $BRIDGE up
    for INTERFACE in $(get_vars interfaces "$LINE"); do
      ifconfig $INTERFACE >/dev/null 2>&1
      if [ $? -eq 0 ]; then
        run brctl addif $BRIDGE $INTERFACE
      fi
    done
    run ifconfig $BRIDGE up
    for VLAN in $(get_vars vlan "$LINE"); do
      run vconfig add $BRIDGE $VLAN 2>&1 | grep -vE "(VLAN 1 does not work|consider another number)"
      run ifconfig $BRIDGE.$VLAN up
    done
  fi
done < <(grep -E "^# bridge " $CONFIG)

# Build vlan bridges
while read LINE; do
  BRIDGE=$(get_vars "bridge-vlan" "$LINE")
  for VLAN in $(get_vars " vlan" "$LINE"); do
    run brctl addbr $BRIDGE.v$VLAN
    run ifconfig $BRIDGE.v$VLAN up
    for INTERFACE in $(get_vars interfaces "$LINE"); do
      ifconfig $INTERFACE.$VLAN >/dev/null 2>&1
      if [ $? -eq 0 ]; then
        run brctl addif $BRIDGE.v$VLAN $INTERFACE.$VLAN
      fi
    done
  done
done < <(grep -E "^# bridge-vlan " $CONFIG)

exit 0

I hope this helps someone else, I've spent DAYS reading and testing and this seems to be the most elegant, easy to manage solution.

There's some good reading here too http://blog.davidvassallo.me/2012/05/05/kvm-brctl-in-linux-bringing-vlans-to-the-guests/

Linux Bridges – Tags on interface vs. on bridge

What is the difference between tagging on the bridge vs a physical interface then adding that tagged interface onto the bridge?

The difference is that you may not want all the interfaces in the bridge to be tagged.

Is net effect the same? Or is there some functional difference I'm missing here?

If you want all traffic traversing the bridge to be tagged, then there is no difference.

Convention, though, is to tag interfaces.

Best Answer

Related Solutions

Linux – Multiple, different VLAN trunks to KVM guests (Linux)

A lengthy solution ...

A helper script

Linux Bridges – Tags on interface vs. on bridge

Related Topic